frankazoid
just joined
Topic Author
Posts: 1
Joined: Sat Aug 15, 2020 12:44 am

port forwarding on HEX lite

Sat Aug 15, 2020 12:50 am

Hi people! Been using MikroTik for a bit but still can't get the magic of port forwarding to work. I see the packet counter changing on the NAT page when I try to RDP on port 3389 or 13389, but don't see anything on the computer 88.253. How does it manage to escape?

I have removed inactive rules, so some numbers are missing.

[root@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
8 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
11 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
15 ;;; deny 8.8.4.4 via reserve internet channel
chain=output action=drop dst-address=8.8.4.4 out-interface=ether2 log=no log-prefix=""
16 chain=forward action=accept protocol=tcp dst-port=80,443 log=no log-prefix=""


[root@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; RDP
chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=3389 protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""

1 ;;; NAT ISP1
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none

2 ;;; NAT ISP2
chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix=""
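
As an added example (not part of the post and not MikroTik code): a small Python model of first-match evaluation over the forward chain printed above, to check which rule decides a dst-natted RDP connection arriving from WAN. The packet dictionaries are constructed samples, and the matcher is an assumption that covers only the properties these rules use.

```python
# Forward-chain rules transcribed from the "/ip firewall filter print" output
# in the first post (disabled rule 11 left out). A leading "!" negates a match.
FORWARD = [
    (0, "accept", {"protocol": "tcp",
                   "dst-port": "3390,3966,3990,3991,4132,3389,13389"}),
    (9, "accept", {"ipsec-policy": "in,ipsec"}),
    (10, "accept", {"ipsec-policy": "out,ipsec"}),
    (12, "accept", {"connection-state": "established,related,untracked"}),
    (13, "drop", {"connection-state": "invalid"}),
    (14, "drop", {"connection-state": "new", "connection-nat-state": "!dstnat",
                  "in-interface-list": "WAN"}),
    (16, "accept", {"protocol": "tcp", "dst-port": "80,443"}),
]
ANY_OF = {"dst-port", "connection-state"}  # comma-separated value = any of these


def matches(cond, pkt):
    """True when every matcher of a rule agrees with the packet."""
    for key, want in cond.items():
        negate, want = want.startswith("!"), want.lstrip("!")
        allowed = want.split(",") if key in ANY_OF else [want]
        if (str(pkt.get(key, "")) in allowed) == negate:
            return False
    return True


def verdict(pkt, rules=FORWARD):
    """First matching rule decides; an unmatched packet is accepted."""
    for number, action, cond in rules:
        if matches(cond, pkt):
            return number, action
    return None, "accept"


# Constructed sample: a new RDP connection from WAN, seen in the forward chain
# after NAT rule 0 has rewritten the destination port to 3389.
RDP_DSTNAT = {"protocol": "tcp", "dst-port": "3389", "connection-state": "new",
              "connection-nat-state": "dstnat", "in-interface-list": "WAN"}
# Constructed sample: same port from WAN, but not translated by any dstnat rule.
RDP_DIRECT = dict(RDP_DSTNAT, **{"connection-nat-state": ""})

if __name__ == "__main__":
    print(verdict(RDP_DSTNAT))               # decided by rule 0
    print(verdict(RDP_DSTNAT, FORWARD[1:]))  # no rule 0: nothing drops it
    print(verdict(RDP_DIRECT))               # rule 0 matches before rule 14
    print(verdict(RDP_DIRECT, FORWARD[1:]))  # no rule 0: rule 14 drops it
```

In this model the forward filter accepts the forwarded RDP connection with or without filter rule 0, and rule 0 also accepts those ports for traffic that was never dst-natted, because it is evaluated before rule 14.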
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding on HEX lite

Thu Aug 20, 2020 6:36 pm

Your situation is more complicated due to using two WANIPs, as we have no clue how you have set up your router.
Also are they fixed or dynamic WANIPs?
Finally, are you concerned about external users accessing your server OR
a. internal users via lanip OR
b. internal users via WANIP

/export hide-sensitive file=anynameyouwish
