
 
Sohraab
just joined
Topic Author
Posts: 5
Joined: Wed Apr 27, 2016 9:02 am

Port Forwarding Not Working

Thu Dec 06, 2018 1:11 am

Hello All,
I have set up a VOIP server with address 10.10.1.1.
Also I have a VOIP service that comes from a VOIP provider in a private network (VOIP gateway address 10.105.20.134) and I have set up 10.123.232.61/24 on my router. I can ping the VOIP gateway IP address fine.
Now I need some rule to receive requests from the VOIP provider, same as this:

0 chain=dstnat action=dst-nat to-addresses=10.10.1.1 to-ports=5060
protocol=udp src-address=10.105.20.134 dst-address=10.123.232.61
dst-port=5060 log=no log-prefix=""

But it does not work :(

I used Torch for monitoring interface
# Eth. Protocol Protocol Src. Dst. VLAN Id DSCP Tx Rate Rx Rate Tx Packet Rate Rx Packet Rate
0 800 (ip) 17 (udp) 10.105.20.134:5060 (sip) 10.123.232.61:5060 (sip) 0 bps 3.1 kbps 0 0

Where is my mistake?
 
sebastia
Long time Member
Posts: 684
Joined: Tue Oct 12, 2010 3:23 am

Re: Port Forwarding Not Working

Thu Dec 06, 2018 1:30 am

Hi

The forward needs to be allowed in filter table too. In default config, it's done auto for all "dst-nat"-ed connections. If you have modified it, you need to allow it.

/ip firewall filter add chain=forward ...
 
Sohraab
just joined
Topic Author
Posts: 5
Joined: Wed Apr 27, 2016 9:02 am

Re: Port Forwarding Not Working

Thu Dec 06, 2018 1:53 am

Thanks for your reply.

There is no rule in filter table.
 
sebastia
Long time Member
Posts: 684
Joined: Tue Oct 12, 2010 3:23 am

Re: Port Forwarding Not Working

Thu Dec 06, 2018 1:58 am

would you mind posting your config?

"/export hide-sensitive compact"
 
Sohraab
just joined
Topic Author
Posts: 5
Joined: Wed Apr 27, 2016 9:02 am

Re: Port Forwarding Not Working

Thu Dec 06, 2018 2:16 am

would you mind posting your config?

"/export hide-sensitive compact"


# model = CCR1036-12G-4S
# serial number = 76C182F2Y7S9
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-Clients
set [ find default-name=ether3 ] name=ether3-pbx
set [ find default-name=ether11 ] name=ether11-tctvoip
set [ find default-name=ether12 ] name=ether12-internet
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether12-internet name=\
internet user=aaa
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.26.1-192.168.26.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 lease-time=\
3d10m name=dhcp1
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface detect-internet
set detect-interface-list=all
/interface pptp-server server
set enabled=yes
/ip address
add address=10.10.1.254/24 interface=ether3-pbx network=10.10.1.0
add address=10.123.232.61/24 interface=ether11-tctvoip network=10.123.232.0
add address=192.168.26.254/24 interface=ether2-Clients network=192.168.26.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
ether11-tctvoip use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.26.0/24 dns-server=10.2.1.1,4.2.2.4,8.8.8.8 gateway=\
192.168.26.254

/ip firewall nat
add action=dst-nat chain=dstnat comment="tct voip----> local voip server" \
dst-address=10.123.232.61 dst-port=5060 protocol=udp src-address=\
10.105.20.134 to-addresses=10.10.1.1 to-ports=5060
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1
add action=masquerade chain=srcnat src-address=1.1.1.2

/ip route
add check-gateway=ping distance=1 gateway=10.123.232.1 routing-mark=TEST
add comment="To tct gateway" distance=1 dst-address=10.105.20.134/32 gateway=\
10.123.232.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=51.37.172.106/23 disabled=yes port=8021
set ssh disabled=yes
set winbox port=23321
set api-ssl disabled=yes
/ppp secret
add local-address=1.1.1.1 name=sohraab remote-address=1.1.1.2 service=pptp
 
anav
Forum Guru
Posts: 1139
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding Not Working

Thu Dec 06, 2018 3:51 am

These look all wrong to me..........
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1
add action=masquerade chain=srcnat src-address=1.1.1.2


Plus I don't see any firewall rules and thus the config is not ready to put on the net!
(in the forward chain of firewall rules you would want this one)
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
 
sebastia
Long time Member
Posts: 684
Joined: Tue Oct 12, 2010 3:23 am

Re: Port Forwarding Not Working

Thu Dec 06, 2018 2:44 pm

Some observations

# You know what your internet interface is => pppoe, would suggest to disable it as it caused issues in other instances
/interface detect-internet
set detect-interface-list=all

# There is a fixed ip set & dhcp together? dhcp-client can / should probably be disabled/removed.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
ether11-tctvoip use-peer-dns=no use-peer-ntp=no

# out interface is .26. and src too?, is that even needed both have router as default gateway anyway
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24

# you should remove the src-address, as you want all traffic to be masqueraded 
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11

# .100. address is not set on this router. This rule should be removed.
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1

# 1.2 address is not set on this router. This rule should be removed.
add action=masquerade chain=srcnat src-address=1.1.1.2

# This one is currently unused
add check-gateway=ping distance=1 gateway=10.123.232.1 routing-mark=TEST


currently there is no filtering at all: so once dstnat-ed it will pass to voip -> pbx. but in reverse there is also translation needed, src-nat pbx -> voip
add action=src-nat chain=srcnat out-interface=ether11-tctvoip to-addresses=10.123.232.61


you would want to secure the router if connected to internet: see https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
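
Added example, not part of any post in this thread: a small Python audit of a RouterOS /export that flags the two conditions raised above, an empty forward chain and a forward chain that drops traffic without accepting connection-nat-state=dstnat. The sample export is constructed (abridged from the one posted above); the function names and finding texts are assumptions of this example, and the checks are heuristics.

```python
import re

# Constructed sample: abridged from the export posted in this thread.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=dst-nat chain=dstnat comment="tct voip----> local voip server" \
    dst-address=10.123.232.61 dst-port=5060 protocol=udp src-address=\
    10.105.20.134 to-addresses=10.10.1.1 to-ports=5060
add action=masquerade chain=srcnat src-address=1.1.1.2
/ip route
add distance=1 dst-address=10.105.20.134/32 gateway=10.123.232.1
'''

def parse_export(text):
    """Map each menu path (e.g. '/ip firewall nat') to its rules as dicts."""
    # The export wraps long lines with a trailing backslash; re-join them.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = menus.setdefault(line, [])
        elif line and not line.startswith('#') and current is not None:
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(menus):
    """Heuristic findings about dst-nat rules versus the forward chain."""
    nat = menus.get('/ip firewall nat', [])
    forward = [r for r in menus.get('/ip firewall filter', [])
               if r.get('chain') == 'forward']
    dstnat = [r for r in nat if r.get('action') == 'dst-nat']
    drops = any(r.get('action') in ('drop', 'reject') for r in forward)
    allows = any(r.get('action') == 'accept'
                 and r.get('connection-nat-state') == 'dstnat' for r in forward)
    findings = []
    if not forward:
        findings.append('forward chain is empty: all routed traffic passes unfiltered')
    elif not drops:
        findings.append('forward chain has no drop rule: nothing is blocked')
    elif dstnat and not allows:
        findings.append('forward chain drops but has no accept for '
                        'connection-nat-state=dstnat: port forwards may be blocked')
    return findings

if __name__ == '__main__':
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```
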
