Weird behaviour for NAT

Rudios · Mon Mar 16, 2015 10:07 am

Picture the following situation.

ADSL Modem with normal home use, so including NAT and firewall.
IP address inside 192.168.12.1/24

3 nat rules

incoming ports 10022, 10080 and 18291 are forwarded to 192.168.12.2, no change of ports.

Connected Mikrotik with ether1, with IP address 192.168.12.2/24

Second IP address of MikroTik is 192.168.2.1/24

Mikrotik has no Firewall filter rules but does have several NAT rules

Mikrotik has 4 NAT rules (3 x dstnat and 1 masquerading srcnat)

/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward tcp:10022 to tcp:22" dst-port=10022 in-interface=ether1 protocol=tcp to-addresses=192.168.2.1 to-ports=22
add action=dst-nat chain=dstnat comment="Forward tcp:10080 to tcp:80" dst-port=10080 in-interface=ether1 protocol=tcp to-addresses=192.168.2.1 to-ports=80
add action=dst-nat chain=dstnat comment="Forward tcp:18291 to tcp:8291" dst-port=18291 in-interface=ether1 protocol=tcp to-addresses=192.168.2.1 to-ports=8291

two of the mentioned three work, SSH and winbox but the port 80 forward is nagging me.
When I try to open the webpage of the MikroTik I get a message telling "Connection has reset" and I can't get any clue why this is happening.
I have investigated the NAT and input/output chains and all seems normal.

Anybody having some advice here?

Caci99 · Mon Mar 16, 2015 11:41 am

Why are you trying to dstnat to the router itself? In your dstnat rules you have specified as to-addresses the IP of the router, you are doing some kind of redirect here. The dstnat rules on the modem should be sufficient to reach the router services you are trying to reach.
Although I would suggest to turn the modem into bridge and let Mikrotik router handle the WAN connection coming from modem.

Rudios · Mon Mar 16, 2015 2:49 pm

Why are you trying to dstnat to the router itself? In your dstnat rules you have specified as to-addresses the IP of the router, you are doing some kind of redirect here. The dstnat rules on the modem should be sufficient to reach the router services you are trying to reach.
Although I would suggest to turn the modem into bridge and let Mikrotik router handle the WAN connection coming from modem.

I am unable to put the modems in bridge mode because they are shared between me and other people.
And the reason I have dstnat on both the modem (obviously needed to forward to the routerboard) and on the MikroTik itself is because I can not forward to a different port on the modem.
Forwarding 10080 will automatically forward towards 10080.
Because HTTP is running on 80 (duh) on the MikroTik I created an additional rule there.
The strange thing is that for SSH (10022 - 22) and Winbox (18291 - 8291) I did exactly the same, and that is functioning perfect.

Caci99 · Mon Mar 16, 2015 6:49 pm

Have you tried to change the service ports on mikrotik router?

Rudios · Tue Mar 17, 2015 2:37 pm

Changing the port to something else (i tried 81) did not make any difference (Obviously also changed the NAT rules

).

The thing that did help was rebooting the device.
Still I have no clue what went wrong but after reboot http is working again.

Weird behaviour for NAT

Weird behaviour for NAT

Re: Weird behaviour for NAT

Re: Weird behaviour for NAT

Re: Weird behaviour for NAT

Who is online