Community discussions

MUM Europe 2020
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Problem due Port Forward

Fri Jul 26, 2013 5:25 pm

Hi,

im trying to forward a Port 80, i got from my ISP a /29 Net.
I can reach the Router of my ISP via 99.99.99.121 (example IP)
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 A S  0.0.0.0/0                          83.236.242.121            1
 2 ADC  10.20.50.0/24      10.20.50.6      ether1                    0
 3 ADC  99.99.99.120/29    99.99.99.122    ether7                    0
 4 ADC  172.16.10.0/24     172.16.10.45    ether2                    0

 
 [admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 

    chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80 
 

 [admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7    
i dont get it, what ive made wrong, maybe someone find whats wrong here.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Fri Jul 26, 2013 5:32 pm

Is the ip 99.99.99.122 or 99.99.99.123? Usually the pref-src is the ip assigned to the interface.
/ip route
3 ADC 99.99.99.120/29 99.99.99.122 ether7 0

/ip firewall nat
chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Fri Jul 26, 2013 5:41 pm

Hi Tim,

the 99.99.99.122 is a IP they get SNAT, and for surfing.

the 99.99.99.123 is at the Router on a seperate Port, for DMZ, and the IP are from an /29 IP Block.

99.99.99.121 is in this case my Gateway, because the ISP dont give out ppoe Settings.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Fri Jul 26, 2013 5:45 pm

Anything in your "/ip firewall filter" that might block it?
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Fri Jul 26, 2013 5:48 pm

nope, i cleared all up :-)
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Fri Jul 26, 2013 5:50 pm

OK. What does this mean by "separate port"? Port like port 80? Or port like interface?
the 99.99.99.123 is at the Router on a seperate Port, for DMZ, and the IP are from an /29 IP Block.
...and this?
/ip address
2 99.99.99.120/29 99.99.99.120 ether7
I see no other ip assignment.
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Fri Jul 26, 2013 6:42 pm

Oh, with Port i mean Interface, we call it here in Germany mainly Port.

Interface 1: Internal Network, 10.20.50.0/24
Interface 2: DMZ (With the DNAT Problem)

Interface 7: Uplink to the Router of our ISP, the Router has 99.99.99.121 as IP.

The Internet Connection works with SNAT and im using here the 99.99.99.122 as IP, but the
Webserver should be reachable on 99.99.99.123
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Fri Jul 26, 2013 9:55 pm

So you have 99.99.99.123/29 assigned to ether7 also? That did not show on your "/ip address". All I saw is this, and that does not look right.
2 99.99.99.120/29 99.99.99.120 ether7
Can you ping 99.99.99.123?
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 11:28 am

No, i assigned 99.99.99.120/29 to ether7 (uplink to Router of the ISP), because the ISP uses for his Router 99.99.99.121 as Gateway, so im using 99.99.99.122 for interface 1 and SNAT.

DNAT have to work with 99.99.99.123, but here's the Problem.

and 99.99.99.123 isnt pingable.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:03 pm

Can you ping 99.99.99.122? I don't see it assigned to that interface either.

Is there something special about your ISP connection?
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 12:05 pm

Yes the 99.99.99.122 i can ping, in addresses i added with gateway 122. Look at the routes, it routes to 121.

Im sure the Problem is there in assignment 123 to the interface 7, because dnat settings looks good.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:15 pm

Post "/ip address".
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 12:17 pm

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7   
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:23 pm

Where is the assignment for 99.99.99.122? Where is the assignment for 99.99.99.123?

I see only 99.99.99.120 assigned to that interface. Is there something else about your ISP connection that would be out of the ordinary?
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 12:26 pm

Yes, but the 99.99.99.120/29 has the Gateway at Mikrotik Router on 99.99.99.122 and on the Router of the ISP on 99.99.99.121.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:29 pm

Where is 99.99.99.122 assigned? Not in "/ip address" on that router. ??
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 12:37 pm

yes, its assigned on the router via ip addresses, the 122 works as gateway address
You do not have the required permissions to view the files attached to this post.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:42 pm

I don't see that in "/ip address" that you posted for that router.
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Sat Jul 27, 2013 12:44 pm

you see this only in the route with pref source.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem due Port Forward

Sat Jul 27, 2013 12:50 pm

you see this only in the route with pref source.
Why? It should show the correct ip and subnet in "/ip address", and it does. 99.99.99.120/29

Here is what I expected to see:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.122/29    99.99.99.120    ether7

 3   99.99.99.123/29    99.99.99.120    ether7 
Add: If you are using a masquerade in "/ip firewall nat", you must change that to a srcnat to insure it "masquerades" as the correct ip.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=99.99.99.122 out-interface=ether7
 
raz
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Problem due Port Forward

Mon Jul 29, 2013 5:26 pm

This was the Solution :-) Thanks Tim.

Who is online

Users browsing this forum: Google [Bot] and 87 guests