Community discussions

MikroTik App
 
agroszer
just joined
Topic Author
Posts: 14
Joined: Sun Feb 05, 2023 9:38 pm

something wrong with dstnat

Tue Jun 06, 2023 9:33 pm

Hi,

I've setup a dstnat to access a webserver behind the router from the internet. Something is wrong.
Layout is:

internet
|
ISP router
Port forwarding setup for port 80, 1194 to mikrotik's 'WAN' IP.
|
192.168.0.0 subnet
|
mikrotik router, WAN: 192.168.0.27
|
internal subnets, see attached rsc
webserver running at 10.1.111.2

See also the dstnat config in the rsc:
add action=dst-nat chain=dstnat comment="HTTP serving" dst-port=80 \
    in-interface-list=WAN log=yes protocol=tcp to-addresses=10.1.111.2
That should-just-work.

The webserver is accessible from a 10.1.0.0 client.
The webserver can access the internet fine. Generally internet access works fine.
The webserver is INaccessible from a 192.168.0.0 client. Requesting http://192.168.0.27.
Of course then the webserver is INaccessible from the internet.
openvpn access from the internet works fine.
When trying to access the ISP routers WAN IP, port 80, the mikrotik NAT "HTTP serving" rule counter increases, so the router gets the packet.
The LOG has an entry:
Message		dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac ****, proto TCP (SYN), 45.134.144.212:47012->192.168.0.27:80, len 40
What the heck is wrong?
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: something wrong with dstnat

Tue Jun 06, 2023 10:05 pm

Default firewall rules include something like this:
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

I didn't notice anything like it in your implementation.

Generally it's wise to start off default config (because it makes very decent base) and make minimum required changes.
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: something wrong with dstnat

Tue Jun 06, 2023 10:11 pm

mkx beat me to it while I was typing...
Unless I missed something (certainly possible), you have a firewall rule to allow the server LAN to access the internet, but nothing to allow the Internet to access the server LAN. The common way to accomplish that is something like this:
/ip firewall filter
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
This will allow destination NAT traffic through the firewall.
If desired, you can specify interfaces or interface lists.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: something wrong with dstnat

Tue Jun 06, 2023 10:20 pm

mkx beat me to it while I was typing...

Yesssss 8)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: something wrong with dstnat  [SOLVED]

Wed Jun 07, 2023 2:10 am

The easy rule which is specifically for dstnat is better, don't listen to the two previous clowns ( said affectionately of course ) that want to try and stick two rules in one default rule whereas its simpler to understand
and cleaner to separate them.

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat

One has to be careful also when talking about how the server is accessed.
Your dstnat rule is fine ( assuming added firewall rule ) for most cases.
a. LAN users accessing server via the local server LANIP
b. External users coming in from the WAN side, using the WANIP and if dynamic, then some domain dyndns URL type name ( such as the Mikrotik IP cloud name for example ).

Where your setup falls short is for LOOPBACK, in MT vernacular hairpin nat.
For local LAN users to use the server via the URL, dyndns name, we have other considerations to account for.
Best that you read this before tackling.....
viewtopic.php?t=179343
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: something wrong with dstnat

Wed Jun 07, 2023 2:20 pm

... stick two rules in one default rule ...

Which two rules are "sticked together" in the rule both @k6ccc and myself posted? As far as I understand (not far enough obviously) it's only one rule but with very narrowly selected packets on which it is effective.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: something wrong with dstnat

Wed Jun 07, 2023 5:13 pm

The new avatar has depleted the # of brain cells at your disposal.

A. block all traffic from WAN
B. allow dst traffic from WAN

Great for newbie using default rules but should be modified once the config starts changing..........

Because the default rules imply allow everything except what one states should be blocked, it works for someone not making changes or for someone that doesnt yet understand rules.
However its much better to then change the firewall concept to block everything by deafult and ONLY allow traffic needed. Much easier to define.

Hence remove the default rule and replace with
Needed traffic rule 1
Needed traffic rule 2
Needed traffic rule 3
Drop all else.

Needed rules are typically
lan to wan
admin to all subnets
port forwarding
+++++++++++++++++
Drop all else.

////////////////////////////////////////////////////////////
I hope I have replenished/stimulated the empty brain cells.

Next time, and its much safer to respond with; "Brilliant, couldn't agree more! :-)

PS. Llama's eat cats for brekfast, except Italian cats, they give me indigestion!
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: something wrong with dstnat

Wed Jun 07, 2023 9:42 pm

A. block all traffic from WAN
B. allow dst traffic from WAN

Oh, common, try harder. Disect the rule, posted by @k6ccc and me and show which part of this rule contains traces of case A from your list above. And don't bring up default rule ... not after you called us "clowns" in post #5 above.
 
agroszer
just joined
Topic Author
Posts: 14
Joined: Sun Feb 05, 2023 9:38 pm

Re: something wrong with dstnat

Wed Jun 07, 2023 10:12 pm


add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
Thank you Sir, that worked. I thought I was missing something.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: something wrong with dstnat

Wed Jun 07, 2023 11:18 pm

Dissect?, the only thing that needs removal are the ineffective claws you wield. ;-)
 
agroszer
just joined
Topic Author
Posts: 14
Joined: Sun Feb 05, 2023 9:38 pm

Re: something wrong with dstnat

Thu Jun 08, 2023 12:32 pm

Went with the DNS method hairpin NAT, seemed like the easiest for my config with lotsa VLANs.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: something wrong with dstnat

Thu Jun 08, 2023 3:43 pm

Many ways to skin orange cats, as long as its working for you, all good!

Who is online

Users browsing this forum: cloud45, loloski and 76 guests