Port forwarding through two layers

Posted: Thu Sep 04, 2008 7:25 am
by jd6strings
Hello all:

I've been using Mikrotik for a good while now and I've finally come to a scenario that I cannot get to work properly. The diagram below illustrates the basics of the setup. What I'm trying to achieve is logically simple BUT my configs are not working.

Image

I'm trying to port forward 5900 to a system behind a router and that router is behind another router.

Here's the NAT configs of the respective systems:

MT1:
0 chain=srcnat action=masquerade

1 chain=dstnat action=dst-nat to-addresses=172.0.0.2 to-ports=5900
dst-address=123.456.789.1 dst-port=5900 protocol=tcp

2 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=123.456.789.1 dst-port=5900 protocol=udp

MT2:
0 chain=srcnat action=masquerade

1 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=172.0.0.2 dst-port=5900 protocol=tcp

2 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=172.0.0.2 dst-port=5900 protocol=udp

The problem is that when I attempt connection from outside the network...the 192.168.0.2 client does NOT properly respond. What could be wrong?

It should be noted that Internet connectivity from the 192.168.0.0/24 network works fine...

Thanks my friends!!!

Re: Port forwarding through two layers

Posted: Thu Sep 04, 2008 9:13 am
by macgaiver
Do you really need double masquerade??? If it is your inner network, just route in it and have only one dst-nat in your main router MT1.
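What macgaiver's suggestion looks like in RouterOS terms, as an added example (not configuration from the thread or from any of its posters): MT1 does all the NAT and simply routes the inner subnet through MT2, which becomes a plain router with no srcnat or dstnat rules. It reuses the addresses from the original post (the public address is the poster's 123.456.789.1 placeholder); the link addresses 172.0.0.1 on MT1 and 172.0.0.2 on MT2, the inner address 192.168.0.1 on MT2, and the WAN interface name ether1 are assumptions.

```routeros
# Added example, not the original poster's configuration. Assumptions:
# MT1 WAN = 123.456.789.1 (placeholder from the post) on ether1,
# MT1 <-> MT2 link = 172.0.0.1 <-> 172.0.0.2, MT2 inner LAN = 192.168.0.1/24.

# --- MT1: the only device doing NAT -------------------------------------
# MT1 must know that the inner subnet lives behind MT2's outer address.
/ip route add dst-address=192.168.0.0/24 gateway=172.0.0.2 comment="inner LAN behind MT2"

# Masquerade only what leaves towards the Internet, not traffic between the layers.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# A single dst-nat straight to the final host; routing carries it through MT2.
/ip firewall nat add chain=dstnat dst-address=123.456.789.1 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.0.2 to-ports=5900 comment="VNC to inner host"

# --- MT2: plain router, no NAT rules at all -----------------------------
# Its default route points back at MT1, so replies from 192.168.0.2 reach
# MT1's connection tracking and are un-NATed there.
/ip route add dst-address=0.0.0.0/0 gateway=172.0.0.1

# Check from MT1: the inner host must answer on its real address before
# any dst-nat rule is expected to work.
/ping 192.168.0.2 count=3
```

With only one translation point, a single tracked connection on MT1 holds both the forwarded and the reply direction, and the inner host still sees real source addresses instead of MT2's masqueraded one.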

Re: Port forwarding through two layers

Posted: Fri Sep 05, 2008 4:37 am
by dsobin
Your nat entries look correct. I do this all the time and it works fine.

When it doesn't work, the problem is usually that the client or the innermost router is
missing its default route. In that case, the packets go in to the client, but they don't know how to go back out.

You said the client can get out to the Internet, so that does not seem to be the problem.

To debug, use winbox and open ip->firewall->nat.

Click reset all counters.

Try to reach your client and watch the packet count on the nat rule. It should count up.
This will give you an indication if your rules are firing as expected.

If not, look more carefully. If they are firing,
run packet sniffer and look for the client address on MT2. You should see a packet go in, and a packet go back out.

If so, trace back to the MT1. If not, look more carefully and try to figure out why.

BTW, be sure connection tracking is on in ip->firewall->connections->Tracking.
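The same checks dsobin describes in Winbox, as an added example of the equivalent terminal commands (not commands from the thread or from any poster). It uses the 192.168.0.2 client address from the original post; the command names are the ones present in RouterOS of that era and are assumed to be unchanged on the reader's version.

```routeros
# Added example: dsobin's debugging steps as RouterOS terminal commands.
# Run on MT1 first, then repeat on MT2. Assumes the client is 192.168.0.2
# as in the original post.

# 1. Connection tracking must be on: dst-nat relies on it to rewrite the
#    reply packets back to the public address.
/ip firewall connection tracking print
/ip firewall connection tracking set enabled=yes

# 2. Zero the NAT rule counters, then attempt the VNC connection from outside.
/ip firewall nat reset-counters-all

# 3. Read the counters again: the packets column of the dst-nat rule must climb.
#    A rule that stays at 0 never matched (wrong dst-address, port or protocol,
#    or a filter rule dropped the packet before it got here).
/ip firewall nat print stats

# 4. The tracked connection shows both directions; its reply destination
#    should be the inner host, not the router's own address.
/ip firewall connection print

# 5. On MT2, sniff for the client address. Seeing only the inbound packet
#    and never a reply points at the return path (default route on the
#    client or on MT2), not at the NAT rules.
/tool sniffer quick ip-address=192.168.0.2

# 6. Confirm the return path on each router: there must be a default route.
/ip route print
```

Reading the counters and the sniffer together separates the two failure modes: rules that never fire (step 3) versus packets that arrive but get no answer (step 5).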