Opening ports and forwarding (drives me crazy!)
Posted: Wed Nov 15, 2006 11:01 pm
Ok, first off, I am very sorry for posting this question since you probably answered this one a million times before.
I have been plowing through the manual and this forum now for the last three days and I simply cannot find an answer, or at least an answer that I can understand as a total MikroTik newbie.
See, I got my router from my ISP since it enables me to connect to a wireless network throughout the valley.
I got several PCs behind the router, so of course I have DHCP enabled on the router. (router internal IP is 192.168.2.1)
Now I need to open and forward ports to several PC's for different reasons.
1) - FTP and Torrent server on 192.168.2.252
2) - Gameserver on 192.168.2.253
3) - Workstation on 192.168.2.254
I use the Winbox program to communicate with the router and I do understand SOME of it... but the whole forwarding section remains a mystery to me.
This is the schematic of my setup.
[img=http://img50.imageshack.us/img50/7075/m ... kc1.th.jpg]
Please, please, please, please, please, please, please, please help me with this problem
Let me explain what the idea is:
1) - 192.168.2.252 needs to have port 21 forwarded to this IP from the router.
2) - 192.168.2.253 needs to have port 80, 8085, 3443, 3724 forwarded in order to run my game server
3) - 192.168.2.254 is running just fine.
Could anyone help me step-by-step ?
You could also add me at firstname.lastname@example.org for MSN chat.
Thank you very much for your time.
Posted: Thu Nov 16, 2006 9:53 am
Simple dst-nat rules:
If something is coming to your public IP address and specific port - you redirect it to the specific local IP address:
Posted: Thu Nov 16, 2006 11:19 am
I understand that part, but I don't understand what to do.
I have been fiddling with all kinds of settings, but nothing I do works.
Especially the game server. People instantly get a disconnect message.
Posted: Thu Nov 16, 2006 11:49 am
did you see the examples part ?
http://www.mikrotik.com/testdocs/ros/2. ... p#188.8.131.52
what exactly is unclear? do you know what ports the game uses? did you write your rules correctly? post them here
Posted: Mon Nov 20, 2006 6:34 pm
I have a similar issue - the 1st rule forwards great, but then I obviously can't get into router remotely, so I've tried adding rules to forward port 8291 (winbox) to the private side IP.
I've set up according to the example
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
I've added the 'to-ports' field for the destination port.
I tried adding the Protocol and Dst. Port also.
The first rule on the list will work fine, but subsequent rules seem ignored.
Posted: Tue Nov 21, 2006 10:01 am
Paste 'ip firewall nat export' or NAT rules you have.
Posted: Tue Nov 21, 2006 4:22 pm
Here are the three rules... Masquerade, then the remote desktop, then finally one to allow me to get into router through winbox from outside. This is my home router.....
0 chain=srcnat out-interface=wlan1 action=masquerade
1 chain=dstnat dst-address=12.195.xx.xxx dst-port=3189 action=dst-nat
2 chain=dstnat dst-address=12.195.xx.xxx dst-port=8291 action=dst-nat
Posted: Wed Nov 22, 2006 10:06 am
You must specify protocol together with used src/dst - port.
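To put the two replies above together (the dst-nat explanation and the protocol requirement), here is an added example, not taken from the thread or from MikroTik documentation, for the first poster's three hosts. PUBLIC_IP is a placeholder for the router's ISP-assigned address and wlan1 is assumed to be the WAN interface; if the game uses UDP as well, a matching protocol=udp rule is needed for those ports.

```routeros
# Added example, not the poster's config. PUBLIC_IP = router's WAN address
# (placeholder); wlan1 = WAN interface (assumption).
/ip firewall nat

# Outbound: LAN hosts leave via the WAN interface with the public address.
add chain=srcnat out-interface=wlan1 action=masquerade comment="LAN to Internet"

# Inbound: each dst-nat rule names protocol AND dst-port together, as the
# thread concludes; a dst-port match without protocol will not work.
# Omitting to-ports keeps the destination port unchanged.

# FTP control channel to the FTP/torrent box. Passive FTP data connections
# additionally rely on the FTP connection-tracking helper.
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.2.252 to-ports=21 comment="FTP"

# Game server: one rule per port so it also works on older RouterOS
# versions that do not accept comma-separated port lists.
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.2.253 comment="game web"
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=8085 \
    action=dst-nat to-addresses=192.168.2.253 comment="game 8085"
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=3443 \
    action=dst-nat to-addresses=192.168.2.253 comment="game 3443"
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=3724 \
    action=dst-nat to-addresses=192.168.2.253 comment="game 3724"

# 192.168.2.254 only needs outbound access, so no dst-nat rule for it.
```

After adding the rules, `/ip firewall nat print` should list them in this order, and the packet counters on each dst-nat rule show whether inbound connections are matching.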
Posted: Wed Nov 22, 2006 2:18 pm
Added the ports on both ends for both rules...
Works great now.
Posted: Thu Nov 23, 2006 1:00 pm
I've been battling with this for some time also.
Can you post an export of the rules that you used to fix the problem?
this is what I've got and it won't work either.
# nov/23/2006 12:47:06 by RouterOS 2.9.27
# software id = VB6E-2RN
/ ip firewall nat
add chain=srcnat out-interface=wan action=masquerade comment="" disabled=no
add chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat \
to-addresses=192.168.0.1 to-ports=25 comment="" disabled=no
when I telnet to the mailserver I get no response
Posted: Thu Nov 23, 2006 1:07 pm
Port 25 does not forward Telnet traffic.
Port 25 forwards SMTP traffic; if you want to set up a redirection for a Telnet session, then use port 23 (the default port number for Telnet).
Posted: Thu Nov 23, 2006 2:15 pm
Hi Sergejs, It is intended for smtp traffic, but I use telnet to port 25 to test that the mailserver can respond. Will this export that I posted earlier work for smtp?
Posted: Thu Nov 23, 2006 2:28 pm
DST-NAT changes the dst-address of the packet; this rule actually directs packets destined to 184.108.40.206 to 192.168.0.1.
You need to add a SRC-NAT rule that will redirect port 25 traffic from 192.168.0.1 to 220.127.116.11.
Packets sent from 192.168.0.1 will have 18.104.22.168 as src-address.
Posted: Thu Nov 23, 2006 4:47 pm
See the latest try; it still does not accept incoming mail although I'm able to send outgoing SMTP.
I have a mailserver on private IP 192.168.0.1, the public IP is 193.x.x.78. I want the mailserver on the private IP to be able to send and receive public SMTP and POP email.
[admin@WAHGICP] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=wan action=masquerade
1 chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat
2 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=25 action=src-nat
3 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=110 action=src-nat
4 ;;; pop
chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=110 action=dst-nat
Your help would be greatly appreciated.
Posted: Sat Nov 25, 2006 10:03 am
It seems that when I disable masquerade, everything now works.
Posted: Fri Jan 05, 2007 2:38 am
I've got two W3k boxes running remote desktop on the same network. I can access the first one just fine.
I try to add the 2nd one and can't connect to it.
I know I can't have the 2nd entry the same as the first, since RDP is using the same port on both machines.
So I tried to redirect port 3390 from remote machine to 3389.
Here are my rules.
1 ;;; NAT Rule to allow RDP from outside network
chain=dstnat dst-address=22.214.171.124 action=dst-nat to-addresses=10.0.0.5
2 chain=dstnat dst-address=126.96.36.199 protocol=tcp dst-port=3390
action=dst-nat to-addresses=10.0.0.4 to-ports=3389
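The post above has no reply on this page, so as an added example (not the poster's configuration) here is the same pair of rules written so that both RDP hosts are reachable. Rule 1 in the post has no protocol or dst-port, so it matches every packet sent to the public address and rule 2 is never consulted; giving each rule its own protocol and port fixes that. PUBLIC_IP stands in for the address that is masked in the post.

```routeros
# Added example, not the poster's config. PUBLIC_IP is a placeholder for
# the router's public address.
/ip firewall nat

# First host: match only TCP 3389, instead of every packet to PUBLIC_IP.
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=10.0.0.5 to-ports=3389 \
    comment="RDP to first W2k3 box"

# Second host: outside clients connect to PUBLIC_IP:3390, which is
# rewritten to 10.0.0.4:3389. This rule now gets a chance to match because
# the rule above no longer swallows all inbound traffic.
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=3390 \
    action=dst-nat to-addresses=10.0.0.4 to-ports=3389 \
    comment="RDP to second W2k3 box"
```

NAT rules in a chain are evaluated top to bottom and the first match wins, so a broad rule placed above a specific one silently disables the specific one; the packet counters in `/ip firewall nat print` make this visible.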