devrand (Topic Author)

Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 1:08 pm

Hello,
I'm trying to figure out how to correctly port forward in my case.
I'd like to expose an FTP server and an SSH server on a high port on my WAN.

It seems there are two options with NAT: specify a dst-address and/or specify an in-interface-list.

specifying dst-address:
/ip firewall nat add chain=dstnat action=dst-nat dst-address=1.2.3.4 dst-port=1234 to-addresses=10.0.0.3 protocol=tcp to-ports=21

specifying in-interface-list:
/ip firewall nat add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=1234 to-addresses=10.0.0.3 protocol=tcp to-ports=21

Both of them should result in a functioning setup.
But does setting the dst-address (public IP) have any benefits here?

If you have two WAN/IPs it will make a difference because one will only work on one IP while the other will work on all public IPs.
But is there any other security concern of just setting the in-interface-list?

Thanks a lot in advance!
I read through the wiki but did not find any answers to those questions yet.
 
rextended

Re: Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 1:10 pm

It doesn't matter whether it's just one WAN or not; better to restrict the rule to the expected IP.
Otherwise any spoofed IP coming from the WAN can pass the rule...

I'll spare you the usual comments about opening unsafe services (ftp) to the outside...

Through other rules, it is better that you also limit the simultaneous connections to the internal server from here
(search the documentation and the forum for how to do it),
otherwise a brute-force attack or a DDoS can cause you problems...

Better if you create an address list of allowed outside addresses and use it on the rule as src-address-list.
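Putting the three points of the reply above into one ruleset, as an added example that is not from the original post or from MikroTik's documentation: the dst-nat rule matches only traffic really addressed to the public IP (a rule keyed only on in-interface-list matches whatever destination address arrives on the WAN), only from sources on an allow-list, and a filter rule caps simultaneous connections per source. 1.2.3.4, 10.0.0.3 and the outside port 1234 come from the thread; the list name ALLOWED_CLIENTS, the client address 203.0.113.10, the inside port 22 (SSH instead of the thread's FTP) and the limit of 10 connections per /32 are assumptions chosen for illustration. RouterOS 7 syntax.

```routeros
# Allowed remote clients: one entry per client (static IP or, in ROS 7, a DNS name).
# 203.0.113.10 is a documentation-range placeholder, not a real client.
/ip firewall address-list
add list=ALLOWED_CLIENTS address=203.0.113.10 comment="remote admin (example address)"

# dst-nat: forward only packets that arrive on the WAN, are addressed to the public IP,
# and come from a listed client. Without dst-address, any dst IP entering the WAN
# interface with dst-port 1234 would be forwarded.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp in-interface-list=WAN \
    dst-address=1.2.3.4 dst-port=1234 src-address-list=ALLOWED_CLIENTS \
    to-addresses=10.0.0.3 to-ports=22 comment="SSH to internal host"

# Filter rules must sit before any accept rule that would match forwarded traffic.
/ip firewall filter
# Drop new WAN connections that no dst-nat rule claimed (also present in the default config).
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop un-NATed inbound from WAN"
# Cap concurrent connections per source /32 towards the forwarded service
# (the 11th and later from one source are dropped).
add chain=forward action=drop protocol=tcp dst-address=10.0.0.3 dst-port=22 \
    connection-state=new connection-limit=10,32 \
    comment="max 10 simultaneous SSH connections per source IP"
```

Check it with /ip firewall nat print stats and /ip firewall filter print stats after a connection attempt from a listed and from an unlisted address: only the listed one should increment the dst-nat counter, the other should land on the "drop un-NATed inbound" rule.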
 
devrand (Topic Author)

Re: Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 1:15 pm

rextended wrote:
It doesn't matter if it's just a WAN or not, better restrict the rule to the expected IP.
Otherwise any spoofed IP coming from the WAN can pass the rule...

Thanks for your answer!
I don't know the IPs of the clients, as those are dynamic.
So I can't really restrict it to the expected IP, if I understand correctly?
 
rextended

Re: Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 1:16 pm

Don't read what I didn't write;
rather, read the message again and don't invent or deduce anything else...

(syntax errors aside...)
¯\_(ツ)_/¯
 
anav

Re: Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 1:55 pm

In a nutshell.........

1) Use of dst-address=WANIP makes sense for fixed/static WANIPs
2) Use of in-interface-list=WAN or in-interface=WAN1 etc, makes sense for dynamic WANIPs

In the case of hairpin NAT, where the admin requires users to reach the server and the users are in the same subnet as the server, then 2), the dynamic case, won't work and you need to find an alternative approach (users are not coming in from the WAN, so the rule is no longer relevant). The most common is dst-address-list=DYNWAN (any name will do) where

/ip firewall address-list
add address=myipcloudaddress list=DYNWAN


- viewtopic.php?t=179343

++++++++++++++++++++++++++++++++++++++++++++++

Security thoughts,
Running servers on the LAN invites interest, and it's best to include on the dst-nat rules a list of source addresses of who is allowed to access your servers......
This is doable considering you need the users' IP addresses, so they either have fixed WANIPs or, if they have dynamic WANIPs, they can get free domain names on the net to associate with their WANIP and you can use the domain name in firewall address lists........

Finally, there is something called Zero Trust Tunnel, which is a way of completely avoiding the use of your WANIP for port forwarding to servers on the LAN. Sadly, MikroTik has decided not to make this functionality available in ROS proper or in a separate package; it is something a limited number of MT devices can do (those that can host dockers/containers), with a lot of added complexity and of course the counter-intuitive (in this case) security risk containers bring.
 
mkx

Re: Port forwarding: dst-address vs in-interface-list

Thu Jan 19, 2023 2:56 pm

anav wrote:
1) Use of dst-address=WANIP makes sense for fixed/static WANIPs
2) Use of in-interface-list=WAN or in-interface=WAN1 etc, makes sense for dynamic WANIPs

Variant 1) has an additional advantage: it makes configuring hairpin NAT a home run. So yes, if the WAN IP is truly static (i.e. it's configured under /ip address), then 1) is the way to go.

Performance-wise, I expect both variants to be equally resource demanding.
 
robtor

Re: Port forwarding: dst-address vs in-interface-list

Sun Mar 03, 2024 10:04 pm

If you have a dynamic public IP address, there's a trick to solve this problem.

You can add an address list and specify your domain/dynamic DNS name there, and match against this address list. The address list looks up your current public IP and you can match against this.
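A complete hairpin-NAT configuration for a dynamic WAN address, combining anav's DYNWAN address list with the FQDN lookup robtor describes, as an added example that is not code posted in the thread. RouterOS resolves a DNS name placed in an address list and keeps the resolved address as a dynamic entry in that list, re-resolving it periodically, so the list follows the public IP after each DDNS update. The name example.sn.mynetname.net stands in for the router's own IP Cloud name (the real one is shown by /ip cloud print); 10.0.0.0/24 as the LAN, 10.0.0.3 as the server, port 1234 outside and 22 inside follow the thread (SSH instead of FTP); the list name is an assumption. The same FQDN mechanism works for the allow-list of remote clients with dynamic addresses that anav mentions. RouterOS 7 syntax.

```routeros
# Publish the router's current public IP under its IP Cloud DDNS name.
/ip cloud set ddns-enabled=yes

# Address list holding the router's own public IP, kept current by DNS resolution
# of the DDNS name (placeholder name; use the one from /ip cloud print).
/ip firewall address-list
add list=DYNWAN address=example.sn.mynetname.net comment="own public IP via DDNS"

/ip firewall nat
# Matching on the destination address instead of the ingress interface makes the
# rule work both for Internet clients and for LAN clients using the public name
# (hairpin), which an in-interface-list=WAN rule cannot do.
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=DYNWAN dst-port=1234 \
    to-addresses=10.0.0.3 to-ports=22 comment="SSH forward, interface independent"

# Hairpin: when a LAN client connects to the public IP, rewrite its source as well,
# otherwise the server replies straight to the client, the client sees a reply from
# 10.0.0.3 instead of the public IP, and the TCP handshake fails.
add chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.0/24 \
    dst-address=10.0.0.3 dst-port=22 comment="hairpin NAT for LAN clients"

# Regular outbound masquerade for everything leaving via the WAN.
add chain=srcnat action=masquerade out-interface-list=WAN comment="default masquerade"
```

Verify the lookup with /ip firewall address-list print where list=DYNWAN: besides the static FQDN entry there should be a dynamic entry carrying the resolved public IP, which changes after the next DDNS update without any edit to the NAT rules.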
