mutluit
Forum Veteran
Topic Author
Posts: 754
Joined: Wed Mar 25, 2020 4:04 am

Doing a simple port forwarding

Thu Jun 11, 2020 6:20 pm

I have two routers in series. The 1st router does NAT, the 2nd router does not do NAT.
On the 1st router I'm port-forwarding to the 2nd router, and on the following
2nd router with IP 192.168.1xx (its "WAN" port) I'm trying to port-forward it further to the final destination LAN-IP 192.168.2xx:
.
/system routerboard print 
       routerboard: yes
        board-name: hAP ac^2
             model: RBD52G-5HacD2HnD
     serial-number: XXXXXXXX
     firmware-type: ipq4000L
  factory-firmware: 6.44
  current-firmware: 6.47
  upgrade-firmware: 6.47
.
/ip firewall nat
add chain=dstnat dst-address=192.168.1xx.xxx dst-port=xxxx action=dst-nat protocol=tcp to-address=192.168.2xx.xxx to-port=xxxx  
print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=192.168.2xx.xxx to-ports=xxxx protocol=tcp dst-address=192.168.1xx.xxx dst-port=xxxx
.
Question:
Why does the print output say "to-ports", i.e. plural?
Is it possible to forward a port to multiple ports at all, and would it make any sense?
Or is this just a minor bug in the print output?
 
anav
Forum Guru
Posts: 13750
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Doing a simple port forwarding

Thu Jun 11, 2020 6:36 pm

add chain=dstnat action=dst-nat protocol=tcp dst-port=xxxx,yyyy,zzzz to-addresses=192.168.88.5

add chain=dstnat action=dst-nat protocol=tcp dst-port=xxxx-yyyy to-addresses=192.168.88.5 (where xxxx-yyyy describes a range of 10 IPs)

add chain=dstnat action=dst-nat protocol=tcp dst-port=xxxx-yyyy to-addresses=192.168.88.5 to-ports=aaaa-bbbb (Where aaaa-bbbb describes a range of 10 IPs)
Last edited by anav on Thu Jun 11, 2020 7:28 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
mutluit
Forum Veteran
Topic Author
Posts: 754
Joined: Wed Mar 25, 2020 4:04 am

Re: Doing a simple port forwarding

Thu Jun 11, 2020 6:49 pm

add chain=dst-nat action=dstnat protocol=tcp dst-port=xxxx,yyyy,zzzz to-addresses=192.168.88.5

add chain=dst-nat action=dstnat protocol=tcp dst-port=xxxx-yyyy to-addresses=192.168.88.5 (where xxxx-yyyy describes a range of 10 IPs)

add chain=dst-nat action=dstnat protocol=tcp dst-port=xxxx-yyyy to-addresses=192.168.88.5 to-ports=aaaa-bbbb (Where aaaa-bbbb describes a range of 10 IPs)
Can you proof-read your posting as you introduced even more inconsistencies, IMO?
For example "action=dstnat": should that not be "action=dst-nat"?
And in the 2nd you say "where xxxx-yyyy describes a range of 10 IPs". What? It doesn't match the rest as the xxxx-yyyy belongs to dst-port=..., IMO.
Similar case in the 3rd.
 
mutluit
Forum Veteran
Topic Author
Posts: 754
Joined: Wed Mar 25, 2020 4:04 am

Re: Doing a simple port forwarding

Thu Jun 11, 2020 7:14 pm

The inconsistencies come from the examples on this wiki page, which I had used:
https://wiki.mikrotik.com/wiki/Manual:I ... forwarding
There "to-address=" and "to-port=" are given.
The CLI says "to-addresses=" and "to-ports=", but seems to accept both variants.
But I still wonder about what practical sense it makes to forward to more than one destination...
 
anav
Forum Guru
Posts: 13750
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Doing a simple port forwarding  [SOLVED]

Thu Jun 11, 2020 7:28 pm

Yes, thanks, I always mix those up from memory. Fixed on my post!

Practicality I suppose,
Any time you have multiple ports or a range of ports, going to the same LANIP, it is an opportunity to create a single rule (assuming same protocol).
Up to the admin if one wants to do so or not. The to-ports plural simply recognizes that at least for a range of ports, one may wish to translate them.

The example I have not used yet is multiple IP addresses (to-addresses). I would like to see how that would be used.
 
mutluit
Forum Veteran
Topic Author
Posts: 754
Joined: Wed Mar 25, 2020 4:04 am

Re: Doing a simple port forwarding

Thu Jun 11, 2020 8:13 pm

The port forwarding works ok:
iperf speed (iperf server in LAN, iperf client in Internet; Internet link is Gigabit):
[ ID] Interval        Transfer    Bandwidth       Reads   Dist(bin=16.0K)
[SUM] 0.00-10.09 sec  1.10 GBytes   938 Mbits/sec  89613    54856:34617:50:2:5:2:2:79
 
mutluit
Forum Veteran
Topic Author
Posts: 754
Joined: Wed Mar 25, 2020 4:04 am

Re: Doing a simple port forwarding

Thu Jun 11, 2020 8:23 pm

Any time you have multiple ports or a range of ports, going to the same LANIP, it is an opportunity to create a single rule (assuming same protocol).
Yes, indeed, makes sense.
 
anav
Forum Guru
Posts: 13750
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Doing a simple port forwarding

Thu Jun 11, 2020 9:23 pm

Some people like to keep them separate, with comments so that they know more easily what is configured on the router. If not concerned about CPU usage and #rules, I prefer less.

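Added example (not written by any poster in this thread, and not MikroTik code): when several ports are folded into one dst-nat rule as discussed above, a small audit can expand each rule back into the ports it actually exposes and note rules that carry no comment. The sample export, its addresses and ports, and the function names expand_ports and audit_dstnat are constructed for illustration; the parser assumes one rule per line and does not model the to-ports translation.

```python
import shlex

# Constructed sample in the style of the rules quoted in this thread
# (addresses and ports are made up, not taken from the posts).
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN disabled=yes
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.10 dst-port=8080 to-addresses=192.168.2.20 to-ports=80 comment="web"
add chain=dstnat action=dst-nat protocol=tcp dst-port=5000,5001,6000-6009 to-addresses=192.168.88.5
add chain=dstnat action=dst-nat protocol=udp to-address=192.168.88.6
"""

def expand_ports(spec):
    """Expand a port spec such as '80,443,6000-6009' into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def audit_dstnat(export_text):
    """Return one finding dict per enabled dst-nat rule in a NAT export."""
    findings = []
    for line in export_text.splitlines():
        if not line.startswith("add "):
            continue
        # shlex keeps a quoted comment="..." value together as one token
        props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if props.get("action") != "dst-nat" or props.get("disabled") == "yes":
            continue
        ports = expand_ports(props["dst-port"]) if "dst-port" in props else None
        notes = []
        if ports is None:
            notes.append("no dst-port: every port of this protocol is forwarded")
        elif len(ports) > 1:
            notes.append(f"one rule exposes {len(ports)} ports")
        if "comment" not in props:
            notes.append("no comment")
        findings.append({
            # the thread notes the CLI accepts singular and plural spellings
            "target": props.get("to-addresses") or props.get("to-address"),
            "protocol": props.get("protocol", "any"),
            "ports": ports,
            "notes": notes,
        })
    return findings
```
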