Problem due Port Forward

Posted: Fri Jul 26, 2013 5:25 pm
by raz
Hi,

I'm trying to forward port 80. I got a /29 net from my ISP.
I can reach the router of my ISP via 99.99.99.121 (example IP).
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 A S  0.0.0.0/0                          83.236.242.121            1
 2 ADC  10.20.50.0/24      10.20.50.6      ether1                    0
 3 ADC  99.99.99.120/29    99.99.99.122    ether7                    0
 4 ADC  172.16.10.0/24     172.16.10.45    ether2                    0

 
 [admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 

    chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80 
 

 [admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7    
I don't get what I've done wrong; maybe someone can find what's wrong here.

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 5:32 pm
by SurferTim
Is the ip 99.99.99.122 or 99.99.99.123? Usually the pref-src is the ip assigned to the interface.
/ip route
3 ADC 99.99.99.120/29 99.99.99.122 ether7 0

/ip firewall nat
chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 5:41 pm
by raz
Hi Tim,

The 99.99.99.122 is an IP that gets SNAT, and is for surfing.

The 99.99.99.123 is at the router on a separate port, for DMZ, and the IPs are from a /29 IP block.

99.99.99.121 is in this case my gateway, because the ISP doesn't give out PPPoE settings.

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 5:45 pm
by SurferTim
Anything in your "/ip firewall filter" that might block it?

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 5:48 pm
by raz
Nope, I cleared it all up :-)

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 5:50 pm
by SurferTim
OK. What does this mean by "separate port"? Port like port 80? Or port like interface?
"The 99.99.99.123 is at the router on a separate port, for DMZ, and the IPs are from a /29 IP block."
...and this?
/ip address
2 99.99.99.120/29 99.99.99.120 ether7
I see no other ip assignment.

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 6:42 pm
by raz
Oh, by port I mean interface; here in Germany we mainly call it a port.

Interface 1: Internal Network, 10.20.50.0/24
Interface 2: DMZ (With the DNAT Problem)

Interface 7: Uplink to the Router of our ISP, the Router has 99.99.99.121 as IP.

The Internet connection works with SNAT and I'm using 99.99.99.122 as the IP here, but the
webserver should be reachable on 99.99.99.123.

Re: Problem due Port Forward

Posted: Fri Jul 26, 2013 9:55 pm
by SurferTim
So you have 99.99.99.123/29 assigned to ether7 also? That did not show on your "/ip address". All I saw is this, and that does not look right.
2 99.99.99.120/29 99.99.99.120 ether7
Can you ping 99.99.99.123?

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 11:28 am
by raz
No, I assigned 99.99.99.120/29 to ether7 (uplink to the router of the ISP), because the ISP uses 99.99.99.121 as the gateway for its router, so I'm using 99.99.99.122 for interface 1 and SNAT.

DNAT has to work with 99.99.99.123, but here's the problem.

And 99.99.99.123 isn't pingable.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:03 pm
by SurferTim
Can you ping 99.99.99.122? I don't see it assigned to that interface either.

Is there something special about your ISP connection?

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:05 pm
by raz
Yes, the 99.99.99.122 I can ping; in addresses I added with gateway 122. Look at the routes, it routes to 121.

I'm sure the problem is in the assignment of 123 to interface 7, because the DNAT settings look good.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:15 pm
by SurferTim
Post "/ip address".

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:17 pm
by raz
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7   

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:23 pm
by SurferTim
Where is the assignment for 99.99.99.122? Where is the assignment for 99.99.99.123?

I see only 99.99.99.120 assigned to that interface. Is there something else about your ISP connection that would be out of the ordinary?

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:26 pm
by raz
Yes, but the 99.99.99.120/29 has the gateway at the MikroTik router on 99.99.99.122 and on the router of the ISP on 99.99.99.121.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:29 pm
by SurferTim
Where is 99.99.99.122 assigned? Not in "/ip address" on that router. ??

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:37 pm
by raz
Yes, it's assigned on the router via IP addresses; the 122 works as the gateway address.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:42 pm
by SurferTim
I don't see that in "/ip address" that you posted for that router.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:44 pm
by raz
You see this only in the route with pref source.

Re: Problem due Port Forward

Posted: Sat Jul 27, 2013 12:50 pm
by SurferTim
"You see this only in the route with pref source."
Why? It should show the correct ip and subnet in "/ip address", and it does. 99.99.99.120/29

Here is what I expected to see:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.122/29    99.99.99.120    ether7
 3   99.99.99.123/29    99.99.99.120    ether7
Add: If you are using a masquerade in "/ip firewall nat", you must change that to a srcnat to ensure it "masquerades" as the correct ip.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=99.99.99.122 out-interface=ether7
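
A check for the misconfiguration resolved in this thread, as an added example that is not part of any post: it parses "/ip address print" and "/ip firewall nat print" listings (constructed here from the first post's output) and flags an interface address that is its subnet's network or broadcast address, and a dst-nat dst-address the router does not own. It assumes the public subnet is directly connected, as on ether7 here; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the listings from the first post, trimmed to the fields used.
ADDRESS_PRINT = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   10.20.50.1/24      10.20.50.0      ether1
 1   172.16.10.1/24     172.16.10.0     ether2
 2   99.99.99.120/29    99.99.99.120    ether7
"""
NAT_PRINT = """\
    chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80
"""

# Row number, optional X/I/D flags, ADDRESS, NETWORK, INTERFACE.
ROW = re.compile(r"^\s*\d+\s+(?:[XID]+\s+)?(\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+(\S+)", re.M)


def parse_addresses(text):
    """Return [(IPv4Interface, interface_name)] from '/ip address print' output."""
    return [(ipaddress.ip_interface(a), ifname) for a, ifname in ROW.findall(text)]


def parse_dstnat_targets(text):
    """Return the dst-address of every dst-nat rule in '/ip firewall nat print' output."""
    targets = []
    for line in text.splitlines():
        kv = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if kv.get("action") == "dst-nat" and "dst-address" in kv:
            targets.append(ipaddress.ip_address(kv["dst-address"]))
    return targets


def audit(address_text, nat_text):
    """List unusable host addresses and dst-nat targets the router does not own."""
    addrs = parse_addresses(address_text)
    findings = []
    for iface, name in addrs:
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{iface} on {name} is the network/broadcast address of {net}")
    owned = {iface.ip for iface, _ in addrs}
    for target in parse_dstnat_targets(nat_text):
        if target not in owned:
            findings.append(f"dst-nat dst-address {target} is not assigned to any interface")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(ADDRESS_PRINT, NAT_PRINT)))
```

Run against the listing SurferTim expected (99.99.99.122/29 and 99.99.99.123/29 on ether7), the audit returns no findings.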

Re: Problem due Port Forward

Posted: Mon Jul 29, 2013 5:26 pm
by raz
This was the Solution :-) Thanks Tim.