janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Port forwarding problems

Mon Aug 17, 2009 3:21 pm

Main problem: if I forward a port to an internal IP, let's say 213.213.213.213:25 -> 10.0.0.1:25, I cannot access it using the FQDN from the internal network.
In the current example port 25 is forwarded, so if I use mail.blabla.com as SMTP server, then from the internal network I get a timeout and mail cannot be sent; from outside everything works OK.
I know there is a workaround, to create a record in local DNS pointing to 10.0.0.1, but this only partially resolves the problem.
Because if a user goes somewhere outside the local network with his notebook, and after a while comes back, he has a record in his notebook's DNS cache that mail.blabla.com is at 213.213.213.213 and he cannot send mail from the local network anymore, until the DNS cache is flushed.

And it is the same situation for everything else: if I forward port 80, from outside the webpage is accessible, but from inside it is not.

RB433, v3.28
Port forwarding done like this :
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
action=dst-nat to-addresses=192.168.1.101 to-ports=5900

Tried also another method found in forums, using netmap, with the same result.

In Linux if I do port forwarding in iptables then there are no such problems; also in any "cheapy" router like D-Link, Linksys etc. there are no such problems with port forwarding.
 
Chupaka
Forum Guru
Posts: 8465
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Port forwarding problems

Mon Aug 17, 2009 4:14 pm

There MUST be such a problem, because the server sends the response directly to the client, not via the router, so the router cannot 'de-NAT' those addresses. The client sends packets to 213.213.213.213, receives answers from 10.0.0.1 and drops them =)

The solutions: =)
- split DNS (resolves the FQDN to the external address for external users, and to the internal one for internal users);
- add a src-nat rule, so the router will masquerade clients (the server will see only the router's IP in incoming packets);
- move the server out of the users' subnet, so that the server replies via the router, not directly.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Mon Aug 17, 2009 4:43 pm

DNS is split already, but as I already wrote, if a user with a notebook goes to some other place, checks e-mail and then returns, in his notebook's local DNS cache there is still a record that mail.blahblah.com was at 213.213.213.213, and it does not perform a lookup against the internal DNS server. Only when the DNS cache is flushed (or expires, usually after 24h) do they get the correct IP from the internal server.

Interesting then how Linux iptables works without a problem in the same setup?

Maybe there are some IP filter rules to overcome behaviour like this.
 
Chupaka
Forum Guru
Posts: 8465
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Port forwarding problems

Mon Aug 17, 2009 4:57 pm

I described the details of the problem. You cannot just get it to work without breaking something.
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Mon Aug 17, 2009 5:27 pm

As I understand, when dst-nat'ing, MikroTik rewrites the destination address (public IP) to the internal IP and sends it from its own internal interface to 10.0.0.1, and when it receives the answer from the server it changes the internal IP address to the public IP and sends it to ...

This sh*t with MikroTik is causing me too much trouble, I think the MikroTik 433AH will have to go ...

How do all other routers then deal with this problem?
 
Chupaka
Forum Guru
Posts: 8465
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Port forwarding problems

Mon Aug 17, 2009 5:39 pm

This sh*t with mikrotik
This sh*t is with any router. It's how NAT works. Don't show your stupidity with abusive words.
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Mon Aug 17, 2009 6:19 pm

No, it is not!!! Really

I think there should be some way ...
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Port forwarding problems

Tue Aug 18, 2009 1:12 am

Chupaka is correct. Here is the way I do it:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=69.69.69.69 to-addresses=192.168.1.101 place-before=0
add chain=srcnat action=src-nat src-address=192.168.1.101 to-addresses=69.69.69.69 place-before=0

It comes in as 69.69.69.69, and is dst-natted to 192.168.1.101. But that is not enough. It must go out the same way. The srcnat ensures that the responses go back out as 69.69.69.69. Otherwise, they will show as your default IP on that interface if you use a masquerade here too. That isn't 69.69.69.69, is it?
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Tue Aug 18, 2009 11:22 am

I already tried a setup like this too.

It does not resolve the problem.

I think MT lacks some internal intelligence to deal with this problem.

As I already stated, Linux iptables and BSD pf do not have such problems, including many of the Linux/Unix firewall/router implementations like m0n0wall, pfSense, Endian, IPCop, Smoothwall etc. etc. Also any cheapest router can handle port forwarding correctly (if someone doesn't like the term correctly, then I should say: the way I want and think it should work ;) ). I mention Linux because RouterOS is built on/from Linux.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Port forwarding problems

Tue Aug 18, 2009 12:00 pm

Hi janisbanis,

Please notice the wording in my response. I did not say this might work, or this could work, or something like that. This works. It is working. I just used it. HTTP, email, FTP, etc., all from the internal net using the public domain name.

They have enough internal intelligence for me.
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Port forwarding problems

Tue Aug 18, 2009 12:08 pm

You have to masquerade local traffic to make this setup work. RouterOS behaviour is exactly the same as Linux, FreeBSD, OpenWRT and others.
Here are some references:
http://tldp.org/HOWTO/IP-Masquerade-HOW ... rders.html
https://forum.openwrt.org/viewtopic.php?id=4030

The article and forum topic above explain exactly what rules you have to set in iptables. It is basically the same as others already suggested here.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Port forwarding problems

Tue Aug 18, 2009 12:23 pm

Since mrz brought it up, I do NOT use "action=masquerade" for the default NAT when assigning multiple IPs to an interface. I always use "action=src-nat" only. Masquerade with multiple IPs leaves too much to chance for me. I have found it does not always choose the IP you expect.
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Port forwarding problems

Tue Aug 18, 2009 12:30 pm

Yes, if you have multiple IPs then it is advised to use src-nat.
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Tue Aug 18, 2009 1:13 pm

I use "action=masquerade", using one external IP.

1st try
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.1.101 to-ports=80

Webserver accessible from outside, not accessible from the local network using FQDN or public IP

2nd try
added SRC-NAT

the same

3rd try
found on the forum that action=netmap can be used in place of action=dst-nat and action=src-nat

the same result
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Port forwarding problems

Tue Aug 18, 2009 1:26 pm

Have you read anything from the links I gave you? I guess not.

You have to add the following rule to make it work:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-port=80 protocol=tcp

So at the end you get three NAT rules:
1) Masquerade internal to external (you already have it)
2) port forwarding (you already have it)
3) masquerade local to local (the rule I wrote above)

You also have to do the same in Linux and any other OS where iptables is used.
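A toy model of the hairpin path that Chupaka explained and that mrz's third rule fixes, written here as an added example (it is not RouterOS code and not from anyone in the thread). It walks one LAN client's SYN through the dst-nat rule, an optional masquerade rule, the server's reply and the client's connection table, and also shows why a masquerade rule bound to the PPPoE interface does not help. The router LAN address 192.168.1.1, the client 192.168.1.50 and the port numbers are constructed; 69.69.69.69 and 192.168.1.101 are the thread's.

```python
# Added toy model of the NAT hairpin discussed in this thread (not RouterOS code).
# 69.69.69.69 / 192.168.1.101 come from the thread; the rest is constructed.
from dataclasses import dataclass

PUBLIC_IP = "69.69.69.69"      # router WAN address, matched by the dst-nat rule
ROUTER_LAN = "192.168.1.1"     # router LAN address (assumed), used by masquerade
SERVER = "192.168.1.101"       # forwarded web server on the LAN
CLIENT = "192.168.1.50"        # LAN client opening http://69.69.69.69/ (constructed)


@dataclass
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def hairpin_works(masq_rules):
    """masq_rules: list of (src_prefix, out_interface_or_None) srcnat rules.
    Returns True if the server's reply is one the client's connection table
    accepts, i.e. it comes back as 69.69.69.69:80 -> client:40000."""
    original = Pkt(CLIENT, PUBLIC_IP, 40000, 80)
    # dstnat chain: the port-forward rule rewrites only the destination.
    fwd = Pkt(original.src, SERVER, original.sport, 80)
    # The server is on the LAN, so the packet leaves via the LAN interface;
    # a masquerade rule with out-interface=pppoe-out1 therefore never matches.
    egress = "lan"
    for src_prefix, out_if in masq_rules:
        if fwd.src.startswith(src_prefix) and out_if in (None, egress):
            fwd = Pkt(ROUTER_LAN, fwd.dst, fwd.sport, fwd.dport)  # masquerade
            break
    # Conntrack: remember how to undo NAT when the reply tuple shows up.
    conntrack = {(fwd.dst, fwd.src, fwd.dport, fwd.sport): original}
    # The server answers whatever source address it saw.
    reply = Pkt(SERVER, fwd.src, 80, fwd.sport)
    if reply.dst != ROUTER_LAN:
        # Same subnet: the reply goes straight to the client over the LAN and
        # never touches the router, so nothing un-NATs it.
        delivered = reply
    else:
        orig = conntrack[(reply.src, reply.dst, reply.sport, reply.dport)]
        delivered = Pkt(orig.dst, orig.src, orig.dport, orig.sport)  # both NATs undone
    # The client only accepts a reply that mirrors the 4-tuple it sent.
    return delivered == Pkt(PUBLIC_IP, CLIENT, 80, 40000)


if __name__ == "__main__":
    print("no hairpin rule:", hairpin_works([]))                                      # False
    print("masq on pppoe-out1 only:", hairpin_works([("192.168.1.", "pppoe-out1")]))  # False
    print("masq local to local:", hairpin_works([("192.168.1.", None)]))              # True
```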
 
janisbanis
just joined
Topic Author
Posts: 8
Joined: Mon Aug 17, 2009 2:40 pm

Re: Port forwarding problems

Tue Aug 18, 2009 2:32 pm

It works man!!! :lol:

Thanks for the help
 
jernejd
just joined
Posts: 2
Joined: Mon Nov 02, 2009 8:36 am

Re: Port forwarding problems

Mon Nov 02, 2009 9:10 pm

It works man!!! :lol:

Thanks for the help
Hi,

please paste here the complete sequence for your example.

Thanks,

Jernej
 
tombee79
Member Candidate
Posts: 247
Joined: Sun May 09, 2010 2:28 am

Re: Port forwarding problems

Mon Aug 30, 2010 5:10 am

Hi

I have only 2 /ip firewall rules (general) to do this and it works with FQDN.

1. I masquerade the local IPs (subnets)
2. I do port forwarding to my LAN servers (ftp, smtp etc.)

Here is the code:
-------------------------------------------------------------
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 X chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24

4 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.44.0/24

5 chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=20 protocol=tcp dst-address=64.165.220.163 dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21 protocol=tcp dst-address=64.165.220.163 dst-port=21

7 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=110 protocol=tcp dst-address=64.165.220.163 dst-port=110

8 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=25 protocol=tcp dst-address=64.165.220.163 dst-port=25
[admin@MikroTik] /ip firewall nat>

I didn't have to masquerade local to local

How is your config?
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Port forwarding problems

Mon Aug 30, 2010 8:59 am

i didn't have to masquerade local to local
And what do you think these two rules are doing?
2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24 

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24 
 
tombee79
Member Candidate
Posts: 247
Joined: Sun May 09, 2010 2:28 am

Re: Port forwarding problems

Wed Sep 01, 2010 4:46 am

MikroTik staff,

I don't know if you can explain this.

Like I already mentioned, I masqueraded local to local addresses so people on my LAN 192.168.88.1/24 can browse and send mail. I set up a mail server, and on the PC running the main server I can send and receive mail, but when trying to send and receive on my other PC on the same LAN I get in Outlook Express Err: Can not Connect to POP server???


What I have done in my Firewall>NAT config is this:

For every subnet in the firewall (local to local masqueraded) I also had the configuration set for "Outgoing Interface" to my PPPoE connection (my WAN, internet ISP DSL line).

SO I REMOVED IT FROM MY 192.168.88.1/24.
AND IT WORKED.

Can you tell me why it did work?

1 chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24
out-interface=pppoe-out1

4 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.44.0/24
out-interface=pppoe-out1

5 chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=20
protocol=tcp dst-address=64.165.220.163 dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21
protocol=tcp dst-address=64.165.220.163 dst-port=21

7 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=110
protocol=tcp dst-address=64.165.220.163 dst-port=110

8 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=25
protocol=tcp dst-address=64.165.220.163 dst-port=25

9 chain=srcnat action=src-nat to-addresses=64.165.220.163 protocol=tcp
src-address=192.168.88.8
 
tombee79
Member Candidate
Posts: 247
Joined: Sun May 09, 2010 2:28 am

Re: Port forwarding problems

Wed Sep 01, 2010 7:21 am

This is my edited/corrected version for running servers on my LAN and allowing access in and out for my LAN users. I run a mail server and FTP so far. They all work?

WANT EMAIL???? lol
:)

1 chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24


4 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.44.0/24


5 chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=20
protocol=tcp dst-address=64.165.220.163 dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21
protocol=tcp dst-address=64.165.220.163 dst-port=21

7 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=110
protocol=tcp dst-address=64.165.220.163 dst-port=110

8 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=25
protocol=tcp dst-address=64.165.220.163 dst-port=25



IT WORKS. BUT I FORGOT: IF ON MY LAN A USER E.G. WITH A DOS FTP CLIENT TRIES TO CONNECT TO THE FTP SERVER THEN THIS CODE IS NEEDED. Correct me if I am wrong

9 chain=srcnat action=src-nat to-addresses=64.165.220.163 protocol=tcp
src-address=192.168.88.8

(this enables inside-LAN PC/node communication BOTH WAYS, send/receive between client and server)


P.S. How do I disable port scanning so hackers won't damage my LAN?
Thx
Last edited by tombee79 on Wed Sep 01, 2010 7:35 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port forwarding problems

Wed Sep 01, 2010 7:31 am

Why wouldn't it work? It's less specific so those rules NAT everything they did before, plus everything else that matches now (traffic between local networks). That is not surprising even a little bit. For what it's worth, what you're doing now is bad practice. Only masquerade when you have to.
 
energyy
just joined
Posts: 1
Joined: Fri Mar 22, 2013 9:25 pm

Re: Port forwarding problems

Fri Mar 22, 2013 9:29 pm

Chupaka is correct. Here is the way I do it:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=69.69.69.69 to-addresses=192.168.1.101 place-before=0
add chain=srcnat action=src-nat src-address=192.168.1.101 to-addresses=69.69.69.69 place-before=0

It comes in as 69.69.69.69, and is dst-natted to 192.168.1.101. But that is not enough. It must go out the same way. The srcnat ensures that the responses go back out as 69.69.69.69. Otherwise, they will show as your default IP on that interface if you use a masquerade here too. That isn't 69.69.69.69, is it?
69.69.69.69 - External IP
192.168.1.101 - Internal server IP
This one helped me, only needed one little fix:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=69.69.69.69 to-addresses=192.168.1.101 place-before=0
add chain=srcnat action=src-nat dst-address=192.168.1.101 to-addresses=69.69.69.69 place-before=0
