MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Can't Make New NAT Rules Work  [SOLVED]

Sat Feb 20, 2021 5:01 pm

redacted
Last edited by MicrotikUser on Sun Feb 28, 2021 11:41 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:18 pm

While it may be caused by a bug, it is much more likely that the access to the port is blocked externally or that some other dst-nat rule shadows the newly added one.

So I'd suggest you first run
/tool sniffer quick interface=your-wan-interface-name port=the-port-number
and try to connect to the port; if you see packets arriving, it means they made it to the router, otherwise something has blocked them before they could get there.

If they come, and the dst-nat rule in question counts packets, the packets did reach the rule and either the firewall filter blocks them or they get redirected to a wrong address.

If they come but the dst-nat rule in question doesn't count them, some dst-nat rule before must be matching on those packets.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
erlinden
Long time Member
Posts: 695
Joined: Wed Jun 12, 2013 1:59 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:21 pm

Can you please share your NAT rules (/ip firewall nat export)? Do you have the default filter rules (while you are at it: /ip firewall filter export)?
First the problem, then the solution
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:48 pm

ppp
Last edited by MicrotikUser on Sun Feb 28, 2021 11:41 pm, edited 1 time in total.
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:50 pm

While it may be caused by a bug, it is much more likely that the access to the port is blocked externally or that some other dst-nat rule shadows the newly added one.

So I'd suggest you first run
/tool sniffer quick interface=your-wan-interface-name port=the-port-number
and try to connect to the port; if you see packets arriving, it means they made it to the router, otherwise something has blocked them before they could get there.

If they come, and the dst-nat rule in question counts packets, the packets did reach the rule and either the firewall filter blocks them or they get redirected to a wrong address.

If they come but the dst-nat rule in question doesn't count them, some dst-nat rule before must be matching on those packets.
In WinBox I see that both the affected NAT rules are counting packets
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:51 pm

In WinBox I see that both the affected NAT rules are counting packets
In that case, post the export of /ip firewall filter.
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:56 pm

ppp
Last edited by MicrotikUser on Sun Feb 28, 2021 11:40 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 6164
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 5:58 pm

Did you check if your Windows firewall or AV at the PC is getting in the way??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 6:11 pm

ppp
Last edited by MicrotikUser on Sun Feb 28, 2021 11:42 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 6:13 pm

OK, nothing wrong with filter rules, as initial packets of dst-nated connections are excluded from the "drop all from WAN" rule.

So I'd assume it is a routing or firewall issue at 192.168.88.246 and 192.168.88.249.

/tool sniffer quick port=1194

will show you whether the packet has made it to the LAN interface and whether the server has sent any response.

The fact that you can reach everything internally doesn't necessarily mean that the firewall on the server cannot cause the issue, it may be selective.
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 6:27 pm

ppp
Last edited by MicrotikUser on Sun Feb 28, 2021 11:42 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 7:17 pm

Fine, what does it look like when connecting from outside?
 
MicrotikUser
newbie
Topic Author
Posts: 30
Joined: Tue Aug 21, 2018 12:42 am

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 8:19 pm

Fine, what does it look like when connecting from outside?
It just never connects... I understand that this issue is vague. I was able to confirm that ufw is not running. I'm not sure what else I can do at this point. Maybe either a RouterOS bug or in need of a full factory reset? I would prefer not to reset the router if possible. Again, I've explored the possibility that it's my ISP. Maybe my ISP only allows a set number of ports to be open, no. I've tried to disable a rule and enable another, no luck. I've also tried other port numbers with no luck. The modem itself has no NAT, and no firewall that's affected previous Mikrotik devices in my environment.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Make New NAT Rules Work

Sat Feb 20, 2021 9:26 pm

"it never connects" and "I cannot see any packets to get anywhere" are two distinct things.

When you were sniffing while connecting via LAN, you could see a packet with dst-port 1194 come in via ether3, the same packet leave via ether4, and then a response packet with src-port 1194 come in via ether4 and leave via ether3.

When attempting to connect from the internet, the result of the sniff would look the same (except the WAN port ether1 would replace the ether3) if it worked. But as it doesn't work, you need to identify a device which breaks it.

As the dst-nat rules count, the request packets must be arriving through ether1. The question is whether, while sniffing, you can also see them leaving via ether4 towards the OpenVPN server and if yes, whether you can see also responses from the OpenVPN server. This gives you a clue where the issue is, whether on the Mikrotik (if you can see the request packets at the WAN port but not at ether4) or on the server (if the requests leave through ether4 but no responses come back).
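The decision tree sindy walks through across the thread (sniff on the WAN port, check whether the dst-nat rule counts, then look for the request leaving towards the server and a response coming back) written out as a small Python function, as an added example that is not part of the thread or of RouterOS. The packet records and the in/out direction labels are constructed and simplified; they are not the real column layout of `/tool sniffer quick`.

```python
from collections import namedtuple

# One observed packet from a sniffer run: interface, "in"/"out" on that
# interface, and the transport ports. Constructed model, not RouterOS output.
Packet = namedtuple("Packet", "iface direction src_port dst_port")


def diagnose(packets, ingress, server_iface, port, rule_hits):
    """Locate the break in a dst-nat'ed connection, following the thread's steps.

    ingress      - interface the client's request should arrive on
                   (ether1 from the internet, ether3 for the LAN-side test)
    server_iface - interface facing the server (ether4 in the thread)
    port         - the published service port (1194 here)
    rule_hits    - whether the dst-nat rule's packet counter increased
    """
    req_in = [p for p in packets if p.iface == ingress and p.direction == "in" and p.dst_port == port]
    req_out = [p for p in packets if p.iface == server_iface and p.direction == "out" and p.dst_port == port]
    resp_in = [p for p in packets if p.iface == server_iface and p.direction == "in" and p.src_port == port]
    resp_out = [p for p in packets if p.iface == ingress and p.direction == "out" and p.src_port == port]
    if not req_in:
        return "blocked upstream: no request packets reach the router on " + ingress
    if not rule_hits:
        return "shadowed: requests arrive but an earlier dst-nat rule matches them first"
    if not req_out:
        return "router: request arrives and is counted but never leaves via " + server_iface + " (check filter/forward)"
    if not resp_in:
        return "server: request delivered via " + server_iface + " but no response (server firewall or routing)"
    if not resp_out:
        return "router: response received from server but not forwarded back out " + ingress
    return "ok: full request/response path observed"


# Constructed working LAN-side test, in the shape described in the thread.
LAN_TEST = [
    Packet("ether3", "in", 51000, 1194),
    Packet("ether4", "out", 51000, 1194),
    Packet("ether4", "in", 1194, 51000),
    Packet("ether3", "out", 1194, 51000),
]

# Constructed internet attempt: request arrives on WAN and reaches the server
# interface, but nothing ever comes back from the server.
WAN_TEST = [
    Packet("ether1", "in", 40000, 1194),
    Packet("ether4", "out", 40000, 1194),
]

if __name__ == "__main__":
    print(diagnose(LAN_TEST, "ether3", "ether4", 1194, rule_hits=True))
    print(diagnose(WAN_TEST, "ether1", "ether4", 1194, rule_hits=True))
```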
