Hi !

I have a rule on dstnat chain that forward all ports to other router inside , otherwise: all traffic TCP from WAN forward to 172.17.1.2 This rule forward ok all ports. Suddenly I need exclude one port 7000 tcp from this forward, so I modify this rule and replace it for 2 rules:

forward port 1-6999
forward port 7001-65000

as well, first rule works perfectly but second does not.

If I change the order of rules, as same mode, the first rule works fine.

At the same time that this occur, the tcp port 7000 (where I located ovpn tcp port from this MK router) it does not work either.

Is this a bug, or I am forgetting any ?

PD: RB2011UAS and 6.39 RoS

have to add that, the WAN port is a PPPoE interface, and this trouble rules are:

add action=dst-nat chain=dstnat in-interface="pppoe - wan1" protocol=tcp to-addresses=172.17.1.2 to-ports=1-6999
add action=dst-nat chain=dstnat in-interface="pppoe - wan1" protocol=tcp to-addresses=172.17.1.2 to-ports=7001-65000


First rule works ok (1 to 6999 ports are forwarded ok to 172.17.1.2 ip) but second rule does not, Nevertheless:

add action=dst-nat chain=dstnat in-interface="pppoe - wan1" protocol=tcp to-addresses=172.17.1.2 to-ports=1-65000

works ok !

You forget to do the corresponding match on the destination ports in the matching section of the rule!

Oh Sh*t! That's it all ? You're right! But, why when I indicate all ports, it works sucessfully ?

In any case, lot of thanks!!!

What your rule does is to forward all ports to a limited set of ports.
So it uses those low port numbers 1:1 but for higher numbers it assigns a random port number.
When you want 1:1 port forwarding you need to indicate both the ports you want to match and the ports you want to forward to.