sij415
just joined
Topic Author
Posts: 1
Joined: Fri Feb 03, 2023 7:11 am

Cannot port forward through dstnat

Fri Feb 03, 2023 7:30 am

Hello, I need help with port forwarding. I have a cloud server that the MikroTik router is connected to via L2TP, but when I try to port forward it doesn't seem to work.

# feb/03/2023 13:21:43 by RouterOS 6.48.6
# software id = 8MWI-YYY1
#
# model = RB750Gr3
# serial number = D5030E32FB8F
/interface bridge
add name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full name=1-ISP-PLDT
set [ find default-name=ether2 ] name=2-ISP-GOMO-GLOBE
set [ find default-name=ether3 ] name=3-ISP-SMART
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=192.46.229.235 \
    disabled=no keepalive-timeout=disabled name=l2tp-out1 use-ipsec=yes user=\
    vpnuser
add allow-fast-path=yes connect-to=SERVER_IP keepalive-timeout=disabled \
    name=l2tp-out2 use-ipsec=yes user=vpnuser
/interface vlan
add interface=BRIDGE-LAN name=Guest vlan-id=10
add interface=BRIDGE-LAN name=TEST_VOUCHER_VLAN vlan-id=20
add interface=BRIDGE-LAN name=VOUCHER_HOTSPOT_VLAN21 vlan-id=21
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash login-by=\
    mac,cookie,http-chap,https
add dns-name=pisowifi.home hotspot-address=10.0.3.1 html-directory=\
    flash/hotspot login-by=mac,cookie,http-chap,http-pap name=hsprof2
add dns-name=voucherhotspot.wifi hotspot-address=10.0.3.1 html-directory=\
    flash/hotspot name=hsprof3
add dns-name=voucherhotspot.wifi hotspot-address=10.0.4.1 html-directory=\
    flash/hotspot name=hsprof4
/ip hotspot user profile
set [ find default=yes ] on-login="### enable telegram notification, change fr\
    om 0 to 1 if you want to enable telegram\r\
    \n:local enableTelegram 1;\r\
    \n###replace telegram token\r\
    \n:local telegramToken \"\";\
    \r\
    \n###replace telegram chat id / group id\r\
    \n:local chatId \"1428711220\";\r\
    \n### enable Random MAC synchronizer\r\
    \n:local enableRandomMacSyncFix 1;\r\
    \n### hotspot folder for HEX put flash/hotspot for haplite put hotspot onl\
    y\r\
    \n:local hotspotFolder \"flash/hotspot\";\r\
    \n\r\
    \n\r\
    \n:local com [/ip hotspot user get [find name=\$user] comment];\r\
    \n/ip hotspot user set comment=\"\" \$user;\r\
    \n\r\
    \n:if (\$com!=\"\") do={\r\
    \n\r\
    \n\t:local mac \$\"mac-address\";\r\
    \n\t:local host [/ip dhcp-server lease get [ find mac-address=\$mac ] host\
    -name];\r\
    \n\t:local macNoCol;\r\
    \n\t:for i from=0 to=([:len \$mac] - 1) do={ \r\
    \n\t  :local char [:pick \$mac \$i]\r\
    \n\t  :if (\$char = \":\") do={\r\
    \n\t\t:set \$char \"\"\r\
    \n\t  }\r\
    \n\t  :set macNoCol (\$macNoCol . \$char)\r\
    \n\t}\r\
    \n\t\r\
    \n\t:local validity [:pick \$com 0 [:find \$com \",\"]];\r\
    \n\t\r\
    \n\t:if ( \$validity!=\"0m\" ) do={\r\
    \n\t\t:local sc [/sys scheduler find name=\$user]; :if (\$sc=\"\") do={ :l\
    ocal a [/ip hotspot user get [find name=\$user] limit-uptime]; :local c (\
    \$validity); :local date [ /system clock get date]; /sys sch add name=\"\$\
    user\" disable=no start-date=\$date interval=\$c on-event=\"/ip hotspot us\
    er remove [find name=\$user]; /ip hotspot active remove [find user=\$user]\
    ; /ip hotspot cookie remove [find user=\$user]; /system sche remove [find \
    name=\$user]; /file remove \\\"\$hotspotFolder/data/\$macNoCol.txt\\\";\" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon; :\
    delay 2s; } else={ :local sint [/sys scheduler get \$user interval]; :if (\
    \_\$validity!=\"\" ) do={ /sys scheduler set \$user interval (\$sint+\$val\
    idity); } };\r\
    \n\t}\r\
    \n\t\r\
    \n\t:local infoArray [:toarray [:pick \$com ([:find \$com \",\"]+1) [:len \
    \$com]]];\r\
    \n\t\r\
    \n\t:local totaltime [/ip hotspot user get [find name=\"\$user\"] limit-up\
    time];\r\
    \n\t:local amt [:pick \$infoArray 0];\r\
    \n\t:local ext [:pick \$infoArray 1];\r\
    \n\t:local vendo [:pick \$infoArray 2];\r\
    \n\t:local uactive [/ip hotspot active print count-only];\r\
    \n\t\r\
    \n\t:local getIncome [:put ([/system script get [find name=todayincome] so\
    urce])];\r\
    \n\t/system script set source=\"\$getIncome\" todayincome;\r\
    \n\r\
    \n\t:local getSales (\$amt + \$getIncome);\r\
    \n\t/system script set source=\"\$getSales\" todayincome;\r\
    \n\r\
    \n\t:local getMonthlyIncome [:put ([/system script get [find name=monthlyi\
    ncome] source])];\r\
    \n\t/system script set source=\"\$getMonthlyIncome\" monthlyincome;\r\
    \n\r\
    \n\t:local getMonthlySales (\$amt + \$getMonthlyIncome);\r\
    \n\t/system script set source=\"\$getMonthlySales\" monthlyincome;\r\
    \n\t\r\
    \n\t:local validUntil [/sys scheduler get \$user next-run];\r\
    \n\t\r\
    \n\t/file print file=\"\$hotspotFolder/data/\$macNoCol\" where name=\"dumm\
    yfile\"; \r\
    \n\t:delay 1s; \r\
    \n\t/file set \"\$hotspotFolder/data/\$macNoCol\" contents=\"\$user#\$vali\
    dUntil\";\r\
    \n\t:local extend\r\
    \n\t:set extend \"YES\";\r\
    \n\t:if (\$ext  = \"0\") do={\r\
    \n\t    :set extend \"NO\";\r\
    \n\t}\r\
    \n\t\r\
    \n\t:if (\$enableTelegram=1) do={\r\
    \n\t\t:local vendoNew;\r\
    \n\t\t:for i from=0 to=([:len \$vendo] - 1) do={ \r\
    \n\t\t  :local char [:pick \$vendo \$i]\r\
    \n\t\t  :if (\$char = \" \") do={\r\
    \n\t\t\t:set \$char \"%20\"\r\
    \n\t\t  }\r\
    \n\t\t  :set vendoNew (\$vendoNew . \$char)\r\
    \n\t\t}\r\
    \n\r\
    \n\t\t/tool fetch url=\"https://api.telegram.org/bot\$telegramToken/sendme\
    ssage\?chat_id=\$chatId&text=<<======New Sales======>> %0A Vendo: \$vendoN\
    ew %0A Voucher: \$user %0A IP: \$address %0A MAC: \$mac %0A Device: \$host\
    \_%0A Amount: \$amt %0A Extended: \$extend %0A Total Time: \$totaltime %0A\
    \_%0AToday Sales: \$getSales %0AMonthly Sales : \$getMonthlySales %0AActiv\
    e Users: \$uactive%0A <<=====================>>\" keep-result=no;\r\
    \n\t}\r\
    \n\r\
    \n};\r\
    \n\r\
    \n:if (\$enableRandomMacSyncFix=1) do={\r\
    \n\t:local cmac \$\"mac-address\"\r\
    \n\t:foreach AU in=[/ip hotspot active find user=\"\$username\"] do={\r\
    \n\t  :local amac [/ip hotspot active get \$AU mac-address];\r\
    \n\t  :if (\$cmac!=\$amac) do={  /ip hotspot active remove [/ip hotspot ac\
    tive find mac-address=\"\$amac\"]; }\r\
    \n\t}\r\
    \n}" on-logout="### hotspot folder for HEX put flash/hotspot for haplite p\
    ut hotspot only\r\
    \n:local hotspotFolder \"flash/hotspot\";\r\
    \n\r\
    \n:local mac \$\"mac-address\";\r\
    \n:local macNoCol;\r\
    \n:for i from=0 to=([:len \$mac] - 1) do={ \r\
    \n  :local char [:pick \$mac \$i]\r\
    \n  :if (\$char = \":\") do={\r\
    \n\t:set \$char \"\"\r\
    \n  }\r\
    \n  :set macNoCol (\$macNoCol . \$char)\r\
    \n}\r\
    \n\t\r\
    \n:if ([/ip hotspot user get [/ip hotspot user find where name=\"\$user\"]\
    \_limit-uptime] <= [/ip hotspot user get [/ip hotspot user find where name\
    =\"\$user\"] uptime]) do={\r\
    \n    /ip hotspot user remove \$user;\r\
    \n\t/file remove \"\$hotspotFolder/data/\$macNoCol.txt\";\r\
    \n\t/system sche remove [find name=\$user];\r\
    \n}" rate-limit=15M/15M
add name=ADMIN_UNLI shared-users=unlimited
/ip ipsec profile
add enc-algorithm=aes-256,3des name=profile1
/ip ipsec peer
add address=34.92.53.252/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool5 ranges=10.0.2.2-10.0.2.254
add name=dhcp_pool7 ranges=10.0.3.2-10.0.4.254
add name=dhcp_pool8 ranges=10.0.3.2-10.0.3.254
add name=dhcp_pool9 ranges=10.0.4.2-10.0.4.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=BRIDGE-LAN name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=Guest name=dhcp2
add address-pool=dhcp_pool7 disabled=no interface=TEST_VOUCHER_VLAN name=\
    dhcp3
add address-pool=dhcp_pool9 disabled=no interface=VOUCHER_HOTSPOT_VLAN21 \
    name=dhcp4
/queue simple
add disabled=yes name=queue1 target=10.0.0.0/24
/queue type
add kind=pcq name="20M up" pcq-classifier=dst-address pcq-limit=20000000KiB \
    pcq-rate=20M pcq-total-limit=2048KiB
add kind=pcq name="20M down" pcq-classifier=dst-address pcq-limit=20000000KiB \
    pcq-rate=20M pcq-total-limit=2048KiB
/queue simple
add disabled=yes name="10M limit" queue="20M up/20M down" target=10.0.0.31/32
add burst-limit=256k/256k burst-threshold=256k/256k burst-time=1s/1s \
    disabled=yes max-limit=256k/256k name=Trial queue="20M up/20M down" \
    target=10.0.0.31/32
/ip hotspot user profile
add insert-queue-before=Trial name=TRIAL rate-limit=15M/15M
/ip hotspot profile
add dns-name=voucherhotspot.wifi hotspot-address=10.0.3.1 html-directory=\
    flash/hotspot html-directory-override=flash/hotspot login-by=\
    mac,cookie,http-chap,http-pap,trial name=hsprof1 trial-uptime-limit=5m \
    trial-user-profile=TRIAL
/interface bridge port
add bridge=BRIDGE-LAN ingress-filtering=yes interface=ether4 tag-stacking=yes \
    trusted=yes
add bridge=BRIDGE-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Guest pvid=10 tag-stacking=yes
add bridge=BRIDGE-LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=TEST_VOUCHER_VLAN pvid=20 tag-stacking=yes
add bridge=BRIDGE-LAN frame-types=admit-only-vlan-tagged interface=\
    VOUCHER_HOTSPOT_VLAN21 pvid=21
add bridge=BRIDGE-LAN ingress-filtering=yes interface=ether5 tag-stacking=yes \
    trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=10
/ip address
add address=10.0.0.1/24 interface=BRIDGE-LAN network=10.0.0.0
add address=10.0.2.1/24 interface=Guest network=10.0.2.0
add address=10.0.3.1/24 interface=TEST_VOUCHER_VLAN network=10.0.3.0
add address=10.0.3.1/24 comment="hotspot network" interface=\
    VOUCHER_HOTSPOT_VLAN21 network=10.0.3.0
add address=10.0.4.1/24 comment="hotspot network" interface=\
    VOUCHER_HOTSPOT_VLAN21 network=10.0.4.0
/ip dhcp-client
add add-default-route=no disabled=no interface=1-ISP-PLDT use-peer-dns=no
add add-default-route=no disabled=no interface=2-ISP-GOMO-GLOBE use-peer-dns=\
    no
add add-default-route=no disabled=no interface=3-ISP-SMART use-peer-dns=no \
    use-peer-ntp=no
add disabled=no
/ip dhcp-server lease
add address=10.0.0.7 client-id=1:2:81:bc:ac:a5:e4 mac-address=\
    02:81:BC:AC:A5:E4 server=dhcp1
add address=10.0.0.2 client-id=1:5c:a6:e6:5c:e:4c mac-address=\
    5C:A6:E6:5C:0E:4C server=dhcp1
add address=10.0.0.4 client-id=1:b0:95:75:f8:e4:ac mac-address=\
    B0:95:75:F8:E4:AC server=dhcp1
add address=10.0.0.6 client-id=1:b4:b0:24:2b:6e:b1 mac-address=\
    B4:B0:24:2B:6E:B1 server=dhcp1
add address=10.0.0.5 client-id=1:b0:95:75:29:f:c mac-address=\
    B0:95:75:29:0F:0C server=dhcp1
add address=10.0.0.3 client-id=1:b0:95:75:f8:e5:70 mac-address=\
    B0:95:75:F8:E5:70 server=dhcp1
add address=10.0.0.99 client-id=1:f4:b1:9c:80:fe:10 mac-address=\
    F4:B1:9C:80:FE:10 server=dhcp1
add address=10.0.0.8 mac-address=70:4F:57:1A:AD:D5 server=dhcp1
add address=10.0.0.9 client-id=1:28:ee:52:c4:b4:1a mac-address=\
    28:EE:52:C4:B4:1A server=dhcp1
add address=10.0.3.2 mac-address=48:55:19:C8:D9:69 server=dhcp3
add address=10.0.4.2 mac-address=40:F5:20:04:90:60 server=dhcp4
add address=10.0.0.10 client-id=1:28:ee:52:c4:b8:74 mac-address=\
    28:EE:52:C4:B8:74 server=dhcp1
add address=10.0.0.52 client-id=\
    ff:e3:9b:1a:1:0:1:0:1:2a:bb:7d:65:96:5:e3:9b:1a:1 mac-address=\
    96:05:E3:9B:1A:01 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.0.2.0/24 gateway=10.0.2.1
add address=10.0.3.0/24 gateway=10.0.3.1
add address=10.0.4.0/24 gateway=10.0.4.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9
/ip firewall address-list
add address=10.0.2.2-10.0.2.254 list=GUEST
add address=10.0.3.2-10.0.3.254 list=WIFI-CLIENT
add address=10.0.0.8-10.0.0.254 list=homedns-2
add address=10.0.0.2-10.0.0.254 list=HOME
/ip firewall filter
add action=drop chain=forward disabled=yes out-interface=2-ISP-GOMO-GLOBE \
    src-address=10.0.0.51
add action=drop chain=forward disabled=yes out-interface=3-ISP-SMART \
    src-address=10.0.0.51
add action=accept chain=input disabled=yes src-address=10.0.3.2
add action=accept chain=input in-interface=l2tp-out1 src-address=192.168.42.1
add action=accept chain=forward disabled=yes log=yes out-interface=l2tp-out1
add action=accept chain=output disabled=yes log=yes src-address=192.168.42.1
add action=accept chain=input disabled=yes src-address=10.0.4.2
add action=drop chain=output comment="Drop isp1" disabled=yes dst-address=\
    1.1.1.1 protocol=icmp
add action=drop chain=output comment="Drop isp2" disabled=yes dst-address=\
    9.9.9.9 protocol=icmp
add action=drop chain=output comment="Drop isp3" disabled=yes dst-address=\
    8.8.8.8 protocol=icmp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=input comment="Block GUEST" disabled=yes dst-address=\
    10.0.2.1 src-address-list=GUEST
add action=accept chain=forward disabled=yes dst-address=10.0.0.7 \
    src-address-list=GUEST
add action=drop chain=input disabled=yes dst-address=10.0.0.0/24 \
    src-address-list=GUEST
add action=reject chain=forward disabled=yes dst-address=10.0.0.0/24 \
    reject-with=icmp-network-unreachable src-address-list=GUEST
add action=drop chain=input comment="Block WIFI_CLIENTS" disabled=yes \
    dst-address=10.0.3.1 src-address-list=WIFI-CLIENT
add action=drop chain=input disabled=yes dst-address=10.0.0.0/24 \
    src-address-list=WIFI-CLIENT
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/24 \
    src-address-list=WIFI-CLIENT
add action=accept chain=forward disabled=yes dst-address=10.0.0.7 \
    src-address-list=WIFI-CLIENT
add action=accept chain=forward disabled=yes dst-address=10.0.3.2 \
    src-address-list=WIFI-CLIENT
add action=fasttrack-connection chain=forward out-interface=1-ISP-PLDT \
    src-address=10.0.0.51
add action=accept chain=input disabled=yes src-address=0.0.0.0
add action=accept chain=output disabled=yes src-address=0.0.0.0
add action=accept chain=forward disabled=yes in-interface=l2tp-out1
add action=accept chain=forward disabled=yes out-interface=l2tp-out1
/ip firewall mangle
add action=accept chain=prerouting comment=accept dst-address=192.168.1.0/24 \
    in-interface=BRIDGE-LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    BRIDGE-LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    BRIDGE-LAN
add action=mark-connection chain=prerouting comment=connect connection-mark=\
    no-mark in-interface=1-ISP-PLDT new-connection-mark=ISP1-conn \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=2-ISP-GOMO-GLOBE new-connection-mark=ISP2-conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=3-ISP-SMART new-connection-mark=ISP3-conn passthrough=yes
add action=mark-connection chain=prerouting comment=pcc connection-mark=\
    no-mark dst-address-type=!local in-interface=BRIDGE-LAN \
    new-connection-mark=ISP1-conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BRIDGE-LAN new-connection-mark=\
    ISP2-conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BRIDGE-LAN new-connection-mark=\
    ISP3-conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting comment="routing mark" \
    connection-mark=ISP1-conn in-interface=BRIDGE-LAN new-routing-mark=\
    "to ISP1" passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2-conn \
    in-interface=BRIDGE-LAN new-routing-mark="to ISP2" passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP3-conn \
    in-interface=BRIDGE-LAN new-routing-mark="to ISP3" passthrough=yes
add action=mark-routing chain=output comment=output connection-mark=ISP1-conn \
    new-routing-mark="to ISP1" passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2-conn \
    new-routing-mark="to ISP2" passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3-conn \
    new-routing-mark="to ISP3" passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1-ISP-PLDT
# no interface
add action=masquerade chain=srcnat out-interface=*1C
add action=masquerade chain=srcnat out-interface=2-ISP-GOMO-GLOBE
add action=masquerade chain=srcnat dst-address-list="" out-interface=\
    3-ISP-SMART
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=yes src-address=10.0.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.0.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.0.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.0.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.0.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.0.4.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=8081 log=yes protocol=\
    tcp to-addresses=10.0.0.51 to-ports=8888
add action=netmap chain=dstnat dst-port=8081 log=yes protocol=tcp \
    to-addresses=10.0.0.51 to-ports=8888
/ip hotspot ip-binding
add address=10.0.3.2 mac-address=48:55:19:C8:D9:69 to-address=10.0.3.2 type=\
    bypassed
add address=10.0.3.3 mac-address=40:F5:20:04:90:60 to-address=10.0.3.3 type=\
    bypassed
/ip hotspot user
add name=admin profile=ADMIN_UNLI
add email=new@gmail.com limit-uptime=10m name=P1657
add email=new@gmail.com limit-uptime=20m name=P9173
add email=new@gmail.com limit-uptime=1h name=P3446
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=149.154.160.0/20 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=149.154.164.0/22 !dst-address-list \
    !dst-port protocol=udp !src-address !src-address-list
add action=accept disabled=no dst-address=91.108.4.0/22 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=91.108.56.0/22 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=91.108.8.0/22 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=95.161.64.0/20 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept comment=vendo disabled=no dst-address=10.0.4.2 \
    !dst-address-list !dst-port !protocol !src-address !src-address-list
add action=accept comment=vendo disabled=no dst-address=10.0.3.2 \
    !dst-address-list !dst-port !protocol !src-address !src-address-list
/ip ipsec identity
add peer=peer1
/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1 scope=10
add check-gateway=ping distance=2 gateway=9.9.9.9 scope=10
add check-gateway=ping distance=3 gateway=8.8.8.8 scope=10
add distance=1 dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1 scope=10
add distance=1 dst-address=9.9.9.9/32 gateway=192.168.2.1 scope=10
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Asia/Manila
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system package update
set channel=testing
/system scheduler
add comment="WinboxMobile push stats v4, DO NOT CHANGE" interval=5m name=\
    WinboxMobile-push-stats on-event=WinboxMobile-push-stats policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/03/2022 start-time=00:10:49
add interval=129w2d20h name=P1730 on-event="/ip hotspot user remove [find name\
    =P1730]; /ip hotspot active remove [find user=P1730]; /ip hotspot cookie r\
    emove [find user=P1730]; /system sche remove [find name=P1730]; /file remo\
    ve \"flash/hotspot/data/4EF90D4449F8.txt\";" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jul/01/2022 start-time=12:11:11
add interval=1d name="Reset Daily Income" on-event=\
    "/system script set source=\"0\" todayincome " policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/28/2021 start-time=00:00:00
add interval=4w2d name="Reset Monthly Income" on-event=\
    "/system script set source=\"0\" monthlyincome " policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/28/2021 start-time=00:00:00
/system script
add comment="WinboxMobile push stats v4, DO NOT CHANGE" \
    dont-require-permissions=no name=WinboxMobile-push-stats owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# WinboxMobile push stats v4\r\
    \n# RouterOS 6.39+/7.0+ required. \r\
    \n\r\
    \n:global wmUrlEncode do={\r\
    \n  :local Chars {\" \"=\"%20\";\"!\"=\"%21\";\"\\\"\"=\"%22\";\"#\"=\"%23\
    \";\"\$\"=\"%24\";\"%\"=\"%25\";\"&\"=\"%26\";\"'\"=\"%27\";\"(\"=\"%28\";\
    \")\"=\"%29\";\"*\"=\"%2A\";\"+\"=\"%2B\";\",\"=\"%2C\";\"-\"=\"%2D\";\".\
    \"=\"%2E\";\"/\"=\"%2F\";\":\"=\"%3A\";\";\"=\"%3B\";\"<\"=\"%3C\";\"=\"=\
    \"%3D\";\">\"=\"%3E\";\"\?\"=\"%3F\";\"@\"=\"%40\";\"[\"=\"%5B\";\"\\\\\"=\
    \"%5C\";\"]\"=\"%5D\";\"^\"=\"%5E\";\"`\"=\"%60\";\"{\"=\"%7B\";\"|\"=\"%7\
    C\";\"}\"=\"%7D\";\"~\"=\"%7E\"}\r\
    \n  :local URLEncodeStr\r\
    \n  :local Char\r\
    \n  :local EncChar\r\
    \n  :for i from=0 to=([:len \$1]-1) do={\r\
    \n    :set Char [:pick \$1 \$i]\r\
    \n    :set EncChar (\$Chars->\$Char)\r\
    \n    :if (any \$EncChar) do={\r\
    \n      :set URLEncodeStr (\$URLEncodeStr . \$EncChar)\r\
    \n    } else={\r\
    \n      :set URLEncodeStr (\$URLEncodeStr . \$Char)\r\
    \n    }\r\
    \n  }\r\
    \n  :return \$URLEncodeStr\r\
    \n}\r\
    \n\r\
    \n:global wmInterfaceMonit do={\r\
    \n  :global wmUrlEncode;\r\
    \n\r\
    \n  :local data; :local item; :local encodedName; :local linkDown; :local \
    linkDownTime;\r\
    \n  :foreach i in=[/interface find type=\$1 disabled=no] do={\r\
    \n    :set linkDown [/interface get \$i link-downs];\r\
    \n    :set linkDownTime [\$wmUrlEncode [/interface get \$i last-link-down-\
    time]];\r\
    \n\r\
    \n    /interface monitor-traffic \$i once do={\r\
    \n      :set encodedName [\$wmUrlEncode \$name];\r\
    \n      :set item \"traffic[]=\$1||\$i||\$encodedName||\$\"tx-bits-per-sec\
    ond\"||\$\"rx-bits-per-second\"||\$\"tx-packets-per-second\"||\$\"rx-packe\
    ts-per-second\"||\$linkDown||\$linkDownTime\"\r\
    \n      :set data ( \$data . \"&\" . \$item);\r\
    \n    }\r\
    \n  }\r\
    \n  :return \$data\r\
    \n}\r\
    \n\r\
    \n:local packageRouting true\r\
    \n:local packagePpp true\r\
    \n:local packageSecurity true\r\
    \n:local packageDhcp true\r\
    \n:local packageWireless true\r\
    \n:local packageHotspot true\r\
    \n:local majarVersion [:pick [/system resource get version] 0 1]\r\
    \n:if (\$majarVersion = \"6\") do={\r\
    \n  :if ([/system package find name=routing disabled=no] = \"\") do={\r\
    \n    :set packageRouting false\r\
    \n  }\r\
    \n  :if ([/system package find name=ppp disabled=no] = \"\") do={\r\
    \n    :set packagePpp false\r\
    \n  }\r\
    \n  :if ([/system package find name=security disabled=no] = \"\") do={\r\
    \n    :set packageSecurity false\r\
    \n  }\r\
    \n  :if ([/system package find name=dhcp disabled=no] = \"\") do={\r\
    \n    :set packageDhcp false\r\
    \n  }\r\
    \n  :if ([/system package find name=wireless disabled=no] = \"\") do={\r\
    \n    :set packageWireless false\r\
    \n  }\r\
    \n  :if ([/system package find name=hotspot disabled=no] = \"\") do={\r\
    \n    :set packageHotspot false\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local dataParams;\r\
    \n:set dataParams \"push_stats_version=4&did=F72DBDC3-C5F5-4E8C-A2F6-D303C\
    893495E&pid=\";\r\
    \n\r\
    \n:put \"Collecting Board data...\"\r\
    \n:do {\r\
    \n  :local serialNumber [/system routerboard get serial-number];\r\
    \n  :set dataParams   ( \$dataParams . \"&\" . \"serial_number=\$serialNum\
    ber\");\r\
    \n} on-error={ :put \"Collecting Board data 1 error\"};\r\
    \n:do {\r\
    \n  :local systemId     [/system license get system-id];\r\
    \n  :set dataParams   ( \$dataParams . \"&\" . \"system_id=\$systemId\");\
    \r\
    \n} on-error={ :put \"Collecting Board data 2 error\"};\r\
    \n:do {\r\
    \n  :local softwareId   [/system license get software-id];\r\
    \n  :set dataParams   ( \$dataParams . \"&\" . \"software_id=\$softwareId\
    \");\r\
    \n} on-error={ :put \"Collecting Board data 3 error\"};\r\
    \n\r\
    \n:put \"Collecting Performance data...\"\r\
    \n:do {\r\
    \n  :local cpuLoad    [/system resource get cpu-load];\r\
    \n  :local memFree    [/system resource get free-memory];\r\
    \n  :local memTotal   [/system resource get total-memory];\r\
    \n  :local hddFree    [/system resource get free-hdd-space];\r\
    \n  :local hddTotal   [/system resource get total-hdd-space];\r\
    \n  :local userActive [/user active print count-only];\r\
    \n  :local perfData   \"cpu_load=\$cpuLoad&mem_free=\$memFree&mem_total=\$\
    memTotal&hdd_free=\$hddFree&hdd_total=\$hddTotal&user_active_count=\$userA\
    ctive\"\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \$perfData);\r\
    \n} on-error={ :put \"Collecting Performance error\"};\r\
    \n\r\
    \n:put \"Collecting Health data...\"\r\
    \n:do {\r\
    \n  :local voltage    [/system health get voltage];\r\
    \n  :local current    [/system health get current];\r\
    \n  :local powerCons  [/system health get power-consumption];\r\
    \n  :local temp       [/system health get temperature];\r\
    \n  :local cpuTemp    [/system health get cpu-temperature];\r\
    \n  :local fanSpeed   [/system health get fan1-speed];\r\
    \n  :local healthData \"voltage=\$voltage&current=\$current&power_consumpt\
    ion=\$powerCons&temperature=\$temp&cpu_temperature=\$cpuTemp&fan_speed=\$f\
    anSpeed\"\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \$healthData);\r\
    \n} on-error={ :put \"Collecting Health error\"};\r\
    \n\r\
    \n:put \"Collecting Bridge data...\"\r\
    \n:local bridgeData; :local bridgeHostCount; :local bridgeDataItem;\r\
    \n:do {\r\
    \n  :set bridgeHostCount  [/interface bridge host print count-only];\r\
    \n  :set bridgeData       \"bridge_host[][bridge]=ALL&bridge_host[][count]\
    =\$bridgeHostCount\"\r\
    \n\r\
    \n  :set dataParams       (\$dataParams . \"&\" . \$bridgeData);\r\
    \n} on-error={ :put \"Collecting Bridge error\"};\r\
    \n\r\
    \n:put \"Collecting IP data...\"\r\
    \n:local routerData; :local ipRouteCount; :local ipARPCount; :local ipPool\
    UsedCount; :local ipFwCount;\r\
    \n:do {\r\
    \n  :set ipRouteCount     [/ip route print count-only];\r\
    \n  :set ipARPCount       [/ip arp print count-only];\r\
    \n  :set ipPoolUsedCount  [/ip pool used print count-only];\r\
    \n  :set ipFwCount        [/ip firewall connection print count-only];\r\
    \n  :set routerData       \"ip_route_count=\$ipRouteCount&ip_arp_count=\$i\
    pARPCount&ip_pool_used_count=\$ipPoolUsedCount&firewall_connection_count=\
    \$ipFwCount\"\r\
    \n  :set dataParams     (\$dataParams . \"&\" . \$routerData);\r\
    \n} on-error={ :put \"Collecting IP error\"};\r\
    \n\r\
    \n:if (\$packageRouting = false) do={\r\
    \n  :put \"routing package is not installed.\"\r\
    \n} else={\r\
    \n  :put \"Collecting Routing data...\"\r\
    \n  :local routingData; :local bgpPeerCount; :local ospfNeighborCount;\r\
    \n  :do {\r\
    \n    :set bgpPeerCount       [/routing bgp peer print count-only];\r\
    \n    :set ospfNeighborCount  [/routing ospf neighbor print count-only];\r\
    \n    :set routingData        \"bgp_peer_count=\$bgpPeerCount&ospf_neighbo\
    r_count=\$ospfNeighborCount\"\r\
    \n    :set dataParams         (\$dataParams . \"&\" . \$routingData);\r\
    \n  } on-error={ :put \"Collecting Routing error\"};\r\
    \n}\r\
    \n\r\
    \n:put \"Collecting VPN data...\";\r\
    \n:local vpnData; :local vpnPppCount; :local vpnIpsecPeerCount; :local vpn\
    IpsecPolicyCount;\r\
    \n:do {\r\
    \n  :if (\$packagePpp = false) do={\r\
    \n    :set vpnPppCount            0;\r\
    \n  } else={\r\
    \n    :set vpnPppCount            [/ppp active print count-only];\r\
    \n  }\r\
    \n\r\
    \n  :if (\$packageSecurity = false) do={\r\
    \n    :set vpnIpsecPeerCount      0;\r\
    \n    :set vpnIpsecPolicyCount    0;\r\
    \n  } else={\r\
    \n    :set vpnIpsecPeerCount      [/ip ipsec active-peers print count-only\
    ];\r\
    \n    :set vpnIpsecPolicyCount    [/ip ipsec policy print count-only];\r\
    \n  }\r\
    \n\r\
    \n  :set vpnData                \"ppp_active_count=\$vpnPppCount&ipsec_rem\
    ote_peer_count=\$vpnIpsecPeerCount&ipsec_policy_count=\$vpnIpsecPolicyCoun\
    t\";\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \$vpnData);\r\
    \n} on-error={ :put \"Collecting VPN error\"};\r\
    \n\r\
    \n:if (\$packageDhcp = false) do={\r\
    \n  :put \"dhcp package is not installed.\"\r\
    \n} else={\r\
    \n  :put \"Collecting DHCP data...\";\r\
    \n  :local dhcpData;\r\
    \n  :do {\r\
    \n    :local leaseCount   [/ip dhcp-server lease print count-only];\r\
    \n    :set dhcpData       \"dhcp_server_lease[][server]=ALL&dhcp_server_le\
    ase[][count]=\$leaseCount\";\r\
    \n\r\
    \n    :set dataParams ( \$dataParams . \"&\" . \$dhcpData);\r\
    \n  } on-error={ :put \"Collecting DHCP error\"};\r\
    \n}\r\
    \n\r\
    \n:if (\$packageWireless = false) do={\r\
    \n  :put \"wireless package is not installed.\"\r\
    \n} else={\r\
    \n  :put \"Collecting Wireless data...\";\r\
    \n  :local wirelessData; :local wirelessDataItem;\r\
    \n  :do {\r\
    \n    :local wirelessCount    [/interface wireless registration-table prin\
    t count-only];\r\
    \n    :set wirelessData       \"wireless_registration[][interface]=ALL&wir\
    eless_registration[][count]=\$wirelessCount\";\r\
    \n\r\
    \n    :set dataParams ( \$dataParams . \"&\" . \$wirelessData);\r\
    \n  } on-error={ :put \"Collecting Wireless error\"};\r\
    \n\r\
    \n  :put \"Collecting CAPsMan data...\";\r\
    \n  :local capsmanData; :local capsmanDataItem;\r\
    \n  :do {\r\
    \n    :local capsmanCAPCount      [/caps-man remote-cap print count-only];\
    \r\
    \n    :local capsmanRegisCount    [/caps-man registration-table print coun\
    t-only];\r\
    \n    :local capsmanRadioCount    [/caps-man radio print count-only];\r\
    \n    :set capsmanData            \"capsman_remote_cap_count=\$capsmanCAPC\
    ount&capsman_registration[][interface]=ALL&capsman_registration[][count]=\
    \$capsmanRegisCount&capsman_radio[][interface]=ALL&capsman_radio[][count]=\
    \$capsmanRadioCount\";\r\
    \n\r\
    \n    :set dataParams ( \$dataParams . \"&\" . \$capsmanData);\r\
    \n  } on-error={ :put \"Collecting CAPsMan error\"};\r\
    \n}\r\
    \n\r\
    \n:if (\$packageHotspot = false) do={\r\
    \n  :put \"hotspot package is not installed.\"\r\
    \n} else={\r\
    \n  :put \"Collecting Hotspot data...\";\r\
    \n  :local hotspotData; :local hotspotDataItem;\r\
    \n  :do {\r\
    \n    :local cookieCount        [/ip hotspot cookie print count-only]\r\
    \n    :local activeCount        [/ip hotspot active print count-only]\r\
    \n    :local hostCount          [/ip hotspot host print count-only]\r\
    \n    :set hotspotData          \"hotspot_cookie_count=\$cookieCount&hotsp\
    ot_active[][server]=ALL&hotspot_active[][count]=\$activeCount&hotspot_host\
    [][server]=ALL&hotspot_host[][count]=\$hostCount\";\r\
    \n\r\
    \n    :set dataParams ( \$dataParams . \"&\" . \$hotspotData);\r\
    \n  } on-error={ :put \"Collecting Hotspot error\"};\r\
    \n}\r\
    \n\r\
    \n:put \"Collecting Interface data...\";\r\
    \n:do {\r\
    \n  /interface monitor-traffic aggregate once do={\r\
    \n    :local aggregateData \"traffic[]=aggregate||0||aggregate||\$\"tx-bit\
    s-per-second\"||\$\"rx-bits-per-second\"||\$\"tx-packets-per-second\"||\$\
    \"rx-packets-per-second\"\"\r\
    \n    :set dataParams ( \$dataParams . \"&\" . \$aggregateData);\r\
    \n  }\r\
    \n\r\
    \n  :set dataParams ( \$dataParams . \"&\" . [\$wmInterfaceMonit \"ether\"\
    ]);\r\
    \n  :set dataParams ( \$dataParams . \"&\" . [\$wmInterfaceMonit \"wlan\"]\
    );\r\
    \n  :set dataParams ( \$dataParams . \"&\" . [\$wmInterfaceMonit \"cap\"])\
    ;\r\
    \n} on-error={ :put \"Collecting Interface error\"};\r\
    \n\r\
    \n:do {\r\
    \n  :local identity   [\$wmUrlEncode [/system identity get name]];\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \"identity=\$identity\");\r\
    \n\r\
    \n  :local model      [\$wmUrlEncode [/system routerboard get model]];\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \"model=\$model\");\r\
    \n\r\
    \n  :local version    [\$wmUrlEncode [/system resource get version]];\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \"version=\$version\");\r\
    \n\r\
    \n  :local uptime     [\$wmUrlEncode [/system resource get uptime]];\r\
    \n  :set dataParams ( \$dataParams . \"&\" . \"uptime=\$uptime\");\r\
    \n} on-error={ :put \"Collecting Board string data error\"};\r\
    \n\r\
    \n:put \$dataParams;\r\
    \n\r\
    \n:local finalURL \"https://septudio.com/mik_push_stats\"\r\
    \n/tool fetch url=\"\$finalURL\" http-method=post http-data=\"\$dataParams\
    \" mode=https keep-result=no\r\
    \n"
add dont-require-permissions=no name=todayincome owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=0
add dont-require-permissions=no name=monthlyincome owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=0
/tool netwatch
add down-script="/ip route disable [find dst-address=0.0.0.0/0 gateway=1.1.1.1]\
    \r\
    \n/ip firewall connection remove [find]" host=1.1.1.1 interval=6s \
    timeout=400ms up-script=\
    "/ip route enable [find dst-address=0.0.0.0/0 gateway=1.1.1.1]\r\
    \n"
add down-script="/ip route disable [find dst-address=0.0.0.0/0 gateway=9.9.9.9]\
    \r\
    \n/ip firewall connection remove [find]" host=9.9.9.9 interval=6s \
    timeout=400ms up-script=\
    "/ip route enable [find dst-address=0.0.0.0/0 gateway=9.9.9.9]\r\
    \n"
add down-script="/ip route disable [find dst-address=0.0.0.0/0 gateway=8.8.8.8]\
    \r\
    \n/ip firewall connection remove [find]" host=8.8.8.8 interval=6s \
    timeout=400ms up-script=\
    "/ip route enable [find dst-address=0.0.0.0/0 gateway=8.8.8.8]\r\
    \n"
add comment="NETWATCH TELEGRAM" down-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP1-PLDT is DOWN\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;" host=1.1.1.1 timeout=400ms \
    up-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP1-PLDT is UP\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;"
add comment="NETWATCH TELEGRAM" down-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP2-GOMO-Globe is DOWN\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;" host=9.9.9.9 timeout=400ms \
    up-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP2-GOMO-Globe is UP\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;"
add down-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ODIN is DOWN\"\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;" host=10.0.0.51 up-script=":loc\
    al CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ODIN is UP\"\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;"
add comment="NETWATCH TELEGRAM" down-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP3-SMART is DOWN\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;" host=8.8.8.8 timeout=400ms \
    up-script=":local CHID \"1428711220\"\r\
    \n:local BotID \"5406175021:AAH14AvW1ZN-ZwxYcjIiSLBMP6m2e6ykAyY\"\r\
    \n:local Message \"ISP3-SMART is UP\"\r\
    \n\r\
    \n/tool fetch url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_\
    id=\$CHID&text=\$Message\" keep-result=no;"
 
r0berts
newbie
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 9:47 am

Hey, did you manage to solve your problem? I am stuck on something very similar
 
catsir
just joined
Posts: 19
Joined: Sat Mar 11, 2023 8:24 am

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 12:28 pm

I'm in a very similar situation, but still no solution.
 
p3rad0x
Long time Member
Posts: 637
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 12:48 pm

Are you getting a public IP address from your ISP?

Your dst-nat rules seems to be correct, but you can add your public IP address in the dst-address=
 
r0berts
newbie
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 3:03 pm

Thanks, p3rad0x,

My rules are a bit different. I have a setup where I am behind carrier grade NAT and need to SSH into my debian server.

This is an illustration. My static IP is 100.100.100.100/32 and it has a L2TP connection on l2tp client interface l2tp-aa which has 100.100.50.50 as a gateway.

For some time I was able to see incoming ssh connection on my debian server when I connected from my laptop connected to internet via my mobile phone with tcpdump and saw that the tcp connection stopped at handshake (no synack packets making their way back to ssh client) but now I cannot see even that. I am not using IPv6 at all. Interestingly - connection happens well if I change my laptop to LAN wifi. Despite the connection being made to the 100.100.100.100:55552 (so DNAT and SRCNAT work well in that case - which I can see on TCPDUMP)

Where have I gone wrong?


# 2023-06-29 12:41:57 by RouterOS 7.10
# sanitized version of config acquired by /export

add admin-mac=48:8F:5A:17:4B:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
add apn=wap.isp.co.uk authentication=pap name="ISP internet" use-peer-dns=no user=web
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles="ISP internet" band=""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/interface l2tp-client
add allow=chap,mschap1,mschap2 connect-to=100.100.100.50 disabled=no name=l2tp-aa profile=default user=user1
/routing table
add comment="for incoming connections to external ip via l2tp-aa connection" disabled=no fib name=l2tp-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add comment=myconf interface=l2tp-aa list=WAN
/interface lte settings
set external-antenna=auto
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-relay
add dhcp-server=192.168.88.27 interface=ether1 name=dhcp-relay1
/ip dns
set allow-remote-requests=yes servers=192.168.88.27
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark incoming new (SSH) connection" dst-port=55552 in-interface=l2tp-aa new-connection-mark=L2TP_CONN passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="mark for returning SSH communication for l2tp routing table" connection-mark=L2TP_CONN new-routing-mark=l2tp-table passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNAT to the ssh server on LAN" dst-address=100.100.100.100 dst-port=55552 log=yes log-prefix=SSH-DNAT-from-EXT: protocol=tcp to-addresses=192.168.88.18 \
    to-ports=22
add action=src-nat chain=srcnat comment="SNAT for the SSH connection" dst-address=192.168.88.18 log=yes log-prefix=SRCNAT-TRIGGER: protocol=tcp to-addresses=100.100.100.100
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.88.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.100.50.50 pref-src="" routing-table=l2tp-table scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2244
set www-ssl certificate=*1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no dst-address=100.100.100.100/32 routing-mark=l2tp-table table=l2tp-table
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 routing-mark=l2tp-table src-address="" table=l2tp-table
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/system upgrade upgrade-package-source
add address=159.148.147.204
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
krafg
Forum Guru
Posts: 1021
Joined: Sun Jun 28, 2015 7:36 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 3:27 pm

The first and most important question is: am I behind a NAT by my ISP?

To check it, do a trace to your public IP address; if you get more than 1 hop, most probably you are behind a NAT. If you are behind a NAT by your ISP, DST-NAT will not work.

Regards.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 4:33 pm

For some time I ... saw that the tcp connection stopped at handshake (no synack packets making their way back to ssh client)
This happens because you assign the routing mark l2tp-table to all packets belonging to connections bearing the connection mark L2TP_CONN regardless of their direction, so the router sends the received SYN packet via the gateway of the default route in table l2tp-table, i.e. back to the tunnel rather than delivering it to LAN, as there is no route to 192.168.88.0/24 in routing table l2tp-table.

So you have to add another match condition to the action=mark-routing rule - such as in-interface=!l2tp-aa.

For some time I was able to see incoming ssh connection on my debian server when I connected from my laptop connected to internet via my mobile phone with tcpdump ... but now I cannot see even that.
This must have been before the rules started behaving the way above.

Interestingly - connection happens well if I change my laptop to LAN wifi. Despite the connection being made to the 100.100.100.100:55552 (so DNAT and SRCNAT work well in that case - which I can see on TCPDUMP)
Of course, because you only assign the connection mark L2TP_CONN to client requests that arrive via l2tp-aa, which is not the case when the laptop is connected to LAN. And since you have that strange action=src-nat ... dst-address=192.168.88.18 log=yes ... to-addresses=100.100.100.100 rule in place, the request packet from the client gets src-nated to the public address, so the Debian machine responds via the default gateway rather than directly to the client's 192.168.88.x address (which it cannot see), so the router gets the response, un-src-nats it and then un-dst-nats it, and the client is happy. This is called "hairpin NAT" and you only need it if the client and the server are in the same subnet but you want the client to access the same public address of the server all the time, even if it sits next to it. Otherwise this rule only prevents the server from seeing the public addresses of the clients.
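The two points above written out as RouterOS commands, as an added example that is not part of the thread: the in-place fix to the mark-routing rule, a hairpin rule scoped to what sindy says it is for, and two checks. Interface, port, address, mark and table names are taken from r0berts' export above; the example assumes RouterOS 7 syntax and that connection-nat-state is usable as a matcher in the srcnat chain.

```routeros
# Added example (not from the thread). Names below (l2tp-aa, 55552,
# 192.168.88.18, l2tp-table, L2TP_CONN) come from r0berts' export.

# 1. Why the SYN never reached the server: the exported mark-routing rule
#    matched every packet of the marked connection, in both directions.
#    The inbound SYN (arriving via l2tp-aa) therefore got routing-mark
#    l2tp-table, whose only route is the default via the tunnel, so the
#    router sent it back out of the tunnel instead of to 192.168.88.18.
#
#    As exported (broken):
#    add action=mark-routing chain=prerouting connection-mark=L2TP_CONN \
#        new-routing-mark=l2tp-table passthrough=yes

# 2. Fix in place: give the routing mark only to packets of the marked
#    connection that did NOT arrive through the tunnel, i.e. the server's
#    replies coming in from the LAN bridge. Only the return path is now
#    forced into l2tp-table; the inbound SYN follows the main table to LAN.
/ip firewall mangle set [ find new-routing-mark=l2tp-table ] in-interface=!l2tp-aa

# 3. The broad src-nat rule rewrote the source of every packet to the
#    server, so sshd never saw real client addresses. It is only needed as
#    "hairpin NAT" for LAN clients that connect to the public address. If
#    that is wanted, scope it to LAN sources on dst-natted connections
#    only, so direct LAN -> 192.168.88.18:22 sessions keep their source.
#    Left disabled here, as r0berts did with the original rule.
/ip firewall nat disable [ find comment="SNAT for the SSH connection" ]
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.18 protocol=tcp dst-port=22 \
    connection-nat-state=dstnat disabled=yes \
    comment="hairpin NAT: LAN clients reaching sshd via 100.100.100.100:55552"

# 4. Checks: the marked connection should show up in connection tracking
#    (NAT is part of conntrack, so no entry means no NAT happened), and
#    l2tp-table should hold only the default route via the tunnel.
/ip firewall connection print where connection-mark=L2TP_CONN
/ip route print where routing-table=l2tp-table
```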
 
r0berts
newbie
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 5:25 pm

Hi sindy,

Many thanks, this brilliantly explains where I was mistaken. 5 minutes before reading your very helpful reply I also was able to connect by replacing the routing-mark rule with one that was simply based on the 'source address = my debian server address on LAN with source port 22' - which is less than optimal as then I need to think about LAN machines doing ssh to server (I could add dst-address is not local subnet then). I will put in other sensible firewall rules back and write this up better - to remember myself and for others who might need something similar.

One query - why cannot I see the ssh connection in firewall connections list?

And about that srcnat rule - yes, I did it trying to understand how this thing works and after reading about hairpin nat by @anav. I thought it might be good to see how things happen with that. SSH connection works both with and without hairpin rule and as you say, if hairpin rule is active, then server sees ssh client address as router's address. I disabled this rule.

As regards the additional routing table - is it enough to give just default route via the other end of L2TP tunnel as 100.100.50.50%l2tp-aa or should there be some other rules there. For example if I ever wanted to ping, I probably should add a rule about icmp. If you could mention something about scenarios where second+ routing tables come in handy, that would be very nice.

Thanks again for you looking at this! When I am doing this thing for the first time it is quite befuddling.
 
r0berts
newbie
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 5:36 pm

Thanks krafg,

I know I am behind CGNAT, that is why I got the L2TP connection. From the l2tp-aa interface there is one hop to that address and the same to the other end of the tunnel.

This way dstnat works through l2tp tunnel, but setting up routing was tricky due to lack of experience and many moving parts.

Best wishes,

R
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot port forward through dstnat

Thu Jun 29, 2023 6:48 pm

One query - why cannot I see the ssh connection in firewall connections list?
Most likely due to wrong syntax of the filter expression if you use command line or because you cannot spot it among other connections if you don't. Or, less likely, it is some glitch of ROS 7.10.

NAT is a functionality of connection tracking so if the connection wasn't there indeed, NAT would not work.

As regards the additional routing table - is it enough to give just default route via the other end of L2TP tunnel as 100.100.50.50%l2tp-aa or should there be some other rules there. For example if I ever wanted to ping, I probably should add a rule about icmp. If you could mention something about scenarios where second+ routing tables come in handy, that would be very nice.
There are cases when the extra routing tables need to contain more than a single (usually default) route, e.g. when you use them to distribute traffic among multiple WANs with failover, using different preferences of each WAN for each traffic class, but that's far from your scenario where you even have to obtain your public static IP from the gentlemen at AA.

To send other kinds of traffic than the SSH server responses via the L2TP tunnel, you don't need more routes or even more routing tables to send that traffic via the tunnel, but you need more mangle rules assigning routing marks (or routing rules doing the same). But I can imagine few cases where you'd want to initiate outgoing connections via the L2TP tunnel, as there is always the overhead that reduces your effective MTU or doubles your packet rate if AA supports MLPPP - if they do, you can push 1500-byte packets through the tunnel without fragmenting them on IP level by transporting large payload packets using two transport ones each.
 
r0berts
newbie
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Cannot port forward through dstnat

Fri Jun 30, 2023 1:12 am

Great, thanks a lot sindy. More understanding is really useful.

By the way - if the router's IP X.X.X.X port is forwarded (dstnat) from say 3333 to 22, address and port rewriting happens in the prerouting chain at the very end. If I wanted to put in a rule that disables that, I would drop packets going to X.X.X.X port 3333 in the raw table, because that is prior to address and port rewriting by dstnat. I can't drop by input as the packet travels via the forward chain. But in the forward chain its IP and port are rewritten, so if I blocked the new address and port, that might block some other connection attempt too.

Is that about right?
