ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

forwarding incoming UDP traffic addressed to the router itself

Thu Apr 11, 2024 6:26 pm

Hi. This is my first time working with a mikrotik router and on this forum, so please, take it easy on me.

The setup consists of a MikroTik L009 with a lot of local networks.

In order to do that I removed most ethernet ports from the bridge.
Each of those interfaces is the gateway for a different network and I can route from the different networks nicely.

On one of those interfaces there is a single machine, which sends a UDP stream to the router interface in the same network.
I cannot change the machine to a different network, nor change the IP, nor change the destination address of the UDP stream. It is what it is.

The machine IP address is 10.0.10.10
The machine does not have a gateway.
The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packets.
The destination port is 1234

I can see the incoming traffic using the /tool/torch utility on the expected interface.

I want to send all those UDP packets to a different address on a different machine, also accessible to the router.

The destination machine is 10.0.40.10
The router IP address on that interface probably does not matter, but it is 10.0.40.254
From the router shell I can ping both machines.

After reading a few pages like https://help.mikrotik.com/docs/display/ ... forwarding
and other pages I thought I knew how to make it work.
/ip/firewall/nat
add chain=dstnat protocol=udp dst-address=10.0.10.1 dst-port=1234 action=dst-nat to-addresses=10.0.40.10 to-ports=1234 log=yes log-prefix="Redirect1234" 
but this does not seem to work.

Looking at the Statistics for the NAT rule on the WinBox interface I can see that it gets no packets at all.

So I guess I am doing something wrong here.
Any hints?

Thanks in advance
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Thu Apr 11, 2024 8:10 pm

And from reading these forums I know you will want the configuration.
Oh well. This is not the real configuration, since there is info I cannot divulge,
but these are the steps I used to install the system.
## Reset configuration to default

    /system reset-configuration keep-users=yes

## Remove ports from the bridge

    /interface/bridge
    port/remove [ find interface=ether2 ]
    port/remove [ find interface=ether3 ]

## Name the ethernet ports

    /interface/ethernet
    set [ find default-name=ether2 ] name=STREAM
    set [ find default-name=ether3 ] name=PROCESSOR

## Set the router ip addresses

    /ip/address
    add address=10.0.10.1/24 interface=STREAM
    add address=10.0.40.254/24 interface=PROCESSOR

## Add static routing to remote networks

    /ip/route
    add dst-address=10.40.0.0/24 gateway=10.0.60.1 distance=3 comment=REMOTE_LAN
    add dst-address=0.0.0.0/0 gateway=10.0.60.1

## Add small DHCP pool

    /ip pool
    add name=dhcp-processor ranges=10.0.40.200-10.0.40.220

    /ip dhcp-server 
    add address-pool=dhcp-processor interface=PROCESSOR disabled=no

    /ip/dhcp-server/network
    add address=10.0.40.0/24 dns-server=10.0.40.254 gateway=10.0.40.254

## Enable NTP client

    /system/ntp/client
    set enabled=yes
    set servers=10.0.40.3

## Add filter to allow management from REMOTE_LAN

    /ip/firewall/filter
    add chain=input action=accept protocol=tcp src-address=10.40.0.0/24 src-port="" dst-port=8291 log=yes log-prefix="wb40" comment="winbox"
    add chain=input action=accept protocol=tcp src-address=10.40.0.0/24 src-port="" dst-port=22 log=yes log-prefix="ssh40" comment="ssh"

IMPORTANT: Move the rules before the rule that drops any traffic not coming from LAN

    7    ;;; defconf: drop all not coming from LAN
    chain=input action=drop in-interface-list=!LAN 

## Change WIFI password

    /interface/wifi
        set wifi1 disabled=no configuration.country=Spain \
        configuration.ssid=MikroTik-Net \
        security.authentication-types=wpa2-psk,wpa3-psk \
        security.passphrase=*******
	
And these are the firewall rules as exported...

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=winbox dst-port=8291 log=yes protocol=\
    tcp src-address=10.40.0.0/24 src-port=""
add action=accept chain=input comment=ssh dst-port=22 log=yes log-prefix=\
    ssh40 protocol=tcp src-address=10.40.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add comment=REMOTE_LAN distance=3 dst-address=10.40.0.0/24 gateway=10.0.60.1
add dst-address=0.0.0.0/0 gateway=10.0.60.1

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Thu Apr 11, 2024 10:42 pm

The address of the router in the 10.0.40.0 range matters a lot because it acts as a gateway. That's why I would divide your NAT rule into two parts: dst-nat to the gateway and dst-nat from the gateway to the client:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.10.1 protocol=udp dst-port=1234 to-addresses=10.0.40.254 to-ports=1234
add action=dst-nat chain=dstnat dst-address=10.0.40.254 protocol=udp dst-port=1234 to-addresses=10.0.40.10 to-ports=1234
Not sure if it'll work but we'll see
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 11:51 am

Nope. It does not seem to make a difference.

Using the WinBox GUI to see the NAT rules, I would expect to see some bytes or packets if the rule matches any packet, regardless of the action taken
but even the first rule comes empty, so my guess is that nothing is being matched for the first rule.

Also, I just found on https://help.mikrotik.com/docs/display/ROS/NAT this comment, which seems relevant, since the UDP packet I am trying to forward is addressed to the router itself. Emphasis is mine.
Since RouterOS v7 the firewall NAT has two new INPUT and OUTPUT chains which are traversed for packets delivered to and sent from applications running on the local machine:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain.
output - used to process packets that originated from the router and leave it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
So I went for it, just to see if I can match incoming traffic.
/ip/firewall/filter 
add action=accept chain=input dst-address=10.0.10.1 protocol=udp  dst-port=1234 log=yes log-prefix="udpstream" 
Then I move this rule before ;;; defconf: drop all not coming from LAN

Then I see the packets matching the rule increase.
However, the actions available to this rule do not include dst-nat or anything like that.

Moving forward... if I disable the previous rule and enter the same rule in the NAT section of the firewall, it gets no hits.
/ip/firewall/nat
add action=accept chain=input dst-address=10.0.10.1 protocol=udp  dst-port=1234 log=yes log-prefix="udpstream_nat" 
Last edited by ycdtosa on Fri Apr 12, 2024 12:54 pm, edited 1 time in total.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 12:05 pm

Hi there!

The nat rule you sent seems correct. What I cannot say is whether it is high enough to avoid the traffic being matched by another rule.

Can you edit it to add the src-address so it looks like the following line, and move it above whatever other dstnat you may have in place. Also, consider adding the source interface to make sure your rule is as specific as possible.
/ip/firewall/nat
add chain=dstnat protocol=udp src-address=10.0.10.10 dst-address=10.0.10.1 dst-port=1234 action=dst-nat to-addresses=10.0.40.10 log=yes log-prefix="Redirect1234" 
Second: is that interface (STREAM) in the LAN interface-list? Or do you have a forward rule to permit the traffic? Again, it needs to be high enough to avoid another rule matching the traffic.
/ip/firewall/filter
add chain=forward action=accept protocol=udp src-address=10.0.10.10 dst-address=10.0.40.10 dst-port=1234
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 1:16 pm

Hi vingjfg.

The nat rule you sent seems correct. What I cannot say is whether it is high enough to avoid the traffic being matched by another rule.

Can you edit it to add the src-address so it looks like the following line, and move it above whatever other dstnat you may have in place. Also, consider adding the source interface to make sure your rule is as specific as possible.

Yes, I will try that, but I am afraid it never reaches any of those rules; like you said, it does not seem to be high enough, or it is being killed somewhere else.


Second: is that interface (STREAM) in the LAN interface-list? Or do you have a forward rule to permit the traffic? Again, it needs to be high enough to avoid another rule matching the traffic.
/ip/firewall/filter
add chain=forward action=accept protocol=udp src-address=10.0.10.10 dst-address=10.0.40.10 dst-port=1234
I don't think the address is in the LAN interface list.
I will take a look into that too.
As a matter of fact, if I enter the following rule on the /ip/firewall/filter
/ip/firewall/filter 
add action=accept chain=input dst-address=10.0.10.1 protocol=udp  dst-port=1234 log=yes log-prefix="udpstream" 

I have to move it up before the default rule that drops all packets not coming from LAN, otherwise it does not get any hits.
The rule is disabled at the moment.
[admin@MikroTik] > /ip/firewall/filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; winbox
      chain=input action=accept protocol=tcp src-address=10.40.0.0/24 src-port="" dst-port=8291 log=yes log-prefix="wb40" 

 6    ;;; ssh
      chain=input action=accept protocol=tcp src-address=10.40.0.0/24 dst-port=22 log=yes log-prefix="ssh40" 

 7 X  chain=input action=accept protocol=udp dst-address=10.0.20.1 dst-port=123 log=no log-prefix="UDPSTREAM" 

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

So if I follow you here, I should either add the 10.0.10.0/24 or the 10.0.10.1 interface network to the lan-interface list, right?
Or somehow allow this stream to make it through the input chain in the firewall.
correct?
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 1:19 pm

Right, none of the interfaces are in the LAN interface list.
/interface/list/member> print
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge   
;;; defconf
1 WAN   ether1   

Is this enough to add it?

[admin@MikroTik] /interface/list/member> add interface=STREAM list=LAN 
[admin@MikroTik] /interface/list/member> print                      
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge   
;;; defconf
1 WAN   ether1   
2 LAN   STREAM 

The /ip/firewall/filter rule can now swap places with the default rule to drop anything not from LAN, and now I get hits on the rule...
which was not the case before adding that interface to the lan-interface list.

Thanks for the tip.
 
 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 8    chain=input action=accept protocol=udp dst-address=10.0.10.1 dst-port=3260 log=no log-prefix="UDPSTREAM" 
So now, I still have a rule that matches the incoming traffic to that port on the filter rules input chain, and accepts it,
but a similar rule on the NAT section of the router does not get any hits.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 2:08 pm

Note that you can print all the rules for a given chain by using where=<chain to display> in your print statement. For example all the rules in the input chain:
/ip/firewall/filter/print where chain=input
The dst-nat arrives before the firewall - so as you change the destination for a non-local address, it will go through your firewall: this is handled by the forward chain: input is only for the traffic going to the device itself.

After adding the interface name to the interface list, it will no longer match the rule that contains !LAN, it should fall to the default case, which is accept. I would still add a specific rule for this traffic (remember: chain is forward!) to handle it as an explicit case, but that is just my preference.

Regarding NAT ... I am a bit puzzled: the configuration you sent earlier has only one entry, where you should have at least the dstnat entry. Could you send me the output of the following commands?
/ip/firewall/nat export
/ip/firewall/filter print where chain=forward
 
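The packet path vingjfg describes above (dstnat first, then the routing decision sends the packet to input if the destination is local and to forward otherwise) can be made concrete with a small model. This is an added example, not RouterOS code and not from anyone in the thread. It also encodes one fact the thread has not used yet: NAT chains are only consulted for the first packet of a tracked connection, and the resulting translation (or its absence) is stored with the connection. Building on that, the `stale_entry` scenario is a hypothesis, not something the thread establishes: a continuous UDP stream whose connection-tracking entry predates the NAT rule would keep that entry alive and never be offered to dstnat again. The rule set, interfaces and addresses are the thread's own; the 5-tuple model, the `hits` counters and the rule syntax are simplifications.

```python
"""Toy model of the RouterOS IPv4 packet path discussed in this thread:
prerouting dstnat -> routing decision -> input (local dst) or forward (other dst).
Added illustration only: not RouterOS code, and it ignores srcnat, mangle,
fasttrack and everything else not needed to show where the counters go."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LOCAL_ADDRESSES = {"10.0.10.1", "10.0.40.254"}   # the router's own addresses (from the thread)


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_list: Optional[str] = None   # in-interface-list: "LAN" or "!LAN"
    to_addr: Optional[str] = None   # dst-nat to-addresses
    hits: int = 0                   # what WinBox shows as the rule's packet counter

    def matches(self, p: Packet, lan: Set[str]) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.in_list is not None:
            negated = self.in_list.startswith("!")
            if (p.in_iface in lan) == negated:   # "!LAN" matches only non-LAN ingress
                return False
        return True


class Router:
    def __init__(self, rules: List[Rule], lan: Set[str]):
        self.rules = rules
        self.lan = lan
        # connection tracking: flow 5-tuple -> translated destination (None = untranslated)
        self.conntrack: Dict[Tuple, Optional[str]] = {}

    def _run_chain(self, chain: str, p: Packet) -> Optional[Rule]:
        for r in self.rules:                      # rules are ordered; first match wins
            if r.chain == chain and r.matches(p, self.lan):
                r.hits += 1
                return r
        return None                               # no match: RouterOS default is accept

    def process(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow not in self.conntrack:
            # Only the first packet of a connection is offered to the dstnat chain;
            # the translation (or its absence) is then stored with the connection.
            r = self._run_chain("dstnat", p)
            self.conntrack[flow] = r.to_addr if r is not None and r.action == "dst-nat" else None
        if self.conntrack[flow] is not None:
            p.dst = self.conntrack[flow]
        chain = "input" if p.dst in LOCAL_ADDRESSES else "forward"
        r = self._run_chain(chain, p)
        return f"{chain}:{r.action if r is not None else 'accept'}"


def run_scenario(stream_in_lan: bool, stale_entry: bool, packets: int = 3):
    """Replay the thread's stream (10.0.10.10 -> 10.0.10.1:1234/udp) through rules that
    mirror the thread's: the dstnat rule, defconf's 'drop all not coming from LAN', and
    the input accept rule placed after it. Returns (verdict per packet, hits per rule)."""
    rules = [
        Rule("dstnat", "dst-nat", "Redirect1234", proto="udp", dst="10.0.10.1",
             dport=1234, to_addr="10.0.40.10"),
        Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
        Rule("input", "accept", "udpstream", proto="udp", dst="10.0.10.1", dport=1234),
    ]
    lan = {"bridge", "STREAM"} if stream_in_lan else {"bridge"}
    router = Router(rules, lan)
    if stale_entry:
        # Hypothetical failure mode: the flow was already tracked (untranslated) before
        # the NAT rule existed, and the continuous stream keeps the entry alive.
        router.conntrack[("udp", "10.0.10.10", 60004, "10.0.10.1", 1234)] = None
    verdicts = [router.process(Packet("STREAM", "10.0.10.10", "10.0.10.1", "udp", 60004, 1234))
                for _ in range(packets)]
    return verdicts, {r.comment: r.hits for r in rules}


if __name__ == "__main__":
    for in_lan, stale in [(False, False), (False, True), (True, True)]:
        print(f"STREAM in LAN={in_lan} stale entry={stale}:", *run_scenario(in_lan, stale))
```

With a fresh connection table the dstnat rule counts one packet, the destination becomes 10.0.40.10 and every packet lands in the forward chain, so an accept placed in input would never see it. With a pre-existing untranslated entry, dstnat is never consulted again, the packets stay addressed to the router and are dropped by "drop all not coming from LAN" until STREAM is in the LAN list, after which the input accept rule counts them while the NAT rule still sits at zero, which is the symptom reported in this thread. On a real router the equivalent check is `/ip/firewall/connection/print`, looking for an existing udp entry from 10.0.10.10 to 10.0.10.1:1234 without a translated reply address; removing it with `/ip/firewall/connection/remove` (or stopping the stream long enough for the entry to time out) lets the next packet be treated as new and traverse dstnat.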
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 2:15 pm

Sure...

[admin@MikroTik] > /ip/firewall/nat export
# 2024-04-12 12:21:56 by RouterOS 7.14.1
# software id = 0TKH-EMPI
#
# model = L009UiGS-2HaxD
# serial number = HFB091RC4HW
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10 to-addresses=10.0.40.1 to-ports=1234
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
[admin@MikroTik] > /ip/firewall/filter print where chain=forward
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 2:24 pm

Ha HA!

You wrote initially:
...
The machine IP address is 10.0.10.10
The machine does not have a gateway.
The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packages.
The destination port is 1234

I can see the incoming traffic using the /tool/torch utility on the expected interface.

I want to send all those UPD packets to a different address in a different machine, also accessible to the router.

The destination machine is 10.0.40.10
...
Your DSTNAT rule says 10.0.40.1:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10 to-addresses=10.0.40.1 to-ports=1234
So that's one to fix. Additionally, consider adding the interface PROCESSOR to the LAN list as well. That way you get the local vs non-local interfaces grouped.
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 3:29 pm

Ha HA!

You wrote initially:
...
The machine IP address is 10.0.10.10
The machine does not have a gateway.
The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packages.
The destination port is 1234

I can see the incoming traffic using the /tool/torch utility on the expected interface.

I want to send all those UPD packets to a different address in a different machine, also accessible to the router.

The destination machine is 10.0.40.10
...
Your DSTNAT rule says 10.0.40.1:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10 to-addresses=10.0.40.1 to-ports=1234

OMG! It was meant to happen. To be completely sincere here, those snips have been edited by hand since there is some information that I am not free to divulge, making it more difficult to ask for help and much harder for you to help. I didn't know how to word it before, but there it is. I should have said that earlier.

The original to-address in that rule before editing was the intended one, and I messed it up while editing the snip. It should have read, as you pointed out.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10 to-addresses=10.0.40.10 to-ports=1234

Regardless of what the to-address is, the rule still gets no hits, which, if I am not mistaken, is something that does not depend on the to-address but, in this case, on the dst-address, dst-port and protocol; it is not affected by the other parameters.

So whether the to-address is right or wrong, the rule should get hits. It does not.

Some rule is preventing this one from being reached.
So that's one to fix. Additionally, consider adding the interface PROCESSOR to the LAN list as well. That way you get the local vs non-local interfaces grouped.

I did add all the interfaces that I removed from the bridge to the LAN list, thus both PROCESSOR and STREAM are in the list.

Thanks, and my most sincere apology.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 3:46 pm

That is correct - the to-address will not affect the matching of the rule. If the counters are not incrementing, it means something is getting in the way earlier than the rule.

To confirm, because you had an input rule that said 3260 and not 1234:
  • The source address is 10.0.10.10
  • The destination address is 10.0.10.1 (to dstnat to 10.0.40.10)
  • The protocol/port is udp/1234
Can you send me an export of "/ip/firewall"?
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 4:01 pm

I have been taking shortcuts here. No more. I am building a system that I can freely share, so no mistakes are made on my side, and I don't make you waste your time.
As soon as I have it I will post that output straight from the box itself.

Thanks.
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 4:52 pm

Back to basics... I recreated the setup on a spare system with the advertised IPs and ports

streamer: 10.0.10.10
destination: 10.0.10.1:1234

and I want to redirect it to 10.0.40.10:1234

[admin@MikroTik] > /ip/firewall/export 
# 1970-01-02 00:41:26 by RouterOS 7.12.1
# software id = M5CB-IWWQ
#
# model = L009UiGS-2HaxD
# serial number = HFB09F6Z0VH
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="STREAM: input filter" dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10
/ip firewall nat
add action=dst-nat chain=dstnat comment="STREAM: nat\?" dst-address=10.0.10.1 dst-port=1234 protocol=udp to-addresses=10.0.40.10 to-ports=1234
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN


where the list of lan interfaces is...

[admin@MikroTik] > /interface/list/export 
# 1970-01-02 00:27:00 by RouterOS 7.12.1
# software id = M5CB-IWWQ
#
# model = L009UiGS-2HaxD
# serial number = HFB09F6Z0VH
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=STREAM list=LAN
add interface=PROCESSOR list=LAN

I can also confirm that I get hits on the STREAM: input filter rule,
but no hits on the STREAM: nat? rule.


Plus... I just learned to use the sniffer a bit.
[admin@MikroTik] /tool/sniffer> set filter-dst-port=1234
[admin@MikroTik] /tool/sniffer> start
[admin@MikroTik] /tool/sniffer> stop
[admin@MikroTik] /tool/sniffer> save
file-name: pp
[admin@MikroTik] /tool/sniffer> packet/print
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
 #  TIME   INTERFACE  SRC-ADDRESS       DST-ADDRESS     IP-PROTOCOL  SIZE  CPU
 0  0.089  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 1  0.189  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 2  0.289  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 3  0.389  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 4  0.489  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 5  0.589  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 6  0.689  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 7  0.789  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 8  0.889  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 9  0.989  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
10  1.089  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
11  1.189  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
12  1.289  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 5:39 pm

That is ... weird.

I created a test rule -
Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    ;;; Test
      chain=dstnat action=dst-nat to-addresses=172.29.0.1 protocol=udp src-address=192.168.2.0/24 dst-address=192.168.2.1 dst-port=1234 log=no log-prefix="" 
And here is my capture.
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
#  TIME    INTERFACE  SRC-ADDRESS        DST-ADDRESS       IP-PROTOCOL  SIZE  CPU
0  30.713  wifi8      192.168.2.6:62190  192.168.2.1:1234  udp            42    3
1  30.713  bridge     192.168.2.6:62190  192.168.2.1:1234  udp            46    3
2  30.713  vlan.10    192.168.2.6:62190  192.168.2.1:1234  udp            42    3
3  30.713  vlan.4000  192.168.2.6:62190  172.29.0.1:1234   udp            42    3
4  30.713  bridge     192.168.2.6:62190  172.29.0.1:1234   udp            46    3
5  30.713  wifi3      192.168.2.6:62190  172.29.0.1:1234   udp            46    3
Can you post the detailed packet capture (command below)?
/tool/sniffer/packet/print detail
 
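The two sniffer captures above are the most direct evidence in the thread: vingjfg's shows the same flow first with the original destination and then, on the egress interfaces, with the rewritten one, while ycdtosa's shows only untranslated packets on STREAM. The following added example (not from the thread and not MikroTik code) turns the column output of `/tool/sniffer/packet/print` into that yes/no answer by parsing the rows, grouping them per flow and checking whether the expected translated destination ever appears. Both capture snippets are copied from the posts above and embedded as constructed input; the original and expected destination pair is supplied by the caller.

```python
"""Parse the column output of RouterOS /tool/sniffer/packet/print and report, per
flow, whether the destination address was ever rewritten (evidence that dst-nat fired).
Added example, not MikroTik code. The two captures below are copied from the posts
in this thread and embedded as constructed input."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CAPTURE_NO_NAT = """\
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
 #  TIME   INTERFACE  SRC-ADDRESS       DST-ADDRESS     IP-PROTOCOL  SIZE  CPU
 0  0.089  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 1  0.189  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
 2  0.289  STREAM     10.0.10.10:60004  10.0.10.1:1234  udp           718    0
"""

CAPTURE_NAT = """\
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
#  TIME    INTERFACE  SRC-ADDRESS        DST-ADDRESS       IP-PROTOCOL  SIZE  CPU
0  30.713  wifi8      192.168.2.6:62190  192.168.2.1:1234  udp            42    3
1  30.713  bridge     192.168.2.6:62190  192.168.2.1:1234  udp            46    3
2  30.713  vlan.10    192.168.2.6:62190  192.168.2.1:1234  udp            42    3
3  30.713  vlan.4000  192.168.2.6:62190  172.29.0.1:1234   udp            42    3
4  30.713  bridge     192.168.2.6:62190  172.29.0.1:1234   udp            46    3
5  30.713  wifi3      192.168.2.6:62190  172.29.0.1:1234   udp            46    3
"""

# One data row: index, time, interface, src:port, dst:port, protocol, size, cpu
ROW = re.compile(
    r"^\s*\d+\s+(?P<time>[\d.]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<size>\d+)\s+(?P<cpu>\d+)\s*$"
)

Flow = Tuple[str, int, int, str]   # (src, sport, dport, proto)


def parse_capture(text: str) -> List[dict]:
    """Return one dict per packet row; the 'Columns:' and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "size", "cpu"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def nat_evidence(rows: List[dict], original_dst: str, expected_dst: str) -> Dict[Flow, dict]:
    """Group packets by flow and record the distinct destinations and interfaces seen,
    in order of appearance. 'translated' is True only if the flow was observed with
    expected_dst, i.e. the router actually rewrote the destination on the packet path."""
    seen: Dict[Flow, dict] = defaultdict(lambda: {"dsts": [], "ifaces": []})
    for r in rows:
        f = seen[(r["src"], r["sport"], r["dport"], r["proto"])]
        if r["dst"] not in f["dsts"]:
            f["dsts"].append(r["dst"])
        if r["iface"] not in f["ifaces"]:
            f["ifaces"].append(r["iface"])
    return {
        flow: {
            "seen_original": original_dst in f["dsts"],
            "translated": expected_dst in f["dsts"],
            "dsts": f["dsts"],
            "ifaces": f["ifaces"],
        }
        for flow, f in seen.items()
    }


def dstnat_applied(text: str, original_dst: str, expected_dst: str) -> bool:
    """True if any flow in the capture shows the expected translated destination."""
    evidence = nat_evidence(parse_capture(text), original_dst, expected_dst)
    return any(v["translated"] for v in evidence.values())


if __name__ == "__main__":
    print("thread capture, NAT applied:", dstnat_applied(CAPTURE_NO_NAT, "10.0.10.1", "10.0.40.10"))
    print("vingjfg capture, NAT applied:", dstnat_applied(CAPTURE_NAT, "192.168.2.1", "172.29.0.1"))
```

Run against the thread's capture the flow from 10.0.10.10:60004 is only ever seen on STREAM with destination 10.0.10.1, so the check reports no translation; against vingjfg's capture the same flow appears with 172.29.0.1 on vlan.4000, bridge and wifi3, which is what a working dst-nat looks like from the sniffer's point of view. The check reads only what the sniffer recorded; it cannot tell why the translation did not happen, only whether it did.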
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UDP traffic addressed to the router itself

Fri Apr 12, 2024 5:53 pm

set filter-dst-port=1234
[admin@MikroTik] /tool/sniffer> start
[admin@MikroTik] /tool/sniffer> stop
[admin@MikroTik] /tool/sniffer> packet print detail     
 0 time=0.096 num=1 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14602 fragment-offset=0 ttl=64 

 1 time=0.196 num=2 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14620 fragment-offset=0 ttl=64 

 2 time=0.296 num=3 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14642 fragment-offset=0 ttl=64 

 3 time=0.395 num=4 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14654 fragment-offset=0 ttl=64 

 4 time=0.496 num=5 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14667 fragment-offset=0 ttl=64 

 5 time=0.596 num=6 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14691 fragment-offset=0 ttl=64 

 6 time=0.696 num=7 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14697 fragment-offset=0 ttl=64 

 7 time=0.796 num=8 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14701 fragment-offset=0 ttl=64 

 8 time=0.896 num=9 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14722 fragment-offset=0 ttl=64 

 9 time=0.996 num=10 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14729 fragment-offset=0 ttl=64 

10 time=1.096 num=11 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14743 fragment-offset=0 ttl=64 

11 time=1.196 num=12 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14753 fragment-offset=0 ttl=64 

12 time=1.296 num=13 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14777 fragment-offset=0 ttl=64 

13 time=1.396 num=14 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14794 fragment-offset=0 ttl=64 

14 time=1.496 num=15 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14798 fragment-offset=0 ttl=64 

15 time=1.596 num=16 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14811 fragment-offset=0 ttl=64 

16 time=1.696 num=17 direction=rx src-mac=00:0B:AB:B9:E0:72 dst-mac=78:9A:18:AB:EF:EB interface=STREAM src-address=10.0.10.10:60004 dst-address=10.0.10.1:1234 protocol=ip ip-protocol=udp size=718 cpu=0 ip-packet-size=704 ip-header-size=20 dscp=0 
   identification=14828 fragment-offset=0 ttl=64 
...
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 5:59 pm

I must say, at this point there is nothing else connected to the machine.
It is just my PC via wifi, in order to access it using WinBox,
and a fake STREAMer sending the UDP packets to the router itself.

There is still nothing in 10.0.40.0/24 nor on 10.0.40.10, but I don't think this matters for the router to do the NATing.
Or does it?
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 6:44 pm

What might play a role is if the ethernet interface on the router (the one with IP 10.0.40.254) is itself down because of link-down. Can you connect something to it, like a mini-switch or anything that will make the link go up?

For the non-existent host, my gut feeling is no, but I am about to do a test.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 6:51 pm

Well, paint me green and call me a pickle ...
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
#  TIME   INTERFACE  SRC-ADDRESS        DST-ADDRESS       IP-PROTOCOL  SIZE  CPU
0  6.192  wifi8      192.168.2.6:35454  192.168.2.1:1234  udp            42    3
1  6.192  bridge     192.168.2.6:35454  192.168.2.1:1234  udp            46    3
2  6.192  vlan.10    192.168.2.6:35454  192.168.2.1:1234  udp            42    3
3  6.292  wifi8      192.168.2.6:35456  192.168.2.1:1234  udp            42    3
4  6.292  bridge     192.168.2.6:35456  192.168.2.1:1234  udp            46    3
5  6.292  vlan.10    192.168.2.6:35456  192.168.2.1:1234  udp            42    3
But still, the packet goes all the way to the egress interface. So, if the host is non-existent AND the interface is down, then dstnat might go out the window.
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 7:02 pm

Done. But no luck.

I have connected my PC to the 10.0.40.0/24, and it gets an IP in the expected range...
Ethernet adapter Ethernet 9:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::79e8:f9ec:ffc9:dedc%26
   IPv4 Address. . . . . . . . . . . : 10.0.40.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.40.254

I can see traffic there when using /ip/torch on the PROCESSOR interface, but nothing coming from the 10.0.10.10, nothing on port 1234
Meanwhile I still get hits on the input rule, but none on the NAT rule.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 7:27 pm

That's uncanny. Can you post the whole config (remove the private bits)?
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 7:31 pm


The dst-nat arrives before the firewall - so as you change the destination for a non-local address, it will go through your firewall: this is handled by the forward chain: input is only for the traffic going to the device itself.
Does this mean that mikrotik should try to match the dst-nat chain first, and then the firewall filters?
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 7:35 pm

/export hide-sensitive
# 2024-04-12 18:34:09 by RouterOS 7.12.1
# software id = M5CB-IWWQ
#
# model = L009UiGS-2HaxD
# serial number = HFB09F6Z0VH
/interface bridge
add admin-mac=78:9A:18:AB:EF:EB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name=PROCESSOR
set [ find default-name=ether2 ] name=STREAM
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Spain .mode=ap .ssid=MikroTik-Network disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-processor ranges=10.0.40.200-10.0.40.220
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp-processor interface=PROCESSOR name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=STREAM list=LAN
add interface=PROCESSOR list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.10.1/24 interface=STREAM network=10.0.10.0
add address=10.0.40.254/24 interface=PROCESSOR network=10.0.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.40.0/24 dns-server=10.0.40.254 gateway=10.0.40.254
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="STREAM: input filter" dst-address=10.0.10.1 dst-port=1234 protocol=udp src-address=10.0.10.10
/ip firewall nat
add action=dst-nat chain=dstnat comment="STREAM: nat\?" dst-address=10.0.10.1 dst-port=1234 protocol=udp to-addresses=10.0.40.10 to-ports=1234
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-dst-port=1234
[admin@MikroTik] > 

 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 8:31 pm

At this point I'll suggest the following combination:
/ip firewall filter
add action=accept chain=forward src-address=10.0.10.1 dst-address=10.0.40.10 protocol=udp dst-port=1234 connection-nat-state=dstnat

/ip firewall nat add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=udp to-addresses=10.0.40.10 to-ports=1234
Last edited by TheCat12 on Sat Apr 13, 2024 12:48 pm, edited 1 time in total.
 
vingjfg
Member
Posts: 362
Joined: Fri Oct 20, 2023 1:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Fri Apr 12, 2024 8:35 pm

Last one for today. If that doesn't work, I will make a lab tomorrow: can you give the 10.0.40.10 ip to your pc and check again?
 
ycdtosa
just joined
Topic Author
Posts: 15
Joined: Fri Apr 05, 2024 7:45 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Sat Apr 13, 2024 11:20 am

Last one for today. If that doesn't work, I will make a lab tomorrow: can you give the 10.0.40.10 ip to your pc and check again?

Done, and it works. No need for making a lab.
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
  #  TIME   INTERFACE  SRC-ADDRESS       DST-ADDRESS      IP-PROTOCOL  SIZE  CPU
  0  0.076  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  1  0.076  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  2  0.176  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  3  0.176  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  4  0.276  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  5  0.276  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  6  0.376  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  7  0.376  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  8  0.476  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  9  0.476  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 10  0.576  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
 11  0.576  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 12  0.676  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
 13  0.676  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 14  0.776  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
 15  0.776  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 16  0.876  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
 17  0.876  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 18  0.976  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
 19  0.976  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
 20  1.076  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1

Which is exactly what was intended.
I have even fired wireshark on the 10.0.40.10 to confirm.
Thanks.

NOTE: After rebooting, I tested it all again, same static IP on the Processor machine ( 10.0.40.10 ), UDP stream fired from the STREAM interface, etc.
For a moment I thought the rule was not working or that it stopped somehow, because after a few hits, I could not see more hits on the rules.

However, on the 10.0.40.10, wireshark was showing me all this incoming traffic on 10.0.40.10:1234.

Maybe the rules are not hit anymore because it is considering it an established connection, thus it is hitting a different rule?

Thanks a lot.
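To check a torch capture like the one above without eyeballing it, here is an added example (not from the thread or from MikroTik) that parses the torch column output, pairs every packet seen on STREAM for 10.0.10.1:1234 with its translated copy on PROCESSOR for 10.0.40.10:1234, and lists the packets that were never translated. The sample capture inside is constructed; the interface names, addresses and the matching key (same torch timestamp, same source socket) are assumptions taken from this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the torch column layout shown in the thread:
# rows 0-3 are two translated pairs, row 4 has no egress copy on PROCESSOR.
TORCH_OUTPUT = """\
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
  #  TIME   INTERFACE  SRC-ADDRESS       DST-ADDRESS      IP-PROTOCOL  SIZE  CPU
  0  0.076  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  1  0.076  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  2  0.176  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
  3  0.176  PROCESSOR  10.0.10.10:36147  10.0.40.10:1234  udp           718    1
  4  0.276  STREAM     10.0.10.10:36147  10.0.10.1:1234   udp           718    1
"""

# One torch data row: index, time, interface, src socket, dst socket, proto, size, cpu.
ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<time>[\d.]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<size>\d+)\s+(?P<cpu>\d+)\s*$"
)


def parse_torch(text):
    """Return one dict per packet row; the 'Columns:' and '#' header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["time"] = float(d["time"])
            d["size"] = int(d["size"])
            rows.append(d)
    return rows


def check_dstnat(rows, in_iface, orig_dst, out_iface, nat_dst):
    """Pair each ingress packet (in_iface, orig_dst) with an egress packet on
    out_iface carrying the translated destination nat_dst.
    Key assumption: dst-nat leaves the source socket untouched and torch prints
    both copies with the same timestamp, so (time, src) identifies the pair."""
    ingress = [r for r in rows if r["iface"] == in_iface and r["dst"] == orig_dst]
    egress = defaultdict(int)
    for r in rows:
        if r["iface"] == out_iface and r["dst"] == nat_dst:
            egress[(r["time"], r["src"])] += 1
    translated, untranslated = 0, []
    for r in ingress:
        key = (r["time"], r["src"])
        if egress[key] > 0:
            egress[key] -= 1          # consume one egress copy per ingress packet
            translated += 1
        else:
            untranslated.append(r["num"])
    return {"ingress": len(ingress), "translated": translated, "untranslated": untranslated}


if __name__ == "__main__":
    result = check_dstnat(parse_torch(TORCH_OUTPUT), "STREAM", "10.0.10.1:1234",
                          "PROCESSOR", "10.0.40.10:1234")
    print(result)  # {'ingress': 3, 'translated': 2, 'untranslated': ['4']}
```

Run against the earlier capture in this thread, where torch only ever showed STREAM rows, every packet would land in the untranslated list; a non-empty list with a working NAT rule usually means the egress link was down or the target host was unreachable, as discussed above.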
 
mkx
Forum Guru
Posts: 11791
Joined: Thu Mar 03, 2016 10:23 pm

Re: forwarding incoming UPD traffic addressed to the router itself

Sat Apr 13, 2024 4:23 pm

NATed traffic also gets fasttracked if appropriate rules are set. And in this case indeed rules, which handle traffic initially, don't get hit any more and thus counters don't increment.
