sambuddy200471
just joined
Topic Author
Posts: 13
Joined: Fri Jun 10, 2016 3:55 am

simple port forwarding not working

Mon Feb 05, 2018 1:47 pm

Hello All,
I have set up a server so I can access it over the internet.
My server is on 192.168.150.200 and is listening on port 80.
I would like to access it from the internet on port 8000, so the HTTP request would be
http://publicIP:8000
My WAN port is ether1.

My firewall configuration is as follows:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; stop external dns queries from being answered
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""

1 ;;; stop external dns queries from being answered
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""

2 ;;; block all https
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=443 log=no log-prefix=""

3 ;;; block ssh, telnet and ftp
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=21-23 log=no log-prefix=""

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.150.200 to-ports=80 protocol=tcp
dst-address=122.107.35.32 in-interface=ether1 dst-port=8000 log=no log-prefix=""

I have read quite a few posts about this and from what I can tell, it should all work... but it's not.
Any suggestions as to where I may be going wrong?

Thanks
Stuart
 
sindy
Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forwarding not working

Mon Feb 05, 2018 2:47 pm

Possibly some filtering rules in chain forward prevent the redirected packets from reaching the server.

If you can post the result of "/ip firewall export", we could say more. Also, if 192.168.150.0/24 (where the server is) is not an own subnet of the Mikrotik and Mikrotik's IP from that subnet is not the web server's default gateway, there may be a problem.

And, also important: do you test from something in the internet or from another device connected to Mikrotik's LAN side?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sambuddy200471
just joined
Topic Author
Posts: 13
Joined: Fri Jun 10, 2016 3:55 am

Re: simple port forwarding not working

Mon Feb 05, 2018 10:25 pm

Hello,
my firewall export is
[admin@MikroTik] /ip firewall> export
# feb/06/2018 06:41:36 by RouterOS 6.40.5
# software id = AWE7-LI4Q
#
# model = CRS125-24G-1S
# serial number = 6D08058AB1C9
/ip firewall filter
add action=drop chain=input comment="stop external dns queries from being answered" dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="stop external dns queries from being answered" dst-port=53 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block all https" dst-port=443 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block ssh, telnet and ftp" dst-port=21-23 in-interface=ether1 \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=122.107.35.32 dst-port=8000 in-interface=ether1 protocol=tcp \
to-addresses=192.168.150.200 to-ports=80

192.168.150.200 is on the subnet owned by the Mikrotik.
I can access the webserver from this subnet but not from the WAN side.

Thanks for your help
 
sindy
Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forwarding not working

Mon Feb 05, 2018 11:00 pm

As there is nothing at all in the forward chain of the filter table of your firewall, I'd think about the routing on the web server - is its default gateway the IP of your Mikrotik? Because I can see nothing in your firewall rules that would prevent the client's requests from being delivered to the server, so routing of the server's responses may be an issue.
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: simple port forwarding not working

Mon Feb 05, 2018 11:22 pm

Try to make your line as below:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.150.200 to-ports=80

Don't use any other IPs in the rule.

By the way, I assume that you have a public IP from your ISP?
 
sambuddy200471
just joined
Topic Author
Posts: 13
Joined: Fri Jun 10, 2016 3:55 am

Re: simple port forwarding not working

Sat Feb 10, 2018 2:27 am

Hello Sindy and Matiaszon,
Thank you for your help. I have resolved the issue. The configuration ended up being correct, it was just that I was testing it incorrectly. I COULD access the website externally from my phone... if I turned off my wifi connection on my phone and forced the connection to go through the mobile (hence external) network.
Thanks for your help.
Regards
Stuart
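
Added illustration, not part of any poster's message and not RouterOS code: a Python sketch that models how the dstnat rule exported in this thread matches packets, showing why a request sent from the phone's Wi-Fi never hits the rule while the same request over the mobile network does. The LAN-side interface name `bridge` and the two sample packets are assumptions constructed for the example.

```python
import shlex

# NAT rule as exported in the thread (the "\" line continuation joined).
RULE = ('add action=dst-nat chain=dstnat dst-address=122.107.35.32 dst-port=8000 '
        'in-interface=ether1 protocol=tcp to-addresses=192.168.150.200 to-ports=80')

# Matchers this sketch understands; exact-value comparison only (no port ranges).
MATCHERS = ("dst-address", "dst-port", "in-interface", "protocol")


def parse_rule(line):
    """Split an exported 'add key=value ...' line into a dict."""
    tokens = shlex.split(line)  # shlex keeps quoted comment="..." values together
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an exported 'add ...' line")
    return dict(tok.split("=", 1) for tok in tokens[1:])


def mismatches(rule, packet):
    """Return the rule's matchers that the packet fails (empty list = match)."""
    return [k for k in MATCHERS if k in rule and str(packet.get(k)) != rule[k]]


def translate(rule, packet):
    """Rewrite the destination if every matcher agrees, else leave it alone."""
    if mismatches(rule, packet):
        return packet
    return {**packet, "dst-address": rule["to-addresses"],
            "dst-port": rule["to-ports"]}


# Constructed packets: same destination, different ingress interface.
# "bridge" as the LAN-side interface name is an assumption.
FROM_MOBILE = {"in-interface": "ether1", "protocol": "tcp",
               "dst-address": "122.107.35.32", "dst-port": "8000"}
FROM_WIFI = {**FROM_MOBILE, "in-interface": "bridge"}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, pkt in (("mobile network", FROM_MOBILE), ("LAN Wi-Fi", FROM_WIFI)):
        out = translate(rule, pkt)
        print(f"{name}: failed matchers={mismatches(rule, pkt)} "
              f"-> {out['dst-address']}:{out['dst-port']}")
```

A port forward restricted with in-interface=ether1 can only be verified from a client whose traffic actually arrives on ether1.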
 
bitcohen
just joined
Posts: 2
Joined: Sat Feb 10, 2018 5:28 pm

Re: simple port forwarding not working

Sat Feb 10, 2018 6:38 pm

I'm having the same issue, it's almost embarrassing to admit.
Ever since I upgraded my Mikrotiks to v6.20 simple port forwarding doesn't work. I tried sniffing, inbound and outbound. Traffic comes and goes, I cannot capture packets on the WAN so I can't tell you if NAT is actually translating the source address.
And yes, the default gateway on the internal host is correct.
