Forwarding UDP port

VBykov · Fri Jan 20, 2017 2:25 pm

Hi there!
Please help me to find why my port forwarding on Mikrotik doesnt work.
I setup:
Chain dstnat
Protocol udp
Dst. Port 49068
In.Interface ether1
Action netmap
To Address 192.168.10.200
To Ports 6000

But when I try to send packages from external network router doesnt forward they in local.
In this case, the log record only one record.
Please help.

25.png

26.png

2frogs · Fri Jan 20, 2017 2:52 pm

Use action=dst-nat instead of the netmap. I believe netmap requires both dst-address and to-address and is intended to forward port for port.

VBykov · Sat Jan 21, 2017 4:14 pm

Thanks, 2frogs.
I tried, but it doesnt work.
Got the same one log message.

screenshot.png

2frogs · Sat Jan 21, 2017 4:33 pm

That log just states that the router received a request to port 49068 from the internet, which is what is supposed to happen. It looks like your device at 192.168.10.200 is not responding to the request. Have you checked that it responds to port 6000 from the local LAN?

VBykov · Sat Jan 21, 2017 7:46 pm

Yes, device with address 192.168.10.200 responds in the local network

screenshot.png

pe1chl · Sat Jan 21, 2017 7:55 pm

You ALSO need to pass the relevant traffic in Filter rules, in addition to dstnat.
You can arrange this with a single rule to allow dstnat traffic.

VBykov · Sat Jan 21, 2017 8:35 pm

I add filter rule:
chain: input
Protocol: udp
Dst.Port: 49068
Action: accept

It doesnt help.

screenshot.png

2frogs · Sun Jan 22, 2017 1:24 am

chain=forward

And order matters! You have to put accepts above drops according to chains...
Normally the default forward drop has a "connection nat state"=!dst-nat.

VBykov · Sun Jan 22, 2017 7:11 pm

Change chain, order and set "connection nat state"=!dst-nat.
Unfortunately, doesnt help.

screenshot.png

RLithgo · Mon Jan 23, 2017 3:31 am

I suspect your NAT rule isn't working. From my experience, once my NAT rules worked properly, there was no need to add firewall rule as well. From my understanding, NAT happens first.
Try setting Dst. Address Type = local in the NAT rules. That's what did it for me.

VBykov · Mon Jan 23, 2017 8:42 am

I agree with you, RLithgo.
But I spent on it for almost two weeks on it. Who knows, maybe a filter would help.
Your proposal has not helped too (.

Maybe, it is not possible to setup udp forwarding?

Jotne · Mon Jan 23, 2017 8:56 am

Filter rules is not needed with dstnat.
Are you 100% sure your server is responding on 49068.
If its a Windows or linux server try
netstat -noa
look for
udp 0.0.0.0:49068 *.*
or
udp 127.0.0.1:49068 *.*

Is there a firewall turned on. Default its turned on on Windows. Turn it off for test. If ok, turn FW on and make a rule on the server for the port or application.
Do you have other NAT rules working?
Do you have other NAT rules to this server working?

pe1chl · Mon Jan 23, 2017 10:52 am

Filter rules is not needed with dstnat.

Incorrect. There is a default filter rule that blocks incoming traffic from ether1 EXCEPT dstnat traffic.
Once you have deleted that and built some other defense against outside traffic you again need to
cater for the dstnat traffic.

Jotne · Mon Jan 23, 2017 12:14 pm

Incorrect. There is a default filter rule that blocks incoming traffic from ether1 EXCEPT dstnat traffic.
Once you have deleted that and built some other defense against outside traffic you again need to
cater for the dstnat traffic.

I am new to this so like to learn.
Here is my filter rule:

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 2    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 3    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 4    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 5    ;;; Drop ICMP on outside IF
      chain=input action=drop protocol=icmp in-interface=ether1 log=no log-prefix="" 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

 7    ;;; PPTP VPN
      chain=input action=accept protocol=tcp in-interface=ether1 dst-port=1723 port="" log=no log-prefix="" 

 8    ;;; L2TP VPN
      chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 

 9 XI  ;;; L2TP VPN
      chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 

10    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10"

I have several port from wan to lan open (port tcp/80 udp/514) etc.
Form list above I do see lot of traffic logged in rule 0, but guess that is made just for informational purpose.
What rule lets the traffic trough? Is it the fasttrack stuff?

VBykov · Mon Jan 23, 2017 2:17 pm

Are you 100% sure your server is responding on 49068.

Yes. But it is not a server. I control device via phone. In local network it works fine.
But when I try remote control (from the other network) I doesnt see packages from my remote phone in local network.

Mikrotik (1).png

Is there a firewall turned on. Default its turned on on Windows. Turn it off for test. If ok, turn FW on and make a rule on the server for the port or application.

