SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

cannot port forward on internal LAN

Sun Mar 17, 2019 11:09 am

Hi,

My Android media player cannot be rooted so I cannot get Samba working on the default ports 139 and 445, so I want to forward traffic on the local LAN from ports 139 to 1139 and 445 to 4455, but it's been unsuccessful.
All my LAN devices connect using wireless through a "RouterBOARD cAP Gi-5acD2nD" on the IP subnet 192.168.10.0/24. The Android media player uses IP 192.168.10.50 (fixed in DHCP).

I have the following firewall and NAT rules, yet cannot connect to it from Windows / Linux:

Samba works as expected on the Android Media Player, as I can connect to the Shared folders from another Android device using Port 4455. Windows doesn't allow SMB to work on another port.


Firewall rules
[admin@MikroTik] /ip firewall nat> /ip firewall export
# mar/17/2019 11:06:49 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = xxx
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward dst-address=192.168.10.50 dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445
add action=accept chain=forward dst-address=192.168.10.50 dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=139
add action=drop chain=input in-interface-list=!LAN
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=192.168.10.50 dst-port=4455 protocol=tcp src-address=192.168.10.0 src-port=139
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-LTE
add action=masquerade chain=srcnat disabled=yes out-interface=ether2-PoeOut to-addresses=0.0.0.0
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445 to-addresses=192.168.10.50 to-ports=4455
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=1139 to-addresses=192.168.10.50 to-ports=1139
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
NAT Rules
[admin@MikroTik] /ip firewall nat> /ip firewall nat export
# mar/17/2019 11:07:42 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = xxx
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-LTE
add action=masquerade chain=srcnat disabled=yes out-interface=ether2-PoeOut to-addresses=0.0.0.0
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445 to-addresses=192.168.10.50 \
to-ports=4455
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=1139 to-addresses=192.168.10.50 \
to-ports=1139
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
[admin@MikroTik] /ip firewall nat>
Filter rules
[admin@MikroTik] /ip firewall nat> /ip firewall filter export
# mar/17/2019 11:12:24 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = 817E07FC6F48
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward dst-address=192.168.10.50 dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445
add action=accept chain=forward dst-address=192.168.10.50 dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=139
add action=drop chain=input in-interface-list=!LAN


P.S. Why can't I paste more than one "code /code" section?
 
anav
Forum Guru
Posts: 19116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: cannot port forward on internal LAN

Sun Mar 17, 2019 3:19 pm

/export hide-sensitive file=yourconfigmar17
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: cannot port forward on internal LAN

Sun Mar 17, 2019 4:48 pm

> /export hide-sensitive file=yourconfigmar17
That's random.
What other settings are you looking for?
 
anav
Forum Guru
Posts: 19116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: cannot port forward on internal LAN

Sun Mar 17, 2019 4:49 pm

My least favourite game is whackamole! ;-)
https://www.youtube.com/watch?v=kbyekup6i6U

This is analogous to my troubleshooting skills as well. :-)
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: cannot port forward on internal LAN

Mon Mar 18, 2019 6:02 pm

Can anyone help me with this, please?
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: cannot port forward on internal LAN

Mon Mar 18, 2019 7:49 pm

To do port forwarding for the internal LAN, you'd have to force all LAN traffic through the router ... if all clients are wireless and the samba server is wired, then this might be possible by setting
/interface bridge settings set use-ip-firewall=yes
...
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: cannot port forward on internal LAN

Mon Mar 18, 2019 8:01 pm

> To do port forwarding for the internal LAN, you'd have to force all LAN traffic through the router ... if all clients are wireless and the samba server is wired, then this might be possible by setting
> /interface bridge settings set use-ip-firewall=yes
> ...
Everything is wireless, except for the LTE router.
I already have that setting.
[admin@MikroTik] > /interface bridge export
# mar/18/2019 20:00:04 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = 817E07FC6F48
/interface bridge
add admin-mac=64:D1:54:F6:18:01 auto-mac=no comment=defconf name=bridge
/interface bridge filter
add action=drop chain=forward in-interface=Wifi-5G-Guest
add action=drop chain=forward out-interface=Wifi-5G-Guest
add action=drop chain=forward in-interface=Wifi-Guest
add action=drop chain=forward out-interface=Wifi-Guest
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1-LTE
add bridge=bridge comment=defconf interface=ether2-PoeOut
add bridge=bridge comment=defconf interface=Wifi
add bridge=bridge comment=defconf interface=Wifi-5G
add bridge=bridge interface=Wifi-5G-Guest
add bridge=bridge interface=Wifi-Guest
/interface bridge settings
set use-ip-firewall=yes
[admin@MikroTik] > 
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: cannot port forward on internal LAN

Mon Mar 18, 2019 9:15 pm

OK. Next is to dump all your current NAT rules as they are just a heap of random garbage. Keep only
add action=masquerade chain=srcnat out-interface-list=WAN
If your WAN interface is lte1, then add lte1 to interface list WAN instead of adding another NAT rule.

For making LAN to LAN port translation you have to construct proper dst-nat rule. Something like this:
add action=dst-nat chain=dstnat dst-address=192.168.10.50 protocol=tcp dst-port=445 to-ports=4455

The above rule (or something alike) will only work if traffic passes router both ways ... meaning the return traffic needs to pass router as well. In your case that's true (wired to wireless will pass router), but wired-to-wired might skip router's CPU ...
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: cannot port forward on internal LAN

Mon Mar 18, 2019 10:17 pm

> OK. Next is to dump all your current NAT rules as they are just a heap of random garbage. Keep only
> add action=masquerade chain=srcnat out-interface-list=WAN
> If your WAN interface is lte1, then add lte1 to interface list WAN instead of adding another NAT rule.
>
> For making LAN to LAN port translation you have to construct proper dst-nat rule. Something like this:
> add action=dst-nat chain=dstnat dst-address=192.168.10.50 protocol=tcp dst-port=445 to-ports=4455
>
> The above rule (or something alike) will only work if traffic passes router both ways ... meaning the return traffic needs to pass router as well. In your case that's true (wired to wireless will pass router), but wired-to-wired might skip router's CPU ...
Thanks, this is almost working but not quite yet.

There is no wired to wireless connection. Everything is wireless. With your rule, slightly modified (to log the results), I see the following in the log, yet Windows still cannot connect to the Samba share:
22:13:31 firewall,info dstnat: in:bridge(Wifi-5G) out:(unknown 0), src-mac 0c:54:15:7f:68:63, proto TCP (SYN), 192.168.10.100:62299->192.168.10.50:4 len 52
22:13:31 firewall,info dstnat: in:bridge(Wifi-5G) out:(unknown 0), src-mac 0c:54:15:7f:68:63, proto TCP (SYN), 192.168.10.100:62300->192.168.10.50:4 len 52

The Android media player connects to Wifi (192.168.10.50), while my laptop connects to Wifi-5G (192.168.10.100). Both wireless interfaces are on the same bridge.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: cannot port forward on internal LAN

Tue Mar 19, 2019 1:54 pm

Oh, great, I've never met a guy who's moving his NAS around ... making wired LAN connection unfeasible.

You'll have to set default-forwarding=no on your wifi interfaces ... so that the wifi adapter won't directly forward packets between a pair of wireless clients. I just hope that the RB will, after performing NAT, push the packet back to the wifi interface (which normally doesn't happen if the bridge operates as a usual switch).
If it doesn't, then my next idea would be to have NAS on separate subnet ... in that case, no special setup on bridge would be necessary as traffic between two subnets automatically flows via router's CPU.

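Pulling the thread's three pieces of advice together (use-ip-firewall on the bridge, a dst-nat rule keyed on the client's destination port, default-forwarding=no on the wireless interfaces), here is an added example of the complete configuration. It is the editor's, not something posted in the thread, and it reuses only the addresses and names that appear above (192.168.10.0/24, 192.168.10.50, the Wifi and Wifi-5G interfaces, ether1-LTE and the WAN interface list); the rule comments, the hairpin masquerade rule and the verification commands are additions. Note why the original rules never matched: they selected on src-port=445/139, but a client's source port is ephemeral; only the destination port is 445 or 139.

```routeros
# Added example, RouterOS 6.x syntax. Same-subnet ("hairpin") port translation
# for SMB towards 192.168.10.50, which listens on 4455 and 1139 instead of
# 445 and 139. Names/addresses are taken from the thread; comments are ours.

# 1. Bridged traffic must reach the IP firewall, otherwise the dstnat chain
#    never sees a LAN-to-LAN packet and no translation can happen.
/interface bridge settings
set use-ip-firewall=yes

# 2. Stop the wireless driver from relaying client-to-client frames itself.
#    Both directions of every flow now go up through the bridge and the CPU,
#    so connection tracking can apply the reverse translation to replies.
/interface wireless
set Wifi default-forwarding=no
set Wifi-5G default-forwarding=no

# 3. Internet NAT: one masquerade rule keyed on the WAN list, and the LTE
#    uplink is made a member of that list instead of getting its own rule.
/interface list member
add interface=ether1-LTE list=WAN

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="WAN masquerade"

# 4. LAN-to-LAN port translation. Match what the CLIENT sends: dst 445/139.
#    src-address is restricted to the LAN so nothing from WAN can reach the
#    translation; dst-address stays the same, only the port is rewritten.
add chain=dstnat action=dst-nat src-address=192.168.10.0/24 \
    dst-address=192.168.10.50 protocol=tcp dst-port=445 to-ports=4455 \
    comment="SMB 445 -> 4455 on media player"
add chain=dstnat action=dst-nat src-address=192.168.10.0/24 \
    dst-address=192.168.10.50 protocol=tcp dst-port=139 to-ports=1139 \
    comment="NetBIOS 139 -> 1139 on media player"

# 5. Hairpin: srcnat runs after dst-nat, so the ports are already 4455/1139
#    here. Masquerading makes the server answer the ROUTER, which guarantees
#    the reply is un-translated even if a path would otherwise bypass the CPU.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.50 protocol=tcp dst-port=4455,1139 \
    comment="hairpin for translated SMB"

# 6. Verify from a client (e.g. \\192.168.10.50 from the 192.168.10.100
#    laptop), then confirm the counters on the translation rules move:
/ip firewall nat print stats where comment~"media player"
```

Two caveats worth knowing before copying this. With use-ip-firewall=yes every bridged frame, including wireless-to-wireless traffic between your own devices, is processed by the CPU and by the forward chain, so any forward drops you add later (or the existing guest-isolation bridge filters) now apply to intra-LAN flows as well. And the hairpin masquerade means the Android host sees all translated SMB connections as coming from the router's address, so host-side allow-lists or logs on 192.168.10.50 no longer identify the real client; if you need that, drop rule 5 and rely on default-forwarding=no alone to bring replies back through the router.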