sithlord
just joined
Topic Author
Posts: 2
Joined: Wed Nov 15, 2006 10:12 pm

Opening ports and forwarding (drives me crazy!)

Wed Nov 15, 2006 11:01 pm

Ok, first off, I am very sorry for posting this question since you probably answered this one a million times before.

I have been plowing through the manual and this forum now for the last three days and I simply cannot find an answer, or at least an answer that I can understand as a total MikroTik newbie.

See, I got my router from my ISP since it enables me to connect to a wireless network throughout the valley.

I got several PCs behind the router, so of course I have DHCP enabled on the router. (router internal IP is 192.168.2.1)

Now I need to open and forward ports to several PCs for different reasons.

1) - FTP and Torrent server on 192.168.2.252
2) - Gameserver on 192.168.2.253
3) - Workstation on 192.168.2.254

I use the winbox program to communicate with the router and I do understand SOME of it... but the whole forwarding section remains a mystery to me.

This is the schematic of my setup.
[img=http://img50.imageshack.us/img50/7075/m ... kc1.th.jpg]

Please, please, please, please, please, please, please, please help me with this problem

Let me explain what the idea is:

1) - 192.168.2.252 needs to have port 21 forwarded to this IP from the router.
2) - 192.168.2.253 needs to have port 80, 8085, 3443, 3724 forwarded in order to run my game server
3) - 192.168.2.254 is running just fine.

Could anyone help me step by step?

You could also add me at sebastiaan_bloemhoff@hotmail.com for MSN chat.

Thank you very much for your time.
 
macgaiver
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Thu Nov 16, 2006 9:53 am

Simple dst-nat rules:

If something is coming to your public IP address and specific port - you redirect it to the specific local IP address:

http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
sithlord
just joined
Topic Author
Posts: 2
Joined: Wed Nov 15, 2006 10:12 pm

Thu Nov 16, 2006 11:19 am

> Simple dst-nat rules:
>
> If something is coming to your public IP address and specific port - you redirect it to the specific local IP address:
>
> http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php

I understand that part, but I don't understand what to do.
I have been fiddling with all kinds of settings, but nothing I do works.

Especially the game server. People instantly get a disconnect message.
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Nov 16, 2006 11:49 am

Did you see the examples part?
http://www.mikrotik.com/testdocs/ros/2. ... p#6.36.3.3

What exactly is unclear? Do you know what ports the game uses? Did you write your rules correctly? Post them here.
 
randallr
Member Candidate
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

Mon Nov 20, 2006 6:34 pm

I have a similar issue - the 1st rule forwards great, but then I obviously can't get into router remotely, so I've tried adding rules to forward port 8291 (winbox) to the private side IP.

I've set it up according to the example:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109

I've added the 'to-ports' field for the destination port.
I tried adding the Protocol and Dst. Port also.

The first rule on the list will work fine, but subsequent rules seem ignored.

Ideas?
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Nov 21, 2006 10:01 am

Paste 'ip firewall nat export' or NAT rules you have.
 
randallr
Member Candidate
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

Tue Nov 21, 2006 4:22 pm

Here are the three rules... Masquerade, then the remote desktop, then finally one to allow me to get into router through winbox from outside. This is my home router.....


0 chain=srcnat out-interface=wlan1 action=masquerade

1 chain=dstnat dst-address=12.195.xx.xxx dst-port=3189 action=dst-nat
to-addresses=192.168.254.160 to-ports=3389

2 chain=dstnat dst-address=12.195.xx.xxx dst-port=8291 action=dst-nat
to-addresses=192.168.254.1 to-ports=8291
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed Nov 22, 2006 10:06 am

You must specify the protocol together with the src/dst port used.
 
randallr
Member Candidate
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

Wed Nov 22, 2006 2:18 pm

Added the ports on both ends for both rules...
Works great now.

Thanks
 
charliem99
just joined
Posts: 4
Joined: Tue Oct 24, 2006 6:28 pm
Location: Botswana

Thu Nov 23, 2006 1:00 pm

I've been battling with this for some time also.
Can you post an export of the rules that you used to fix the problem?
This is what I've got and it won't work either.

# nov/23/2006 12:47:06 by RouterOS 2.9.27
# software id = VB6E-2RN
#
/ ip firewall nat
add chain=srcnat out-interface=wan action=masquerade comment="" disabled=no
add chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat \
to-addresses=192.168.0.1 to-ports=25 comment="" disabled=no


When I telnet to the mailserver I get no response.
Please help.
Last edited by charliem99 on Thu Nov 23, 2006 8:05 pm, edited 1 time in total.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Nov 23, 2006 1:07 pm

Port number 25 does not forward Telnet traffic.
Port 25 forwards SMTP traffic; if you want to set redirection for a Telnet session, then use port 23 (the default port number for Telnet).
 
charliem99
just joined
Posts: 4
Joined: Tue Oct 24, 2006 6:28 pm
Location: Botswana

Thu Nov 23, 2006 2:15 pm

Hi Sergejs, it is intended for SMTP traffic, but I use telnet to port 25 to test that the mailserver can respond. Will this export that I posted earlier work for SMTP?
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Nov 23, 2006 2:28 pm

DST-NAT changes the dst-address of the packet; this rule actually directs packets destined to 193.220.217.78 to 192.168.0.1.
You need to add a SRC-NAT rule that will redirect port 25 traffic from 192.168.0.1 to 193.220.217.78.
Packets sent from 192.168.0.1 will have 193.220.217.78 as src-address.
 
charliem99
just joined
Posts: 4
Joined: Tue Oct 24, 2006 6:28 pm
Location: Botswana

Thu Nov 23, 2006 4:47 pm

Hi Sergejs

See the latest try; it still does not accept incoming mails, although I'm able to send outgoing SMTP.

I have a mailserver on private IP 192.168.0.1; the public IP is 193.x.x.78. I want the mailserver on the private IP to be able to send and receive public SMTP and POP emails.


[admin@WAHGICP] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=wan action=masquerade

1 chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat
to-addresses=192.168.0.1 to-ports=25

2 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=25 action=src-nat
to-addresses=193.x.x.78 to-ports=25

3 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=110 action=src-nat
to-addresses=193.x.x.78 to-ports=110

4 ;;; pop
chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=110 action=dst-nat
to-addresses=192.168.0.1 to-ports=110


Your help would be greatly appreciated.
 
charliem99
just joined
Posts: 4
Joined: Tue Oct 24, 2006 6:28 pm
Location: Botswana

Sat Nov 25, 2006 10:03 am

It seems that when I disable masquerade, everything now works.
 
gregdhayes
newbie
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Fri Jan 05, 2007 2:38 am

I've got two W3k boxes running remote desktop on the same network. I can access the first one just fine.

I try to add the 2nd one and can't connect to it.

I know I can't have the 2nd entry the same as the first, since RDP is using the same port on both machines.

So I tried to redirect port 3390 from remote machine to 3389.

Here are my rules.

1 ;;; NAT Rule to allow RDP from outside network
chain=dstnat dst-address=12.166.5.8 action=dst-nat to-addresses=10.0.0.5
to-ports=3389

2 chain=dstnat dst-address=12.166.5.8 protocol=tcp dst-port=3390
action=dst-nat to-addresses=10.0.0.4 to-ports=3389

Any suggestions?

Thanks
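
An added example, not part of any post in this thread and not MikroTik code: a small Python check run over the rule sets randallr and gregdhayes posted above. It flags port matchers given without a protocol (the point sergejs makes) and dstnat rules that can never match because an earlier, broader rule in the same chain takes the packet first. The rule lines are copied from the posts; the function names and finding labels are hypothetical.

```python
# Constructed sample input: NAT rules copied from the posts above (one per line).
RANDALLR = [
    "chain=srcnat out-interface=wlan1 action=masquerade",
    "chain=dstnat dst-address=12.195.xx.xxx dst-port=3189 action=dst-nat to-addresses=192.168.254.160 to-ports=3389",
    "chain=dstnat dst-address=12.195.xx.xxx dst-port=8291 action=dst-nat to-addresses=192.168.254.1 to-ports=8291",
]
GREGDHAYES = [
    "chain=dstnat dst-address=12.166.5.8 action=dst-nat to-addresses=10.0.0.5 to-ports=3389",
    "chain=dstnat dst-address=12.166.5.8 protocol=tcp dst-port=3390 action=dst-nat to-addresses=10.0.0.4 to-ports=3389",
]
# Keys that describe what the rule does rather than which packets it matches.
NON_MATCHERS = {"chain", "action", "to-addresses", "to-ports", "comment", "disabled"}

def parse_rule(line):
    """Split 'key=value key=value ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def port_set(spec):
    """Expand '80,8085,3000-3002' into a set of ints; None means any port."""
    if spec is None:
        return None
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def covers(earlier, later):
    """True if every packet matching `later` is already matched by `earlier`.
    Simplification: matcher values are compared as plain strings."""
    for key, val in earlier.items():
        if key not in NON_MATCHERS and key != "dst-port" and later.get(key) != val:
            return False
    e, l = port_set(earlier.get("dst-port")), port_set(later.get("dst-port"))
    return e is None or (l is not None and l <= e)

def lint(lines, start=0):
    """Return (rule number, finding) pairs for the dstnat rules in `lines`."""
    rules = [(n, parse_rule(l)) for n, l in enumerate(lines, start)]
    dstnat = [(n, r) for n, r in rules if r.get("chain") == "dstnat"]
    findings = []
    for idx, (n, r) in enumerate(dstnat):
        if ("dst-port" in r or "src-port" in r) and "protocol" not in r:
            findings.append((n, "port-without-protocol"))
        if "dst-port" not in r:
            findings.append((n, "no-dst-port"))
        for m, prev in dstnat[:idx]:
            if covers(prev, r):
                findings.append((n, f"shadowed-by-{m}"))
                break
    return findings
```

A rule reported as `no-dst-port` sends every port on that public address to the inside host, which is wider exposure than a single-service forward needs.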