There are no firewalls. And I doesnt see packages from external.

Do you have other NAT rules working?

No. It is my first port forwarding experience.

Do you have other NAT rules to this server working?

No

2frogs · Mon Jan 23, 2017 2:55 pm

I agree with you, RLithgo.
But I spent on it for almost two weeks on it. Who knows, maybe a filter would help.
Your proposal has not helped too (.

Maybe, it is not possible to setup udp forwarding?

I should have caught this sooner, but you also need a return path from the server to remote client. Since you changed the incoming from port 49068 to 6000, you would need the opposite for the return since the client is expecting port 49068.

/ip firewall nat add chain=src-nat sec-address=192.168.10.200 src-port=6000 out-interface=ether1 to-port=49068

I am not 100% on the code, it's been a while since I have had to change ports...

Sob · Mon Jan 23, 2017 4:15 pm

..., but you also need a return path from the server to remote client.

Not really, that's what conntrack is for, if there's NAT in one direction, it automatically takes care about the other one.

Filter rules from few posts back don't block it either, the only blocking rule is #6, but it does not apply to dstnated packets.

Anyway, this should be extremely easy to debug, especially for someone who can use Wireshark. Do the similar at router (either use Tools->Torch in interfaces or add logging rules in prerouting/forward/postrouting chains). When you connect from <outside client> to <public IP>:49068, you must see:

- packet from <outside client>:<some port> to <public IP>:49068 in prerouting
- packet from <outside client>:<some port> to 192.168.10.200:6000 in forward and postrouting (where the outgoing interface must be <LAN interface>

If this all works, the problem is not in router. Most likely 192.168.10.200 does not allow packets from non-LAN addresses or doesn't have correct default gateway.

VBykov · Tue Jan 24, 2017 9:46 am

Thanks, Sob.

In the local network:
I tried Torch.

29.png

But I didn't get anything from him, while Wireshark showed me packages.

30.png

In the remote network:
I set checkbox "log" in my forwarding rule. But I get only one log message, then I send first package from phone from external

32.png

I dont anderstand what it is mean.

Most likely 192.168.10.200 does not allow packets from non-LAN addresses

But I doesnt see any packages in Wireshark from external network

or doesn't have correct default gateway.

It has gateway address 192.168.10.1 -- address of my router

Sob · Tue Jan 24, 2017 10:13 pm

Try it with logging rules. If you have this dstnat rule:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=49068 in-interface=ether1-gateway log=yes \
    protocol=udp to-addresses=192.168.10.200 to-ports=6000

Then add these rules and put them at top before all other rules:

/ip firewall filter
add action=log chain=forward dst-address=192.168.10.200 dst-port=6000 protocol=udp
/ip firewall mangle
add action=log chain=prerouting dst-port=49068 in-interface=ether1-gateway protocol=udp
add action=log chain=postrouting dst-address=192.168.10.200 dst-port=6000 protocol=udp

Then try to connect and this is what you should see:

21:09:11 firewall,info prerouting: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx 
21:09:11 firewall,info dstnat: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx
21:09:11 firewall,info forward: in:ether1-gateway out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx
21:09:11 firewall,info postrouting: in:(none) out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx

VBykov · Thu Jan 26, 2017 11:28 am

Thanks, Sob.
I got a lot of messages about forwarding.

34a.PNG

35a.PNG

36a.PNG

But:

1. I still doesnt see it on network;
2. Number of pakets of log rules grows up while number of packets of forward increments only by 1.

Maybe it is something wrong with my udp packeges and they die in router befor leave him?

Sob · Thu Jan 26, 2017 7:11 pm

But those logs show that it works. Take the last one from postrouting, it says that packet is about to leave via bridge-local interface to 192.168.10.200:6000. The only possibly unexpected thing may be that it doesn't have original source address, but was srcnated to router's internal address 192.168.10.1. That's because of NAT rule #6 (see image in your first post).

VBykov · Fri Jan 27, 2017 7:08 am

Sob, should grow number of packets of forward route counter?

VBykov · Mon Jan 30, 2017 9:27 am

Hi guys!

The problem is really in the device. It answer me by broadcast packages.
So I did not see feedback when I tried remote control via internet.

For some reason Wireshark doesnt show external packages from remote control and it confused me.

Thanks for your support.

Sob · Mon Jan 30, 2017 9:43 pm

Yes, packet counters for rules should increase with each packet. Unless they are caught by other rules, e.g. by main "accept established & related" rule. In that case you'll only see the counter increased by one for each connection. Exception are NAT rules, those will always only fire once per connection.

Forwarding UDP port

Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Re: Forwarding UDP port

Who is online