Sysxp
just joined
Topic Author
Posts: 9
Joined: Tue Oct 19, 2021 9:17 pm

TCP port forwarding not working

Fri May 10, 2024 9:31 pm

Hello!

My TCP port forwarding does not work, but the UDP does!
Checking UDP port forward with "nc -z -v -u mydomain.com 3478" works fine saying:
"Connection to mydomain.com (x.x.x.138) 3478 port [udp/*] succeeded!"
But TCP (nc -z -v -t mydomain.com 3478) fails; it just keeps sending packets until it gives up because of the timeout.

(attached image: TCP.JPG)
The first entry of the above log works, the others (TCP) do not, and nc just keeps sending them until timeout.
I checked other ports (5555 - same), checked on different machines (192.168.55.3, 192.168.55.5), different OS, disabled iptables - nothing helped.

I checked everything I could but I just can't understand WHY it is not working as it should.
Any help appreciated with this one - any advice welcome!

My config:
[admin@Mikrotik-3011] > export hide-sensitive 
# may/10/2024 22:34:16 by RouterOS 6.49.15
#
# model = RouterBOARD 3011UiAS
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=\
    established,related
add action=drop chain=forward dst-address-list=Luminati log=yes log-prefix=Luminati
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward dst-address=192.168.10.0/24 log=yes log-prefix=\
    BLOCK-SUBNET- src-address=192.168.255.0/24
add action=drop chain=forward comment=invalid connection-state=invalid log-prefix=\
    invalid-fwd
add action=drop chain=input connection-state=invalid log-prefix=invalid-inp
add action=reject chain=input dst-port=53 in-interface=ether1 protocol=tcp reject-with=\
    icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface=ether1 log-prefix="block dns" \
    protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input dst-address=x.x.x.138 dst-port=8080,23,8291,1900 \
    in-interface=ether1 log-prefix=Drop-ports protocol=tcp
add action=accept chain=input comment="Normal Ping ICMP" in-interface=ether1 limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="drop echo request" disabled=yes icmp-options=8:0 \
    in-interface=ether1 protocol=icmp
add action=drop chain=input comment="drop pptp brute forcers" dst-port=1723,500,4500 \
    in-interface=ether1 protocol=tcp src-address-list=\
    pptp_blacklist
add action=drop chain=input comment="drop pptp brute forcers" dst-port=1723,500,4500 \
    in-interface=ether1 log-prefix=sasai- protocol=tcp src-address=45.78.0.0/16
add action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=10s \
    chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
    protocol=tcp src-address-list=pptp_stage3
add action=add-src-to-address-list address-list=pptp_stage3 address-list-timeout=20s \
    chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
    protocol=tcp src-address-list=pptp_stage2
add action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=5m \
    chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
    protocol=tcp src-address-list=pptp_stage1
add action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m \
    chain=input connection-state=new dst-port=1723,500,4500 in-interface=ether1 \
    protocol=tcp 
add action=accept chain=input comment="Accept: Est, Rel" connection-state=\
    established,related log-prefix=inp-est-
add action=accept chain=input dst-port=1723 in-interface=ether1 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=gre
add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment=untracked connection-state=untracked
add action=accept chain=forward connection-state=untracked
add action=accept chain=forward comment="ipsec in-out" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop All Input" in-interface=ether1 log-prefix=\
    drp-inp
add action=drop chain=input in-interface=ppp1 src-address=192.168.88.20
/ip firewall mangle
add action=mark-routing chain=prerouting comment=PKK dst-address-list=PKK \
    new-routing-mark=PKK-VPN passthrough=yes src-address=192.168.255.0/24
add action=change-mss chain=postrouting dst-address-list=PKK new-mss=clamp-to-pmtu \
    out-interface=ppp1 passthrough=yes protocol=tcp routing-mark=PKK-VPN tcp-flags=syn
add action=change-mss chain=forward disabled=yes dst-address-list=PKK new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether1 src-address=192.168.255.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.2
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.3
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.5
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ppp1 src-address=192.168.255.0/24
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=443 log-prefix=443- \
    protocol=tcp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=3478 log=yes \
    log-prefix=TCP-3478- protocol=tcp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=5555 log=yes \
    log-prefix=TCP-5555- protocol=tcp to-addresses=192.168.55.5
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=5555 log=yes \
    log-prefix=UDP-5555- protocol=udp to-addresses=192.168.55.5
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=3478 log=yes \
    log-prefix=UDP-3478- protocol=udp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=80 log-prefix=80- \
    protocol=tcp to-addresses=192.168.255.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=25 protocol=tcp \
    to-addresses=192.168.55.2
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=993 protocol=tcp \
    to-addresses=192.168.255.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=143 protocol=tcp \
    to-addresses=192.168.255.3
add action=dst-nat chain=dstnat dst-address=255.255.255.255 dst-port=67 in-interface=\
    all-ppp log-prefix=VPN-DHCP protocol=udp src-address=192.168.20.0/24 src-port=68 \
    to-addresses=192.168.255.253
add action=masquerade chain=srcnat disabled=yes out-interface=3G src-address=\
    192.168.255.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.20.0/24 dst-port=68 log-prefix=\
    VPN-notrack protocol=udp src-address=192.168.255.253 src-port=67
Last edited by Sysxp on Sun May 12, 2024 9:14 pm, edited 3 times in total.
 
johnson73
Member Candidate
Posts: 195
Joined: Wed Feb 05, 2020 10:07 am

Re: TCP port forwarding not working

Fri May 10, 2024 11:00 pm

1) your firewall has one big mix in which there is too much of everything as unnecessary. Always take the default rules as a basis and then you can supplement them with what you need.
2) why are there so many Masquerade rules in the NAT section? This is not correct
3) for the traffic flow to function correctly, the rules must be in the correct order. In the beginning, you don't need to put forward rules, etc. There is always an Input chain first and only then a Forward chain.
The order of the rules is important, the rules are executed in order from top to bottom.

INPUT CHAIN --> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN --> Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN --> From the Router. Directional flow is Router to WAN.
 
Sysxp
just joined
Topic Author
Posts: 9
Joined: Tue Oct 19, 2021 9:17 pm

Re: TCP port forwarding not working

Sat May 11, 2024 11:35 am

johnson73, thank you for your reply!

1) your firewall has one big mix in which there is too much of everything as unnecessary. Always take the default rules as a basis and then you can supplement them with what you need.
Well, it is a very old config but it always worked fine and everything there is actually for a purpose, I would gladly get rid of anything not needed

2) why are there so many Masquerade rules in the NAT section? This is not correct
I have several subnets, and some PCs from these subnets need access to the internet. How do I provide internet access for different subnets (or individual IPs in these subnets) without adding a new Masquerade rule? Removing the rule will disable internet for them.

3) for the traffic flow to function correctly, the rules must be in the correct order. In the beginning, you don't need to put forward rules, etc. There is always an Input chain first and only then a Forward chain.
The order of the rules is important, the rules are executed in order from top to bottom.
I put the Input rules on top of everything else, even created a new one allowing all Input from Ether1 - nothing changed for the better.

I don't understand. This specific problem seems to be affecting the nc TCP check specifically, because actual port forwarding works - I mean, from the web browser to 443 it works fine.
But when used from the inside using nc -z TCP check - it FAILS no matter what I do.
This is somewhat frustrating because containers use this check to check if they are available from the outside and showing unhealthy status.
Full chain looks like this nc -z calls for -> mydomain.com:3478 --> cloudflare unproxied DNS points to x.x.x.138 --> Mikrotik 3478 TCP dstnat to 192.168.55.3:3478 - and that is all!
Still, UDP check works, and TCP is not.

This is driving me crazy.
 
johnson73
Member Candidate
Posts: 195
Joined: Wed Feb 05, 2020 10:07 am

Re: TCP port forwarding not working

Sat May 11, 2024 12:18 pm

I have several subnets, and some PCs from these subnets need access to the internet. How do I provide internet access for different subnets (or individual IPs in these subnets) without adding a new Masquerade rule? Removing the rule will disable internet for them.
I usually do this by specifying the masquerade for a full subnet, not for a specific IP address as in your example.
I also specify the firewall rules differently. For instance:
LAN1- the first subnet
LAN2- second subnet, etc.
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN1 protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN1 protocol=tcp
add action=accept chain=input comment="Allow DNS to local-LAN2" dst-port=53 \
    in-interface-list=LAN2 protocol=udp
add action=accept chain=input comment="Allow DNS to local-LAN2" dst-port=53 \
    in-interface-list=LAN2 protocol=tcp
respectively in the forward section:
add action=accept chain=forward comment="Access Internet From LAN1" \
    in-interface-list=LAN1 out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN2" \
    in-interface-list=LAN2 out-interface-list=WAN
But you have to think about TCP.
 
Sysxp
just joined
Topic Author
Posts: 9
Joined: Tue Oct 19, 2021 9:17 pm

Re: TCP port forwarding not working

Sat May 11, 2024 5:05 pm

Ok, I decided to bring the "big guns" and captured everything while testing port forward.
UDP port forward looks like this (and works fine):
(attached image: W-UDP.JPG)

TCP port forward looks like this and NOT working correctly:
(attached image: Tcp1.JPG)

Unfortunately, while I understand that something is wrong, I don't understand what exactly is wrong and what prevents it from working normally.
If you understand WHAT it wants and WHY it keeps retransmitting please let me know.

Many thanks in advance!

P.S. I'm testing port 5555 with "nc -z -v -v -t mydomain.com 5555" - not working.
UDP with "nc -z -v -v -u mydomain.com 5555" works fine.
Any other port behaves the same way.

OMG. I think I just go scream into the pillow, I guess. :)
Last edited by Sysxp on Sun May 12, 2024 12:46 pm, edited 2 times in total.
 
Sysxp
just joined
Topic Author
Posts: 9
Joined: Tue Oct 19, 2021 9:17 pm

Re: TCP port forwarding not working  [SOLVED]

Sun May 12, 2024 12:44 pm

I finally did it!!
Haha, yes, it is now working!! I almost ripped my a$$ in 2 halves while diagnosing this, but now it does not matter - it is working! :)
And all because of this forum with very useful information on the matter!
It is simple, and I KNEW it would be simple from the start!
---
From my observed behavior it looks like I have SYNs working ok all the way, but it never gets the corresponding ACK back.
What are the conditions for this to happen?
1. Incorrect Gateway setting (in my case GWs are set correctly for all the involved subnets)
2. Interface section of dstnat rule is messed up.
3. Interface section of masquerade rule is messed up.
In my case the dst VM (and the entire subnet) is behind another Cisco L3 router. Apparently, UDP and TCP routing work very differently - this caused the most confusion.
UDP packets go all the way outside and then come back through WAN on ether1. But TCP tries to do everything internally, and if the check is initiated from the inside it never leaves the internal network.

So my rule:
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.3
is not working, because TCP packets never go through ether1.

The correct working rule is:
add action=masquerade chain=srcnat src-address=192.168.55.3

This way it works no matter what. (and also very fast too).
nc -z -v -v -t mydomain.com 3478
Connection to mydomain.com (x.x.x.138) 3478 port [tcp/*] succeeded!

In conclusion, I would like to say that I love Mikrotik, love this forum and I love you all guys!
Thank you! :D
Last edited by Sysxp on Sun May 12, 2024 1:01 pm, edited 1 time in total.
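The diagnosis above (a masquerade rule pinned to out-interface=ether1 can never match traffic that dst-nat turns back into the LAN) can be checked mechanically. The script below is an added example, not code from the thread: it parses the wrapped "add ..." lines of a RouterOS export and reports, for every dst-nat rule, whether a connection from an inside host to the public address would also be source-NATed. The rules in NAT_EXPORT_BEFORE are copied from the poster's export (public address left as x.x.x.138); treating ether1 as the WAN interface and 192.168.55.3 as the testing host are assumptions taken from the discussion.

```python
"""Hairpin-NAT check for a RouterOS '/ip firewall nat' export.

Added example, not the poster's or MikroTik's code. Rules are copied from the
thread; the WAN interface name and the testing host are assumptions.
"""
import ipaddress
import shlex

# Constructed input: the relevant NAT rules from the thread, before the fix.
NAT_EXPORT_BEFORE = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.3
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.55.5
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=3478 log=yes \
    log-prefix=TCP-3478- protocol=tcp to-addresses=192.168.55.3
add action=dst-nat chain=dstnat dst-address=x.x.x.138 dst-port=5555 log=yes \
    log-prefix=UDP-5555- protocol=udp to-addresses=192.168.55.5
"""

# The fix the poster arrived at: the same masquerade with no out-interface.
NAT_EXPORT_AFTER = NAT_EXPORT_BEFORE + (
    "add action=masquerade chain=srcnat src-address=192.168.55.3\n"
)


def join_continuations(text):
    """RouterOS wraps long rules with a trailing backslash; rejoin those lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    return lines


def parse_rules(text):
    """One dict per 'add ...' line, keyed by parameter name (quotes handled by shlex)."""
    rules = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue  # skip the '/ip firewall nat' menu path
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def hairpin_gaps(export, client_ip, wan_ifaces):
    """For each dst-nat rule, decide whether a connection from client_ip to the
    public address will be source-NATed after dst-nat. Hairpin traffic goes back
    out a LAN interface, so only masquerade rules that cover client_ip and are
    NOT pinned to a WAN out-interface count."""
    rules = parse_rules(export)
    client = ipaddress.ip_address(client_ip)
    masq = [r for r in rules
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"]
    findings = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        usable = [m for m in masq
                  if client in ipaddress.ip_network(m.get("src-address", "0.0.0.0/0"),
                                                    strict=False)
                  and m.get("out-interface") not in wan_ifaces]
        findings.append({
            "service": f"{r.get('protocol')}/{r.get('dst-port')} -> {r.get('to-addresses')}",
            "hairpin_srcnat": bool(usable),
        })
    return findings


if __name__ == "__main__":
    for label, export in (("before", NAT_EXPORT_BEFORE), ("after", NAT_EXPORT_AFTER)):
        for f in hairpin_gaps(export, "192.168.55.3", {"ether1"}):
            status = "ok" if f["hairpin_srcnat"] else "NO srcnat for hairpin"
            print(f"{label}: {f['service']}: {status}")
```

The rule as fixed in the post masquerades everything 192.168.55.3 sends, wherever it goes, so other internal subnets no longer see that host's real address in their logs. The form MikroTik documents for hairpin NAT narrows the same masquerade with dst-address set to the LAN subnet, which keeps ordinary inter-subnet traffic un-NATed while still catching the turned-around connections.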
 
mkx
Forum Guru
Posts: 11812
Joined: Thu Mar 03, 2016 10:23 pm

Re: TCP port forwarding not working

Sun May 12, 2024 1:00 pm

Apparently, the UDP and TCP routing works very different

No, routing is exactly the same for the whole L3 family ... in your case IP. When it comes to routing, L4 (TCP vs. UDP) is a payload which doesn't affect the decisions. (it does matter when it comes to firewalling though, which obviously includes NAT)

What is truly different between TCP and UDP is that UDP is an inherently connection-less protocol and things may seem fine from the protocol point of view (netmap!) even if the path is broken and there are no replies (netmap only checks for ICMP error messages and if there are none, then it can't complain). TCP, OTOH, is a true connection protocol, it needs to successfully complete a two-way handshake before things can proceed (even if only to tear the connection down which is what netmap does ... and proper termination of a connection is again a two-way handshake) and if the two-way handshake fails, the client can detect problems.

So the problem in your diagnostics was that traces were not taken in all the relevant places to find the point of failure. That includes server (which would likely reveal that NAT was not made properly also for UDP).
Also it seems to me that you are testing connectivity from very same host ... which comes with a few further (conceptual) problems, such as the need for hair-pin NAT (which you eventually implemented in form of masquerade rule).
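The point made in this reply, that a UDP "port open" probe reports success whenever no ICMP error comes back while a TCP probe needs the handshake to complete, can be reproduced without any router. The block below is an added example (not from the thread or from nc's source) that mimics both probe styles with plain sockets against 127.0.0.1: a bound-but-silent UDP socket stands in for a forwarded port whose replies never return, and a TCP listener that is then closed shows the two outcomes TCP can distinguish.

```python
"""TCP vs. UDP reachability probes, as an nc -z style check would see them.

Added example, not from the thread. Everything runs on 127.0.0.1 so it works
offline; the silent UDP listener is a stand-in for a broken forwarded path.
"""
import socket


def udp_probe(host, port, timeout=0.5):
    """Mimic 'nc -z -u': send one datagram and wait briefly. No error inside the
    timeout is what nc reports as 'succeeded'; it only proves that no ICMP
    port-unreachable came back, not that anything is listening or answering."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"X", (host, port))
        try:
            s.recvfrom(1)
            return "replied"
        except socket.timeout:
            return "no-error"       # nc would print 'succeeded' here
        except ConnectionRefusedError:
            return "unreachable"    # ICMP port unreachable was delivered


def tcp_probe(host, port, timeout=0.5):
    """Mimic 'nc -z -t': the three-way handshake has to complete."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"        # RST came back: a host is there, nothing listens
        except socket.timeout:
            return "timeout"        # SYN retransmitted with no answer, as in the thread


def silent_udp_listener():
    """A UDP socket that is bound but never answers. Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def tcp_listener():
    """A TCP socket in LISTEN state; the kernel completes handshakes into the backlog."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def demo():
    """Run the three scenarios and return their probe verdicts."""
    results = {}
    us, uport = silent_udp_listener()
    results["udp_silent"] = udp_probe("127.0.0.1", uport)   # looks fine, proves nothing
    us.close()
    ts, tport = tcp_listener()
    results["tcp_listening"] = tcp_probe("127.0.0.1", tport)
    ts.close()
    results["tcp_closed"] = tcp_probe("127.0.0.1", tport)   # same port, listener gone
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The UDP verdict is the same whether a service answered, a firewall dropped the datagram, or the reply was routed somewhere the client never sees, which is why the container health checks in this thread trusted a forward that was not working. A TCP probe fails closed: "refused" or "timeout" both mean the handshake did not finish, and a packet capture on the server side, as suggested above, is what separates the two.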
 
Sysxp
just joined
Topic Author
Posts: 9
Joined: Tue Oct 19, 2021 9:17 pm

Re: TCP port forwarding not working

Sun May 12, 2024 1:10 pm

mkx
So, this means that I'm even more stupid than I thought I was, because my UDP connection was ALSO NOT WORKING properly, while I thought it worked (because of the successful nc output):
Connection to mydomain.com (x.x.x.138) 3478 port [udp/*] succeeded!
When in reality it was only checking if the port is open.
Thank you very much for the clarification!
This is even better than I think it was. :)
