My TCP port forwarding does not work, but UDP does!
Checking the UDP port forward with "nc -z -v -u mydomain.com 3478" works fine and reports:
"Connection to mydomain.com (x.x.x.138) 3478 port [udp/*] succeeded!"
But TCP (nc -z -v -t mydomain.com 3478) fails: it just keeps sending packets until it times out.
The first entry of the above log works, the others (TCP) do not, and nc just keeps sending them until the timeout.
I checked other ports (5555 - same result), tried different machines (192.168.55.3, 192.168.55.5) and different OSes, and disabled iptables - nothing helped.
I checked everything I could, but I just can't understand WHY it is not working as it should.
Any help with this one is appreciated - any advice welcome!
My config:
[admin@Mikrotik-3011] > export hide-sensitive
# may/10/2024 22:34:16 by RouterOS 6.49.15
#
# model = RouterBOARD 3011UiAS
# NOTE(review): "hide-sensitive" strips secrets from the export; the public address has
# additionally been masked by hand as x.x.x.138. The interface lists (LAN, WAN), address
# lists (Luminati, PKK) and interfaces (ether1, ppp1, 3G) referenced below are defined in
# parts of the configuration that are not included in this excerpt.
/ip firewall filter
# FastTrack established/related forward traffic. Fasttracked packets bypass the remaining
# filter and mangle rules, so the rules below effectively see only the first packets of a
# connection and whatever fasttrack does not handle.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=\
established,related
# Log and drop forwarded traffic towards the Luminati address list (list contents not shown).
add action=drop chain=forward dst-address-list=Luminati log=yes log-prefix=Luminati
add action=accept chain=forward comment=established,related connection-state=\
established,related
# Log and drop inter-subnet traffic 192.168.255.0/24 -> 192.168.10.0/24.
add action=drop chain=forward dst-address=192.168.10.0/24 log=yes log-prefix=\
BLOCK-SUBNET- src-address=192.168.255.0/24
add action=drop chain=forward comment=invalid connection-state=invalid log-prefix=\
invalid-fwd
add action=drop chain=input connection-state=invalid log-prefix=invalid-inp
# Refuse DNS queries arriving on ether1 (TCP and UDP) so the router does not act as an
# open resolver towards the WAN side; the UDP variant is logged with prefix "block dns".
add action=reject chain=input dst-port=53 in-interface=ether1 protocol=tcp reject-with=\
icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface=ether1 log-prefix="block dns" \
protocol=udp reject-with=icmp-port-unreachable
# Drop management and discovery ports on the public address (8291 = Winbox, 23 = telnet,
# 8080 = web proxy/HTTP alt, 1900 = SSDP), logged as "Drop-ports".
add action=drop chain=input dst-address=x.x.x.138 dst-port=8080,23,8291,1900 \
in-interface=ether1 log-prefix=Drop-ports protocol=tcp
# Rate-limited ICMP from ether1 (50 packets per 5 s, burst 2).
add action=accept chain=input comment="Normal Ping ICMP" in-interface=ether1 limit=\
50/5s,2:packet protocol=icmp
# Disabled: would drop all echo requests from ether1 regardless of the limit above.
add action=drop chain=input comment="drop echo request" disabled=yes icmp-options=8:0 \
in-interface=ether1 protocol=icmp
# PPTP/IKE brute-force throttling on 1723,500,4500/tcp from ether1. A source that opens
# repeated new connections is promoted pptp_stage1 -> stage2 -> stage3 -> pptp_blacklist
# and then dropped. Rule order matters: the stage3, stage2 and stage1 checks come before
# the unconditional stage1 add, so a single packet cannot climb several stages at once.
# NOTE(review): the blacklist entry lives only 10s (address-list-timeout below), so the
# block is short-lived; 500/4500 here match TCP only, IKE/NAT-T on UDP is accepted further
# down.
add action=drop chain=input comment="drop pptp brute forcers" dst-port=1723,500,4500 \
in-interface=ether1 protocol=tcp src-address-list=\
pptp_blacklist
# Static drop of one /16 on the same ports, logged with prefix "sasai-".
add action=drop chain=input comment="drop pptp brute forcers" dst-port=1723,500,4500 \
in-interface=ether1 log-prefix=sasai- protocol=tcp src-address=45.78.0.0/16
# stage3 -> pptp_blacklist (10s)
add action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=10s \
chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
protocol=tcp src-address-list=pptp_stage3
# stage2 -> stage3 (20s)
add action=add-src-to-address-list address-list=pptp_stage3 address-list-timeout=20s \
chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
protocol=tcp src-address-list=pptp_stage2
# stage1 -> stage2 (5m)
add action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=5m \
chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
protocol=tcp src-address-list=pptp_stage1
# every new connection -> stage1 (1m)
add action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m \
chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
protocol=tcp
# Accept established/related on input, logged with prefix "inp-est-".
add action=accept chain=input comment="Accept: Est, Rel" connection-state=\
established,related log-prefix=inp-est-
# VPN server ports exposed on ether1: PPTP (1723/tcp + GRE) and L2TP/IPsec
# (1701,500,4500/udp + ESP).
# NOTE(review): PPTP with MS-CHAPv2 is considered broken; if the clients allow it, prefer
# the L2TP/IPsec path and retire the 1723/tcp and GRE accepts.
add action=accept chain=input dst-port=1723 in-interface=ether1 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=gre
# Disabled: router-side 443/80 on input from ether1 (these ports are dst-natted to
# internal hosts in /ip firewall nat instead).
add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
# Untracked traffic (see the notrack rule in /ip firewall raw) is accepted on both chains.
add action=accept chain=input comment=untracked connection-state=untracked
add action=accept chain=forward connection-state=untracked
# Allow traffic covered by an IPsec policy through forward in both directions.
add action=accept chain=forward comment="ipsec in-out" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
# Default-config catch-all kept but disabled; the explicit "Drop All Input" on ether1
# below takes its place for the WAN interface.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
in-interface-list=!LAN
# Only dst-natted new connections may enter from WAN. There is no explicit accept for them
# in the forward chain, so they rely on the chain's default accept after this rule.
# Assumes ether1 is a member of the WAN interface list (list not shown here) — TODO confirm.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop All Input" in-interface=ether1 log-prefix=\
drp-inp
# Matches ppp1 only, so it is not shadowed by the ether1 "Drop All Input" above.
add action=drop chain=input in-interface=ppp1 src-address=192.168.88.20
/ip firewall mangle
# Policy routing: traffic from 192.168.255.0/24 to the PKK address list is marked
# PKK-VPN and (per the routing table, not shown) sent out via ppp1.
add action=mark-routing chain=prerouting comment=PKK dst-address-list=PKK \
new-routing-mark=PKK-VPN passthrough=yes src-address=192.168.255.0/24
# Clamp TCP MSS to path MTU on SYNs of the PKK-VPN-marked flows leaving ppp1.
add action=change-mss chain=postrouting dst-address-list=PKK new-mss=clamp-to-pmtu \
out-interface=ppp1 passthrough=yes protocol=tcp routing-mark=PKK-VPN tcp-flags=syn
# Disabled alternative: fixed MSS of 1360 for PKK traffic.
add action=change-mss chain=forward disabled=yes dst-address-list=PKK new-mss=1360 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
# Source NAT for the internal subnets/hosts leaving via ether1, plus 192.168.255.0/24 via
# ppp1. All of these are keyed on out-interface=ether1/ppp1 only.
# NOTE(review): there is no srcnat for LAN-to-LAN ("hairpin") traffic. Because the dst-nat
# rules below have no in-interface and match solely on dst-address=x.x.x.138, a test run
# from an inside host against the public address is dst-natted, but the server's reply goes
# straight back to the client from its LAN address, which the client's TCP stack discards.
# A UDP "nc -z -u" probe still reports success in that case (and in general unless an ICMP
# port-unreachable comes back), so it is not proof that the UDP forward works. Confirm
# from where the nc tests were run; if from the LAN, add a hairpin srcnat/masquerade rule
# or test from an external host.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface=ether1 src-address=192.168.255.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.2
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.3
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.5
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ppp1 src-address=192.168.255.0/24
# Inbound port forwards on x.x.x.138 (no in-interface restriction):
#   443/tcp           -> 192.168.55.3
#   3478/tcp,udp      -> 192.168.55.3   (logged TCP-3478- / UDP-3478-)
#   5555/tcp,udp      -> 192.168.55.5   (logged TCP-5555- / UDP-5555-)
#   80, 993, 143/tcp  -> 192.168.255.3
#   25/tcp            -> 192.168.55.2
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=443 log-prefix=443- \
protocol=tcp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=3478 log=yes \
log-prefix=TCP-3478- protocol=tcp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=5555 log=yes \
log-prefix=TCP-5555- protocol=tcp to-addresses=192.168.55.5
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=5555 log=yes \
log-prefix=UDP-5555- protocol=udp to-addresses=192.168.55.5
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=3478 log=yes \
log-prefix=UDP-3478- protocol=udp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=80 log-prefix=80- \
protocol=tcp to-addresses=192.168.255.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=25 protocol=tcp \
to-addresses=192.168.55.2
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=993 protocol=tcp \
to-addresses=192.168.255.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=143 protocol=tcp \
to-addresses=192.168.255.3
# Redirect DHCP discover broadcasts (68 -> 67) from 192.168.20.0/24 VPN clients on any ppp
# interface to the DHCP server at 192.168.255.253; the reply path is handled by the
# notrack rule in /ip firewall raw below.
add action=dst-nat chain=dstnat dst-address=255.255.255.255 dst-port=67 in-interface=\
all-ppp log-prefix=VPN-DHCP protocol=udp src-address=192.168.20.0/24 src-port=68 \
to-addresses=192.168.255.253
# Disabled: masquerade 192.168.255.0/24 when leaving via the 3G interface.
add action=masquerade chain=srcnat disabled=yes out-interface=3G src-address=\
192.168.255.0/24
/ip firewall raw
# Exclude DHCP server replies (67 -> 68) from 192.168.255.253 towards 192.168.20.0/24 from
# connection tracking; they are then matched by the "untracked" accepts in the filter.
add action=notrack chain=prerouting dst-address=192.168.20.0/24 dst-port=68 log-prefix=\
VPN-notrack protocol=udp src-address=192.168.255.253 src-port=67