dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Port forwarding from a different subnet

Wed Mar 31, 2021 3:17 pm

I have the following double NAT setup: ISP provided Modem/Router connected to Mikrotik Router on 192.198.3.0/24. LAN on Mikrotik is 192.168.1.0/24. LAN includes a couple of DVRs (.71 & .72) with different sets of ports. Modem/Router forwards open ports to eth2 of Mikrotik at 192.168.3.5. Then it is forwarded to the DVRs. I was able to set up port forwarding to work both from the outside (internet) as well as from clients on the 192.168.1.0/24 (LAN). Now, Wifi access is provided by the Modem/Router. This means that local wifi users are on 192.198.3.0/24. What I am having trouble with is getting wifi users to access the DVRs. Have even tried with firewall rules disabled for testing purposes but with no luck. Any help would be greatly appreciated...

If you need the whole picture, below is my full mikrotik configuration:

# mar/31/2021 14:52:45 by RouterOS 6.48.1
# software id = V2G1-I8S1
#
# model = 951Ui-2HnD
# serial number = 45880238E3C3
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3h name=\
dhcp1
/system logging action
add email-to=xxxxxx@gmail.com name=Email target=email
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=192.168.3.5/24 interface=ether2 network=192.168.3.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
ntp-server=216.239.35.0,216.239.35.4
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=192.168.1.72 list=DVR-Ips
add address=192.168.1.71 list=DVR-Ips
add address=216.239.35.4 list=NTP-Servers
add address=216.239.35.0 list=NTP-Servers
/ip firewall filter
add action=accept chain=forward comment="Established & Related" \
connection-state=established,related
add action=accept chain=input comment="LAN Traffic Allowed IP Range" \
src-address-list=allowed_to_router
add action=accept chain=input src-address-list=NTP-Servers
add action=accept chain=input comment=Ping protocol=icmp
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
"Syn Flood Drop" protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="Allow port forwarding on ISP2" \
connection-nat-state=dstnat connection-state=established,related,new \
connection-type="" log=yes protocol=tcp
add action=drop chain=forward comment="Drop FIN" log=yes protocol=tcp \
tcp-flags=fin
add action=drop chain=forward comment="Drop RST" log=yes protocol=tcp \
tcp-flags=rst
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix="invalid DROPPED"
add action=drop chain=input comment=Invalid connection-state=invalid log=yes \
log-prefix="Invalid Dropped"
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=ether3 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list=Over-100-Conn \
address-list-timeout=1d chain=input comment="Connections over 100 for IP" \
connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Drop if over 100 Connections" \
connection-limit=3,32 protocol=tcp src-address-list=Over-100-Conn
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=forward comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Fwd" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=input comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Input" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop Port Scan Hamad" src-address-list=\
Port-Scan
add action=drop chain=forward comment="Drop Port Scan Hamad" \
src-address-list=Port-Scan
add action=drop chain=forward comment=\
"ISP1 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"ISP2 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new in-interface=ether2 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"ISP1 Drop incoming from internet which is not public IP" in-interface=\
ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"ISP2 Drop incoming from internet which is not public IP" in-interface=\
ether2 log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=input comment=Gmail src-address=74.125.141.108 \
src-address-list=""
add action=drop chain=input comment="Drop All other ISP1" disabled=yes \
in-interface=ether1
add action=drop chain=input comment="Drop All other ISP2" disabled=yes \
in-interface=ether2
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=ether3 log=yes log-prefix=\
!public_from_LAN out-interface=!ether3
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=\
yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN1 \
passthrough=yes per-connection-classifier=both-addresses:2/0 \
src-address-list=!DVR-Ips
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN2 \
passthrough=yes per-connection-classifier=both-addresses:2/1 \
src-address-list=!DVR-Ips
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
ether3 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
ether3 new-routing-mark=ether2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
ether2-mark passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type=local dst-port=\
67-68 log=yes protocol=tcp src-port="" to-addresses=192.168.1.71
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=\
69 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=\
70 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
add action=dst-nat chain=dstnat comment=PBX1 disabled=yes dst-port=35356 \
in-interface=ether2 protocol=tcp to-addresses=192.168.1.29 to-ports=5060
add action=dst-nat chain=dstnat comment="DSP2 DSP" disabled=yes dst-port=\
16000-16511 in-interface=ether2 protocol=tcp to-addresses=192.168.1.30 \
to-ports=16000-16511
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=\
ether1-mark
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=\
ether2-mark
add distance=1 gateway=192.168.3.1
add distance=1 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VI
/system logging
add action=Email prefix="Mikrotik Router VI" topics=critical
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
/system scheduler
add disabled=yes interval=10m name=schedule-PingCheck on-event=PingCheck \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=00:00:00
/system script
add dont-require-permissions=no name=PingCheck owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":if ([/ping 1.1.1.1 count=10] = 0) do={\r\
\n /system reboot\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=74.125.141.108 from=xxxxxx@gmail.com port=587 \
start-tls=yes user=xxxxxx@gmail.com
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
2.1]\r\
\n:log error \"ISP1 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.4.4 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.2.1]\r\
\n:log warning \"ISP1 is up\""
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
3.1]\r\
\n:log error \"ISP2 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.8.8 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.3.1]\r\
\n:log warning \"ISP2 is up\""
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding from a different subnet

Wed Mar 31, 2021 3:35 pm

So let me get this straight.
Your ROUTER/MODEM has assigned a static LANIP (192.168.3.5) to your MT device also acting as a router and the WANIP is of course also 192.168.3.5.
Your MT ROUTER has ONE lan subnet for various purposes, 192.168.1.0/24.
I will ignore your ether1 as it's confusing and conflicts with your own wording.

If the wifi is being provided on the modem router it makes sense that you cannot reach the servers from the internet.
You probably have a hairpin nat situation. https://wiki.mikrotik.com/wiki/Hairpin_NAT

As an aside, I think your config is overly complex with little gain. You would be best served by resetting to defaults,
adding in the server rules and configuring hairpin nat. Once up and running then adding in rules that have value.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port forwarding from a different subnet

Wed Mar 31, 2021 6:32 pm

Looks to me your firewall is doing as it should and your answers should be in your logs.

Hint: prefix=!public
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Wed Mar 31, 2021 7:48 pm

So let me get this straight.
Your ROUTER/MODEM has assigned a static LANIP (192.168.3.5) to your MT device also acting as a router and the WANIP is of course also 192.168.3.5.
Your MT ROUTER has ONE lan subnet for various purposes, 192.168.1.0/24.
I will ignore your ether1 as it's confusing and conflicts with your own wording.

If the wifi is being provided on the modem router it makes sense that you cannot reach the servers from the internet.
You probably have a hairpin nat situation. https://wiki.mikrotik.com/wiki/Hairpin_NAT

As an aside, I think your config is overly complex with little gain. You would be best served by resetting to defaults,
adding in the server rules and configuring hairpin nat. Once up and running then adding in rules that have value.
Servers are reachable from both the internet as well as from 192.168.1.0/24 without any problems. It is devices from 192.168.3.0/24 that cannot reach the servers.... I have tried hairpin nat for this network without success.
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Wed Mar 31, 2021 9:29 pm

Looks to me your firewall is doing as it should and your answers should be in your logs.

Hint: prefix=!public
The counter shows 0
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port forwarding from a different subnet

Wed Mar 31, 2021 10:46 pm

Have you tried using 192.168.3.5:67-69 directly? To other devices on this subnet, it would seem no different than if the NVRs were directly attached (if your firewall is not dropping the traffic).

Maybe a misconfiguration on the Modem/Router. Or it needs a hairpin nat.
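The question in this thread is where the DVR's reply travels, so here is an added model (not code from the post or from MikroTik) of the path a TCP SYN takes through the described double-NAT setup. It assumes the addresses from the export (ether2 192.168.3.5, ether3 192.168.1.1, DVR 192.168.1.71, dst-port 67-68) and an optional hairpin masquerade of the kind described on the wiki page linked above; `connect()`, `router_forward()` and the conntrack dict are the model's own names.

```python
"""Packet-path model for the thread's double-NAT setup (added example, not
code from the post or from MikroTik). A router with ether2 = 192.168.3.5
(ISP LAN) and ether3 = 192.168.1.1 (LAN) dst-nats TCP 67-68 on any of its
own addresses to DVR 192.168.1.71; a hairpin src-nat can be switched on.
connect() answers whether the client's handshake can complete."""
from ipaddress import ip_address, ip_network

# Constructed topology, taken from the exported config in the thread.
LAN = ip_network("192.168.1.0/24")        # ether3 side
ISP_LAN = ip_network("192.168.3.0/24")    # ether2 side
ROUTER_ADDR = {LAN: "192.168.1.1", ISP_LAN: "192.168.3.5"}
DVR = "192.168.1.71"
FORWARDED = range(67, 69)                 # dst-port=67-68 -> DVR1


def subnet_of(ip):
    """Return the modelled subnet an address belongs to, or None."""
    for net in (LAN, ISP_LAN):
        if ip_address(ip) in net:
            return net
    return None


def router_forward(src, dst, dport, hairpin):
    """prerouting dst-nat, then the optional hairpin src-nat.

    Returns the packet as the DVR sees it plus the conntrack entry the
    router keeps so it can un-NAT the reply."""
    if dst not in ROUTER_ADDR.values() or dport not in FORWARDED:
        return None, None                 # no dst-nat rule matches
    new_src, new_dst = src, DVR
    # Hairpin rule: when client and server share a subnet, masquerade the
    # client behind the router's address on that subnet so the server
    # answers the router instead of the client directly.
    if hairpin and subnet_of(src) == subnet_of(new_dst):
        new_src = ROUTER_ADDR[subnet_of(new_dst)]
    conntrack = {"orig": (src, dst), "reply_to": (new_dst, new_src)}
    return (new_src, new_dst), conntrack


def dvr_reply(pkt):
    """The DVR answers whatever source it saw.

    The reply passes through the router only if it is addressed to the
    router itself or has to leave the DVR's own subnet via its gateway."""
    src, _ = pkt
    via_router = src in ROUTER_ADDR.values() or subnet_of(src) != subnet_of(DVR)
    return src, via_router


def connect(client, dst, dport, hairpin=False):
    """Simulate SYN -> SYN/ACK. True only if the client sees the SYN/ACK
    come back from the address it connected to; otherwise the client's
    stack resets the stray reply and the connection never establishes."""
    pkt, ct = router_forward(client, dst, dport, hairpin)
    if pkt is None:
        return False
    reply_dst, via_router = dvr_reply(pkt)
    if via_router:
        # Router matches the reply to its conntrack entry and un-NATs it:
        # source becomes the forwarded address, destination the client.
        reply_src, reply_dst = ct["orig"][1], ct["orig"][0]
    else:
        reply_src = DVR                   # reply bypassed the router
    return reply_dst == client and reply_src == dst
```

In this model a 192.168.3.x client reaching 192.168.3.5:67 gets its reply back through the MikroTik with no hairpin rule, because the DVR's return path to that subnet already runs through its gateway; only a client on the DVR's own 192.168.1.0/24 needs the hairpin masquerade.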
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 11:56 am

Have you tried using 192.168.3.5:67-69 directly? To other devices on this subnet, it would seem no different than if the NVRs were directly attached (if your firewall is not dropping the traffic).

Maybe a misconfiguration on the Modem/Router. Or it needs a hairpin nat.
I have totally disabled firewall rules. Directly to 3.5:67-69 does not work even though it did before when I had a tplink router in the place of the Mikrotik. The only thing I have not tried is hairpin on the modem router. The problem with this is that the modem router seems to accept only wan address as the source.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 12:17 pm

Regarding: It is devices from 192.168.3.0/24 that cannot reach the servers....

But you do get packet hits on the MT ? Do you get *any* logging hit indicating a station on 192.168.3.x can reach the MT at all ??

So the wireless clients on the ISP-modem/Wifi receive a 192.168.3.x IP and seem "bridged" on the LAN of that ISP device, the same LAN on which the MT is cabled and also has a 192.168.3.x
you would expect that they can hit your DNAT entries representing the NVR's without issues ... certainly if you disabled all FW-rules.
Are you sure these wireless clients have no sort of "isolation" mode setting active, so they cannot reach their neighbors (basically dropping all RFC1918 IP space) and only allowing "Internet"?
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 1:29 pm

Regarding: It is devices from 192.168.3.0/24 that cannot reach the servers....
Are you sure these wireless clients have no sort of "isolation" mode setting active, so they cannot reach their neighbors (basically dropping all RFC1918 IP space) and only allowing "Internet"?
I believe you might be right. During testing I pinged successfully from my phone (3.15) to the Dvr (2.71) so I believed that forwarding should work as well. I should probably go back and torch eth2 (192.168.3.5) to see what is going through. I did not look into this before because as I stated before it was working with a tplink router in the place of the MT
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 3:13 pm

Regarding: It is devices from 192.168.3.0/24 that cannot reach the servers....
Are you sure these wireless clients have no sort of "isolation" mode setting active, so they cannot reach their neighbors (basically dropping all RFC1918 IP space) and only allowing "Internet"?
I believe you might be right. During testing I pinged successfully from my phone (3.15) to the Dvr (2.71) so I believed that forwarding should work as well. I should probably go back and torch eth2 (192.168.3.5) to see what is going through. I did not look into this before because as I stated before it was working with a tplink router in the place of the MT
In an earlier post you said the NVRs are on the LAN side 192.168.1.x right (*.71 & *.72)??
In the post above you write something like DVR (2.71) so I guess you mean 192.168.2.71 ??
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 3:16 pm

My mistake. It is on 192.168.1.71
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding from a different subnet

Thu Apr 01, 2021 3:51 pm

My mistake. It is on 192.168.1.71
Ok so if you can ping them right through the Mikrotik (with all FW policies off) that is already a good thing.
In order to do this you added a static-route on this ISP Modem/Wifi thing??
Because without one you would never be able to reach 192.168.1.x
By default it probably routes you out to Internet and the only "direct connected" network it knows is 192.168.3.x/24

Ok , so that means for sure no client-isolation or other security feature on the ISP-modem/Wifi box else you would not be able to ping the DVR.

Hmm...
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Fri Apr 02, 2021 12:53 am

No. What I was doing before adding the MT was port forward from 192.168.3.5 to 192.168.1.71. So if I went directly to 192.168.3.5 it would still activate the port forward. Now, with MT, I get an error connection not established....
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding from a different subnet

Fri Apr 02, 2021 9:26 am

No. What I was doing before adding the MT was port forward from 192.168.3.5 to 192.168.1.71. So if I went directly to 192.168.3.5 it would still activate the port forward. Now, with MT, I get an error connection not established....
Perhaps you should try to take a packet capture behind the MT to see if ANY packet arrives there !
Or on the MT itself on the "exiting" interfaces towards your internet LAN.

Did that already?
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding from a different subnet

Sat Apr 10, 2021 3:05 pm

No. What I was doing before adding the MT was port forward from 192.168.3.5 to 192.168.1.71. So if I went directly to 192.168.3.5 it would still activate the port forward. Now, with MT, I get an error connection not established....
Perhaps you should try to take a packet capture behind the MT to see if ANY packet arrives there !
Or on the MT itself on the "exiting" interfaces towards your internet LAN.

Did that already?
Have tried to figure out what is going on by looking through the connections, on the firewall, but also using torch on both the in and out interfaces. Nothing. It seems that it is being dropped before exiting the in interface. I even tried with all firewall rules disabled. What made me concentrate on the MT is that it worked before with another router in its place. Anyway, as I got tired trying different things I was able to solve my problem by adding static rules to the ISP provided router. Thank you all for your precious time.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding from a different subnet  [SOLVED]

Sat Apr 10, 2021 3:50 pm

Good to hear, I suspected it has nothing to do with the MT but more so configuring the ISP modem router.
