MikroTik App
 
aantonio86
just joined
Topic Author
Posts: 8
Joined: Wed May 04, 2022 2:49 pm

Same port with different networks

Tue Nov 29, 2022 3:45 pm

Hello guys.
When I create a NAT rule to open a port (let's use 1433/SQL Server as example) for external access, it works normally and people can connect to the SQL through it.
However, when I connect to a public IP where the same port is being used, I can't. Everything seems to indicate that the port I opened, and the way I did the rule, prevents me from using the same port to connect from inside my network to outside.

This is the rule:

add action=dst-nat chain=dstnat dst-port=1433 protocol=tcp to-addresses=192.168.0.252 to-ports=1433

So people connect to SQL through port 1433 outside my internal network.
And I need to connect to a SQL outside my network that also uses port 1433.
How do I solve it?
Thx
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Same port with different networks

Tue Nov 29, 2022 4:00 pm

hairpin nat............
viewtopic.php?t=179343
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Same port with different networks

Tue Nov 29, 2022 5:23 pm

Different problem, wrong dstnat rule. Only two conditions are protocol=tcp and dst-port=1433. So incoming connection from internet matches. And outgoing connection to internet matches too. Oops. You need to fix that. Adding dst-address-type=local is probably good enough.
 
aantonio86
just joined
Topic Author
Posts: 8
Joined: Wed May 04, 2022 2:49 pm

Re: Same port with different networks

Tue Nov 29, 2022 7:18 pm

Different problem, wrong dstnat rule. Only two conditions are protocol=tcp and dst-port=1433. So incoming connection from internet matches. And outgoing connection to internet matches too. Oops. You need to fix that. Adding dst-address-type=local is probably good enough.
Could you show me an example of how to do it? I'm new to MikroTik.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Same port with different networks

Tue Nov 29, 2022 8:16 pm

please post your config.

/export file=anynameyouwish ( minus router serial# and any public WANIP information )
 
aantonio86
just joined
Topic Author
Posts: 8
Joined: Wed May 04, 2022 2:49 pm

Re: Same port with different networks

Thu Dec 01, 2022 2:54 pm

please post your config.

/export file=anynameyouwish ( minus router serial# and any public WANIP information )
/interface ethernet
set [ find default-name=ether1 ] comment=" :::Algar Telecom:::" name=ether1-ISP1-Algar
set [ find default-name=ether2 ] comment=" :::Embratel:::" name=ether2-ISP2-Secundario
set [ find default-name=ether4 ] comment=" :::Rede Local:::" name=ether4-LAN
/interface pppoe-client
add add-default-route=yes comment=PRIMARIO disabled=no interface=ether1-ISP1-Algar name=pppoe-out1-Algar user=algar@algar
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.240
/ip dhcp-server
add address-pool=dhcp interface=ether4-LAN name=dhcp1
/snmp community
add addresses=::/0 name=016it
/interface list member
add interface=ether1-ISP1-Algar list=WAN
add list=LAN
/ip address
add address=0.0.0.0/0 interface=ether2-ISP2-Secundario network=0.0.0.0
add address=192.168.0.254/24 interface=ether4-LAN network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1 gateway=192.168.0.254 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address= list=WAN-IP
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=" :::LINK ISP1-Algar:::" out-interface=pppoe-out1-Algar
add action=masquerade chain=srcnat comment=" :::LINK ISP2-Secundario:::" out-interface=ether2-ISP2-Secundario
add action=dst-nat chain=dstnat comment=" :::1433 SQL SERVER:::" dst-address-list=!WAN-IP dst-port=1433 protocol=tcp to-addresses=192.168.0.252 to-ports=1433
add action=dst-nat chain=dstnat comment=" :::1434 SQL SERVER:::" dst-address-list=!WAN-IP dst-port=1434 protocol=udp to-addresses=192.168.0.252 to-ports=1434
/ip route
add comment=" ::::LINK-SECUNDARIO::::" distance=2 gateway=
add comment=" :::Monitora ISP2-Secundario:::" distance=1 dst-address=193.0.14.129/32 gateway=ether2-ISP2-Secundario
add comment=" :::Monitora ISP1-Algar:::" distance=1 dst-address=199.7.83.42/32 gateway=ether1-ISP1-Algar
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name="0"
/tool netwatch
add comment="MONITORA LINK ISP1-Algar" down-script="/ip route disable [find comment=PRIMARIO]\r\
\n/log error message=\"O LINK ALGAR CAIU\"" host=199.7.83.42 up-script="/ip route enable [find comment=PRIMARIO]\r\
\n/log error message=\"O LINK ALGAR VOLTOU\""
add comment=" :::MONITORA LINK ISP2-Secundario:::" down-script="/ip route disable [find comment=SECUNDARIO]\r\
\n/log error message=\"O LINK SECUNDARIO CAIU\"" host=193.0.14.129 up-script=\
"/ip route enable [find comment=SECUNDARIO]\r\
\n/log error message=\"O LINK SECUNDARIO VOLTOU\""
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Same port with different networks

Thu Dec 01, 2022 4:21 pm

(1) FROM
/interface list member
add interface=ether1-ISP1-Algar list=WAN
add list=LAN
{ incomplete }

TO:
/interface list member
add interface=ether1-ISP1-Algar list=WAN
add interface=ether4-LAN list=LAN

(2) Not quite
/firewall address-list { Missing interface ! }
add address= list=WAN-IP interface=???????
add action=dst-nat chain=dstnat comment=" :::1433 SQL SERVER:::" dst-address-list=!WAN-IP dst-port=1433 protocol=tcp to-addresses=192.168.0.252 to-ports=1433
add action=dst-nat chain=dstnat comment=" :::1434 SQL SERVER:::" dst-address-list=!WAN-IP dst-port=1434 protocol=udp to-addresses=192.168.0.252 to-ports=1434


If you read the LINK provided in a previous post, the advice gave you many options on how to do this...........
Since the router comes with IP cloud and a dyndns name, then use this method.

a. ENABLE IP CLOUD
b. COPY IPCLOUD NAME (DNS NAME) > 1d3475ifk8.sn.mynetname.net

c. create address list
/ip firewall address-list
add address=1d3475ifk8.sn.mynetname.net list=WAN-IP


d. make port forwarding rules (don't need to-ports if same as dst-port)
add action=dst-nat chain=dstnat comment=" :::1433 SQL SERVER:::" dst-address-list=WAN-IP dst-port=1433 protocol=tcp to-addresses=192.168.0.252
add action=dst-nat chain=dstnat comment=" :::1434 SQL SERVER:::" dst-address-list=WAN-IP dst-port=1434 protocol=udp to-addresses=192.168.0.252
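An added worked example (not from any post in this thread) putting the rule from the question beside two narrowed versions that stop it from also matching the LAN's own outbound connections to port 1433, as Sob described. It assumes the SQL host 192.168.0.252 from the export, and for the second fix it assumes pppoe-out1-Algar and ether2-ISP2-Secundario have been added to the WAN interface list (the posted export only has ether1-ISP1-Algar in it).

```routeros
# Original rule from the question. Its only matchers are protocol and dst-port,
# so a LAN client connecting OUT to an external SQL Server on 1433 also hits it
# and is silently redirected to the internal host 192.168.0.252.
# Kept here disabled, for comparison only.
/ip firewall nat
add action=dst-nat chain=dstnat comment="BROKEN: matches outbound too" \
    disabled=yes dst-port=1433 protocol=tcp to-addresses=192.168.0.252 \
    to-ports=1433

# Fix 1 (Sob's suggestion): only match when the destination is one of the
# router's own addresses, i.e. the public IP on the ISP uplinks. A packet from
# the LAN headed for an external server is not "local" and falls through.
add action=dst-nat chain=dstnat comment="1433 SQL SERVER: local dst only" \
    dst-address-type=local dst-port=1433 protocol=tcp to-addresses=192.168.0.252

# Fix 2 (alternative): only match packets that ARRIVE on a WAN interface.
# Assumption: the WAN interface list contains every uplink, including the
# PPPoE interface, since that is the in-interface for packets from ISP1.
/interface list member
add interface=pppoe-out1-Algar list=WAN
add interface=ether2-ISP2-Secundario list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="1433 SQL SERVER: WAN ingress only" \
    in-interface-list=WAN dst-port=1433 protocol=tcp to-addresses=192.168.0.252

# Check: open a connection from a LAN host to an external server on 1433 and
# confirm the dstnat counters of the narrowed rules do not increase for it.
/ip firewall nat print stats where chain=dstnat
# The tracked connection should then show the external server as its
# reply-src-address, not 192.168.0.252, i.e. no translation took place.
/ip firewall connection print where dst-address~":1433"
```

Use one of the two fixes, not both: with both present the first matching rule wins and the second never sees the packet.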
