Port Forwarding working only on first Nat rule

djboxny · Fri Nov 18, 2011 9:23 am

I have a RB 435g, installed with 5.7 router os, the issue i am having is that i am trying to do port forwarding because i am using it as a home router and onlye the first forwarding rule that i create in the NAT tab works, If i create a second rule it wont work. If i move the second rule to first place it works fine. This is very confusing to me

I have

[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R WAN ether 1500 1524
1 R LAN ether 1500 1524
2 X ether3 ether 1500 1524
3 X wlan1 wlan 1500

TealFrog · Fri Nov 18, 2011 10:35 am

I have to admit I am somewhat new to Tik routers myself; however, I suspect that at a minimum more information will be needed. If I had to take an educated guess, there is something matching the first rule that isn't allowing the next rule to be processed. If you can issue the following commands on the router, copy and paste the results here, then it may help to determine the nature of the issue.

/ip address print detail without-paging
/ip firewall nat print detail without-paging

More information may be needed depending on the results.

Regards.

Feklar · Fri Nov 18, 2011 4:38 pm

Chances are your rules are too general, so they catch everything, instead of just what you are looking for. So order is important, and how specific or general your rules are is also very important.

djboxny · Sat Nov 19, 2011 3:08 am

xxx is my WAN ip

[admin@MikroTik] > ip address print detail without-paging
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; added by setup
address=192.168.1.1/24 network=192.168.1.0 interface=LAN
actual-interface=LAN

1 ;;; added by setup
address=xxx.xxx.xxx.116/24 network=xxx.xxx.xxx.xxx interface=WAN
actual-interface=WAN

wan interface is a static ip provided by my isp. that is working fine

[admin@MikroTik] > / ip firewall nat print detail without-paging
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN

1 ;;; Avermedia 1
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=5550
protocol=tcp dst-address=173.220.110.xxx

2 ;;; Avermedia 2
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=5550
protocol=udp dst-address=xxx.xxx.xxx.xxx

3 ;;; Air Video 1
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=45631
protocol=tcp dst-address=xxx.xxx.xxx.xxx

4 ;;; Air Video 2
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=45631
protocol=udp dst-address=xxx.xxx.xxx.xxx

fewi · Sat Nov 19, 2011 3:35 am

xxx is my WAN ip

[admin@MikroTik] > ip address print detail without-paging
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; added by setup
address=192.168.1.1/24 network=192.168.1.0 interface=LAN
actual-interface=LAN

1 ;;; added by setup
address=xxx.xxx.xxx.116/24 network=xxx.xxx.xxx.xxx interface=WAN
actual-interface=WAN

wan interface is a static ip provided by my isp. that is working fine

[admin@MikroTik] > / ip firewall nat print detail without-paging
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN

1 ;;; Avermedia 1
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=5550
protocol=tcp dst-address=173.220.110.xxx

2 ;;; Avermedia 2
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=5550
protocol=udp dst-address=xxx.xxx.xxx.xxx

3 ;;; Air Video 1
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=45631
protocol=tcp dst-address=xxx.xxx.xxx.xxx

4 ;;; Air Video 2
chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=45631
protocol=udp dst-address=xxx.xxx.xxx.xxx

Everyone else was spot on - your rules are FAR too broad.

chain=dstnat action=dst-nat to-addresses=192.168.1.135 to-ports=5550 
     protocol=tcp dst-address=173.220.110.xxx

That means, translated to English, "forward all TCP traffic destined to 173.220.110.x to 192.168.1.135 on port 5550". Note here that you told the the router to forward ALL TCP traffic to that port, regardless of what port it was originally to. You want to add dst-port=5550 to that - presumably, anyway. Traffic never reaches the second TCP rule because all TCP traffic already matched the previous rule that matched all TCP traffic. Change the other rules accordingly. The router will do exactly what you tell it to, so if you only want to forward traffic to a specific port and IP to a different IP port you need to specify all parts of that.

djboxny · Sat Nov 19, 2011 3:42 am

So where i put my destination wan ip, also put the port? On the nat - General tab?

fewi · Sat Nov 19, 2011 4:12 am

Not sure, I don't have winbox available. It should say "destination port" somewhere near where you pick TCP as a protocol, going by memory.

djboxny · Sat Nov 19, 2011 5:10 am

That worked perfectly, thanks guys