tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Port forwarding in version 7.6 not working

Sat May 20, 2023 3:28 am

Hello, I searched for this issue and others seem to have similar issues and I tried all the solutions and nothing has worked for me. So here I am with a new entry (my first entry, so please bear with me):

I have an application inside the hAP-AX3 (C53UiG+5HPaxD2HPaxD) running on port 443. I'm trying to use TCP port 4545 to do a port-forwarding to my application:
-hAP-AX3 IP = 10.5.5.1
-Application IP = 10.5.5.8

I have another Mikrotik box with version 6.49 and the DSTNAT entry works just fine. But not on 7.x.
I upgraded to RouterOS 7.9 last night in hopes of this issue resolving but it hasn't. Here's the code (pretty default with just the one PortForwarding modification):
MikroTik RouterOS 7.9 (c) 1999-2023       https://www.mikrotik.com/

# may/19/2023 20:13:59 by RouterOS 7.9
# software id = 6B6Q-08V7
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxxx
/interface bridge
add admin-mac=48:A9:8A:51:B9:3C auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MYWIFIROUTER disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MYWIFIROUTER disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.5.5.101-10.5.5.219
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.5.5.1/24 comment=defconf interface=bridge network=10.5.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.5.5.0/24 comment=defconf dns-server=1.1.1.1,9.9.9.9 gateway=10.5.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.5.5.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Mesh access from outside" dst-address-type=local dst-port=4545 in-interface=\
    ether1 log=yes protocol=tcp to-addresses=10.5.5.8 to-ports=443
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set memory-limit=1000KiB only-headers=yes
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding in version 7.6 not working

Sun May 21, 2023 4:14 pm

Couple of things to help most port forwarding scenarios work well

(1) Modify forward chain rule from
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


To
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

The funny thing is the first rule, you already had but didn't need as none of your rules blocked lan to wan traffic.
The new drop all ensures good security and all you need to do before the last drop rule is include traffic that needs to flow lan to wan, etc...

(2) Clean up your port forwarding rule.
from
add action=dst-nat chain=dstnat comment="Mesh access from outside" dst-address-type=local dst-port=4545 in-interface=\
ether1 log=yes protocol=tcp to-addresses=10.5.5.8 to-ports=443
TO
add action=dst-nat chain=dstnat comment="Mesh access from outside" dst-port=4545 in-interface=\
ether1 log=yes protocol=tcp to-addresses=10.5.5.8 to-ports=443

++++++++++++++++++++++++++++++++++++++++++++++++

Be advised your setup will allow external users using your WANIP (via a dyndns type name or IP cloud).
Internal users can reach the server directly by LANIP, but not via dyndns type name ( that will take xtra configuration moves ).
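The rule ordering in (1) above can be checked offline. The Python model below is an added example, not part of this thread and not anav's or MikroTik's code. It reduces the forward chain to the handful of matchers the posted rules use (connection-state, connection-nat-state, in/out interface list), assumes RouterOS first-match semantics with an implicit accept for a packet that reaches the end of a chain, and leaves out the ipsec and fasttrack rules because they do not decide any of the sample packets. The two rule sets are transcribed from the lists above; the sample packets are constructed.

```python
"""Constructed model of first-match evaluation in a RouterOS forward chain."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields the rules in this thread match on (a simplification)."""
    connection_state: str       # new / established / related / untracked / invalid
    connection_nat_state: str   # "dstnat", "srcnat", or "" when no NAT was applied
    in_list: str                # interface list of the ingress interface ("" = in no list)
    out_list: str               # interface list of the egress interface ("" = in no list)


def rule(action, comment, **match):
    """A forward-chain rule; match keys mirror the RouterOS matchers used in the thread."""
    return {"action": action, "comment": comment, "match": match}


def _field_matches(want, have):
    """RouterOS-style matcher: a leading '!' negates, a comma list means 'any of'."""
    negate = want.startswith("!")
    if negate:
        want = want[1:]
    hit = have in want.split(",")
    return not hit if negate else hit


def matches(r, pkt):
    return all(_field_matches(want, getattr(pkt, key)) for key, want in r["match"].items())


def evaluate(rules, pkt):
    """Walk the chain top-down; the first matching accept/drop decides.
    A packet reaching the end of a RouterOS chain without a match is accepted."""
    for r in rules:
        if matches(r, pkt) and r["action"] in ("accept", "drop"):
            return r["action"], r["comment"]
    return "accept", "end of chain (implicit accept)"


# Forward-chain rules as posted in the first config (order preserved; ipsec and
# fasttrack rules omitted because they never decide the packets below).
ORIGINAL_FORWARD = [
    rule("accept", "allow port forwarding", connection_nat_state="dstnat"),
    rule("accept", "defconf: accept established,related, untracked",
         connection_state="established,related,untracked"),
    rule("drop", "defconf: drop invalid", connection_state="invalid"),
    rule("drop", "defconf: drop all from WAN not DSTNATed",
         connection_nat_state="!dstnat", connection_state="new", in_list="WAN"),
    rule("accept", "allow internet traffic", in_list="LAN", out_list="WAN"),
]

# The same chain after the rewrite proposed in the reply above.
PROPOSED_FORWARD = [
    rule("accept", "defconf: accept established,related, untracked",
         connection_state="established,related,untracked"),
    rule("drop", "defconf: drop invalid", connection_state="invalid"),
    rule("accept", "allow internet traffic", in_list="LAN", out_list="WAN"),
    rule("accept", "allow port forwarding", connection_nat_state="dstnat"),
    rule("drop", "drop all else"),
]

# Constructed sample packets (first packet of each connection, hence state "new").
FORWARDED_4545 = Packet("new", "dstnat", "WAN", "LAN")  # matched the 4545 -> 10.5.5.8:443 dst-nat
UNSOLICITED_WAN = Packet("new", "", "WAN", "LAN")       # inbound from WAN, no dst-nat matched
LAN_TO_INTERNET = Packet("new", "", "LAN", "WAN")
UNLISTED_SOURCE = Packet("new", "", "", "LAN")          # ingress interface in neither list


def compare(pkt):
    """Verdict (action, deciding rule) of both chains for one packet."""
    return {"original": evaluate(ORIGINAL_FORWARD, pkt),
            "proposed": evaluate(PROPOSED_FORWARD, pkt)}


def original_without_lan_rule():
    """Shows the 'allow internet traffic' rule was redundant in the original chain:
    with it removed, LAN -> WAN still passes by falling off the end of the chain."""
    rules = [r for r in ORIGINAL_FORWARD if r["comment"] != "allow internet traffic"]
    return evaluate(rules, LAN_TO_INTERNET)


if __name__ == "__main__":
    for name, pkt in [("forwarded 4545", FORWARDED_4545), ("unsolicited WAN", UNSOLICITED_WAN),
                      ("LAN to Internet", LAN_TO_INTERNET), ("unlisted source", UNLISTED_SOURCE)]:
        v = compare(pkt)
        print(f"{name:16} original: {v['original']}  proposed: {v['proposed']}")
    print("original minus LAN rule, LAN->WAN:", original_without_lan_rule())
```

Running it shows the point made above: the original chain lets a new connection from an interface in neither list through by falling off the end, while the proposed chain's final drop catches it, and once that terminal drop exists the explicit LAN-to-WAN accept stops being redundant and becomes required.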
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 6:35 am

Your changes were applied (please see the config) but it didn't work. Internal traffic is just by me and I know where to go. It's the external users that need the connectivity.
MikroTik RouterOS 7.9 (c) 1999-2023       https://www.mikrotik.com/

# may/21/2023 23:23:15 by RouterOS 7.9
# software id = 6B6Q-08V7
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxxx
/interface bridge
add admin-mac=48:A9:8A:51:B9:3C auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MYWIFIROUTER disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MYWIFIROUTER disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.5.5.101-10.5.5.219
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.5.5.1/24 comment=defconf interface=bridge network=10.5.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.5.5.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=10.5.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.5.5.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Mesh access from outside" dst-address-type="" dst-port=4545 in-interface=\
    ether1 log=yes protocol=tcp to-addresses=10.5.5.8 to-ports=443
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set memory-limit=1000KiB only-headers=yes
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:55 am

It looks strange when a post saying "it still doesn't work" is marked as SOLVED. Have you found the issue in the meantime, or have you marked that post as solved by mistake?
 
abbio90
Member Candidate
Posts: 163
Joined: Fri Aug 27, 2021 9:16 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:48 am

I have created a guide on port forwarding, as although it is a trivial thing, most users do it in a superficial way, incurring problems related to hairpin NAT

https://foisfabio.it/index.php/2022/12/ ... t-routeros
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 3:50 pm

It looks strange when a post saying "it still doesn't work" is marked as SOLVED. Have you found the issue in the meantime, or have you marked that post as solved by mistake?
No, it's not resolved. I don't see the option to uncheck that status. I'll look in more detail in a bit. Sorry for the confusion.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 7:29 pm

After all the translation and what not, your solution didn't work either.

I have created a guide on port forwarding, as although it is a trivial thing, most users do it in a superficial way, incurring problems related to hairpin NAT

https://foisfabio.it/index.php/2022/12/ ... t-routeros
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:23 pm

It should be working!

(1) Let's tidy up a bit of the firewall.
You have the same rule twice, once correctly in the forward chain and once incorrectly duplicated amongst the input chain rules.
Delete the duplicate.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1


(2) Remove this rule from previous, no longer required.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:24 pm

Can you confirm you are getting a public IP address from the upstream device?

Your WANIP in IP DHCP client settings should be the same as your IP cloud IP and the same as when you browse and go "what's my IP".
Can you confirm you are attempting to reach the server with proper syntax?

IPaddress:4545
OR
dyndns_type-name:4545
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:48 pm

Before wasting even more time trying to find a mistake in the configuration, which doesn't seem to exist, open a command line window, make it as wide as your screen allows, and run /tool sniffer quick port=4545 in it. Then, try connecting from outside and see whether the connection attempts even arrive to the WAN (ether1). If they do, it's likely a bug unless you have removed some part of the configuration before posting (which doesn't seem to be the case); if they don't, your ISP is filtering traffic or gives you a CGNAT address rather than a public one. Does your WAN IP fit into the 100.64.0.0/10 range?
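The two checks raised in this thread, the earlier question whether the address in the DHCP client settings equals what IP cloud or a "what's my IP" site reports, and the 100.64.0.0/10 range test just above, can be combined into one offline check. The Python below is an added example, not from the thread and not MikroTik's code; the range list, the return labels and the sample address pairs (built from documentation prefixes) are its own constructions.

```python
"""Constructed check: can a router's WAN address receive forwarded ports at all?"""
import ipaddress

# Address ranges that are not reachable from the Internet. 100.64.0.0/10 is the CGNAT
# range named in the reply above; the other entries are added here for completeness.
UNREACHABLE_RANGES = [
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),        # shared address space, RFC 6598
    ("private", ipaddress.ip_network("10.0.0.0/8")),         # RFC 1918
    ("private", ipaddress.ip_network("172.16.0.0/12")),      # RFC 1918
    ("private", ipaddress.ip_network("192.168.0.0/16")),     # RFC 1918
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),  # RFC 3927: no DHCP lease at all
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def range_label(addr):
    """Label of the first unreachable range containing addr, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, net in UNREACHABLE_RANGES:
        if ip in net:
            return label
    return "public"


def diagnose(dhcp_client_addr, observed_public_addr):
    """Combine the two checks from the thread.

    dhcp_client_addr:     the address /ip dhcp-client shows on the WAN interface
    observed_public_addr: the address IP cloud or a 'what's my IP' site reports

    Returns one of (labels are this example's own):
      "cgnat"        WAN address is in 100.64.0.0/10: the ISP translates it, inbound cannot work
      "upstream-nat" WAN address is private/link-local: another NAT device sits in front
      "mismatch"     WAN address looks public but is not what the Internet sees: still translated
      "ok"           the router holds the address the Internet sees; forwarding can work
    """
    label = range_label(dhcp_client_addr)
    if label == "cgnat":
        return "cgnat"
    if label != "public":
        return "upstream-nat"
    if ipaddress.ip_address(dhcp_client_addr) != ipaddress.ip_address(observed_public_addr):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed sample pairs; the public-looking values use TEST-NET documentation prefixes.
    for wan, seen in [("100.72.10.5", "203.0.113.9"), ("192.168.1.2", "203.0.113.9"),
                      ("203.0.113.9", "198.51.100.4"), ("203.0.113.9", "203.0.113.9")]:
        print(f"dhcp-client={wan:14} observed={seen:14} -> {diagnose(wan, seen)}")
```

Only the "ok" outcome means a missing dst-nat match is worth chasing on the router itself; the other three mean the packets never reach ether1, which is exactly what the sniffer test above would show as silence.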
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:49 pm

Yes sir.

Before this hAP AX3 got to me I had the same internal server and the same external clients. The box I was using for the firewall (with the NAT) was a Mikrotik box with OS version 6.49 (as posted in the OP) and everything was working.

Could I have a defective unit maybe? I do see traffic coming from the (right) external clients' IPs in my logs, it's just not getting thru to my internal server.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 8:50 pm

Before wasting even more time trying to find a mistake in the configuration, which doesn't seem to exist, open a command line window, make it as wide as your screen allows, and run /tool sniffer quick port=4545 in it. Then, try connecting from outside and see whether the connection attempts even arrive to the WAN (ether1). If they do, it's likely a bug unless you have removed some part of the configuration before posting (which doesn't seem to be the case); if they don't, your ISP is filtering traffic or gives you a CGNAT address rather than a public one. Does your WAN IP fit into the 100.64.0.0/10 range?
I thought there might be a bug and I even tried wiping the config completely and restarted from square 1 and the same thing.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:03 pm

Could I have a defective unit maybe? I do see traffic coming from the (right) external clients IPs in my logs, its just not getting thru to my internal server.
It is theoretically possible but very unlikely that the only way such a suspected defect would manifest itself would be a failing dst-nat. It is more likely that there is a bug that only affects this particular routerboard model, not the 7.x as such - I was using dst-nat in 7.6 with no issues on a hAP ac2. But since you do know the IP address of the client, use /tool sniffer quick ip-address=ip.of.the.client instead, it should show you whether the incoming packets do get dst-nated and leave towards the device in LAN, and whether the server responds to them. If you cannot see them leave, check whether /ip arp print where ip-address=10.5.5.8 shows a MAC address. Your configuration is so simple that the issue must be caused by something totally unexpected.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:07 pm

I do know the IPs of the external clients and I did try the sniffer command and I'm getting the right traffic hitting the hAP AX3. Please see the attached graphic. (I have removed the IPs but they are what they should be)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:16 pm

I do know the IP's of the external clients and I did try the sniffer command and i'm getting the right traffic hitting the hAP AX3.
I've understood that from your previous post, that's why I suggest that you watch the further fate of the received packets (by matching on the public address of the remote client rather than the local port, because the local port is changed by the dst-nat rule) and see whether they do leave to the LAN after getting dst-nated. But I forgot to say you may have to disable hardware acceleration on the bridge port first to be able to properly sniff the packets on the physical interface.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:30 pm

Something strange is happening. Here's the result of the arp command:

> /ip arp print where ip-address=10.5.5.8
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
# ADDRESS MAC-ADDRESS INTERFACE
0 DC 10.5.5.102 00:04:4B:E9:88:09 bridge
1 DC 10.5.5.116 7C:2E:BD:F3:C6:D8 bridge
2 DC 10.5.5.11 00:0C:29:97:54:D5 bridge
3 DC 10.5.5.130 2C:AA:8E:AF:2E:40 bridge
4 DC 10.5.5.25 34:E8:94:F8:76:C6 bridge
5 DC 10.5.5.144 0C:80:63:03:01:22 bridge
6 DC 10.5.5.172 00:0C:29:7D:55:4B bridge
7 DC 10.5.5.109 34:29:8F:15:80:04 bridge
8 DC 10.5.5.123 48:D6:D5:E9:84:86 bridge
9 DC 10.5.5.137 D8:0D:17:19:29:99 bridge
10 DC 10.5.5.207 80:5E:C0:20:32:68 bridge
11 DC 10.5.5.112 00:0C:29:97:54:DF bridge
12 D 10.5.5.126 82:EC:4E:53:06:8F bridge
13 DC 10.5.5.140 D8:0D:17:19:2C:7F bridge
14 DC 10.5.5.154 00:90:A9:A1:F5:89 bridge
15 DC 10.5.5.105 18:FD:74:BA:19:19 bridge
16 DC public_ip 00:C8:8B:D7:C4:19 ether1
17 DC 10.5.5.119 18:B4:30:E9:43:CF bridge
18 DC 10.5.5.133 44:61:32:5E:55:34 bridge
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:37 pm

EDIT, already at 7.9,
Last edited by anav on Mon May 22, 2023 10:02 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 9:46 pm

Something strange is happening. Here's the result of the arp command:
OK, leaving aside my fault (it should have been just address, not ip-address) and that ROS 7 apparently just silently ignores an invalid condition rather than throwing an error, the 10.5.5.8 is obviously not in the ARP table. So the next step is to ping 10.5.5.8 from the router and see whether a corresponding record appears in the arp table afterwards.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 10:59 pm

It does show the right MAC

/ip arp print where address=10.5.5.8
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
# ADDRESS MAC-ADDRESS INTERFACE
58 DC 10.5.5.8 00:0C:29:18:8A:19 bridge
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 11:07 pm

It does show the right MAC
But nevertheless, when you sniff and set the filter to the ip-address of the client, you can only see packets coming in via ether1 to port "4545" but not packets from the same source to 10.5.5.8:443, is that correct? Can you see the packet counter at the dst-nat rule to increase as you make new connection attempts?

If not, please remove the dst-address-type="" match condition from the dst-nat rule, or change it to dst-address-type=local. I've missed that before, and it may well be the root cause.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 11:10 pm

Is downgrading this box to 6.x an option? Maybe I can try that ...

I am a pfSense guy and discovered Mikrotik and was intrigued and initially things were working ok. But now this.
Once I resolve this part I have to move on to the more challenging OpenVPN setup. I was having a tough time with that too on box # 1.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 11:20 pm

It does show the right MAC
But nevertheless, when you sniff and set the filter to the ip-address of the client, you can only see packets coming in via ether1 to port "4545" but not packets from the same source to 10.5.5.8:443, is that correct? Can you see the packet counter at the dst-nat rule to increase as you make new connection attempts?

If not, please remove the dst-address-type="" match condition from the dst-nat rule, or change it to dst-address-type=local. I've missed that before, and it may well be the root cause.
I tried both, removing the dst-address-type, and putting in "local". Neither worked.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding in version 7.6 not working

Mon May 22, 2023 11:25 pm

Does the rule count or not?
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working

Tue May 23, 2023 2:32 am

Does the rule count or not?
Yes, it does. Like it has been earlier. The traffic is definitely hitting the AX3 box. It's just not getting to the server on the inside.
 
tlak
just joined
Topic Author
Posts: 13
Joined: Fri May 19, 2023 6:46 am

Re: Port forwarding in version 7.6 not working  [SOLVED]

Tue May 23, 2023 2:57 am

It does show the right MAC
But nevertheless, when you sniff and set the filter to the ip-address of the client, you can only see packets coming in via ether1 to port "4545" but not packets from the same source to 10.5.5.8:443, is that correct? Can you see the packet counter at the dst-nat rule to increase as you make new connection attempts?
Ok, so your point about the return packets from the server got me thinking. I installed a packets in/out utility on the server and it seemed that packets were getting to the server. There seems to have been a setting change after which the server wasn't rebooted. I rebooted the server and it cleared up all the hiccups that were stuck in its throat.

I'm sorry for dragging this on before cleaning out my garbage. The server is now responding properly and all is well. Now I have to figure out which setting actually did the trick. There were a lot of changes that I made on the AX3 box.

Thanks sindy and anav for sticking with me. Really appreciate the help.
