slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Help me with port forwarding troubleshooting

Fri Nov 08, 2024 7:41 am

1st time Mikrotik user, got CCR2004-1G-12S+2XS.

I connected Mikrotik to ATT Fiber directly on sfp-sfpplus1. Used QuickSet to get started. Had to fix DHCP server network.
Router IP is 192.168.0.2
Network is 192.168.0.0/24

Also, did a few more steps to get access to the ATT SFP module web interface:
/ip address add address=192.168.11.2/24 interface=sfp-sfpplus1
/ip route print
    DST-ADDRESS      GATEWAY       DISTANCE
DAc 192.168.0.0/24   bridge1              0
DAc 192.168.11.0/24  sfp-sfpplus1         0
# Clone Mac for ATT
/interface ethernet set sfp-sfpplus1 mac-address=ac:8f:a9:31:**:**
Internet works, I can browse web sites.

Then I added 2 port forwarding rules and I see this:
/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN 
 1    chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80 
 2    chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=443 protocol=tcp in-interface-list=WAN dst-port=443 
But external requests to port 80 or 443 get no response.

I tried logs:
/ip firewall nat set [find where chain=dstnat and dst-port=80] log=yes log-prefix="HTTP-FWD "
But getting no logs.

I used Torch and I can see incoming requests (mostly to port 443) - see screenshot. Not sure, how to interpret it.

What do I miss? How can I troubleshoot it?
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 7:51 am

By the way, currently I have an ATT router, and port forwarding on it works. So, my IP is not CG-NAT'd.

Also, in the logs, I can see that there are requests coming externally to the router, trying to login / brute-force .... So, the requests are coming from outside, just need to figure out how to do port forwarding.
01:02:32 system,error,critical login failure for user root from 112.103.94.202 via telnet
00:24:10 system,error,critical login failure for user admin from 40.118.145.212 via ssh
00:24:31 system,error,critical login failure for user root from 120.240.244.235 via ssh
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api
 
anovojr
Frequent Visitor
Posts: 52
Joined: Wed Nov 15, 2017 9:24 am
Location: Philippines

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 8:15 am

Here are a few things you could check:

Firewall Rules: Also ensure you have firewall rules that allow traffic on ports 80 and 443 to the internal IP of your instance, 192.168.0.202. Sometimes just the Firewall rules can prevent the access even if you configured the NAT rules properly.

Interface Lists: Ensure that you briefly verify that the sfp-sfpplus1 interface is visible on your WAN side. If that is not the case, the specified NAT rules may not affect the incoming traffic in your network.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 8:20 am

> Firewall Rules:

I have 0 (Zero) firewall rules. That means that everything is open (allow). Right?
I understand that eventually I'll need to close / limit a few things, but I'm OK to have everything open while troubleshooting. Right?

> Interface Lists

Does that mean this:
/interface list member print
# LIST  INTERFACE   
0 WAN   sfp-sfpplus1
1 LAN   bridge1
Or anything else?
 
erlinden
Forum Guru
Posts: 2573
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 9:04 am

Can you show your config?
/export file=anynameyoulike
Remove serial and any other private info, post between code tags by using the </> button.
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 2:38 pm


> I have 0 (Zero) firewall rules. That means that everything is open (allow). Right?
> I understand that eventually I'll need to close / limit a few things, but I'm OK to have everything open while troubleshooting. Right?
Depends, is your device connected directly to the internet and not behind an ISP router??

If public facing then,
YES to first question, NO to the second question.

Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 5:34 pm

> Can you show your config?
Here it is:
# 2024-11-08 10:29:44 by RouterOS 7.16.1
# software id = ZAQF-UBCR
#
# model = CCR2004-1G-12S+2XS

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=AC:8F:A9:31:**:** \
    sfp-ignore-rx-los=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.0.40-192.168.0.150
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.0.44 comment=ub3090 mac-address=26:25:81:8B:DA:EA
add address=192.168.0.74 comment=t5820 mac-address=98:B7:85:1F:37:B5
add address=192.168.0.83 comment=t7920 mac-address=98:B7:85:1E:DC:F6
add address=192.168.0.88 comment=p5000 mac-address=86:BA:F1:28:E6:D2
add address=192.168.0.90 comment=Amcrest mac-address=9C:8E:CD:24:72:EE
add address=192.168.0.91 comment="RLC-810A street" mac-address=\
    EC:71:DB:0E:1A:BA
add address=192.168.0.101 comment=ds1621xs+ mac-address=00:11:32:EA:FD:03
add address=192.168.0.102 comment="psalm VM" mac-address=02:11:32:2E:95:E9
add address=192.168.0.103 comment=qb-win mac-address=B6:94:6F:A1:67:68
add address=192.168.0.109 comment="edsace loft" mac-address=00:D1:64:0B:0A:09
add address=192.168.0.110 comment=doorbell mac-address=EC:71:DB:2D:55:CF
add address=192.168.0.112 comment="RLC-1212A kitchen" mac-address=\
    EC:71:DB:3C:AB:41
add address=192.168.0.131 comment=Brother mac-address=30:05:5C:8F:6D:02
add address=192.168.0.138 comment=ds1812 mac-address=00:11:32:13:6B:64
add address=192.168.0.147 comment="aruba switch" mac-address=\
    BC:D7:A5:7E:64:E0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.2 \
    netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=web80 dst-port=80 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.0.202 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.202 to-ports=443
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
Last edited by slavikf on Fri Nov 08, 2024 5:49 pm, edited 1 time in total.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 5:47 pm

> Depends, is your device connected directly to the internet and not behind an ISP router??
What is "direct"?
With Mikrotik, I used this guide to bypass the ATT router:
https://pon.wiki/guides/masquerade-as-t ... s-was-110/

So, I'm NOT using the ISP router.
I have the ATT Fiber line going to a WS-110 SFP+ module, which is inserted into the sfp-sfpplus1 port of the Mikrotik.

Internet works; I'm using it from my laptop, which is connected via Ethernet to sfp-sfpplus7.

Port forwarding doesn't work.
> Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.
I do not have any firewall rules. Only firewall NAT rules.
 
erlinden
Forum Guru
Posts: 2573
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help me with port forwarding troubleshooting

Fri Nov 08, 2024 5:54 pm

> /ip address
> add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
> add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
> /ip dhcp-client
> add interface=sfp-sfpplus1
From the above, I get the feeling that on the sfp you set an IP manually and you also get an IP through DHCP. As there is no /ip route specified, it is probably dynamically set through DHCP as well.

Your router, or at least services like telnet and ssh, are publicly available, hence you are either in a DMZ or have a public IP.

What you should do:

Add firewall rules:
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
After that, we will continue. Hopefully you haven't been compromised yet (any other users created)?

[Update] Aah, you have confirmed that your router is public facing...without firewall filter rules.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Tue Nov 12, 2024 7:15 am

I added firewall rules, as suggested above, and port forwarding still doesn't work.
Tried a few other firewall settings; can't make port forwarding work.

Here is how I see connections on Firewall:
/ip firewall/connection print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
  #        PROTOCOL  SRC-ADDRESS            DST-ADDRESS           TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS  ORIG-BYTES  REPL-BYTES
  9   C  d tcp       198.13.84.43:56620     104.63.172.143:443    established  4m6s       0bps       0bps                  2             0       2 468           0
 10   C  d tcp       52.183.22.178:36372    104.63.172.143:443    established  4m25s      0bps       0bps                  3             0       3 507           0
 14   C  d tcp       66.249.73.200:37708    104.63.172.143:443    established  4m         0bps       0bps                  1             0          52           0
 15   C  d tcp       66.249.73.200:55028    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 19   C  d tcp       66.249.73.201:43451    104.63.172.143:443    established  4m36s      0bps       0bps                  2             0         104           0
 25   C  d tcp       66.249.73.201:42575    104.63.172.143:443    established  4m36s      0bps       0bps                  2             0         104           0
 37   C  d tcp       108.172.75.226:52364   104.63.172.143:443    established  4m20s      0bps       0bps                  2             0       2 338           0
 41   C  d tcp       66.249.73.200:59266    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 42   C  d tcp       66.249.73.200:61300    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 53   C  d tcp       66.249.74.78:60332     104.63.172.143:443    last-ack     4s         0bps       0bps                  8             0         416           0
 70   C  d tcp       3.142.54.202:39828     104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 71   C  d tcp       57.141.7.22:52794      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 72   C  d tcp       3.142.54.202:6209      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 73   C  d tcp       57.141.7.6:53342       104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 74   C  d tcp       57.141.7.27:34566      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 75   C  d tcp       3.219.81.66:46257      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 76   C  d tcp       54.85.7.119:13306      104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 77   C  d tcp       216.244.66.247:35586   104.63.172.143:80     syn-sent     1s         0bps       0bps                  4             0         240           0
 78   C  d tcp       57.141.7.3:40228       104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 79   C  d tcp       57.141.7.28:41220      104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 80   C  d tcp       184.73.195.18:56731    104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 81   C  d tcp       57.141.7.1:35404       104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 82   C  d tcp       57.141.7.15:37358      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 83   C  d tcp       57.141.7.25:49674      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 84   C  d tcp       57.141.7.16:38876      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 85   C  d tcp       54.221.203.24:5692     104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 86   C  d tcp       57.141.7.19:53314      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 87   C  d tcp       54.147.182.90:54458    104.63.172.143:443    syn-sent     3s         480bps     0bps                  4             0         240           0
 88   C  d tcp       57.141.7.23:54898      104.63.172.143:443    syn-sent     3s         480bps     0bps                  4             0         240           0
...
So, I see that
- connections on port 80/443 are correctly getting DSTNATed
- but they never get to the state "S - SEEN-REPLY; A - ASSURED"

What else can I do?

Currently my config export:
# 2024-11-12 00:04:05 by RouterOS 7.16.1
# software id = ZAQF-UBCR
#
# model = CCR2004-1G-12S+2XS
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=AC:8F:A9:31:**:** \
    sfp-ignore-rx-los=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.0.40-192.168.0.150
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.0.101 comment=ds1621xs+ mac-address=00:11:32:EA:FD:03
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.2 \
    netmask=24
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.101 to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
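The connection table above is the key diagnostic in this thread: every dst-NATed flow shows a `d` flag, a non-zero ORIG-PACKETS count and zero REPL-PACKETS, and never gains the `S` (seen-reply) flag, which means the SYN was translated and forwarded but the internal host never answered. The following script is an added example, not code from the thread or from MikroTik: it parses the text layout of `/ip firewall/connection print` as shown above and flags dst-NATed flows with no reply. The sample rows are constructed to mirror the thread's output (three unanswered flows, plus one healthy forwarded flow and one ordinary outbound flow for contrast).

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `/ip firewall/connection print`
# (RouterOS 7). Rows 9, 70 and 77 reproduce the thread's symptom; rows 90
# (answered dst-nat) and 91 (plain src-nat) are added for contrast.
SAMPLE_OUTPUT = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
  #        PROTOCOL  SRC-ADDRESS            DST-ADDRESS           TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS  ORIG-BYTES  REPL-BYTES
  9   C  d tcp       198.13.84.43:56620     104.63.172.143:443    established  4m6s       0bps       0bps                  2             0       2 468           0
 70   C  d tcp       3.142.54.202:39828     104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 77   C  d tcp       216.244.66.247:35586   104.63.172.143:80     syn-sent     1s         0bps       0bps                  4             0         240           0
 90 SAC  d tcp       203.0.113.10:51000     104.63.172.143:443    established  23h59m     0bps       0bps                 12            10       1 900       4 210
 91 SAC s  tcp       192.168.0.74:40000     93.184.216.34:443     established  23h58m     0bps       0bps                 30            28       3 100      12 000
"""

# Row = entry number, a block of flag letters, the protocol, then the rest.
ROW_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z ]*?)\s*\b(tcp|udp|icmp)\b\s+(.*)$")


@dataclass
class Conn:
    num: int
    flags: str
    proto: str
    src: str
    dst: str
    orig_packets: int
    repl_packets: int

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1]) if ":" in self.dst else -1

    @property
    def dstnated(self) -> bool:
        return "d" in self.flags          # d - DSTNAT

    @property
    def seen_reply(self) -> bool:
        return "S" in self.flags          # S - SEEN-REPLY


def parse_connections(text: str) -> list[Conn]:
    """Parse the table rows; header, 'Flags:', 'Columns:' and '...' lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        num, flags, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = tokens[0], tokens[1]
        # Byte columns use thousands separators with spaces ("2 468"), so locate the
        # packet counters relative to the two "...bps" rate columns instead of the end.
        first_rate = next(i for i, t in enumerate(tokens) if t.endswith("bps"))
        orig_pkts = int(tokens[first_rate + 2])
        repl_pkts = int(tokens[first_rate + 3])
        conns.append(Conn(int(num), flags.strip(), proto, src, dst, orig_pkts, repl_pkts))
    return conns


def unanswered_dstnat(conns: list[Conn]) -> list[Conn]:
    """dst-NATed flows that the internal host never answered."""
    return [c for c in conns if c.dstnated and c.repl_packets == 0 and not c.seen_reply]


def summarize(text: str) -> dict:
    conns = parse_connections(text)
    dstnat = [c for c in conns if c.dstnated]
    bad = unanswered_dstnat(conns)
    by_port: dict[int, int] = {}
    for c in bad:
        by_port[c.dst_port] = by_port.get(c.dst_port, 0) + 1
    return {
        "total": len(conns),
        "dstnat": len(dstnat),
        "unanswered": len(bad),
        "unanswered_ids": [c.num for c in bad],
        "unanswered_by_port": by_port,
        # True when every forwarded flow is silent: points at the path to the
        # internal host (routing, its gateway, or a host firewall), not at the NAT rule.
        "all_dstnat_unanswered": bool(dstnat) and len(bad) == len(dstnat),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_OUTPUT).items():
        print(f"{k}: {v}")
```

When every dst-NATed entry is unanswered, the NAT rule itself is evidently matching (the `d` flag proves that), so the next place to look is the return path: whether the internal host uses the router as its default gateway, and whether the router's own address setup on the WAN interface is sane.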
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Tue Nov 12, 2024 5:16 pm

How do you expect to port forward if you don't have a public IP address?
If you can access the upstream ISP device and from there forward a port, then it could be done.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Tue Nov 12, 2024 8:11 pm

> How do you expect to port forward if you don't have a public IP address?
I do have a public IP address. I'm using Mikrotik INSTEAD of the ISP router. So, my Mikrotik gets a public IP address on SFP1.
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Tue Nov 12, 2024 8:23 pm

1. Your words are not reflected in the config!!!

/ip address
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0

Effectively assigning a private IP to sfp-sfpplus1

You also have this... and this is in conflict as you cannot use BOTH, so recommend you delete the IP address entry!!!
/ip dhcp-client
add interface=sfp-sfpplus1



2. Recommend minor change to firewall rules for better clarity and tighter security
FROM default rule:
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Tue Nov 12, 2024 8:28 pm

Question: Do you have users on the same LAN subnet also using one or both servers?

If so, how are they connecting to the servers
a. by direct LANIP
b. by DYNDNS URL name etc........
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Wed Nov 13, 2024 2:56 am

> 1. Your words are not reflected in the config!!!
>
> /ip address
> add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
>
> Effectively assigning a private IP to sfp-sfpplus1
>
> You also have this... and this is in conflict as you cannot use BOTH, so recommend you delete the IP address entry!!!
> /ip dhcp-client
> add interface=sfp-sfpplus1
Hm,
I do have a public IP on sfp-sfpplus1 and it's coming from the ISP (ATT) via dhcp-client.
And I also have a private IP on sfp-sfpplus1: a static private IP for the SFP firmware.
Can that be the reason why port forwarding doesn't work?

I'll try to disable that 192.168.11.2 network on sfp-sfpplus1 and test.
Last edited by slavikf on Wed Nov 13, 2024 3:00 am, edited 1 time in total.
 
slavikf
just joined
Topic Author
Posts: 11
Joined: Thu Aug 29, 2024 6:43 pm

Re: Help me with port forwarding troubleshooting

Wed Nov 13, 2024 2:59 am

> Question: Do you have users on the same LAN subnet also using one or both servers?
>
> If so, how are they connecting to the servers
> a. by direct LANIP
> b. by DYNDNS URL name etc........
What do you mean by "both servers"?

A few websites, which I host on web servers in my LAN, get accessed from the Internet and from the LAN, too.
So, NAT loopback (hair-pinning) is my next task, after I get port forwarding sorted out.
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Wed Nov 13, 2024 3:06 am

Why are you asking me which servers??
Ahhh so they are both to the same web server?
Why do you even make the unencrypted port 80 available ??

in any case long winded ;-)
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.0.101 to-ports=443

Can be shortened to:
add action=dst-nat chain=dstnat dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.101
 
anav
Forum Guru
Posts: 21724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with port forwarding troubleshooting

Wed Nov 13, 2024 3:15 am

Yes, get rid of the private IP address you have for sfp-sfpplus1, it's bogus!

In terms of hairpin nat.
StepOne: I already showed you what the forward chain firewall rules should look like.

StepTwo: Add sourcenat rule as the FIRST rule in the NAT chain.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.0/24

StepThree: We need to change the in-interface=WAN to something that is inclusive of incoming from both ends.......
If this was a static WANIP then we simply use dst-address=WANIP.
However in the dynamic case, a real easy fix is the following.

/ip firewall address-list
add address=dyndnsURL list=MyWAN comment="the URL, dyndns name or mynetname users use to reach the router"


StepFour: the revised rule:
add action=dst-nat chain=dstnat dst-port=80,443 dst-address-list=MyWAN protocol=tcp to-addresses=192.168.0.101
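The four steps above leave two things implicit: why the original `in-interface-list=WAN` selector cannot match a LAN client that dials the public address, and why the extra LAN-to-LAN masquerade (StepTwo) is needed once the dst-nat rule does match. The script below is an added example written for this thread, not RouterOS code and not from the post's author: it models a client, the router's two NAT rules and the web server as plain functions, and reports whether the client ever sees a reply from the address it dialled. `ROUTER_LAN_IP` and `SERVER` are the thread's values; `WAN_IP` is a constructed documentation address standing in for whatever the MyWAN address list resolves to.

```python
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.2"   # router's bridge1 address, from the thread
SERVER = "192.168.0.101"        # to-addresses of the thread's dst-nat rule
WAN_IP = "203.0.113.5"          # constructed: what address-list MyWAN resolves to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def side(addr: str) -> str:
    """'lan' for the 192.168.0.0/24 subnet, 'wan' for anything else."""
    return "lan" if ipaddress.ip_address(addr) in LAN else "wan"


def dstnat(pkt: Packet, match: str) -> tuple[Packet, bool]:
    """The port-forward rule. `match` is its selector: the original
    'in-interface-list=WAN' or the revised 'dst-address-list=MyWAN'."""
    if pkt.dport not in (80, 443):
        return pkt, False
    if match == "in-interface-list=WAN":
        hit = side(pkt.src) == "wan"      # only packets arriving on the WAN port
    elif match == "dst-address-list=MyWAN":
        hit = pkt.dst == WAN_IP           # any packet addressed to the public IP
    else:
        raise ValueError(f"unknown selector {match!r}")
    return (replace(pkt, dst=SERVER), True) if hit else (pkt, False)


def hairpin_srcnat(pkt: Packet, enabled: bool) -> Packet:
    """StepTwo: masquerade LAN->LAN traffic after dst-nat, so the server
    sees the router, not the LAN client, as the source."""
    if enabled and side(pkt.src) == "lan" and side(pkt.dst) == "lan":
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def simulate(client: str, match: str, hairpin: bool) -> dict:
    """Client dials WAN_IP:443; report how the exchange ends."""
    pkt = Packet(src=client, dst=WAN_IP, dport=443)
    fwd, translated = dstnat(pkt, match)
    if not translated:
        # Untranslated, the packet is for the router itself (input chain),
        # and nothing on the router listens on 443.
        return {"dstnat": False, "reply_via_router": False,
                "reply_src": None, "works": False}
    fwd = hairpin_srcnat(fwd, hairpin)
    # The server answers whoever it sees as the source. A LAN source other than
    # the router is on-link, so the reply goes straight to the client and the
    # router never reverses the translation.
    reply_via_router = not (side(fwd.src) == "lan" and fwd.src != ROUTER_LAN_IP)
    reply_src = WAN_IP if reply_via_router else SERVER
    return {
        "dstnat": True,
        "reply_via_router": reply_via_router,
        "reply_src": reply_src,
        # The client's TCP stack only accepts a SYN-ACK from the address it dialled.
        "works": reply_src == WAN_IP,
    }


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.168.0.74"):
        for match in ("in-interface-list=WAN", "dst-address-list=MyWAN"):
            for hairpin in (False, True):
                print(client, match, "hairpin" if hairpin else "no-hairpin",
                      simulate(client, match, hairpin))
```

The model reproduces the thread's reasoning: an outside client works with either selector because its reply has to route back through the router anyway; a LAN client is never translated by the `in-interface-list=WAN` rule, and with the `dst-address-list=MyWAN` rule alone it is translated but gets a reply directly from 192.168.0.101, which its TCP stack rejects. Only with StepTwo's masquerade does the reply return through the router and arrive from the public address.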
