kotnik
just joined
Topic Author
Posts: 3
Joined: Thu Sep 16, 2010 1:22 pm

Port Forwarding with PCC

Wed Oct 20, 2010 1:58 pm

I followed the PCC tutorial on the wiki to set up PCC with 2 lines (http://wiki.mikrotik.com/wiki/Manual:PCC) and it works as described.

Now, I'm having issues with port forwarding. Packet sniffer revealed that outgoing packets are sent to the wrong interface as you can see here in the attachment:
This is my setup:
/ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                                   
 0   192.168.88.1/24    192.168.88.0    192.168.88.255  lokal                                                                                                       
 1 D 89.216.30.6/24     89.216.30.0     89.216.30.255   sbb                                                                                                         
 2 D 192.168.1.2/24     192.168.1.0     192.168.1.255   telekom             
/ip route print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=89.216.30.1 gateway-status=89.216.30.1 reachable sbb check-gateway=ping distance=1 scope=30 target-scope=10 
        routing-mark=to_sbb 
 1 A S  dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable telekom check-gateway=ping distance=1 scope=30 target-scope=10 
        routing-mark=to_telekom 
 2 A S  dst-address=0.0.0.0/0 gateway=89.216.30.1 gateway-status=89.216.30.1 reachable sbb check-gateway=ping distance=1 scope=30 target-scope=10 
 3   S  dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable telekom check-gateway=ping distance=2 scope=30 target-scope=10 
 4 ADC  dst-address=89.216.30.0/24 pref-src=89.216.30.6 gateway=sbb gateway-status=sbb reachable distance=0 scope=10 
 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=telekom gateway-status=telekom reachable distance=0 scope=10 
 6 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=lokal gateway-status=lokal reachable distance=0 scope=10 
/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=mark-connection new-connection-mark=sbb_conn passthrough=yes in-interface=sbb 
 1   chain=input action=mark-connection new-connection-mark=telekom_conn passthrough=yes in-interface=telekom 
 2   chain=output action=mark-routing new-routing-mark=to_sbb passthrough=yes connection-mark=sbb_conn 
 3   chain=output action=mark-routing new-routing-mark=to_telekom passthrough=yes connection-mark=telekom_conn 
 4   chain=prerouting action=accept dst-address=89.216.30.0/24 in-interface=lokal 
 5   chain=prerouting action=accept dst-address=192.168.1.0/24 in-interface=lokal 
 6   chain=prerouting action=mark-connection new-connection-mark=sbb_conn passthrough=yes dst-address-type=!local in-interface=lokal 
     per-connection-classifier=both-addresses:2/0 
 7   chain=prerouting action=mark-connection new-connection-mark=telekom_conn passthrough=yes dst-address-type=!local in-interface=lokal 
     per-connection-classifier=both-addresses:2/1 
 8   chain=prerouting action=mark-routing new-routing-mark=to_sbb passthrough=yes in-interface=lokal connection-mark=sbb_conn 
 9   chain=prerouting action=mark-routing new-routing-mark=to_telekom passthrough=yes in-interface=lokal connection-mark=telekom_conn 
/ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=sbb 
 1   chain=srcnat action=masquerade out-interface=telekom 
 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=22 protocol=tcp dst-address-type=local dst-port=22
Please, help?
 
macgaiver
Forum Guru
Posts: 1731
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Port Forwarding with PCC

Wed Oct 20, 2010 2:22 pm

1) move these rules to mangle chain prerouting just below rules 4 and 5
0   chain=input action=mark-connection new-connection-mark=sbb_conn passthrough=yes in-interface=sbb
1   chain=input action=mark-connection new-connection-mark=telekom_conn passthrough=yes in-interface=telekom 

2) add connection-mark=no-mark to all rules that have action=mark-connection
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
kotnik
just joined
Topic Author
Posts: 3
Joined: Thu Sep 16, 2010 1:22 pm

Re: Port Forwarding with PCC

Wed Oct 20, 2010 2:40 pm

macgaiver, thank you very much!
 
Bibo
just joined
Posts: 10
Joined: Wed Oct 27, 2010 1:23 pm

Re: Port Forwarding with PCC

Sun Dec 19, 2010 10:41 pm

I have a similar problem. When I'm connecting from some external addresses, connections come in from interface WAN1, but outgoing traffic is going to WAN2.

Neither changing the order in mangle nor adding no-mark helped.
/ip address
add address=89.xxx.xxx.xxx/26 broadcast=89.xxx.xxx.63 comment="" disabled=no \
    interface=WAN2 network=89.xxx.xxx.0
add address=192.168.50.1/24 broadcast=192.168.50.255 comment="" disabled=no \
    interface=LAN network=192.168.50.0
add address=195.xxx.xxx.xxx/24 broadcast=195.xxx.xxx.255 comment="" disabled=no \
    interface=WAN1 network=195.xxx.xxx.0
/ip firewall mangle
add action=mark-routing chain=output comment="" connection-mark=WAN1_CONN \
    disabled=no new-routing-mark=TO_WAN1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=WAN2_CONN \
    disabled=no new-routing-mark=TO_WAN2 passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    195.xxx.xxx.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    89.xxx.xxx.0/24 in-interface=LAN
add action=mark-connection chain=input comment="" connection-mark=no-mark \
    disabled=no in-interface=WAN1 new-connection-mark=WAN1_CONN passthrough=no
add action=mark-connection chain=input comment="" connection-mark=no-mark \
    disabled=no in-interface=WAN2 new-connection-mark=WAN2_CONN passthrough=\
    no
add action=mark-connection chain=prerouting comment="" connection-mark=\
    no-mark disabled=no dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN1_CONN passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting comment="" connection-mark=\
    no-mark disabled=no dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN2_CONN passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_CONN \
    disabled=no in-interface=LAN new-routing-mark=TO_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_CONN \
    disabled=no in-interface=LAN new-routing-mark=TO_WAN2 passthrough=no
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=89.xxx.xxx.1 routing-mark=TO_WAN2 scope=30 target-scope=\
    10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=195.xxx.xxx.1 routing-mark=TO_WAN1 scope=30 target-scope=\
    10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=195.xxx.xxx.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=89.xxx.xxx.1 scope=30 target-scope=10
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no \
    out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=\
    no out-interface=WAN2
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address-type=local dst-port=443 protocol=tcp to-addresses=\
    192.168.50.2 to-ports=443
Last edited by Bibo on Sun Dec 19, 2010 11:09 pm, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Sun Dec 19, 2010 10:48 pm

add action=mark-connection chain=input comment="" connection-mark=no-mark \
    disabled=no in-interface=WAN1 new-connection-mark=WAN1_CONN passthrough=no
add action=mark-connection chain=input comment="" connection-mark=no-mark \
    disabled=no in-interface=WAN2 new-connection-mark=WAN2_CONN passthrough=\
    no
Duplicate those already existing rules and run them in the forward chain. That marks incoming connections that go through the router rather than to the router (which is the case for port forwarding) and sticks them to the right interface.
There are other spots in the config where you could achieve the same thing but that seems easiest.
 
Bibo
just joined
Posts: 10
Joined: Wed Oct 27, 2010 1:23 pm

Re: Port Forwarding with PCC

Sun Dec 19, 2010 11:25 pm

Thanks a lot.

In Firewall rules I configured port forward, but didn't figure out to do the same in mangle :)
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Sun Dec 19, 2010 11:30 pm

What I posted doesn't port forward, it sticks connections. The mangle rules I quoted for the input chain mark connections established from the Internet to the router so that the router can send them out the same port they originally came in through. When you port forward, destination NAT changes the destination IP address, and the packets aren't in the input chain, so those rules don't work. Instead the packets will be in the forward chain, so you have to duplicate the existing rules (or ditch the existing ones and write rules for pre-routing that cover both cases, but that's more complicated to do).
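
The packet flow fewi describes and macgaiver's two steps, modelled as an added example that is not part of any post in this thread. It is a simplified Python model, not RouterOS code: rule, mark and interface names come from kotnik's config, while `Rule`, `run_chain`, `reply_egress`, `ruleset`, `sticky` and the `bucket` stand-in for the PCC hash are assumptions of the example, and the accept and output-chain rules are left out because they never match in this scenario.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    chain: str
    action: str                        # "mark-connection" or "mark-routing"
    new_mark: str
    in_interface: str
    connection_mark: str = ""          # "" = any, "no-mark" = unmarked only
    dst_local: Optional[bool] = None   # dst-address-type=local / !local
    pcc: Optional[int] = None          # N in both-addresses:2/N

def run_chain(rules, chain, pkt, conn):
    """Apply every matching rule of one chain (all rules here pass through)."""
    for r in rules:
        if r.chain != chain or r.in_interface != pkt["in"]:
            continue
        if r.connection_mark == "no-mark":
            if conn["mark"]:
                continue
        elif r.connection_mark and r.connection_mark != conn["mark"]:
            continue
        if r.dst_local is not None and r.dst_local != pkt["dst_local"]:
            continue
        if r.pcc is not None and r.pcc != pkt["bucket"]:
            continue
        if r.action == "mark-connection":
            conn["mark"] = r.new_mark      # stored on the connection
        else:
            pkt["routing_mark"] = r.new_mark  # per packet only

ROUTES = {"to_sbb": "sbb", "to_telekom": "telekom"}
MAIN_DEFAULT = "sbb"   # unmarked packets use the distance=1 default route

def reply_egress(rules, wan_in, bucket):
    """WAN the LAN server's reply leaves on, for a forward that came in wan_in."""
    conn = {"mark": ""}
    # Inbound SYN: dst is the router's own address in prerouting; dst-nat then
    # rewrites it, so the packet goes through forward and never through input.
    syn = {"in": wan_in, "dst_local": True, "bucket": None, "routing_mark": ""}
    run_chain(rules, "prerouting", syn, conn)
    run_chain(rules, "forward", syn, conn)
    # Reply from the LAN server to the remote client; bucket stands in for the
    # PCC hash of the address pair modulo 2.
    reply = {"in": "lokal", "dst_local": False, "bucket": bucket,
             "routing_mark": ""}
    run_chain(rules, "prerouting", reply, conn)
    return ROUTES.get(reply["routing_mark"], MAIN_DEFAULT)

def ruleset(wan_chain, guard):
    """kotnik's rules 0-1 placed in wan_chain, plus rules 6-9; guard is the
    connection-mark matcher put on every mark-connection rule."""
    return [
        Rule(wan_chain, "mark-connection", "sbb_conn", "sbb", guard),
        Rule(wan_chain, "mark-connection", "telekom_conn", "telekom", guard),
        Rule("prerouting", "mark-connection", "sbb_conn", "lokal", guard,
             dst_local=False, pcc=0),
        Rule("prerouting", "mark-connection", "telekom_conn", "lokal", guard,
             dst_local=False, pcc=1),
        Rule("prerouting", "mark-routing", "to_sbb", "lokal", "sbb_conn"),
        Rule("prerouting", "mark-routing", "to_telekom", "lokal",
             "telekom_conn"),
    ]

def sticky(rules):
    """True when every reply leaves via the WAN its connection arrived on."""
    return all(reply_egress(rules, wan, b) == wan
               for wan in ("sbb", "telekom") for b in (0, 1))

ORIGINAL = ruleset("input", "")               # config as first posted
MOVED_ONLY = ruleset("prerouting", "")        # step 1 without step 2
FIXED = ruleset("prerouting", "no-mark")      # both of macgaiver's steps
FORWARD_COPY = ruleset("forward", "no-mark")  # fewi's forward-chain variant

if __name__ == "__main__":
    for name in ("ORIGINAL", "MOVED_ONLY", "FIXED", "FORWARD_COPY"):
        print(name, "sticky:", sticky(globals()[name]))
```

With only step 1 applied, the PCC rules still overwrite the mark on the reply packet, which is why the egress interface keeps depending on the hash until `connection-mark=no-mark` is added.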
 
leonet45
just joined
Posts: 23
Joined: Fri Dec 17, 2010 2:18 am

Re: Port Forwarding with PCC

Mon Dec 20, 2010 9:06 pm

Use 1 masquerade without out-interface. This solves the problem
chain=srcnat action=masquerade 
 
Bibo
just joined
Posts: 10
Joined: Wed Oct 27, 2010 1:23 pm

Re: Port Forwarding with PCC

Tue Dec 21, 2010 4:48 pm

Use 1 masquerade without out-interface. This solves the problem
chain=srcnat action=masquerade 
This will also change source IP of sender in SMTP logs.

But thanks anyway; adding src-address resolves the issue with SMTP
chain=srcnat action=masquerade src-address=192.168.50.0/24
 
hjoelr
newbie
Posts: 29
Joined: Mon Apr 28, 2008 11:29 pm

Re: Port Forwarding with PCC

Fri Mar 04, 2011 7:44 pm

1) move these rules to mangle chain prerouting just below rules 4 and 5
0   chain=input action=mark-connection new-connection-mark=sbb_conn passthrough=yes in-interface=sbb
1   chain=input action=mark-connection new-connection-mark=telekom_conn passthrough=yes in-interface=telekom 

2) add connection-mark=no-mark to all rules that have action=mark-connection
I had followed the instructions given here (http://wiki.mikrotik.com/wiki/Manual:PCC) for balancing the load of internet traffic between two internet connections. After following the steps, load balancing worked, but I was having the same issue as kotnik where port forwarding was intermittent. I found this page and followed macgaiver's advice and it worked after I realized that I was supposed to move the two rules from the "input" chain to the "prerouting" chain. Macgaiver, thank you for the help!
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Tue Mar 08, 2011 1:15 pm

OK, I have the same problem. I am struggling to understand what needs to be added and what goes where. Can someone please help me with my port forwarding? It seems to go out the other interface than the one it came in from!

Here is my conf:

mangle:

0 chain=input action=mark-connection new-connection-mark=wan1_conn
passthrough=no in-interface=ether1-mweb

1 chain=input action=mark-connection new-connection-mark=wan2_conn
passthrough=no in-interface=ether2-is

2 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=no
connection-mark=wan1_conn

3 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no
connection-mark=wan2_conn

4 chain=prerouting action=accept dst-address=41.134.110.0/28
in-interface=ether5-lan

5 chain=prerouting action=accept dst-address=196.212.100.0/28
in-interface=ether5-lan

6 ;;; ''
chain=prerouting action=mark-connection new-connection-mark=wan1_conn
passthrough=yes dst-address-type=!local in-interface=ether5-lan
per-connection-classifier=both-addresses:2/0

7 ;;; ''
chain=prerouting action=mark-connection new-connection-mark=wan2_conn
passthrough=yes dst-address-type=!local in-interface=ether5-lan
per-connection-classifier=both-addresses:2/1

8 chain=prerouting action=mark-routing new-routing-mark=to_wan1
passthrough=no in-interface=ether5-lan connection-mark=wan1_conn

9 chain=prerouting action=mark-routing new-routing-mark=to_wan2
passthrough=no in-interface=ether5-lan connection-mark=wan2_conn


nat:

0 chain=srcnat action=masquerade out-interface=ether1-mweb

1 chain=srcnat action=masquerade out-interface=ether2-is

2 ;;; Loop Back
chain=srcnat action=masquerade src-address=192.168.88.0/24
dst-address=192.168.88.2

3 ;;; FTP-SSH
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-22
protocol=tcp dst-address=41.134.110.111 dst-port=20-22

4 ;;; FTP-SSH
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-22
protocol=tcp dst-address=196.212.100.111 dst-port=20-22

5 ;;; WEB-APP
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80-81
protocol=tcp dst-address=41.134.110.111 dst-port=80-81

6 ;;; WEB-APP
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80-81
protocol=tcp dst-address=196.212.100.111 dst-port=80-81

7 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443
protocol=tcp dst-address=41.134.110.111 dst-port=443

8 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443
protocol=tcp dst-address=196.212.100.111 dst-port=443

9 ;;; CASHFREE
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203-3206
protocol=tcp dst-address=41.134.110.111 dst-port=3203-3206

10 ;;; CASHFREE
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203-3206
protocol=tcp dst-address=196.212.100.111 dst-port=3203-3206

11 ;;; VNC
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935
protocol=tcp dst-address=41.134.110.111 dst-port=5900-5935

12 ;;; VNC
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935
protocol=tcp dst-address=196.212.100.111 dst-port=5900-5935

13 ;;; CASHFREE
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6020
protocol=tcp dst-address=41.134.110.111 dst-port=6000-6020

14 ;;; CASHFREE
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6020
protocol=tcp dst-address=196.212.100.111 dst-port=6000-6020

15 ;;; KODE-PROGRAM
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000
protocol=tcp dst-address=41.134.110.111 dst-port=7000

16 ;;; KODE-PROGRAM
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000
protocol=tcp dst-address=196.212.100.111 dst-port=7000

17 ;;; ECS-COMMUNICATOR
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082
protocol=tcp dst-address=41.134.110.111 dst-port=8080-8082

18 ;;; ECS-COMMUNICATOR
chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082
protocol=tcp dst-address=196.212.100.111 dst-port=8080-8082

routes:

B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 41.134.110.110 1
1 A S 0.0.0.0/0 196.212.100.110 1
2 A S 0.0.0.0/0 41.134.110.110 1
3 S 0.0.0.0/0 196.212.100.110 2
4 ADC 41.134.110.0/28 41.134.110.111 ether1-mweb 0
5 ADC 192.168.88.0/24 192.168.88.1 ether5-lan 0
6 ADC 196.212.100.112/28 196.212.100.111 ether2-is 0

Please, if anyone can point the problem out, please tell me how to fix this problem.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Tue Mar 08, 2011 4:26 pm

Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Tue Mar 08, 2011 4:41 pm

OK, I got confused with the two, closed the one window and accidentally posted it on both!

OK, my problem is that when I enable my second interface, the I.S. one, all my port forwarding rules stop working on my mweb interface, and all my port forwarding rules only work on my second out interface, my I.S. one, and all my incoming connections that the rules are set up for on mweb eth1 seem to be leaving on the eth3 I.S. interface.

/ip address print detail:

0 ;;; Mweb-router
address=41.134.110.10/28 network=41.134.110.0 broadcast=41.134.110.15 interface=ether1-mweb actual-interface=ether1-mweb

1 ;;; internet solutions
address=196.212.100.148/28 network=196.212.100.144 broadcast=196.212.100.159 interface=ether2-is actual-interface=ether2-is

2 ;;; lan
address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 interface=ether5-lan actual-interface=ether5-lan

/ip route print detail:

0 A S dst-address=0.0.0.0/0 gateway=41.134.110.9 gateway-status=41.134.110.9 reachable ether1-mweb check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_wan1

1 A S dst-address=0.0.0.0/0 gateway=196.212.100.145 gateway-status=196.212.100.145 reachable ether2-is check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_wan2

2 A S dst-address=0.0.0.0/0 gateway=41.134.110.9 gateway-status=41.134.110.9 reachable ether1-mweb check-gateway=ping distance=1 scope=30 target-scope=10

3 S dst-address=0.0.0.0/0 gateway=196.212.100.145 gateway-status=196.212.100.145 reachable ether2-is check-gateway=ping distance=2 scope=30 target-scope=10

4 ADC dst-address=41.134.110.0/28 pref-src=41.134.110.10 gateway=ether1-mweb gateway-status=ether1-mweb reachable distance=0 scope=10

5 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether5-lan gateway-status=ether5-lan reachable distance=0 scope=10

6 ADC dst-address=196.212.100.144/28 pref-src=196.212.100.148 gateway=ether2-is gateway-status=ether2-is reachable distance=0 scope=10


/interface print:

0 R ether1-mweb ether 1500 1526
1 R ether2-is ether 1500 1524
2 ether3 ether 1500 1524
3 ether4 ether 1500 1524
4 R ether5-lan ether 1500 1524

/ip firewall export:

# mar/08/2011 16:39:14 by RouterOS 4.17
# software id = RKB6-95FL
#
/ip firewall connection tracking
set enabled=yes generic-timeout=15m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=1m10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=\
1m10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=ether1-mweb new-connection-mark=wan1_conn passthrough=no
add action=mark-connection chain=input comment="" disabled=no in-interface=ether2-is new-connection-mark=wan2_conn passthrough=no
add action=mark-routing chain=output comment="" connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=41.134.110.0/28 in-interface=ether5-lan
add action=accept chain=prerouting comment="" disabled=no dst-address=196.212.100.0/28 in-interface=ether5-lan
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether5-lan new-connection-mark=wan1_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether5-lan new-connection-mark=wan2_conn passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no in-interface=ether5-lan new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no in-interface=ether5-lan new-routing-mark=to_wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1-mweb
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether2-is
add action=masquerade chain=srcnat comment="Loop Back" disabled=no dst-address=192.168.88.2 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=FTP-SSH disabled=no dst-address=41.134.110.10 dst-port=20-22 protocol=tcp to-addresses=192.168.88.2 to-ports=20-22
add action=dst-nat chain=dstnat comment=FTP-SSH disabled=no dst-address=196.212.100.148 dst-port=20-22 protocol=tcp to-addresses=192.168.88.2 to-ports=20-22
add action=dst-nat chain=dstnat comment=WEB-APP disabled=no dst-address=41.134.110.10 dst-port=80-81 protocol=tcp to-addresses=192.168.88.2 to-ports=80-81
add action=dst-nat chain=dstnat comment=WEB-APP disabled=no dst-address=196.212.100.148 dst-port=80-81 protocol=tcp to-addresses=192.168.88.2 to-ports=80-81
add action=dst-nat chain=dstnat comment=HTTPS disabled=no dst-address=41.134.110.10 dst-port=443 protocol=tcp to-addresses=192.168.88.2 to-ports=443
add action=dst-nat chain=dstnat comment=HTTPS disabled=no dst-address=196.212.100.148 dst-port=443 protocol=tcp to-addresses=192.168.88.2 to-ports=443
add action=dst-nat chain=dstnat comment=CASHFREE disabled=no dst-address=41.134.110.10 dst-port=3203-3206 protocol=tcp to-addresses=192.168.88.2 to-ports=3203-3206
add action=dst-nat chain=dstnat comment=CASHFREE disabled=no dst-address=196.212.100.148 dst-port=3203-3206 protocol=tcp to-addresses=192.168.88.2 to-ports=3203-3206
add action=dst-nat chain=dstnat comment=VNC disabled=no dst-address=41.134.110.10 dst-port=5900-5935 protocol=tcp to-addresses=192.168.88.2 to-ports=5900-5935
add action=dst-nat chain=dstnat comment=VNC disabled=no dst-address=196.212.100.148 dst-port=5900-5935 protocol=tcp to-addresses=192.168.88.2 to-ports=5900-5935
add action=dst-nat chain=dstnat comment=CASHFREE disabled=no dst-address=41.134.110.10 dst-port=6000-6020 protocol=tcp to-addresses=192.168.88.2 to-ports=6000-6020
add action=dst-nat chain=dstnat comment=CASHFREE disabled=no dst-address=196.212.100.148 dst-port=6000-6020 protocol=tcp to-addresses=192.168.88.2 to-ports=6000-6020
add action=dst-nat chain=dstnat comment=KODE-PROGRAM disabled=no dst-address=41.134.110.10 dst-port=7000 protocol=tcp to-addresses=192.168.88.2 to-ports=7000
add action=dst-nat chain=dstnat comment=KODE-PROGRAM disabled=no dst-address=196.212.100.148 dst-port=7000 protocol=tcp to-addresses=192.168.88.2 to-ports=7000
add action=dst-nat chain=dstnat comment=ECS-COMMUNICATOR disabled=no dst-address=41.134.110.10 dst-port=8080-8082 protocol=tcp to-addresses=192.168.88.2 to-ports=8080-8082
add action=dst-nat chain=dstnat comment=ECS-COMMUNICATOR disabled=no dst-address=196.212.100.148 dst-port=8080-8082 protocol=tcp to-addresses=192.168.88.2 to-ports=8080-8082
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=yes
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Tue Mar 08, 2011 5:02 pm

Read the thread I linked to in the other post you made.
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:01 pm

OK, I did take a look and tried to configure it, but no luck. What is specifically missing in my config?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:03 pm

The part where you're marking connections based on where they come in from.

It really doesn't get much clearer than the thread I linked to.
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:09 pm

OK, but why firewall filter? Do I really need it? Or is there a simpler way, like just adding the mangle and NAT rules?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:20 pm

Filters are not required. You only need mangle and NAT rules.
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:25 pm

It's this link, right? http://forum.mikrotik.com/viewtopic.php?f=2&t=49581 This is the part I'm missing:

# don't mark traffic going to directly connected WAN networks
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
# mark web server connections established from WAN to LAN coming in wlan1 accordingly. If you have static IPs, you can also refer to them here as dst-address.
add chain=prerouting connection-state=new in-interface=wlan1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=wlan1_conn
# mark web server connections established from WAN to LAN coming in wlan2 accordingly
add chain=prerouting connection-state=new in-interface=wlan2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=wlan2_conn
# force traffic to 1.1.1.1/32 out wlan1
add chain=prerouting dst-address=1.1.1.1/32 in-interface=Local action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
# force traffic to 2.2.2.2/32 out wlan2
add chain=prerouting dst-address=2.2.2.2/32 in-interface=Local action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

Am I correct?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Forwarding with PCC

Tue Mar 08, 2011 7:52 pm

Yes. Also you need to edit the PCC lines as indicated in that post.
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Fri Mar 11, 2011 6:47 am

Well, it works beautifully! Now all the forwarding is working well. Thanks, this is awesome!
 
arthurmitch
Frequent Visitor
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: Port Forwarding with PCC

Wed Mar 23, 2011 12:09 pm

OK, well, a new problem just stuck its head up onto my table. When I remove my MT RB750 and use my normal ClearOS firewall with just port 21 forwarded to my FTP server, FTP still works, and lftp works when downloading the file ELITE GRP_MR1_PROCESSING_201103180900985.csv. But when I put my RB750 back, all my port forwarding works and I can FTP to it with lftp, but when I try to do an nlist it hangs and does not display anything. When I rename the file to ELITE MR1_PROCESSING_201103180900985.csv and do an nlist, then it works. Why is that? lftp works with the programs my programmer has written, and he uses the nlist command to display the files to be copied.
