NahodnejOtaku
just joined
Topic Author
Posts: 3
Joined: Tue Jan 31, 2023 10:53 am

Port forwarding isn't forwarding

Tue Jan 31, 2023 12:06 pm

I am hosting a website on the 10.0.0.2 address (10.0.0.3 is the NAS). The Mikrotik router is not connected directly to the public IP; there is another router before it, operated by the ISP, and that one forwards to the Mikrotik. The connection doesn't go through and I was trying to find out why. I found out that when I try to connect to the router (I use the outside address of the Mikrotik router, 192.168.10.37) on port 80 it doesn't forward to 10.0.0.2.
# jan/31/2023 10:44:55 by RouterOS 6.48.6
# software id = G7W0-D915
#
# model = RB750Gr3
# serial number = CC210F44AB7A
/interface bridge
add admin-mac=DC:2C:6E:E9:F2:B1 auto-mac=no comment=defconf name=bridge
/caps-man datapath
add bridge=bridge name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=ucitel
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=zak
/caps-man configuration
add country="czech republic" datapath=datapath1 datapath.bridge=bridge name=\
    ucitele_cfg security=ucitel ssid=ZS_Novosedly
add country="czech republic" datapath=datapath1 datapath.bridge=bridge name=\
    zaci_cfg security=zak ssid=ZSN-zaci
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/queue tree
add max-limit=5M name=AP1-5G-zaci
add max-limit=5M name=AP1-2.4G-zaci
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=ucitele_cfg \
    slave-configurations=zaci_cfg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.253 mac-address=CC:2D:21:0F:18:50
add address=10.0.0.3 disabled=yes mac-address=00:11:32:48:CC:39
add address=10.0.0.3 mac-address=00:11:32:48:CC:3A
add address=10.0.0.2 mac-address=D8:5E:D3:AD:AC:F7
add address=10.0.0.254 mac-address=CC:2D:21:0F:19:00
add address=10.0.0.252 comment="ta ne 5. trida" mac-address=18:FD:74:6B:6F:7D
add address=10.0.0.251 comment="5. trida" mac-address=18:FD:74:6B:83:A5
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http-server dst-address=192.168.10.37 \
    dst-port=80 protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=https-server dst-address=\
    192.168.10.37 dst-port=443 protocol=tcp to-addresses=10.0.0.2 to-ports=\
    443
add action=dst-nat chain=dstnat comment=DSM-http dst-address-type=local \
    dst-port=5000 protocol=tcp to-addresses=10.0.0.3 to-ports=5000
add action=dst-nat chain=dstnat comment=DSM-https dst-address-type=local \
    dst-port=5001 protocol=tcp to-addresses=10.0.0.3 to-ports=5001
add action=dst-nat chain=dstnat comment=NAS-http dst-address-type=local \
    dst-port=5005 protocol=tcp to-addresses=10.0.0.3 to-ports=5005
add action=dst-nat chain=dstnat comment=NAS-https dst-address-type=local \
    dst-port=5006 protocol=tcp to-addresses=10.0.0.3 to-ports=5006
/ip route
add disabled=yes distance=1 gateway=192.168.10.3
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Port forwarding isn't forwarding

Tue Jan 31, 2023 2:17 pm

Are you trying to connect to your server, which hosts a website, from your internal LAN or from outside?

In the former case it may be a hairpin NAT issue.
As for the latter, did you check whether port 80 is also open on your ISP router, and whether it forwards any request on port 80 to the Mikrotik first?
 
NahodnejOtaku
just joined
Topic Author
Posts: 3
Joined: Tue Jan 31, 2023 10:53 am

Re: Port forwarding isn't forwarding

Tue Jan 31, 2023 2:38 pm

From LAN. I need to rule the Mikrotik out first, because I can't check the ISP router and I want to be sure before I confront them. When I try from outside I can't get to the server and I don't know how to check if it at least gets to the Mikrotik router.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding isn't forwarding

Tue Jan 31, 2023 3:26 pm

So it is hairpin NAT ... if you want to test it from the LAN, implement hairpin NAT.

What you probably should do is connect a test machine to the WAN segment of your Mikrotik (192.168.10.X) and try to open the page from the NATed server. That would be a true test of the NAT as it would be used in reality.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding isn't forwarding

Tue Jan 31, 2023 3:32 pm

Assuming the ISP router/modem forwards all ports or just the port required, then some logging will help........
Since you have a fixed private IP on the Mikrotik, that should help with the rules...
SO WHY do you change from dst-address=<your private WAN IP> to that dst-address-type=local crap????
Also, assuming 192.168.10.37 is your WAN IP, just put that in IP address and disable the IP DHCP client.
Also you can change the source NAT rule as well.
Enable your route.


# model = RB750Gr3
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.10.37/24 interface=ether1 network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.10.37
/ip route
# are you sure the gateway is .10.3 and not .10.1 ?
add disabled=no distance=1 gateway=192.168.10.3

++++++++++++++++++++++++++++++++++++++++++++
To check for connectivity........... two ways.


For your dst-nat rules........ Put this in front of the
add action=log chain=dstnat dst-address=192.168.10.37 dst-port=5000 log-prefix="Test of Connectivity" protocol=tcp
add action=dst-nat chain=dstnat dst-address=192.168.10.37 dst-port=5000 protocol=tcp to-addresses=10.0.0.3

For the firewall rules.. I would change it so it's easier to work with.......
FROM:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=log chain=forward connection-nat-state=dstnat log-prefix=Check-Connectivity
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MKX brings up a good point how are you testing.

1. First can you access the server locally using the LANIP of the server?
2. Can you get a friend to connect externally from the WWW
3. Can you go to a coffee shop with your laptop and attempt to connect via WIFI
4. Can you connect with your cell phone using cellular.

5. IF you are trying to test internally by using the WANIP of the router 192.168.10.37 that will not work since the server and users are on the same subnet.
Thus you will need to add an additional source nat rule.......
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=10.0.0.0/24 comment="hairpin nat"
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.10.37


6. How are you finding out what the public WANIP is on your connection.........
IP cloud address? whatsmyIP?
 
NahodnejOtaku
just joined
Topic Author
Posts: 3
Joined: Tue Jan 31, 2023 10:53 am

Re: Port forwarding isn't forwarding  [SOLVED]

Tue Jan 31, 2023 10:04 pm

I was testing it from a laptop outside of the network and from the server inside. I've found out that it was a very simple mistake: the ISP forwarded the ports to another IP because the router had a dynamic address and it changed (when the ISP was looking there, the IP was 192.168.10.22). I changed it to this one and made it static thanks to your reply (I tried to make it static before via Quickset and it didn't work afterwards). It all works now. I also tidied it up the way you suggested.

Thank you all for your help.
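The three things this thread turned on can be checked mechanically against a RouterOS `/export`: a dst-nat rule keyed to a literal WAN address that a DHCP client can change (the actual cause here), the hairpin src-nat rule that LAN-side tests need, and the defconf "drop all not coming from LAN" input rule, which the first post's export shows as disabled=yes alongside DNS allow-remote-requests=yes. The script below is an added example, not code from any of the posts or from MikroTik. It assumes the plain `/export` text format (menu paths starting with `/`, `add`/`set` lines, trailing backslash continuations); the finding names and the reduced sample export are mine, constructed from the configuration in the first post.

```python
"""Lint a RouterOS `/export` for the port-forwarding pitfalls in this thread.

Added example, not code from the forum posts or from MikroTik. Findings:
  dstnat-literal : dst-nat rule keyed to a dst-address that is not a static
                   /ip address entry (a DHCP lease can change; rule stops matching)
  hairpin-missing: dst-nat targets in a LAN network, but no srcnat rule covering
                   LAN-to-LAN traffic (LAN clients using the WAN address fail)
  input-open     : no enabled "drop from !LAN" input rule (router services are
                   reachable from the WAN side; worse with allow-remote-requests=yes)
SAMPLE is a constructed export, reduced from the config in the first post.
"""
import ipaddress
import shlex
from collections import defaultdict

SAMPLE = """\
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http-server dst-address=192.168.10.37 \\
    dst-port=80 protocol=tcp to-addresses=10.0.0.2 to-ports=80
"""


def parse_export(text):
    """Map each menu path (e.g. '/ip firewall nat') to its add/set entries,
    each entry a dict of key=value options. A trailing backslash continues a line."""
    menus, menu, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # continuation: glue the next line on
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            menu = line
            continue
        words = shlex.split(line)         # keeps comment="a b c" as one token
        if words[0] in ("add", "set"):
            menus[menu].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return menus


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def lint(text):
    m = parse_export(text)
    lan_ifaces = {e["interface"] for e in m["/interface list member"] if e.get("list") == "LAN"}
    statics = {ipaddress.ip_interface(e["address"]).ip for e in m["/ip address"]}
    lans = [ipaddress.ip_interface(e["address"]).network
            for e in m["/ip address"] if e.get("interface") in lan_ifaces]
    dhcp = sorted(e["interface"] for e in m["/ip dhcp-client"] if e.get("disabled") != "yes")
    nat = [r for r in m["/ip firewall nat"] if r.get("disabled") != "yes"]
    dstnat = [r for r in nat if r.get("chain") == "dstnat"]
    findings = []

    # 1. dst-nat keyed to a single literal address the router does not hold statically
    for r in dstnat:
        addr = r.get("dst-address", "")
        if addr and "/" not in addr and not addr.startswith("!") \
                and ipaddress.ip_address(addr) not in statics:
            findings.append(f"dstnat-literal: rule '{r.get('comment', '?')}' matches dst-address={addr}, "
                            f"which is not a static /ip address (DHCP client active on {dhcp}); "
                            "it stops matching when the lease changes")

    # 2. LAN targets need a hairpin srcnat rule for LAN clients that use the WAN address
    lan_targets = [r for r in dstnat if "to-addresses" in r
                   and any(ipaddress.ip_address(r["to-addresses"]) in n for n in lans)]
    hairpin = any(r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
                  and "src-address" in r and "dst-address" in r
                  and any(_net(r["src-address"]).overlaps(n) and _net(r["dst-address"]).overlaps(n)
                          for n in lans)
                  for r in nat)
    if lan_targets and not hairpin:
        findings.append("hairpin-missing: %d dst-nat rule(s) target the LAN but no srcnat rule covers "
                        "LAN-to-LAN traffic; LAN clients using the WAN address will fail" % len(lan_targets))

    # 3. the input chain must drop unsolicited WAN-side traffic to the router itself
    drop_wan_input = any(r.get("chain") == "input" and r.get("action") == "drop"
                         and r.get("in-interface-list") == "!LAN" and r.get("disabled") != "yes"
                         for r in m["/ip firewall filter"])
    if not drop_wan_input:
        msg = "input-open: no enabled 'drop all not coming from LAN' input rule; router services are reachable from the WAN side"
        if any(e.get("allow-remote-requests") == "yes" for e in m["/ip dns"]):
            msg += " (with allow-remote-requests=yes the router is an open resolver there)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f)
```

Run it against the constructed sample and it reports all three findings; applying the fixes suggested in the thread (a static 192.168.10.37/24 on ether1, the LAN-to-LAN masquerade rule, and re-enabling the defconf input drop) makes `lint()` return an empty list. To check a real router, paste the output of `/export` into a file and pass its contents to `lint()`.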
