fraxen
just joined
Topic Author
Posts: 5
Joined: Mon May 08, 2023 2:16 pm

Simple port mapping

Mon May 08, 2023 2:27 pm

Hi,
I have an ac^3 running ROS 6.49.7, and it is working out very well. Now I have set up a pihole DNS server for local use, and it is running on port 53053 (tcp/udp) on a host on the LAN 192.168.88.218.
I had to run it on port 53053 due to a conflict on the host.
Now I want to remap all traffic on port 53 to 192.168.88.218 to port 53053 on that same host, for any traffic that is originating from within the NAT (192.168.88.0/24).
I have experimented a bit with different NAT-rules, but I can't get it to work, could someone please point me in the right direction?
Thanks!
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Mon May 08, 2023 7:10 pm

A. You need to ensure the pihole/adguard can reach the main cloud DNS to initiate the connection.
THUS keep
/ip dns
set allow-remote-requests=yes servers=1.1.1.2

On the ip dhcp-server network
put DNS-server=IP of the pihole

On the NAT settings
action=dst-nat chain=dstnat dst-port=53 protocol=tcp in-interface-list=LAN src-address-list=!excluded to-addresses=IPofpihole to-ports=53053
action=dst-nat chain=dstnat dst-port=53 protocol=udp in-interface-list=LAN src-address-list=!excluded to-addresses=IPofpihole to-ports=53053

Where the firewall address list is comprised of
add address=IPofAdguard list=excluded
add address=anyUSER/DEVICE not requiring forcing list=excluded
add address=anysubnet not required forcing list=excluded

+++++++++++++++++++++++++++++++++++++++++++++++++++++

something like that anyway.
 
fraxen
just joined
Topic Author
Posts: 5
Joined: Mon May 08, 2023 2:16 pm

Re: Simple port mapping

Mon May 08, 2023 11:40 pm

Thanks!

I thought I'd focus on the actual port (re)mapping, I have been running pi-hole without problem on another host on the same network previously. As a first stage I am looking at the mapping of tcp traffic on this port, but it doesn't seem to work, and the page for the rule shows 0 Bytes/Packets, even though I am testing queries...
add action=dst-nat chain=dstnat dst-address=192.168.88.218 dst-port=53\
    in-interface-list=LAN protocol=tcp src-port="" to-addresses=192.168.88.218\
    to-ports=53053
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Mon May 08, 2023 11:57 pm

Your rule is wrong, you have to-address, no requirement for dst-address!!
You also forgot the excluded list.
 
fraxen
just joined
Topic Author
Posts: 5
Joined: Mon May 08, 2023 2:16 pm

Re: Simple port mapping

Tue May 09, 2023 9:53 am

Ok, how about this then?
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN log=yes protocol=tcp src-address-list=!excluded to-addresses=192.168.88.218 to-ports=53053
telnet 192.168.88.218 53 (no response)
portqry -n 192.168.88.218 -e 53 -p TCP (response: FILTERED)
If I try the above commands on port 53053 I get the expected response (talking to a listening service)

The Bytes/Packets on the rule list in Winbox is still 0/0...
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Simple port mapping

Tue May 09, 2023 11:07 am

When doing port forwarding (or mapping as you call it), then from client's perspective you have to target the NAT device, i.e. your router. If you're targeting server directly, and server and client are on the same LAN, then NAT device generally won't interfere (even if both client and server are physically connected to NAT device ... as those ports are most probably part of bridge and traffic between bridge ports bypasses the L3 machinery - routing and firewalling).

Assuming router's LAN address is 192.168.88.1, try with command
telnet 192.168.88.1 53
 
fraxen
just joined
Topic Author
Posts: 5
Joined: Mon May 08, 2023 2:16 pm

Re: Simple port mapping

Tue May 09, 2023 2:46 pm

Thanks @mkx I wasn't aware of the fact that the traffic would be skipping NAT rules if they are in the same subnet.
I feel that I am so close now! I can see that the traffic counters increment now, if I try to communicate with 192.168.88.1 on port 53 (and I can see it in the log, when I activate log of the traffic on this rule) - but I still don't get any response when I try e.g. telnet (or portqry).
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Simple port mapping

Tue May 09, 2023 6:53 pm

Another gotcha: if all three devices (client, router and server) are in the same subnet, then there's a routing triangle (which means that server sends replies back to client directly and thus bypasses router which has to undo the DST NAT magic). This mightily upsets both client (which is receiving replies from third-party device) and router (which doesn't see replies and thus considers connection not properly established).
In this case hairpin NAT has to be configured. The drawback is that every LAN client connection will appear to server as if the router was connecting (so you lose observability, functionality is fine).
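As an added illustration (not code from the thread or from any poster), the following Python model walks through the routing triangle mkx describes: a LAN client sends its DNS query to the router's LAN address, the dstnat rule redirects it to 192.168.88.218:53053, and the server's reply either crosses the bridge straight back to the client (no hairpin, so the client sees an answer from an unexpected peer and the router never sees the reply) or goes back to the router (hairpin masquerade), which undoes both translations. It also models the earlier attempt of targeting the server's own IP on port 53, which per mkx's previous post is bridged directly and never reaches the NAT rules at all. The client address 192.168.88.50, its source port 40000, the string-prefix subnet check and the one-entry-per-flow conntrack table are constructed for this toy and are not RouterOS behaviour in detail.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses and ports from the thread; the client address/port are constructed.
ROUTER_IP = "192.168.88.1"
SERVER_IP = "192.168.88.218"
SERVER_PORT = 53053
LAN_PREFIX = "192.168.88."      # stands in for 192.168.88.0/24 in this toy model
CLIENT_IP = "192.168.88.50"     # constructed sample client
CLIENT_PORT = 40000             # constructed sample ephemeral source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def reaches_router_l3(pkt: Packet) -> bool:
    """Per mkx: LAN-to-LAN traffic between bridge ports is switched and never hits
    routing/firewall/NAT; only packets addressed to the router itself do."""
    return pkt.dst == ROUTER_IP


class Router:
    """Toy dstnat (router:53 -> server:53053) plus optional hairpin masquerade,
    with a conntrack table so replies that reach the router can be un-translated."""

    def __init__(self, hairpin: bool) -> None:
        self.hairpin = hairpin
        # key: (server_ip, server_port, translated_src, translated_sport)
        # value: the original packet exactly as the client sent it
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}
        self.replies_seen = 0

    def forward(self, pkt: Packet) -> Packet:
        # dst-nat rule: dst-address=192.168.88.1 dst-port=53 -> 192.168.88.218:53053
        if not (pkt.dst == ROUTER_IP and pkt.dport == 53):
            return pkt
        xlated = Packet(pkt.src, pkt.sport, SERVER_IP, SERVER_PORT)
        # hairpin rule: srcnat masquerade src-address=LAN dst-address=LAN
        if self.hairpin and in_lan(xlated.src) and in_lan(xlated.dst):
            xlated = Packet(ROUTER_IP, xlated.sport, xlated.dst, xlated.dport)
        self.conntrack[(xlated.dst, xlated.dport, xlated.src, xlated.sport)] = pkt
        return xlated

    def undo(self, reply: Packet) -> Optional[Packet]:
        """Reverse both translations for a reply the router actually receives."""
        self.replies_seen += 1
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None   # no matching flow: conntrack would treat it as invalid
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """The pihole answers whatever source it saw, swapping the 4-tuple."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def simulate(hairpin: bool) -> dict:
    """Client sends a DNS query to router:53; report what comes back and from whom."""
    router = Router(hairpin)
    query = Packet(CLIENT_IP, CLIENT_PORT, ROUTER_IP, 53)
    reply = server_reply(router.forward(query))
    if reaches_router_l3(reply):
        delivered = router.undo(reply)      # hairpin path: router un-NATs the reply
    else:
        delivered = reply                   # triangle: bridge hands it to the client
    accepted = (delivered is not None and delivered.src == ROUTER_IP
                and delivered.sport == 53 and delivered.dst == CLIENT_IP
                and delivered.dport == CLIENT_PORT)
    return {
        "client_sees_from": None if delivered is None else (delivered.src, delivered.sport),
        "router_saw_reply": router.replies_seen == 1,
        "client_accepts": accepted,
    }


def simulate_direct_to_server() -> dict:
    """Targeting 192.168.88.218:53 directly: the query is bridged straight to the
    server, so the dstnat rule never sees it (hence a 0/0 rule counter) and
    nothing listens on port 53 on that host."""
    query = Packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, 53)
    saw = reaches_router_l3(query)
    nat_applied = saw and Router(hairpin=False).forward(query) != query
    return {"router_saw_query": saw, "nat_applied": nat_applied}


if __name__ == "__main__":
    print("no hairpin:", simulate(hairpin=False))
    print("hairpin   :", simulate(hairpin=True))
    print("direct    :", simulate_direct_to_server())
```

Running it shows the three outcomes side by side: without hairpin the client receives an answer from 192.168.88.218:53053 instead of 192.168.88.1:53 and discards it while the router's conntrack never sees the reply; with hairpin the reply is un-translated and accepted, at the cost that the server only ever sees the router's address as the client, which is the observability loss both posters mention.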
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Tue May 09, 2023 7:14 pm

Disagree mKX.

Not required if the dns-server is set to the adguard IP address.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.218 gateway=192.168.88.1


action=dst-nat chain=dstnat dst-port=53 protocol=tcp in-interface-list=LAN src-address-list=!excluded to-addresses=192.168.88.218 to-ports=53053
action=dst-nat chain=dstnat dst-port=53 protocol=udp in-interface-list=LAN src-address-list=!excluded to-addresses=192.168.88.218 to-ports=53053

Where excluded includes 192.168.88.218 as a minimum and may include other user/devices/subnets as required (those not forced through adguard).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This keeps the visibility of adguard into seeing/reporting the Dns queries per individual user.
Concur that if you use dns-server=192.168.88.1, then you need hairpin nat but I think you lose the adguard visibility into which user has which queries in adguard.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Tue May 09, 2023 7:15 pm

In any case we can speculate further but no point,
You need to post your config...........
/export file=anynameyouwish (minus router serial number and any public WANIP information)
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Simple port mapping

Tue May 09, 2023 10:29 pm

Disagree mKX.

My impression, based in post #1, is that OP is trying to run some sort of DNS server on LAN server and is trying to make other LAN devices to use it ... but hidden behind NAT ... probably because usual DNS clients expect to connect on standard port (53) while @OP can't use it on local DNS server. And because there's NAT in the game, hairpin NAT is needed as well.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Tue May 09, 2023 11:07 pm

Nope, I have it working without hairpin nat using an adguard on a pi server on the LAN.
Want to add more fun, it's four vlans, three including adguard vlan also go out wireguard tunnel for internet ;-)
Fourth vlan uses DOH dns on MT router for DNS.

In other words three vlans using adguard on router -->> users on all three vlans work just fine, no hairpin.
Keep in mind the key is to use adguard IP address for ip dhcp-server network settings for DNS server.

If you set the dns server to gateway IP then you need hairpin sourcenat rule. Don't ask me why though, will leave to the experts.
I thought the same as you until I was shown otherwise. The difference is you will understand why, I just accepted it.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Simple port mapping

Tue May 09, 2023 11:20 pm

Nope, I have it working without hairpin nat using an adguard on a pi server on the LAN.

On a non-standard port? Read opening post again, @OP is doing some funky stuff here.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple port mapping

Tue May 09, 2023 11:34 pm

Nope, I have it working without hairpin nat using an adguard on a pi server on the LAN.

On a non-standard port? Read opening post again, @OP is doing some funky stuff here.
Yes, concur, the difference between the two cases is the port translation. Hairpin was never about port translation though it was IP centric so I assumed that this additional wrinkle would not upset the apple cart.

In any case the OP has two suggestions to try.
a. dns-server set to 192.168.88.218 for all vlans/lans including the one that pihole is on, and no hairpin nat
b. dns-server set to 192.168.88.1 with hairpin nat rule only for vlan/lan pihole is on, all other vlans/lans use 192.168.88.218 (if any) and the necessary hairpin nat rule.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24

In both cases he still needs:
action=dst-nat chain=dstnat dst-port=53 protocol=tcp in-interface-list=LAN src-address-list=!excluded to-addresses=192.168.88.218 to-ports=53053
action=dst-nat chain=dstnat dst-port=53 protocol=udp in-interface-list=LAN src-address-list=!excluded to-addresses=192.168.88.218 to-ports=53053
 
fraxen
just joined
Topic Author
Posts: 5
Joined: Mon May 08, 2023 2:16 pm

Re: Simple port mapping

Wed May 10, 2023 1:41 pm

And now it works! I think it was the hairpin NAT rule that did the trick, thanks!
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=53 protocol=tcp to-addresses=192.168.88.218 to-ports=53053
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=53 protocol=udp to-addresses=192.168.88.218 to-ports=53053
I added dst-address in the rule on the advice of a friend, then I shouldn't need to exclude anything, right - only the dns lookups headed for the router on port 53 will be forwarded.
