ewu2030
just joined
Topic Author
Posts: 6
Joined: Wed Aug 03, 2016 3:11 pm

Port forwarding not working on 1100 AH x2

Fri Jan 14, 2022 5:55 pm

Hello,
This has bugged me for some time (about 4 years): I never managed to get port forwarding working on my router.
I have a VPN active on it, so I can access anything inside the LAN from it, but sometimes I need a simple port forward for ftp which, for some reason that I can't identify, doesn't work.
(For testing purposes I've tried to hit a few computers on RDP and created a dummy port on one of the computers to try and hit that; nothing seems to get back to the WAN request.)
I tried multiple ways; I even copied the NAT config from a friend for ftp forwarding.
I've read multiple posts here on how to do this, and apparently the packet gets to my NAS but nothing comes back from it
(I've added the rules for logging as seen here: viewtopic.php?t=116569).
Currently I get to the 4th step in the logging trace, which means there might be something wrong in the set-up of the NAS.

As I said, I have an IPSEC over l2tp vpn set-up which works, and from that I can access the ftp without issues (the fw rules log the connection both to the ftp server and out of it).
Not sure what I set up wrong on my router, but below you can see the config (part of it, as the whole config has about 400 lines and some data that I don't want to post publicly).
# jan/14/2022 17:41:22 by RouterOS 6.49.2
# software id = GJD5-47VS
#
# model = 1100AHx2
# serial number = 

/ip firewall address-list
add address=10.0.0.0/8 list="10 network"
add address=10.5.0.0/24 list=LAN
add address=xx.xx.xx.xx list="Public IP"
add address=vpn.xxxx.xx list=host

/ip firewall filter
add action=log chain=forward dst-address=10.5.0.45 dst-port=21 log-prefix=3 \
    protocol=tcp
add action=log chain=forward log-prefix=6 protocol=tcp src-address=10.5.0.45 \
    src-port=21
add action=drop chain=input comment="input Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment="fw drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dstnatted" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="accept forward established related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "accept dstnat from wan established related" connection-nat-state=dstnat \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment="accept dstnat conn" \
    connection-nat-state=dstnat
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=udp src-port=123
add action=accept chain=forward comment="Router fw IPsec in accept" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
    ipsec-policy=out,ipsec
add action=drop chain=input in-interface-list=WAN

/ip firewall mangle
add action=log chain=prerouting dst-address=xx.xx.xx.xx dst-port=21 \
    log-prefix=1 protocol=tcp
add action=log chain=postrouting dst-address=10.5.0.45 dst-port=21 log=yes \
    log-prefix=4 protocol=tcp
add action=log chain=prerouting log-prefix=5 protocol=tcp src-address=\
    10.5.0.45 src-port=21
add action=log chain=postrouting log-prefix=7 protocol=tcp src-address=\
    10.5.0.45 src-port=21

/ip firewall nat
add action=masquerade chain=srcnat out-interface="eth11 - mobile data"
add action=masquerade chain=srcnat out-interface=RCS-RDS
add action=dst-nat chain=dstnat dst-address-list=host dst-port=55536-55663 \
    protocol=tcp to-addresses=10.5.0.45
add action=dst-nat chain=dstnat dst-address-list=host dst-port=21 log=yes \
    log-prefix=2 protocol=tcp to-addresses=10.5.0.45
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding not working on 1100 AH x2

Tue Jan 18, 2022 3:52 am

If you see 1-4, that covers the packet passing through the router and being sent to the NAS. If you don't see 5 and further, nothing came back from the NAS. Some possible causes:

- FTP server is not running, but it can't be that if it works from VPN
- FTP server has a firewall that accepts connections from VPN addresses, but not from elsewhere
- some misconfigured gateway or netmask, combined with some "creativity" in other parts of the config that makes it work with VPN but not with the internet; but it's hard to tell without seeing it (you don't need to post anything you're not comfortable with, it's fine if you censor some data, preferably in some sensible manner)
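To make the reasoning in the reply above mechanical, here is an added example (my own code, not from the poster or from MikroTik) that reads RouterOS firewall log lines carrying the log-prefix numbers 1-7 from the config posted earlier, groups them per client address, and reports where the trace stopped. The log line format is approximated from RouterOS output and the sample lines, addresses and interface names (RCS-RDS, bridge, l2tp-in1) are constructed for the example; stages 1-4 are taken as the inbound request path and 5-7 as the reply path, matching the rules in the posted config.

```python
import re
from collections import defaultdict

# Stage numbers are the log-prefix values in the poster's config: 1-4 trace the
# request from the internet to the NAS, 5-7 trace the NAS's reply back out.
STAGES = {
    1: "prerouting: request hit the public IP on port 21",
    2: "dstnat: destination rewritten to the NAS",
    3: "forward: request accepted by the filter towards the NAS",
    4: "postrouting: request sent out to the NAS",
    5: "prerouting: reply received from the NAS",
    6: "forward: reply accepted by the filter",
    7: "postrouting: reply sent back towards the client",
}
REPLY_STAGES = {5, 6, 7}

# Matches the prefix, chain and "src:port->dst:port" tuple of a firewall log line
# (format approximated from RouterOS 'firewall,info' log output).
LINE_RE = re.compile(
    r"firewall,info\s+(?P<stage>\d)\s+(?P<chain>\w+):.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (client_ip, stage) for a trace line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    stage = int(m.group("stage"))
    # In request stages the client is the source; in reply stages it is the destination.
    client = m.group("dst") if stage in REPLY_STAGES else m.group("src")
    return client, stage


def trace_by_client(lines):
    """Group the stage numbers seen for each client address."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, stage = parsed
            seen[client].add(stage)
    return seen


def diagnose(stages):
    """Turn the set of stages seen for one client into a verdict: 1-4 present
    and 5+ absent means the NAS received the packet and never answered."""
    if not stages:
        return "nothing logged: request never reached the router"
    last = max(stages)
    if last == 7:
        return "full round trip: forwarding works for this client"
    if last in REPLY_STAGES:
        return f"reply stopped after stage {last} ({STAGES[last]}): check filter/NAT on the reply path"
    if last == 4:
        return ("request delivered to NAS, no reply: check the FTP service, "
                "the NAS host firewall, and the NAS gateway/netmask")
    return f"request dropped inside the router after stage {last} ({STAGES[last]}): check filter rule order"


def diagnose_all(lines):
    """Map each client address to its verdict."""
    return {client: diagnose(stages) for client, stages in trace_by_client(lines).items()}


# Constructed sample lines approximating RouterOS firewall log output (not the poster's real log):
# an internet client that reaches stage 4 only, and a VPN client that gets a full reply.
SAMPLE_LOG = """\
jan/14 17:45:01 firewall,info 1 prerouting: in:RCS-RDS out:(unknown 0), proto TCP (SYN), 203.0.113.10:51234->198.51.100.5:21, len 60
jan/14 17:45:01 firewall,info 2 dstnat: in:RCS-RDS out:(unknown 0), proto TCP (SYN), 203.0.113.10:51234->198.51.100.5:21, len 60
jan/14 17:45:01 firewall,info 3 forward: in:RCS-RDS out:bridge, proto TCP (SYN), 203.0.113.10:51234->10.5.0.45:21, len 60
jan/14 17:45:01 firewall,info 4 postrouting: in:RCS-RDS out:bridge, proto TCP (SYN), 203.0.113.10:51234->10.5.0.45:21, len 60
jan/14 17:46:10 firewall,info 3 forward: in:l2tp-in1 out:bridge, proto TCP (SYN), 10.5.1.20:40001->10.5.0.45:21, len 60
jan/14 17:46:10 firewall,info 4 postrouting: in:l2tp-in1 out:bridge, proto TCP (SYN), 10.5.1.20:40001->10.5.0.45:21, len 60
jan/14 17:46:10 firewall,info 5 prerouting: in:bridge out:(unknown 0), proto TCP (SYN,ACK), 10.5.0.45:21->10.5.1.20:40001, len 60
jan/14 17:46:10 firewall,info 6 forward: in:bridge out:l2tp-in1, proto TCP (SYN,ACK), 10.5.0.45:21->10.5.1.20:40001, len 60
jan/14 17:46:10 firewall,info 7 postrouting: in:bridge out:l2tp-in1, proto TCP (SYN,ACK), 10.5.0.45:21->10.5.1.20:40001, len 60
""".splitlines()

if __name__ == "__main__":
    for client, verdict in diagnose_all(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

Feed it the output of /log print on the router (or a syslog export) and each client address gets one line saying which stage the trace stopped at; a client that stops at 4 while a VPN client reaches 7 is exactly the pattern described in this thread.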
 
ewu2030
just joined
Topic Author
Posts: 6
Joined: Wed Aug 03, 2016 3:11 pm

Re: Port forwarding not working on 1100 AH x2

Thu Jan 20, 2022 2:03 pm

I finally got it to work. After thinking again and again about what I could've done wrong so that this thing would not work, and where I could have messed up the set-up in the router, I decided to try something.
I noticed that my ISP has an internal network for 10.0.0.0/8 with the gateway on my pppoe connection on 10.0.0.1, so I bound one of my 192.x.x.x networks to a port, disabled the port trunking in the NAS and connected one of the patch cords to that new network. I remapped the port forwarding with logging to the new IP, and on the first try it went into the ftp server directly; I connected to it and everything.
Now the funny thing is, I still can't go to any of the 10.x.x.x networks I have and get a proper answer back, but it fixed my 4-year-long issue.
Thanks for the help :)

PS: I'll come back, as I have another MikroTik at a friend's house that won't allow ftp outbound connections (although if he connects to my vpn he can reach the ftp).
I will need to get the config and maybe have some logs enabled there to find the issue...
