marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 12:37 pm

Hi, I'm trying to do something probably trivial with a MikroTik hEX S. Basically I want to do a port forwarding to redirect all traffic to the WAN to a LAN address where a simulator (IP 192.168.0.102) runs on port 105. Basically all the configurations I have implemented to redirect all traffic or just port 105 were unsuccessful. After the initial quickconf I have the WAN address (static) on 192.168.51.150 and the LAN address on 192.168.0.99. I used the following rules as per the MikroTik textbook:

/ip firewall nat add chain=dstnat dst-address=192.168.51.150 action=dst-nat to-addresses=192.168.0.102
/ip firewall nat add chain=srcnat src-address=192.168.0.102 action=src-nat to-addresses=192.168.51.150

When I try with my laptop with 192.168.51.180 (connected to the WAN port) to connect to 192.168.51.150, the simulator that runs on 192.168.0.102 doesn't respond (ping always fails). When I connect the laptop to the LAN ports with 192.168.0.x I can ping and query the app on 192.168.0.102 without problems.

Is there something that I'm missing?
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 2:34 pm

The information missing from your post is: does the router know it's supposed to handle packets targeting 192.168.51.150? What is the router's own address in that particular subnet?

Generally, adding a DST-NAT rule doesn't make the router handle additional addresses.

To spare us from guessing, post full text configuration here. In terminal window execute /export hide-sensitive file=anynameyouwish, fetch resulting file, open it in text editor and copy-paste contents inside [code] [/code] environment.
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 3:45 pm

OK here is my conf, there are some changes from the originals due to the many attempts....
# jan/02/1970 05:30:05 by RouterOS 6.46.8
# software id = F1YH-2JE1
#
# model = RB760iGS
# serial number = E1F10E6F8760
/interface bridge
add admin-mac=2C:C8:1B:52:A3:A5 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.99/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.51.138/20 interface=ether1 network=192.168.48.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.99 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.99 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.51.138 to-addresses=\
    192.168.0.102
add action=src-nat chain=srcnat src-address=192.168.0.102 to-addresses=\
    192.168.51.138
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp to-addresses=\
    192.168.0.102 to-ports=102
/ip route
add distance=1 gateway=192.168.48.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 4:32 pm

The explanation is still lacking.
Can you explain the use case or requirements without any mention of the config.

I need person X, or Device Y to be able to ...............
I am running a server and want devices or persons to ........... in relation to the server.

Mixing up the config with requirements leads to FOG.

Then I am doubly confused when you state you use laptop but from the WAN????
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As for the config, it makes no sense to me!

You have one LAN subnet 192.168.88.1/24 which you have attached to the bridge.
Ether 2 is listed as a bridge port.
But then you give ether2 its own IP address.
If that is the case, take ether2 off the bridge.
PLUS
Where is the pool and the DHCP server etc. for the ether2 subnet???
Where is the dhcp server network for the bridge??

I am not conversant with how public IPs are distributed as often gateways are different from the actual public IP provided.
But yours appears to be a private IP; not sure why then the address and the network are so different, .51 and .48 ???

Forward chain - last rule in the forward chain is a duplicate of a previous rule and can be removed.
add action=accept chain=forward connection-state=established,related

Since you have a static wanip the generic sourcenat rule can be modified to
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN


add chain=srcnat action=src-nat in-interface=ether1 to-addresses=192.168.51.138

Other sourcenat rule, no clue if it's okay or should be stated prior to the default one above?

This dst nat rule is incomplete (you should be able to figure it out).
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp to-addresses=\
192.168.0.102 to-ports=102
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 5:12 pm

OK, I'll try to be clearer. The router in question (perhaps used improperly) must be used to reach a particular machine in a private subnet with IP 192.168.0.102 on port 102. The WAN is not connected to the internet but through a switch to a local network with subnet 192.168.51.x. All calls to the address 192.168.51.138 (which is now the static address on the WAN, ether1) must be addressed to 192.168.0.102 (the application we are using uses port 102). During quickconf I was asked for the LAN address and I entered 192.168.0.99. I am connected directly to the WAN with a laptop to verify that the redirect in question works.
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 5:15 pm

KK, did you fix the errors in the config?

Also, if I am on a browser and am going out http or https ports 80 or 443 or for that matter
any browser entry in the form www.address.com:XXXX where port XXXX could be any port,
how is that going to come in on port 105 on the simulator???
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 6:32 pm

I tried to fix the conf based on your suggestion. I canceled

/ip firewall filter add action=accept chain=forward connection-state=established,related

I modified the last dst-nat to

/ip firewall nat add action=dst-nat chain=dstnat src-address=192.168.51.138 dst-port=102 protocol=tcp to-addresses=\
192.168.0.102 to-ports=102

but when I try to input

/ip firewall nat add chain=srcnat action=src-nat in-interface=ether1 to-address=192.168.51.138
failure: incoming interface matching not possibile in output and postrouting chains
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 7:18 pm

But of course it would LOL

My bad, it should be
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-address=192.168.51.138
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 8:01 pm

With the following configuration it is not working (I disabled some rules ...)

PS. There isn't any web browser scenario; it's a custom application that communicates on port 102.
# jan/02/1970 09:50:11 by RouterOS 6.46.8
# software id = F1YH-2JE1
#
# model = RB760iGS
# serial number = E1F10E6F8760
/interface bridge
add admin-mac=2C:C8:1B:52:A3:A5 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.99/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.51.138/20 interface=ether1 network=192.168.48.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.99 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.99 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=102 protocol=tcp \
    to-addresses=192.168.0.102 to-ports=102
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp src-address=\
    192.168.51.138 to-addresses=192.168.0.102 to-ports=102
add action=src-nat chain=srcnat disabled=yes dst-port=102 protocol=tcp \
    src-address=192.168.0.102 to-addresses=192.168.51.138 to-ports=102
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    192.168.51.138
/ip route
add distance=1 gateway=192.168.48.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 8:14 pm

Starting to make sense!!

(1) FROM
/ip address
add address=192.168.0.99/24 comment=defconf interface=ether2 network=\
192.168.0.0
TO
/ip address
add address=192.168.0.99/24 comment=defconf interface=bridge network=\
192.168.0.0

(2) Let's go back to basics on nat rules........
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=102 protocol=tcp \
to-addresses=192.168.0.102 to-ports=102
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp src-address=\
192.168.51.138 to-addresses=192.168.0.102 to-ports=102
add action=src-nat chain=srcnat disabled=yes dst-port=102 protocol=tcp \
src-address=192.168.0.102 to-addresses=192.168.51.138 to-ports=102
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
192.168.51.138


- okay I see some are disabled and the last rule (sourcenat) is now in good shape (fixed).
- this leaves one dst nat rule still in place.
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp src-address=\
192.168.51.138 to-addresses=192.168.0.102 to-ports=102


Is the purpose of this rule to address people that are accessing the server from OUTSIDE the WAN, either on the external network the WAN resides or from the internet aka a public IP, on a router further up the food chain??

In any case the format for Dst-nat is as follows
add action=dst-nat chain=dstnat dst-port=102 protocol=tcp dst-address=\
192.168.51.138 to-addresses=192.168.0.102
(note: to-ports not required if same as dst-ports)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

That fixes all the config points now the challenge is to ensure all users on the LAN, when they use the application, get directed to the correct LANIP!
My question is what is the argument the application uses to communicate its outbound search?
How does the application on PC X, when you start it open, attempt to reach the server?
Does it have a domain name www.myserver.com for example?
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Fri Sep 24, 2021 8:27 pm

TO SOLVE THE APPLICATION DILEMMA

If communication by the application is by domain name, then we can use DNS to force computers to that LANIP.
Assume application searches for domain name and its www.myserver.net

Pre STEP1 Work -Remove this current static rule or it will take precedence
/ip dns static
add address=192.168.0.99 comment=defconf name=router.lan


Ensure that this rule contains the dns-server entry!
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.99 gateway=192.168.0.99

Step 1. Put Script in STATIC DNS
/ip dns static
add address=192.168.0.102 regexp="(^|www\\.)myserver\\.net\$" ttl=5m


This rule will capture any request for DNS when looking for that domain name and direct the query to the server IP.
However, some users on the same subnet may have DNS hard coded on their PCs...... and thus you need to redirect all DNS queries to the router to handle.

add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" \
dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" \
dst-port=53 protocol=udp src-address=192.168.0.0/24

This should effectively ensure that regardless of PC DNS settings, all the queries from the subnet will go through the router and thus hit the static DNS rule created.

Two important points:
(i) You'd need to make sure "allow remote request" is turned on in /IP DNS, ( I see that is already in place!)

(ii) *BE SURE* that your input firewall filter blocks DNS requests from the Internet itself so that you don't get this router taken over by a dns-amp ddos attack. This is not normally a concern if you are using the default firewall rules or any substitution thereof with a drop all else rule. (covered by your default rule, input chain does not allow any WAN incoming unsolicited traffic)
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 2:35 pm

First of all thanks... The application that runs on IP 192.168.0.102 is a Siemens CNC, so there is no web application that could involve DNS. I tried the last suggestion you made, but when I try to connect on port 102 on 192.168.51.138 the connection is refused; I tried even telnet to 102 but with the same results.... Are there some detailed logs that I can check on the device?
# jan/02/1970 01:05:26 by RouterOS 6.46.8
# software id = F1YH-2JE1
#
# model = RB760iGS
# serial number = E1F10E6F8760
/interface bridge
add admin-mac=2C:C8:1B:52:A3:A5 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.99/24 comment=defconf disabled=yes interface=ether2 \
    network=192.168.0.0
add address=192.168.51.138/20 interface=ether1 network=192.168.48.0
add address=192.168.0.99/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.99 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.99 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=102 protocol=tcp \
    to-addresses=192.168.0.102 to-ports=102
add action=dst-nat chain=dstnat disabled=yes dst-port=102 protocol=tcp \
    src-address=192.168.51.138 to-addresses=192.168.0.102 to-ports=102
add action=src-nat chain=srcnat disabled=yes dst-port=102 protocol=tcp \
    src-address=192.168.0.102 to-addresses=192.168.51.138 to-ports=102
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    192.168.51.138
add action=dst-nat chain=dstnat dst-address=192.168.51.138 dst-port=102 \
    protocol=tcp to-addresses=192.168.0.102
/ip route
add distance=1 gateway=192.168.48.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 3:19 pm

So the relevant stuff about NAT is currently this:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.51.138
add action=dst-nat chain=dstnat dst-address=192.168.51.138 dst-port=102 protocol=tcp to-addresses=192.168.0.102

It is very likely that CNC gadget doesn't have any routing enabled, so it can only talk to devices on same IP subnet. Which means you have to add src-nat which would make CNC gadget happy.

And adding this rule doesn't do the trick?
/ip firewall nat 
add chain=srcnat dst-address=192.168.0.102 action=src-nat to-addresses=192.168.0.99

This rule should change header of every packet targeting 192.168.0.102 ... it should change src-address to 192.168.0.99 (which is router's address in this particular subnet).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 3:39 pm

You can make firewall rules log some headers of the packets they have processed, but in this type of investigation it is usually either enough to look at the counters on firewall rules, or even their logs are insufficient and you need packet sniffing.

In the unlikely event that the suggestion of @mkx doesn't resolve your issue, we may take that path (watching rule counters and sniffing).
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 4:16 pm

Hi Mkx, thought you had given up on this thread or were using it as cheap entertainment watching me flounder around LOL.

Let's take the starting point discussion
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.51.138
add action=dst-nat chain=dstnat dst-address=192.168.51.138 dst-port=102 protocol=tcp to-addresses=192.168.0.102


First rule, standard rule, tells the router for any outbound traffic from the LANSIDE please assign the IP so designated when leaving the router..
The second rule which says to me for any traffic heading towards the WANIP, on port 102, send this traffic to the LANIP.

The difference between this dst nat rule and the ones SIMPLE me is used to is that there is no reference to in-interface-list, meaning, the traffic we are directing can come from anywhere.
Thus not the Port forwarding I am not used to but okay DST nat is much more than that, and to keep Sindy happy/sane, I will allow it . ;-)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I am with you so far.
Then I get lost by this rule as I don't see how it applies???
/ip firewall nat
add chain=srcnat dst-address=192.168.0.102 action=src-nat to-addresses=192.168.0.99 ??????????????????????

Argg you always make this into extreme yoga!!!!
 
marcosteamware
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 10:48 am

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 5:03 pm

WOW it works ! Thanks Mkx and anav :-)
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 5:06 pm

That is GREAT news!!!, but don't thank me, well okay maybe for confusing you, it's all MKX........ depressingly so LOL.

What is missing for me is the explanation of this statement which magically mkx divined was the culprit.
It is very likely that CNC gadget doesn't have any routing enabled, so it can only talk to devices on same IP subnet. Which means you have to add src-nat which would make CNC gadget happy.

What about the route already existing on the router??
/ip route
add distance=1 gateway=192.168.48.1

What about if I had an FTP server for example.
Typically .........................................oh.........................
I assign an IP address of 192.168.xx.yy and give it a gateway IP of the subnet
or it gets a DHCP assignment with gateway IP of the subnet

So in effect the FTP server knows where to send return traffic and that is to the gateway of the subnet and then routing takes over from there?
Is that the holy grail I am missing?

Well what kind of dipshit server does not have a gateway component of its address setup??
More to the point how the heck did MKX know this......................
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am probably still wrong but getting nowhere fast is my motto. (Could be my reproductive motto as well, at my age).
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 6:07 pm

If the CNC gadget doesn't use a router as gateway, then it can't send replies back to the outer network. Which means our beloved router has to fake the return address so that the CNC gadget thinks it's talking to the router when it's not. Perhaps the CNC gadget even does talk to a gateway, but mikrotik doesn't have the right address? Who would have known ....

BTW, great motto you have, anav
Last edited by mkx on Mon Sep 27, 2021 6:21 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 6:20 pm

Okay, can I ask you when the stock market will crash and also what date approximately I will expire so I can plan accordingly.................... fricken clairvoyant networker........................

In terms of order, does the DST NAT rule have to be located before the new srcnat rule?
So it's like this.

1. dstnat rule
2. sourcenat rule
3. default normal sourcenat rule

In other words does the router have to state I have incoming from Joe blow and this traffic is going to 192.168.0.102
but wait, the next rule states
take that traffic and sourcenat it with IP 192.168.0.99 so it appears to hit 192.168.0.102 from 192.168.0.99 (vice joe blows public wanip).

When the return traffic leaves the server, the router un-source-nats the traffic so that the destination gets corrected (it doesn't get sent to 192.168.0.99 but back to joe blow's public wanip).
I am still fuzzy on NAT rules and if order applies in general.
Last edited by anav on Mon Sep 27, 2021 6:27 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 6:22 pm

Okay, can I ask you when the stock market will crash

Whenever you'll have most of your money invested ...
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 6:28 pm

Okay, can I ask you when the stock market will crash

Whenever you'll have most of your money invested ...
And my legs are long enough to reach the ground............... thanks yoda! (see above post for additional question)
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 6:43 pm

In terms of order, does the DST NAT rule have to be located before the new srcnat rule.

Rule ordering (top to bottom) applies here as well. If both srcnat rules are orthogonal, then rule order doesn't affect the result (but it might slightly affect performance). In the particular case of OP, the srcnat rules are orthogonal (one is targeting traffic egressing via ether1 and the other is targeting traffic destined to one particular IP address which happens to be behind one of the bridge ports; ether1 is not a member of the bridge).

Dst-nat rule has nothing to do with src-nat rule order ... dst-nat gets executed as part of pre-routing (before packet gets processed by routing engine) and src-nat gets executed as part of post-routing. So all of dst-nat rules will always get executed way earlier than any of src-nat rules.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 7:58 pm

So all of dst-nat rules will always get executed way earlier than any of src-nat rules.
... regardless of their position in the configuration; only the order within each chain matters.

So even if you create this mess:
chain=srcnat rule 1
chain=srcnat rule 2
chain=dstnat rule 1
chain=srcnat rule 3
chain=dstnat rule 2

the packet will pass the dstnat rules 1 and 2 in this order as it enters the router, and it will pass the srcnat rules 1, 2 and 3 in this order as it leaves the router.
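A small Python model of what mkx's post (the src-nat to 192.168.0.99) and the two posts above on chain ordering work out, as an added example that is not RouterOS code and not from anyone in the thread: a packet passes the dstnat chain before routing and the srcnat chain after it, each chain keeps only its own relative rule order however the chains are interleaved in the configuration, and the extra src-nat rule is what lets a CNC host with no default gateway answer. The laptop address 192.168.51.180 is from the first post; the source port 40000 and the CNC's behaviour (it answers only peers on its own /24 unless given a gateway) are assumptions of this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread: laptop on the "WAN" side, router, CNC on the LAN side.
LAPTOP, WAN_IP, LAN_IP, CNC = "192.168.51.180", "192.168.51.138", "192.168.0.99", "192.168.0.102"
IFACES = {"ether1": (ip_network("192.168.48.0/20"), WAN_IP),   # interface -> (subnet, router address)
          "bridge": (ip_network("192.168.0.0/24"), LAN_IP)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                 # "dstnat" (prerouting) or "srcnat" (postrouting)
    action: str                # "dst-nat", "src-nat" or "masquerade"
    to_addresses: str = ""
    src_address: str = ""      # matchers; an empty string means "any"
    dst_address: str = ""
    dst_port: int = 0
    out_interface: str = ""

    def matches(self, pkt, out_iface):
        return ((not self.src_address or pkt.src == self.src_address)
                and (not self.dst_address or pkt.dst == self.dst_address)
                and (not self.dst_port or pkt.dport == self.dst_port)
                and (not self.out_interface or out_iface == self.out_interface))


def route(dst):
    """Egress interface: the directly connected subnet containing dst, else the WAN-side default route."""
    for name, (net, _) in IFACES.items():
        if ip_address(dst) in net:
            return name
    return "ether1"


class Router:
    def __init__(self, rules):
        self.rules = rules         # configuration order, chains may be interleaved freely
        self.conntrack = {}        # translated 4-tuple -> original packet (for un-NATing replies)

    def forward(self, pkt):
        """Return (egress interface, packet as it leaves the router)."""
        # Reply direction: reverse the stored translation; no NAT rules are consulted.
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return route(orig.src), Packet(orig.dst, orig.src, orig.dport, orig.sport)
        original = pkt
        # Prerouting: only dstnat rules, in their own relative order, first match wins.
        for r in (r for r in self.rules if r.chain == "dstnat"):
            if r.action == "dst-nat" and r.matches(pkt, None):
                pkt = replace(pkt, dst=r.to_addresses)
                break
        out = route(pkt.dst)       # routing decision sees the already-translated destination
        # Postrouting: only srcnat rules, again in their own relative order.
        for r in (r for r in self.rules if r.chain == "srcnat"):
            if r.matches(pkt, out):
                new_src = r.to_addresses if r.action == "src-nat" else IFACES[out][1]
                pkt = replace(pkt, src=new_src)
                break
        self.conntrack[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = original
        return out, pkt


def cnc_reply(received, has_gateway=False):
    """The CNC host (assumption): it answers only peers it can reach, i.e. its own /24 unless it has a gateway."""
    if not has_gateway and ip_address(received.src) not in IFACES["bridge"][0]:
        return None
    return Packet(received.dst, received.src, received.dport, received.sport)


def build_rules(hairpin_rule):
    """The final NAT rules from the thread, deliberately with chains interleaved."""
    rules = [Rule("srcnat", "masquerade", out_interface="ether1"),
             Rule("dstnat", "dst-nat", CNC, dst_address=WAN_IP, dst_port=102),
             Rule("srcnat", "src-nat", WAN_IP, out_interface="ether1")]
    if hairpin_rule:   # mkx's rule: the CNC sees the router's LAN address as the peer
        rules.append(Rule("srcnat", "src-nat", LAN_IP, dst_address=CNC))
    return rules


def run_scenario(rules, has_gateway=False):
    rtr = Router(rules)
    out, to_cnc = rtr.forward(Packet(LAPTOP, WAN_IP, 40000, 102))
    reply = cnc_reply(to_cnc, has_gateway)
    back = rtr.forward(reply)[1] if reply else None
    return {"egress": out, "cnc_saw_src": to_cnc.src, "laptop_got": back}
```

Without the extra rule the CNC sees 192.168.51.180 as the peer and, lacking a gateway, never answers; with it the CNC answers 192.168.0.99 and conntrack turns that reply back into 192.168.51.138:102 -> 192.168.51.180, which is what the laptop expects.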
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex s redirect traffic or port forwarding

Mon Sep 27, 2021 9:05 pm

Got it thanks!!
