gavinyo
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2019 4:18 am

Port Forwarding Not Working but Shows Packets

Tue Jul 09, 2019 4:22 am

Hi guys,

I'm trying to forward ports 1701, 500, and 4500 to internal IP 10.0.1.89.

I have a NAT rule set up to forward both TCP and UDP for the ports but no matter what I do I simply cannot get the ports to show as open through a port tester, nor can I access them.

I've even tried adding filter rules to accept all three ports, and still nada. Adding screenshots to show what I have set up.

Am I doing something wrong? I can see the packets and data coming in, but it just won't go through for some reason. Please help! I'm at my wits' end.
 
gavinyo
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2019 4:18 am

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 12:00 am

This is the full export of all of my NAT rules:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Winbox Temple" dst-port=8292 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8291
add action=dst-nat chain=dstnat comment="VPN for the temple" dst-port=1723 \
protocol=tcp to-addresses=10.0.1.4 to-ports=1723
add action=dst-nat chain=dstnat comment="Sonicwall CFG" dst-port=88 protocol=\
tcp to-addresses=10.0.1.9 to-ports=88
add action=dst-nat chain=dstnat comment="Temple From RDP" disabled=yes \
dst-port=3389 protocol=tcp to-addresses=10.0.1.4 to-ports=3389
add action=dst-nat chain=dstnat comment="Temple From RDP" disabled=yes \
protocol=tcp src-port=3389 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=4008 protocol=tcp \
to-addresses=10.0.1.9 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=4008 protocol=udp \
to-addresses=10.0.1.9 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=9001 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9001
add action=dst-nat chain=dstnat comment="EXT BANA UBNT" dst-port=1014 protocol=\
tcp to-addresses=10.0.1.14 to-ports=1014
add action=dst-nat chain=dstnat comment="UniFi Controller" dst-port=8443 \
protocol=tcp to-addresses=10.0.1.9 to-ports=8443
add action=dst-nat chain=dstnat comment=Spiceworks dst-port=9675 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9675
add action=dst-nat chain=dstnat comment="Mfi Controller" dst-port=2323 \
protocol=tcp to-addresses=10.0.1.9 to-ports=2323
add action=dst-nat chain=dstnat comment="Mfi Controller" dst-port=6443 \
protocol=tcp to-addresses=10.0.1.9 to-ports=6443
add action=dst-nat chain=dstnat comment="EXT ROCKET UBNT" dst-port=1002 \
protocol=tcp to-addresses=10.0.1.12 to-ports=1002
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT" dst-port=1003 \
protocol=tcp to-addresses=10.0.1.13 to-ports=1003
add action=dst-nat chain=dstnat comment="EXT TEMPLE MT" dst-port=1008 protocol=\
tcp to-addresses=10.0.1.13 to-ports=1003
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT ROCKET" dst-port=1041 \
protocol=tcp to-addresses=10.0.1.4 to-ports=1041
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT GIFT SHOP" dst-port=\
1042 protocol=tcp to-addresses=10.0.1.4 to-ports=1042
add action=dst-nat chain=dstnat comment="SERVER ALA" dst-port=1278 protocol=tcp \
to-addresses=10.0.1.9 to-ports=1278
add action=dst-nat chain=dstnat comment="EXT BANA Cams" dst-port=7071 protocol=\
tcp to-addresses=10.0.1.21 to-ports=7071
add action=dst-nat chain=dstnat dst-port=7072 protocol=tcp to-addresses=\
10.0.1.21 to-ports=7072
add action=dst-nat chain=dstnat dst-port=7073 protocol=tcp to-addresses=\
10.0.1.21 to-ports=7073
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT GUEST HOUSE" dst-port=\
10411 protocol=tcp to-addresses=10.0.1.4 to-ports=10411
add action=dst-nat chain=dstnat comment="EXT BANA CISCO" dst-port=10141 \
protocol=tcp to-addresses=10.0.1.21 to-ports=10141
add action=dst-nat chain=dstnat dst-port=3389 protocol=udp to-addresses=\
10.0.1.4 to-ports=3389
add action=dst-nat chain=dstnat comment="Temple Power" dst-port=8085 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8085
add action=dst-nat chain=dstnat comment="Temple C Cam" dst-port=8081 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8081
add action=dst-nat chain=dstnat comment="Temple W Cam" dst-port=8082 protocol=\
tcp to-addresses=192.168.1.10 to-ports=8082
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=6666 protocol=tcp to-addresses=\
10.0.1.9 to-ports=6666
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=9002 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9002
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 \
in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89 to-ports=\
1701
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-address=\
173.187.29.170 dst-port=1701 in-interface=ether1-gateway log=yes protocol=\
tcp to-addresses=10.0.1.89 to-ports=1701
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 \
in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 \
to-ports=500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 \
in-interface=ether1-gateway protocol=tcp to-addresses=10.0.1.89 to-ports=\
500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 \
in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89 to-ports=\
4500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 \
in-interface=ether1-gateway protocol=tcp to-addresses=10.0.1.89 to-ports=\
4500


Here are the filter rules. They were originally set to forward, but I changed them to input to see if that would help.
/ip firewall filter
add action=accept chain=input src-address=71.31.249.84
add action=accept chain=input disabled=yes dst-port=1701 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input disabled=yes dst-port=500 in-interface=ether1-gateway log=yes protocol=udp
add action=accept chain=input disabled=yes dst-port=500 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=forward dst-port=1701 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1-gateway
add action=accept chain=forward dst-address=10.0.1.89 dst-port=5309 protocol=tcp src-port=5309
 
ingdaka
Member Candidate
Posts: 183
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 12:20 am

When you create a dst-nat rule, it is not important to specify the in-interface, but you need to specify the destination address (WAN IP [public]).
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
mkx
Forum Guru
Posts: 3190
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 6:52 am

Are you sure that the firewall on 10.0.1.89 is not freaking out on inbound VPN connections?
BR,
Metod
 
gavinyo
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2019 4:18 am

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 7:47 am

Affirmative. I'm SSHed into the USG Pro at 10.0.1.89 and am running a sniff on those three ports, and I don't see any packets coming in.
 
AminYounessi
Trainer
Posts: 53
Joined: Wed Nov 23, 2016 7:39 am

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 8:14 am

Hi,

Please specify the right destination address in the General tab.
 
gavinyo
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2019 4:18 am

Re: Port Forwarding Not Working but Shows Packets

Wed Jul 10, 2019 8:41 am

Thank you! I've updated the dst address, but they still won't show as open.
 
giriv
just joined
Posts: 6
Joined: Mon Dec 07, 2015 6:39 pm

Re: Port Forwarding Not Working but Shows Packets

Fri Jul 12, 2019 8:31 pm

I've tried everything I can think of and can't get the traffic to pass through. Does anyone have any ideas?
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Port Forwarding Not Working but Shows Packets

Fri Jul 12, 2019 9:09 pm

Your NAT rules do not need a to-port unless you are changing ports. They should look like this:
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
Or you can combine them in one rule like:
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500,1701,4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
And your filter rule needs to be for chain=forward (or enable the default drop rule):
/ip firewall filter
add action=accept chain=forward dst-port=500,1701,4500 in-interface=ether1-gateway protocol=udp
Here are some other things that might be a factor:
  • If your USG's WAN is behind NAT and has a private IP, it is necessary to configure port forwarding on the upstream router to forward UDP ports 500, 1701, and 4500 to the USG's WAN address.
  • In pre-4.3.41 USG firmware, L2TP remote access VPN will not work if there are already one or more site-to-site IPsec VPNs configured. Please update to the latest firmware.
  • In controller versions prior to 5.7.22, if UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.
https://help.ubnt.com/hc/en-us/articles ... Access-VPN
 
giriv
just joined
Posts: 6
Joined: Mon Dec 07, 2015 6:39 pm

Re: Port Forwarding Not Working but Shows Packets

Sun Jul 14, 2019 6:37 am

Thank you! I've consolidated the rules as you recommended.

I also changed the filter rule to chain=forward.

I also did follow that Ubiquiti guide. Actually, those parts are what I'm trying to configure forwarding for.

The USG and controller firmware is up to date, so those two warnings shouldn't apply.
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding Not Working but Shows Packets

Sun Jul 14, 2019 11:19 pm

I would echo 2frogs recommendation for dst-nat rules.
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89

However, I do not agree with his assessment of moving them to forward filter rules. They are dst-nat rules, period.
What is correct is that with these dst-nat rules in place you still need a forward filter rule to allow that traffic past the firewall.
This can be accomplished by:
/ip firewall filter
# forward chain
add chain=forward action=accept comment="Allow port forwarding" \
in-interface=wan connection-state=new connection-nat-state=dstnat

This single rule permits all port forwarding rules from dst-nat to get through the firewall.
So get rid of any other filter rules you have in the forward chain for port forwarding.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
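To make the advice in 2frogs' and anav's posts checkable against a real export, here is an added Python script that is not from any poster or from MikroTik. It parses a RouterOS export in the format pasted earlier in the thread (including the `\` line continuations), then flags the pitfalls raised above: a dst-nat rule with no destination-address match, a redundant to-ports, accept rules for forwarded ports sitting in chain=input, and the absence of the single `connection-nat-state=dstnat` accept rule in chain=forward. Both sample exports inside it are constructed for the example, and 203.0.113.10 is a documentation-range placeholder for the router's public IP.

```python
"""Lint a RouterOS firewall export for the port-forwarding pitfalls discussed above."""
import shlex

# Constructed sample export in the same shape as the thread's (not the poster's real config).
BROKEN_EXPORT = r"""
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 \
in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89 to-ports=\
1701
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 \
in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 \
to-ports=500
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1-gateway protocol=udp
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
"""

# Constructed "after" export; 203.0.113.10 is a placeholder for the router's public WAN IP.
FIXED_EXPORT = r"""
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-address=203.0.113.10 \
dst-port=500,1701,4500 in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89
/ip firewall filter
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=ether1-gateway
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
"""


def parse_export(text):
    """Return (section, params) for every 'add' line, joining backslash line continuations
    the way the export format does: the backslash and newline are dropped, nothing is inserted."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line.strip():
            continue
        if line.startswith("/"):
            section = line.strip()  # e.g. "/ip firewall nat"
            continue
        tokens = shlex.split(line)  # handles comment="quoted value"
        if tokens and tokens[0] == "add":
            params = dict(tok.partition("=")[::2] for tok in tokens[1:])
            rules.append((section, params))
    return rules


def _ports(value):
    return {p for p in value.split(",") if p}


def lint_port_forwarding(text):
    """Return a list of findings; an empty list means none of the thread's pitfalls were seen."""
    rules = parse_export(text)
    nat = [p for s, p in rules if s == "/ip firewall nat" and p.get("disabled") != "yes"]
    flt = [p for s, p in rules if s == "/ip firewall filter" and p.get("disabled") != "yes"]
    findings, forwarded = [], set()

    for p in nat:
        if p.get("action") != "dst-nat":
            continue
        ports = p.get("dst-port", "")
        forwarded |= _ports(ports)
        tag = f"nat {p.get('protocol', 'any')}/{ports or '*'}"
        # Without a destination match the rule applies to every address reaching the
        # router on that interface, not only the public IP it was written for.
        if "dst-address" not in p and "dst-address-type" not in p:
            findings.append(f"{tag}: no dst-address (or dst-address-type) match")
        # to-ports equal to dst-port does nothing and only hides the real mapping.
        if p.get("to-ports") and p["to-ports"] == ports:
            findings.append(f"{tag}: to-ports={p['to-ports']} is redundant")

    # One generic forward accept for dst-nat'ed connections covers every forwarding rule.
    if not any(p.get("chain") == "forward" and p.get("action") == "accept"
               and p.get("connection-nat-state") == "dstnat" for p in flt):
        findings.append("filter: no 'chain=forward action=accept connection-nat-state=dstnat' rule")

    # Forwarded traffic is routed through the router, so it traverses chain=forward;
    # an accept in chain=input never sees it.
    for p in flt:
        hit = _ports(p.get("dst-port", "")) & forwarded
        if p.get("chain") == "input" and p.get("action") == "accept" and hit:
            findings.append(f"filter: accept for forwarded port(s) {','.join(sorted(hit))} "
                            "is in chain=input; it must be in chain=forward")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"== {name} ==")
        for finding in lint_port_forwarding(cfg) or ["no findings"]:
            print(" ", finding)
```

Paste the output of `/ip firewall export` into the text in place of the constructed sample to run it against your own router; disabled rules are ignored, just as the firewall ignores them.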
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Port Forwarding Not Working but Shows Packets

Mon Jul 15, 2019 3:02 am

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"
