DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada

New RB5009 router, need help with basic port forwarding

Mon Jan 17, 2022 6:19 am

Hi everyone, new to the MikroTik world, had built an OPNsense box in the past but wanted a smaller package and some nice features so got an RB5009UG+S+IN running RouterOS v7.05. Very new to firewalls and rules.

I switched the WAN port from eth1 to eth8 successfully (I need that eth1 for my 2.5gbps desktop) but now I'm trying to share a NAS/webserver which is running a reverse proxy via port 80/443 (I moved the web interface from TrueNAS to 81/444 and use Traefik on 80/443) using eth8. I can't use the WAN IP since I have Cable Internet in Canada and if you reboot/lose power for too long your IP changes, so I want to bind it to whatever IP the DHCP client gets from eth8. This seems to be fine since I get an IP from the Cable modem in IP -> Addresses.

I googled a bunch of videos/guides, clearest one was from this one https://www.youtube.com/watch?v=jgKgsg9VlhY from Category5 Tech TV, but it's still not working. Externally my WAN IP is not being picked up by my webserver and internally my WAN IP just puts me back to my mikrotik setup screen.
[admin@MikroTik] /ip/firewall/nat> print detail 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    ;;; Web Server Port 80-81
      chain=dstnat action=dst-nat to-addresses=192.168.88.247 to-ports=80-81 protocol=tcp in-interface=ether8 dst-port=80-81 log=no log-prefix="" 

 2    ;;; Web Server HTTPS 443
      chain=dstnat action=dst-nat to-addresses=192.168.88.247 to-ports=443-444 protocol=tcp in-interface=ether8 dst-port=443-444 log=no log-prefix="" 

And as per the video I added filters for local traffic:

[admin@MikroTik] /ip/firewall/filter> print detail 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 6    ;;; Firewall port 80
      chain=forward action=accept protocol=tcp dst-address=192.168.88.247 in-interface=ether8 dst-port=80-81 log=no log-prefix="" 

 7    ;;; Firewall 443-444
      chain=forward action=accept protocol=tcp dst-address=192.168.88.247 in-interface=ether8 dst-port=443-444 log=no log-prefix="" 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
 
13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

I hope this is clear, I just feel like something is missing.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New RB5009 router, need help with basic port forwarding

Mon Jan 17, 2022 5:32 pm

Please post your config
/export hide-sensitive file=anynameyouwish

Your router has IP Cloud, enable it and it will keep track of your IP address for you, so don't do anything weird as some workaround.
https://help.mikrotik.com/docs/display/ROS/Cloud

In terms of port forwarding, this may prove useful.
viewtopic.php?t=179343
 
DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada

Re: New RB5009 router, need help with basic port forwarding

Mon Jan 17, 2022 5:57 pm

Please post your config
/export hide-sensitive file=anynameyouwish

Your router has IP Cloud, enable it and it will keep track of your IP address for you, so don't do anything weird as some workaround.
https://help.mikrotik.com/docs/display/ROS/Cloud

In terms of port forwarding, this may prove useful.
viewtopic.php?t=179343

I woke up this AM and found your thread, super informative, has to be something in there. It's a snowstorm in Quebec so I'm about to take the kids out but here's my config. Thanks for the reply! I used portchecker.co which said ports were open but any LAN traffic wasn't able to access anything.

Let me know if I should post the config inline.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New RB5009 router, need help with basic port forwarding  [SOLVED]

Mon Jan 17, 2022 6:36 pm

In MikroTik RouterOS,
one has only one port forwarding firewall rule in the forward chain, which is a generic rule that says: we will allow packets through the router (WAN to LAN) that have a destination port on the router with an equivalent matching destination NAT rule configured. I don't particularly like the way they made this rule because they use the ! syntax.
Basically it states: drop any traffic from the internet heading towards the LAN except if it is valid dst-nat packets (as I stated above).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Therefore your rules here are misplaced, for starters, being in the forward chain, and not in the right format anyway; they need to be removed!
add action=accept chain=forward comment="Firewall port 80" dst-address=\
192.168.88.247 dst-port=80-81 in-interface=ether8 protocol=tcp
add action=accept chain=forward comment="Firewall 443-444" dst-address=\
192.168.88.247 dst-port=443-444 in-interface=ether8 protocol=tcp


Now let's take a look at the source NAT rules.
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
192.168.88.0/24
{good if you intend to use the public IP to access the server from within the LAN, aka hairpin NAT}
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
{good, standard needed rule}
add action=src-nat chain=srcnat dst-address=192.168.88.0/24 src-address=\
192.168.88.0/24 to-addresses=74.58.142.138
{Garbage: get rid of this rule}


Now let's take a look at the dst-nat port forwarding rules.
add action=dst-nat chain=dstnat comment="Web Server Port 80-81" dst-port=\
80-81 in-interface=ether8 protocol=tcp to-addresses=192.168.88.247 \
to-ports=80-81
add action=dst-nat chain=dstnat comment="Web Server HTTPS 443" dst-port=\
443-444 in-interface=ether8 protocol=tcp to-addresses=192.168.88.247 \
to-ports=443-444

Any time users on the same LAN as the server access the server via the router's own public IP address (loopback), as noted above, you need to use the hairpin source NAT rule.
In addition, however, if you have a dynamic WAN IP we cannot use in-interface=WAN (ether8) etc., because that blocks users coming from the LAN.

As discussed in the linked article there are many ways to do this; easiest is to use your own IP Cloud service. Also, to-ports is not required if it is the same as dst-port.

add action=dst-nat chain=dstnat comment="WServer Port 80-81" dst-port=80-81 protocol=tcp \
dst-address-list=mycloud to-addresses=192.168.88.247
add action=dst-nat chain=dstnat comment="WServer HTTPS 443" dst-port=443-444 protocol=tcp \
dst-address-list=mycloud to-addresses=192.168.88.247

Where mycloud is a firewall address list:
name: mycloud
address: mynetname address (go to IP Cloud, enable it, and copy the address provided there)
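The corrected rule set from this answer, assembled as one pasteable RouterOS script as an added example (not DaSnipe's export or anav's own text). It assumes the server stays at 192.168.88.247, that only Traefik's 80/443 need to be reachable from outside (the TrueNAS UI on 81/444 is left LAN-only), and that <serial>.sn.mynetname.net is a placeholder for the DDNS name IP Cloud displays.

```routeros
# Added example, not DaSnipe's export or anav's own text. Assumptions:
#   192.168.88.247            = the Traefik/NAS host from the thread
#   <serial>.sn.mynetname.net = placeholder for the DDNS name IP Cloud shows
#   only Traefik's 80/443 should be public; the TrueNAS UI on 81/444 stays LAN-only

# 1. Let IP Cloud track the dynamic cable-modem address.
/ip cloud set ddns-enabled=yes

# 2. Address list keyed on the DDNS name. RouterOS resolves the name and
#    re-resolves it over time, so the list follows the WAN IP when it changes.
/ip firewall address-list
add list=mycloud address=<serial>.sn.mynetname.net comment="own public IP via IP Cloud"

# 3. Replace the interface-matched forwards with ones matched on the public
#    address, so LAN clients using the public name are forwarded as well.
/ip firewall nat
remove [find comment~"^Web Server"]
remove [find chain=srcnat action=src-nat]
add chain=dstnat action=dst-nat comment="Traefik HTTP" protocol=tcp dst-port=80 \
    dst-address-list=mycloud to-addresses=192.168.88.247
add chain=dstnat action=dst-nat comment="Traefik HTTPS" protocol=tcp dst-port=443 \
    dst-address-list=mycloud to-addresses=192.168.88.247
# Hairpin NAT: LAN->server connections that were dst-natted are also
# source-natted, so the server replies via the router, not straight to the client.
add chain=srcnat action=masquerade comment="hairpin nat" \
    src-address=192.168.88.0/24 dst-address=192.168.88.247
# The defconf "masquerade ... out-interface-list=WAN" rule stays as it is.

# 4. Forward chain: drop the per-port accept rules. The defconf rule
#    "drop all from WAN not DSTNATed" already admits exactly the new WAN
#    connections that hit a dst-nat rule and drops the rest.
/ip firewall filter
remove [find comment~"^Firewall"]

# 5. Checks: the dst-nat counters should climb on a test from outside and from
#    the LAN, and the address list should show the resolved public address.
/ip firewall nat print stats where chain=dstnat
/ip firewall address-list print where list=mycloud
```

If the NAS management UI really must be reachable from the internet, widen dst-port to 80-81 and 443-444 as in the answer above, knowing that this exposes the TrueNAS login page as well.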
 
DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada

Re: New RB5009 router, need help with basic port forwarding

Tue Jan 18, 2022 3:39 am

Thanks, that did the trick, now to figure out what's going on with my domain name and reverse proxy setup, pointing to my IP works, and it's redirecting traffic to the NAS, but something is up with my setup. Appreciate the quick response and help!
