VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Forwarding UDP port

Fri Jan 20, 2017 2:25 pm

Hi there!
Please help me find out why my port forwarding on Mikrotik doesn't work.
I set up:
Chain dstnat
Protocol udp
Dst. Port 49068
In.Interface ether1
Action netmap
To Address 192.168.10.200
To Ports 6000

But when I try to send packets from the external network, the router doesn't forward them to the local one.
In this case, the log shows only one record.
Please help.
25.png
26.png
 
2frogs
Long time Member
Posts: 541
Joined: Fri Dec 03, 2010 1:38 am

Re: Forwarding UDP port

Fri Jan 20, 2017 2:52 pm

Use action=dst-nat instead of the netmap. I believe netmap requires both dst-address and to-address and is intended to forward port for port.
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Sat Jan 21, 2017 4:14 pm

Thanks, 2frogs.
I tried, but it doesn't work.
Got the same single log message.
screenshot.png
 
2frogs
Long time Member
Posts: 541
Joined: Fri Dec 03, 2010 1:38 am

Re: Forwarding UDP port

Sat Jan 21, 2017 4:33 pm

That log just states that the router received a request to port 49068 from the internet, which is what is supposed to happen. It looks like your device at 192.168.10.200 is not responding to the request. Have you checked that it responds to port 6000 from the local LAN?
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Sat Jan 21, 2017 7:46 pm

Yes, the device with address 192.168.10.200 responds in the local network.
screenshot.png
 
pe1chl
Forum Guru
Posts: 6166
Joined: Mon Jun 08, 2015 12:09 pm

Re: Forwarding UDP port

Sat Jan 21, 2017 7:55 pm

You ALSO need to pass the relevant traffic in Filter rules, in addition to dstnat.
You can arrange this with a single rule to allow dstnat traffic.
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Sat Jan 21, 2017 8:35 pm

I added a filter rule:
chain: input
Protocol: udp
Dst.Port: 49068
Action: accept

It doesn't help.
screenshot.png
 
2frogs
Long time Member
Posts: 541
Joined: Fri Dec 03, 2010 1:38 am

Re: Forwarding UDP port

Sun Jan 22, 2017 1:24 am

chain=forward

And order matters! You have to put accepts above drops according to chains...
Normally the default forward drop has a "connection nat state"=!dst-nat.
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Sun Jan 22, 2017 7:11 pm

Changed the chain and order and set "connection nat state"=!dst-nat.
Unfortunately, it doesn't help.
screenshot.png
 
RLithgo
newbie
Posts: 30
Joined: Mon Dec 12, 2016 12:21 am

Re: Forwarding UDP port

Mon Jan 23, 2017 3:31 am

I suspect your NAT rule isn't working. From my experience, once my NAT rules worked properly, there was no need to add firewall rule as well. From my understanding, NAT happens first.
Try setting Dst. Address Type = local in the NAT rules. That's what did it for me.
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Mon Jan 23, 2017 8:42 am

I agree with you, RLithgo.
But I have spent almost two weeks on it. Who knows, maybe a filter would help.
Your proposal has not helped either :(

Maybe it is not possible to set up UDP forwarding?
 
Jotne
Forum Guru
Posts: 1314
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Forwarding UDP port

Mon Jan 23, 2017 8:56 am

Filter rules are not needed with dstnat.
Are you 100% sure your server is responding on 49068?
If it's a Windows or Linux server, try
netstat -noa
look for
udp 0.0.0.0:49068 *.*
or
udp 127.0.0.1:49068 *.*

Is there a firewall turned on? By default it's turned on on Windows. Turn it off for a test. If OK, turn the FW on and make a rule on the server for the port or application.
Do you have other NAT rules working?
Do you have other NAT rules to this server working?
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Posts: 6166
Joined: Mon Jun 08, 2015 12:09 pm

Re: Forwarding UDP port

Mon Jan 23, 2017 10:52 am

Filter rules is not needed with dstnat.
Incorrect. There is a default filter rule that blocks incoming traffic from ether1 EXCEPT dstnat traffic.
Once you have deleted that and built some other defense against outside traffic you again need to
cater for the dstnat traffic.
 
User avatar
Jotne
Forum Guru
Posts: 1314
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Forwarding UDP port

Mon Jan 23, 2017 12:14 pm

Incorrect. There is a default filter rule that blocks incoming traffic from ether1 EXCEPT dstnat traffic.
Once you have deleted that and built some other defense against outside traffic you again need to
cater for the dstnat traffic.
I am new to this so I'd like to learn.
Here is my filter rule:
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 2    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 3    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 4    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 5    ;;; Drop ICMP on outside IF
      chain=input action=drop protocol=icmp in-interface=ether1 log=no log-prefix="" 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

 7    ;;; PPTP VPN
      chain=input action=accept protocol=tcp in-interface=ether1 dst-port=1723 port="" log=no log-prefix="" 

 8    ;;; L2TP VPN
      chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 

 9 XI  ;;; L2TP VPN
      chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 

10    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10" 
I have several ports from WAN to LAN open (tcp/80, udp/514, etc.).
From the list above I do see a lot of traffic logged in rule 0, but I guess that is made just for informational purposes.
What rule lets the traffic through? Is it the fasttrack stuff?
 
 
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Mon Jan 23, 2017 2:17 pm

Are you 100% sure your server is responding on 49068.
Yes. But it is not a server. I control the device via phone. In the local network it works fine.
But when I try remote control (from another network) I don't see packets from my remote phone in the local network.
Mikrotik (1).png
Is there a firewall turned on. Default its turned on on Windows. Turn it off for test. If ok, turn FW on and make a rule on the server for the port or application.
There are no firewalls. And I don't see packets from outside.
Do you have other NAT rules working?
No. It is my first port forwarding experience.
Do you have other NAT rules to this server working?
No
 
2frogs
Long time Member
Posts: 541
Joined: Fri Dec 03, 2010 1:38 am

Re: Forwarding UDP port

Mon Jan 23, 2017 2:55 pm

I agree with you, RLithgo.
But I have spent almost two weeks on it. Who knows, maybe a filter would help.
Your proposal has not helped either :(

Maybe it is not possible to set up UDP forwarding?
I should have caught this sooner, but you also need a return path from the server to remote client. Since you changed the incoming from port 49068 to 6000, you would need the opposite for the return since the client is expecting port 49068.
/ip firewall nat add chain=srcnat action=src-nat protocol=udp src-address=192.168.10.200 src-port=6000 out-interface=ether1 to-ports=49068
I am not 100% on the code, it's been a while since I have had to change ports...
 
Sob
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding UDP port

Mon Jan 23, 2017 4:15 pm

..., but you also need a return path from the server to remote client.
Not really, that's what conntrack is for, if there's NAT in one direction, it automatically takes care about the other one.

Filter rules from few posts back don't block it either, the only blocking rule is #6, but it does not apply to dstnated packets.

Anyway, this should be extremely easy to debug, especially for someone who can use Wireshark. Do the similar at router (either use Tools->Torch in interfaces or add logging rules in prerouting/forward/postrouting chains). When you connect from <outside client> to <public IP>:49068, you must see:

- packet from <outside client>:<some port> to <public IP>:49068 in prerouting
- packet from <outside client>:<some port> to 192.168.10.200:6000 in forward and postrouting (where the outgoing interface must be <LAN interface>)

If this all works, the problem is not in router. Most likely 192.168.10.200 does not allow packets from non-LAN addresses or doesn't have correct default gateway.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
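The filter-chain behaviour Jotne asked about (the rule list a few posts up) and Sob's answer that only rule #6 blocks anything, and not for dst-nat'ed packets, can be checked by walking the chain the way RouterOS does: top to bottom, first terminating match wins. The following evaluator is an added example and not code from the thread or from MikroTik; it transcribes the defconf rules quoted above, assumes that fasttrack-connection and passthrough do not terminate the walk and that a packet matching nothing is accepted (the default chain policy), and then replays the situations from the thread: a dst-nat'ed new UDP packet, the same packet without a matching NAT rule, the first attempt of an accept in the input chain, and an accept placed above versus below the drop.

```python
"""First-match evaluation of the defconf filter chain quoted in the thread.

Added example, not from the thread. Models how RouterOS walks a chain top
to bottom and stops at the first terminating rule, to show why a dst-nat'ed
new UDP packet from ether1 is accepted, why the same packet is dropped
when no dst-nat rule matched, and why an accept in the input chain (or an
accept placed below the drop) does nothing for forwarded traffic.
Assumptions: fasttrack-connection and passthrough do not terminate, and a
packet that matches nothing is accepted (RouterOS default chain policy).
"""
from dataclasses import dataclass
from typing import Optional

NON_TERMINATING = {"passthrough", "fasttrack-connection", "log"}


@dataclass
class Packet:
    chain: str                       # input / forward
    in_interface: str
    protocol: str
    dst_port: int                    # already translated when seen in forward
    connection_state: str            # new / established / related / invalid
    connection_nat_state: str = ""   # "" (no NAT), "dstnat" or "srcnat"


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: tuple = ()
    connection_states: tuple = ()
    connection_nat_state: Optional[str] = None   # e.g. "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain:
            return False
        if self.in_interface and self.in_interface != p.in_interface:
            return False
        if self.protocol and self.protocol != p.protocol:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.connection_states and p.connection_state not in self.connection_states:
            return False
        if self.connection_nat_state is not None:
            negate = self.connection_nat_state.startswith("!")
            want = self.connection_nat_state.lstrip("!")
            if (p.connection_nat_state == want) == negate:
                return False
        return True


def evaluate(rules, p: Packet):
    """Walk the rule list in order; return (verdict, index of the deciding rule)."""
    for i, r in enumerate(rules):
        if r.matches(p) and r.action not in NON_TERMINATING:
            return r.action, i
    return "accept", None            # fell off the end of the chain


# Transcribed from the filter print in the thread (dummy fasttrack counter rule omitted).
DEFCONF = [
    Rule("input", "accept", "defconf: accept established,related",
         connection_states=("established", "related")),
    Rule("forward", "fasttrack-connection", "defconf: fasttrack",
         connection_states=("established", "related")),
    Rule("forward", "accept", "defconf: accept established,related",
         connection_states=("established", "related")),
    Rule("forward", "drop", "defconf: drop invalid", connection_states=("invalid",)),
    Rule("input", "drop", "Drop ICMP on outside IF", protocol="icmp", in_interface="ether1"),
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed",
         in_interface="ether1", connection_states=("new",), connection_nat_state="!dstnat"),
    Rule("input", "accept", "PPTP VPN", protocol="tcp", in_interface="ether1", dst_ports=(1723,)),
    Rule("input", "accept", "L2TP VPN", protocol="udp", in_interface="ether1",
         dst_ports=(500, 1701, 4500)),
    Rule("input", "drop", "defconf: drop all from WAN", in_interface="ether1"),
]


def forwarded_udp(nat_state: str) -> Packet:
    """First packet of a UDP flow from the WAN, as seen in the forward chain."""
    return Packet("forward", "ether1", "udp", 6000, "new", nat_state)


def scenarios() -> dict:
    out = {}
    out["dstnat_new"] = evaluate(DEFCONF, forwarded_udp("dstnat"))
    out["no_nat_new"] = evaluate(DEFCONF, forwarded_udp(""))
    # The thread's first attempt: accept udp/49068 in the *input* chain.
    # Forwarded traffic never visits input, and its port is already 6000 here.
    input_accept = Rule("input", "accept", "accept udp/49068", protocol="udp", dst_ports=(49068,))
    out["input_accept_no_nat"] = evaluate([input_accept] + DEFCONF, forwarded_udp(""))
    # Order matters: the same accept in the forward chain works above the drop, not below it.
    fwd_accept = Rule("forward", "accept", "accept udp/6000", protocol="udp", dst_ports=(6000,))
    out["forward_accept_above_drop"] = evaluate([fwd_accept] + DEFCONF, forwarded_udp(""))
    out["forward_accept_below_drop"] = evaluate(DEFCONF + [fwd_accept], forwarded_udp(""))
    return out


if __name__ == "__main__":
    for name, (verdict, idx) in scenarios().items():
        print(f"{name:28s} -> {verdict} (rule {idx})")
```

The dst-nat'ed packet is accepted with no rule index, i.e. nothing in the chain matched it and it fell through to the default accept; the untranslated packet hits the "not DSTNATed" drop. That is why a working NAT rule is enough on the default configuration, and why a filter accept only becomes necessary once that drop has been replaced by something broader.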
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Tue Jan 24, 2017 9:46 am

Thanks, Sob.

In the local network:
I tried Torch.
29.png
But I didn't get anything from it, while Wireshark showed me packets.
30.png

In the remote network:
I set the "log" checkbox in my forwarding rule. But I get only one log message when I send the first packet from the phone from outside.
32.png
I don't understand what it means.


Most likely 192.168.10.200 does not allow packets from non-LAN addresses
But I don't see any packets in Wireshark from the external network
or doesn't have correct default gateway.
It has gateway address 192.168.10.1 -- address of my router
 
Sob
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding UDP port

Tue Jan 24, 2017 10:13 pm

Try it with logging rules. If you have this dstnat rule:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=49068 in-interface=ether1-gateway log=yes \
    protocol=udp to-addresses=192.168.10.200 to-ports=6000
Then add these rules and put them at top before all other rules:
/ip firewall filter
add action=log chain=forward dst-address=192.168.10.200 dst-port=6000 protocol=udp
/ip firewall mangle
add action=log chain=prerouting dst-port=49068 in-interface=ether1-gateway protocol=udp
add action=log chain=postrouting dst-address=192.168.10.200 dst-port=6000 protocol=udp
Then try to connect and this is what you should see:
21:09:11 firewall,info prerouting: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx 
21:09:11 firewall,info dstnat: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx
21:09:11 firewall,info forward: in:ether1-gateway out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx
21:09:11 firewall,info postrouting: in:(none) out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx
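Sob's two debugging posts describe the same method: log the packet in prerouting, forward and postrouting and read off at which stage it disappears or gets the wrong translation. The checker below is an added example, not code from the thread or from MikroTik; it parses log lines in the format Sob shows above (chain name, in/out interface, proto, src->dst and the optional NAT field) and reports the first missing stage with a hint, then checks the translation and the out-interface. The three traces are constructed for the example, using the documentation addresses 203.0.113.7 and 198.51.100.10, and the masquerade variant only rewrites the source field, not the full NAT annotation RouterOS would print.

```python
"""Parse RouterOS firewall log lines of the kind the logging rules above
produce and check that a forwarded UDP packet went through
prerouting -> dstnat -> forward -> postrouting with the expected
translation. Added example, not from the thread; the log lines below are
constructed (203.0.113.7 and 198.51.100.10 are documentation addresses).
"""
import re

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), src-mac (?P<mac>\S+), proto (?P<proto>\w+), "
    r"(?P<src>\S+?)->(?P<dst>[^,]+)"
    r"(?:, NAT (?P<nat_src>\S+?)->\((?P<nat_from>\S+?)->(?P<nat_to>[^)]+)\))?"
    r", len (?P<len>\d+)$"
)
STAGES = ("prerouting", "dstnat", "forward", "postrouting")
# What the absence of a stage usually means for a dst-nat port forward.
HINTS = {
    "prerouting": "packet never reached the WAN interface: check the client or upstream",
    "dstnat": "packet arrived but the dst-nat rule did not match (protocol/port/in-interface)",
    "forward": "dst-nat applied but a forward-chain filter rule dropped the packet",
    "postrouting": "forward passed but nothing was routed out: check routes and the LAN interface",
}


def parse(line: str):
    """One log line -> dict of fields, or None if it is not a firewall log line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines, public_port: int, internal: str, wan_if: str):
    """Return (ok, issues) for the log lines of one forwarded packet."""
    seen = {}
    for line in lines:
        rec = parse(line)
        if rec:
            seen.setdefault(rec["chain"], rec)   # first line per chain
    for stage in STAGES:
        if stage not in seen:
            return False, [f"no {stage} entry: {HINTS[stage]}"]
    pre, fwd, post = seen["prerouting"], seen["forward"], seen["postrouting"]
    issues = []
    if pre["in"] != wan_if:
        issues.append(f"prerouting in:{pre['in']}, expected {wan_if}")
    if not pre["dst"].endswith(f":{public_port}"):
        issues.append(f"prerouting dst {pre['dst']} is not port {public_port}")
    if fwd["dst"] != internal or fwd["nat_to"] != internal:
        issues.append(f"forward dst {fwd['dst']} / NAT to {fwd['nat_to']}, expected {internal}")
    if post["out"] == wan_if:
        issues.append("postrouting out-interface is the WAN: packet is sent back out, not into the LAN")
    if post["src"] != pre["src"]:
        issues.append(f"source rewritten {pre['src']} -> {post['src']}: a src-nat/masquerade rule "
                      "also matched, so the server sees the router's address, not the client's")
    return not issues, issues


# Constructed sample traces (not real captures).
MAC = "aa:bb:cc:dd:ee:ff"
GOOD_TRACE = [
    f"21:09:11 firewall,info prerouting: in:ether1-gateway out:(none), src-mac {MAC}, proto UDP, "
    "203.0.113.7:51234->198.51.100.10:49068, len 64",
    f"21:09:11 firewall,info dstnat: in:ether1-gateway out:(none), src-mac {MAC}, proto UDP, "
    "203.0.113.7:51234->198.51.100.10:49068, len 64",
    f"21:09:11 firewall,info forward: in:ether1-gateway out:bridge-local, src-mac {MAC}, proto UDP, "
    "203.0.113.7:51234->192.168.10.200:6000, "
    "NAT 203.0.113.7:51234->(198.51.100.10:49068->192.168.10.200:6000), len 64",
    f"21:09:11 firewall,info postrouting: in:(none) out:bridge-local, src-mac {MAC}, proto UDP, "
    "203.0.113.7:51234->192.168.10.200:6000, "
    "NAT 203.0.113.7:51234->(198.51.100.10:49068->192.168.10.200:6000), len 64",
]
# A forward-chain drop: the packet is logged up to dstnat and then vanishes.
DROPPED_TRACE = GOOD_TRACE[:2]
# Delivered, but a masquerade rule rewrote the source to the router's LAN address.
MASQ_TRACE = GOOD_TRACE[:3] + [GOOD_TRACE[3].replace(
    "203.0.113.7:51234->192.168.10.200:6000", "192.168.10.1:51234->192.168.10.200:6000", 1)]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("dropped", DROPPED_TRACE), ("masq", MASQ_TRACE)):
        print(name, diagnose(trace, 49068, "192.168.10.200:6000", "ether1-gateway"))
```

Feed it the lines from /log print filtered on the firewall topic; in this thread the logs were complete, and the only finding was the rewritten source address, which is the masquerade rule Sob points out in the next post.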
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Thu Jan 26, 2017 11:28 am

Thanks, Sob.
I got a lot of messages about forwarding.
34a.PNG
35a.PNG
36a.PNG



But:
1. I still don't see it on the network;
2. The number of packets on the log rules grows, while the number of packets on the forward rule increments only by 1.
Maybe there is something wrong with my UDP packets and they die in the router before leaving it?
 
Sob
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding UDP port

Thu Jan 26, 2017 7:11 pm

But those logs show that it works. Take the last one from postrouting, it says that packet is about to leave via bridge-local interface to 192.168.10.200:6000. The only possibly unexpected thing may be that it doesn't have original source address, but was srcnated to router's internal address 192.168.10.1. That's because of NAT rule #6 (see image in your first post).
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Fri Jan 27, 2017 7:08 am

Sob, should the packet counter of the forward rule grow?
 
VBykov
just joined
Topic Author
Posts: 11
Joined: Fri Jan 20, 2017 1:25 pm

Re: Forwarding UDP port

Mon Jan 30, 2017 9:27 am

Hi guys!

The problem is really in the device. It answers me with broadcast packets.
So I did not see feedback when I tried remote control via internet.

For some reason Wireshark doesn't show external packets from the remote control, and that confused me.

Thanks for your support.
 
Sob
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding UDP port

Mon Jan 30, 2017 9:43 pm

Yes, packet counters for rules should increase with each packet. Unless they are caught by other rules, e.g. by main "accept established & related" rule. In that case you'll only see the counter increased by one for each connection. Exception are NAT rules, those will always only fire once per connection.