/ip firewall nat add action=netmap chain=dstnat dst-port=139 protocol=tcp to-addresses=192.168.123.123 to-ports=139you're never sleep, hahI'm not sure action=netmap accepts a single IP address as to-addresses value, you should use action=dst-nat instead. And put back the src-address=your.current.ip.address, as it was not the reason why it did not work. Plus you don't need to use to-ports if you don't need to change the original dst-port value.
No, didn't help.try action dst-nat instead of netmap and specify in-interface.
Do you have counters moving in this rule? If yes, then problem in PCs.No, didn't help.try action dst-nat instead of netmap and specify in-interface.
I have several perfectly working forwards like rdp, vnc and ssh, but problem with samba.
Samba also uses 445 for file sharing it is after all microsoft-ds so same port you'd open on windows, 139 you don't need across the internet they'll get to you by public ip address or dns name no need for Netbios name resolution, use a dst-nat rule to forward 445 to your samba host and may god help you, security wise i mean. make sure you have the latest build of samba pkg for you distro.No, didn't help.try action dst-nat instead of netmap and specify in-interface.
I have several perfectly working forwards like rdp, vnc and ssh, but problem with samba.
Mangle is empty. NAT is full of netmap rules, simple port forwarding, no samba ports.Export your filter, mangle and Nat rules.
/ip firewall filter
add action=accept chain=input comment=PPTPD dst-port=1723 protocol=tcp
add action=drop chain=forward dst-address-list="***" protocol=!icmp src-address=192.168.123.123
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=INVALID
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=internet
add action=accept chain=input comment=defconf connection-state=established,related
add action=drop chain=input comment=defconf in-interface-list=internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=internet src-address=192.168.123.0/24No, there are not even 3-digit ports in my rules, only 2,4,5-digits.Again all rules are needed to determine which one is causing the problem something is forwarding your publicip:445 to an internal host before it gets to the samba dst-nat rule,try in nat move the samba dst-nat to the begginng of the list am sure it'll work or your samba is blocking connections.
*netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
Not familiar with this, but clearly if your nat chain is full of netmaps you're mapping 1:1 so you can't use the same public ip of any netmap rules for samba since the port 445 is already mapped to another internal ip.
No, I have several netmap rules with different ports. I can change any netmap action to dst-nat action and it works. And I tried to place samba rules on top.I may be wrong, but I believe action=netmap ignores ports even if you provide dst-port as rule parameter. So if a netmap rule is before a dst-nat one and matches, the dst-nat one never sees the packet.
/ip firewall mangle
add action=passthrough chain=prerouting protocol=tcp dst-port=139
add action=passthrough chain=prerouting protocol=tcp dst-port=445
netmap is a direct 1:1 mapping public to private there is no port choosing here that is in dst-nat.*netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
i wouldn't discard this, it's very possible if you are just been handed /24 bit address blocks and ISP knows you're corporate and might be unpatched.If they count packets when you attempt the SMB connection, the issue is in your firewall; if they don't, your ISP is blocking the port whose rule does not count.