 
kostya8780
just joined
Topic Author
Posts: 4
Joined: Mon Sep 27, 2021 2:46 am

TCP port forwarding not working

Mon Sep 27, 2021 2:55 am

Hello,
I am trying to set up port forwarding. I managed to make UDP forwarding work, but TCP is not working. When I'm trying to connect to my server I see the following incoming packets with ngrep:
T 94.153.49.165:13782 -> 192.168.88.191:25565 [R] #39
  ......
###
T 94.153.49.165:13782 -> 192.168.88.191:25565 [R] #42
  ......
####
T 94.153.49.165:13782 -> 192.168.88.191:25565 [R] #46
  ......
#
I see it every several seconds until the connection times out.

Here is my firewall rules export:

# sep/27/2021 02:48:31 by RouterOS 6.30.2
# software id = UHAF-16I8
#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add chain=forward comment="Allow port forwarding" connection-state=new \
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=netmap chain=dstnat dst-port=9 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.88.191 to-ports=9
add action=dst-nat chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.191
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.191 to-ports=80
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: TCP port forwarding not working

Wed Sep 29, 2021 12:57 pm

The last rule of your filter is a major problem.
The 2nd rule of your NAT is probably screwing you.

Default both and start over.

Nat would be pretty simple.

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether1-gateway action=dst-nat to-addresses=192.168.88.191
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: TCP port forwarding not working

Wed Sep 29, 2021 3:29 pm

/export hide-sensitive file=anynameyouwish
 
kostya8780
just joined
Topic Author
Posts: 4
Joined: Mon Sep 27, 2021 2:46 am

Re: TCP port forwarding not working

Wed Sep 29, 2021 8:41 pm

I can see that client does not receive SYN-ACK in response to its SYN packet. Also I see that my server sends SYN-ACK and immediately receives RST packet. So maybe router does not allow SYN-ACK to pass through and resets connection?

Export:
# sep/29/2021 20:34:20 by RouterOS 6.30.2
# software id = UHAF-16I8
#
/interface bridge
add admin-mac=D4:CA:6D:DD:0A:59 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=1600 mode=\
    ap-bridge wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys
add name=profile
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless access-list
add mac-address=B0:68:E6:A8:BB:BB
add mac-address=9C:B6:D0:11:8A:D3
add mac-address=A8:9C:ED:8C:98:1C
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
/ip arp
add address=192.168.88.202 interface=bridge-local mac-address=\
    F8:D1:11:5C:EF:D5
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.202 client-id=1:f8:d1:11:5c:ef:d5 mac-address=\
    F8:D1:11:5C:EF:D5 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=9 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.88.202 to-ports=9
add action=netmap chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.202
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.202 to-ports=80
/system clock
set time-zone-name=Europe/Kiev
/system leds
set 5 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
/tool romon port
add
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: TCP port forwarding not working

Wed Sep 29, 2021 8:50 pm

RouterOS 6.30.2??? Are you joking? Leaving all the security issues aside, no one here remembers what all has been fixed since then. So you may be hunting for a bug that has been solved years ago.
 
kostya8780
just joined
Topic Author
Posts: 4
Joined: Mon Sep 27, 2021 2:46 am

Re: TCP port forwarding not working

Wed Sep 29, 2021 9:00 pm

Router also receives, but does not respond to ping packets. I will try to update software.
 
sutrus
Frequent Visitor
Posts: 58
Joined: Fri Jun 30, 2017 11:27 pm

Re: TCP port forwarding not working

Wed Sep 29, 2021 9:17 pm

add action=dst-nat chain=dstnat dst-port=9 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.88.202 to-ports=9
add action=netmap chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.202
1. Almost 6 years old version :? Urgently update RouterOS and firmware !!!
2. Why do you have port 9 in dstnat rule? That's weird.
3. Change netmap on dst port 25565 to dstnat. Netmap is not dstnat.
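
An offline check for the two rule patterns questioned in this thread, added here as an example that is not part of any post: a forward-chain accept for new connections from the WAN interface that does not match connection-nat-state=dstnat (the "Allow port forwarding" rule gotsprings objects to), and action=netmap used to forward a port to a single host (sutrus's point 3). The function names and finding labels are hypothetical; the sample is trimmed from the first export posted above.

```python
import shlex

# Constructed sample: filter/nat lines trimmed from the first export in the thread.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add chain=forward comment="Allow port forwarding" connection-state=new \
    in-interface=ether1-gateway
/ip firewall nat
add action=netmap chain=dstnat dst-port=9 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.88.191 to-ports=9
add action=dst-nat chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.191
'''

def parse_export(text):
    """Return (menu, properties) per 'add' line, joining '\\' continuations."""
    rules, menu, pending = [], None, ""
    for raw in text.splitlines():
        piece = raw.lstrip()
        if piece.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending += piece[:-1]
            continue
        line, pending = pending + piece, ""
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add "):
            toks = shlex.split(line)[1:]  # shlex keeps a quoted comment in one token
            rules.append((menu, dict(t.split("=", 1) for t in toks if "=" in t)))
    return rules

def audit(text, wan="ether1-gateway"):
    """Flag the two rule patterns questioned in the thread (labels are hypothetical)."""
    findings = []
    for menu, p in parse_export(text):
        action = p.get("action", "accept")  # the export omits action when it is accept
        if (menu == "/ip firewall filter" and p.get("chain") == "forward"
                and action == "accept" and p.get("in-interface") == wan
                and p.get("connection-state") == "new"
                and p.get("connection-nat-state") != "dstnat"):
            findings.append(("broad-forward-accept", p.get("comment", "")))
        if (menu == "/ip firewall nat" and p.get("chain") == "dstnat"
                and action == "netmap" and "/" not in p.get("to-addresses", "/")):
            findings.append(("netmap-as-port-forward", p.get("dst-port", "")))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Run it against the text of a saved `/export hide-sensitive` file; pass `wan=` if the WAN interface has a different name.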
 
kostya8780
just joined
Topic Author
Posts: 4
Joined: Mon Sep 27, 2021 2:46 am

Re: TCP port forwarding not working

Wed Sep 29, 2021 9:24 pm

1. Will update it as soon as possible
2. Default port for wake on lan
3. I just forgot to change it back to dstnat after trying different options. It doesn't work with dstnat too
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: TCP port forwarding not working

Wed Sep 29, 2021 9:34 pm

If the machine was ever exposed to internet without the "drop everything except established/related and icmp" rules in filter/input, I'd even recommend to netinstall it, not just upgrade. In the past (6.4x, so even newer versions than your 6.30.2), there used to be vulnerabilities that allowed to download plaintext credentials from the routers, and some malware seems to be able to be invisible in the configuration.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: TCP port forwarding not working

Wed Sep 29, 2021 11:07 pm

Concur netinstall that sucker pronto!!
