cwsupport
just joined
Topic Author
Posts: 4
Joined: Mon Apr 08, 2019 5:30 pm

dst-nat with changing port

Tue May 14, 2019 9:23 pm

I am attempting to forward ssh connections that connect to a WAN-side address on one interface at port 8122 and forward them to address 172.21.2.3 port 22.

If I change the rule to forward xxx.xxx.xxx.xxx port 22 to 172.21.2.3 port 22, the connection is successful:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=22 log=\
yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

However, if I change the dst-port on the same rule to 8122 and attempt to connect, it times out:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=8122 log=\
yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

add action=accept chain=forward dst-address=\
172.21.2.3 dst-port=22 log=yes protocol=tcp

I have also tried allowing forwarding and input to port 22 and 8122 to no avail.

I can provide any other specifics.
Thanks
 
baragoon
Member Candidate
Posts: 120
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: dst-nat with changing port

Wed May 15, 2019 10:08 am

/ip firewall nat
add action=netmap chain=dstnat dst-address=WAN.IP.ADD.RESS dst-port=8122 protocol=tcp to-addresses=172.21.2.3 to-ports=22
should work
 
Anumrak
Forum Veteran
Posts: 944
Joined: Fri Jul 28, 2017 2:53 pm

Re: dst-nat with changing port

Wed May 15, 2019 10:48 am

You should check the availability of your changed port from outside, for example on some web site that can check it. If it is closed, then your ISP is just filtering unknown ports. Also, you have to have a globally unique IP address, not one from a private range.
 
vecernik87
Long time Member
Posts: 617
Joined: Fri Nov 10, 2017 8:19 am

Re: dst-nat with changing port

Wed May 15, 2019 11:02 am

@cwsupport: Netmap is not necessary.
Its only advantage is that it allows a range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because the OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch to it.

@baragoon: Is it possible that some other firewall rule interferes with it? I tried to set it up on a completely blank lab router and it worked without issue. The following is my config:
/ip firewall filter
add action=accept chain=forward comment="Allow established traffic" connection-state=established,related
add action=accept chain=forward comment="Allow new SSH traffic from WAN to LAN" dst-address=10.245.25.95 dst-port=22 protocol=tcp
add action=accept chain=forward comment="Allow traffic from LAN to WAN" in-interface=ether5 out-interface=ether2
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=masquerade out-interface=ether2
add action=dst-nat chain=dstnat dst-address=10.245.24.229 dst-port=8122 protocol=tcp to-addresses=10.245.25.95 to-ports=22
(10.245.24.0/24 is lab's WAN, 10.245.25.0/24 is internal network)

With this, all I need is to run the SSH command (for example, on Linux):
ssh vecernik@10.245.24.229 -p 8122

Instantly after running this command, I see that both counters, on the forward rule (allow SSH traffic) and on the dstnat rule, got increased - that proves that my connection reached the router.
It is important to allow forwarding on the way back, typically using a filter rule (chain forward, allow established/related).

If your counters don't increase, your router is not even being reached on that port number. It is not uncommon for an ISP to block some port numbers.
If your counters increase, that proves your router was reached and the ip+port were translated.

If you can't figure it out, you can either share the rest of your config (as always, feel free to mask sensitive info) or you can try to use the packet sniffer to see where you lose your data. There should be a clearly visible packet coming into your WAN interface, then going out from your LAN interface. After that, there should be a reply coming into your LAN interface and again going out from the WAN interface. If one of these steps does not show up, that's where your problem is :)

@Anumrak: Good point about a non-public IP on the WAN! I didn't think about that.
 
Anumrak
Forum Veteran
Posts: 944
Joined: Fri Jul 28, 2017 2:53 pm

Re: dst-nat with changing port

Wed May 15, 2019 11:18 am

We're all here to help ;)
 
cwsupport
just joined
Topic Author
Posts: 4
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Wed May 15, 2019 11:48 pm

Hi, thanks for the replies so far. Here is some more info:

Definitely a public ip and the port is open.
I have rules allowing established/related packets, etc.
This seems to be a strange issue in this case. I haven't done a packet capture yet, but I can see the SYN packet logged in the tik on port 8122, but nothing in the log beyond that. If I set it to 22, I see a similar initial packet logged and then I see post-NAT packets leave. I have a very similar configuration on a CHR running 6.43.2 and just did a quick test and confirmed no issue with the expected configuration. These 2 new CHRs are running 6.44.3. I think I may spin up one running 6.43.2 and migrate the configuration to see if it is just with this version. Thanks for the help so far.
 
vecernik87
Long time Member
Posts: 617
Joined: Fri Nov 10, 2017 8:19 am

Re: dst-nat with changing port

Thu May 16, 2019 1:38 am

Thanks for the update.
Personally I don't think this has something to do with the version. If you are sure that the packet enters the MikroTik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). To understand how the process of packet forwarding works, you might be interested in the following article: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
As you are tracking your packet going through the flow diagram, you can relatively easily log it with Mangle (prerouting/forward/postrouting chains), Filter (forward chain) and NAT (dstnat chain). Just be careful to interpret the results correctly - rules which occur before the "dstnat" block (mangle-prerouting and raw-prerouting) need to be set up with your public IP and public port, while rules which occur after the "dstnat" block (all remaining) need to be set up with your internal IP and internal port. (Just making sure, because it is common to misunderstand packet flow and misconfigure the rules.)
Also keep in mind that rules in each table are evaluated according to their number, so it matters which rule comes first and which second. Some of your existing rules might be preventing you from doing this.
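A small Python model, added here and not code from any poster or from MikroTik, of the packet-flow ordering vecernik87 describes in this post and of the rule counters used for troubleshooting in the earlier one: a mangle prerouting rule still sees the public IP and port 8122, dst-nat rewrites the destination, and a forward-chain rule only matches when written with 172.21.2.3:22. The WAN address is the masked aaa.bb.ccc.218 from the posted export; chain names and the `simulate` helper are this example's own.

```python
from collections import namedtuple
from dataclasses import dataclass
Packet = namedtuple("Packet", "proto dst dport")        # only the fields the rules look at

@dataclass
class Rule:
    chain: str                   # "mangle-prerouting", "dstnat" or "forward"
    action: str                  # "log" (passthrough), "dst-nat", "accept", "drop"
    proto: str = None            # None = matcher not set (matches anything), as in RouterOS
    dst: str = None
    dport: int = None
    to_dst: str = None
    to_port: int = None
    hits: int = 0                # the per-rule counter shown in Winbox/CLI

    def matches(self, pkt):
        return all(v is None or getattr(pkt, k) == v
                   for k, v in (("proto", self.proto), ("dst", self.dst), ("dport", self.dport)))

def run_chain(rules, chain, pkt):
    """Evaluate one chain top to bottom; the first terminating match wins."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        r.hits += 1
        if r.action == "log":
            continue                                      # log does not end the chain
        if r.action == "dst-nat":                         # rewrite destination, leave chain
            return "dst-nat", Packet(pkt.proto, r.to_dst, r.to_port)
        return r.action, pkt
    return "none", pkt                                    # no match: chain default is accept

def forward(rules, pkt):
    """Packet-flow order for a transit packet: mangle prerouting -> dstnat -> filter forward."""
    _, pkt = run_chain(rules, "mangle-prerouting", pkt)   # still sees WAN IP:8122 here
    _, pkt = run_chain(rules, "dstnat", pkt)              # translation happens here
    verdict, pkt = run_chain(rules, "forward", pkt)       # sees 172.21.2.3:22 here
    return ("accept" if verdict == "none" else verdict), pkt

WAN, LAN_HOST = "aaa.bb.ccc.218", "172.21.2.3"            # masked WAN and target from the thread

def simulate(forward_dst, forward_dport):
    """One constructed client SYN through the chains; returns (verdict, final packet, hit counters)."""
    rules = [
        Rule("mangle-prerouting", "log", proto="tcp", dst=WAN, dport=8122),
        Rule("dstnat", "dst-nat", proto="tcp", dst=WAN, dport=8122, to_dst=LAN_HOST, to_port=22),
        Rule("forward", "accept", proto="tcp", dst=forward_dst, dport=forward_dport),
        Rule("forward", "drop"),                          # the export's "DropElse"
    ]
    verdict, out = forward(rules, Packet("tcp", WAN, 8122))
    return verdict, out, [r.hits for r in rules]
```

`simulate("172.21.2.3", 22)` accepts with counters [1, 1, 1, 0]; `simulate("aaa.bb.ccc.218", 8122)` falls through to the drop rule with counters [1, 1, 0, 1], which is the mistake the post warns about.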
 
rbnewfan
just joined
Posts: 23
Joined: Sat Oct 22, 2016 5:23 pm

Re: dst-nat with changing port

Thu May 16, 2019 10:11 am

On 6.44.3 I have NAT rules that change ports from outside to inside and they work OK.
There is something else in your config(s) (not necessarily in your tik devices) for sure that screws things up.
 
anav
Forum Guru
Posts: 2613
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dst-nat with changing port

Thu May 16, 2019 3:33 pm

Post your config
/export hide-sensitive file=yourconfigmay16
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
cwsupport
just joined
Topic Author
Posts: 4
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Thu May 16, 2019 5:33 pm

Here it is.

# may/16/2019 08:51:21 by RouterOS 6.44.3
# software id =
#
#
#
/interface bridge
add name=lo
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-Lan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-Wan
set [ find default-name=ether3 ] disable-running-check=no name=\
ether3-IntraNet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=172.21.0.8
/ip address
add address=172.19.19.2/29 disabled=yes interface=ether2-Wan network=\
172.19.19.0
add address=172.19.19.10/30 interface=ether3-IntraNet network=172.19.19.8
add address=172.21.0.8 interface=lo network=172.21.0.8
add address=172.21.2.1/28 interface=ether1-Lan network=172.21.2.0
add address=aaa.bb.ccc.218/29 interface=ether2-Wan network=aaa.bb.ccc.216
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.22.0.0/24 list=CW_Mgmt
add address=aa.aa.aa.4 list=CW_Mgmt
add address=aa.aa.aa.10 list=CW_Mgmt
add address=172.22.0.0/24 list=InternalNets
add address=172.21.0.0/16 list=InternalNets
/ip firewall filter
add action=drop chain=input comment=Inv connection-state=invalid
add action=drop chain=forward comment=Inv connection-state=invalid
add action=accept chain=input comment=Est/Rel connection-state=\
established,related
add action=accept chain=forward comment=Est/Rel connection-state=\
established,related
add action=accept chain=input comment=CW_Mgmt src-address-list=CW_Mgmt
add action=accept chain=forward comment=CW_Mgmt src-address-list=CW_Mgmt
add action=accept chain=forward comment="PWC SSH Access" dst-address=\
172.21.2.3 dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="Drop SSH brute force" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="SSH Block stage 3" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="SSH Block stage 2" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="SSH Block stage 1" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="SSH Block stage 0" \
connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop ftp brute force if ftp is enabled" \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="Limit bad ftp attempts to 10/min" \
content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=\
tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment=\
"Add ftp brute force ip to address list" content="530 Login incorrect" \
protocol=tcp
add action=accept chain=input comment=WinboxExternalAccess dst-port=8291 \
protocol=tcp src-address-list=CW_Mgmt
add action=accept chain=input comment=TimeService protocol=udp src-port=15252
add action=accept chain=input comment=SSHExternalAccess dst-port=22 protocol=\
tcp
add action=accept chain=input comment=ospfExternalAccess protocol=ospf
add action=accept chain=input comment=SSLWebConfigExternalAccess dst-port=\
10101 protocol=tcp
add action=accept chain=forward comment=LocalOut src-address=172.21.2.0/28
add action=accept chain=forward comment="DNS Server Access" dst-address=\
172.21.2.2 dst-port=53 protocol=udp
add action=drop chain=forward comment=DropElse
add action=drop chain=input comment=DropElse
/ip firewall nat
add action=dst-nat chain=dstnat comment="PWC SSH" dst-address=aaa.bb.ccc.218 \
dst-port=8122 log=yes protocol=tcp to-addresses=172.21.2.3 to-ports=22
add action=masquerade chain=srcnat comment="Masq Out" out-interface=\
ether2-Wan
/ip route
add distance=1 gateway=aaa.bb.ccc.217
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing ospf interface
add interface=ether3-IntraNet network-type=point-to-point
/routing ospf network
add area=backbone network=172.19.19.8/30
add area=backbone network=172.21.2.0/28
add area=backbone network=172.21.0.0/24
/system clock
set time-zone-name=America/Denver
/system identity
set name=nashCWchrFW01
 
cwsupport
just joined
Topic Author
Posts: 4
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Sat May 18, 2019 3:56 am

Bump due to forum issue yesterday
