 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Mk, NAT Open Request [Help needed]

Thu May 02, 2019 4:46 am

Hi there,

I have been looking exhaustively for information on having Open NAT on "multiple clients". I've seen UPnP and 1:1 (which I am doing for one client) with netmap.
But what I am looking for is to open all ports so my devices could have Open NAT while playing online. So far, I know that it's possible, but only for one device. If I activate UPnP, NAT type becomes 2 but moderate while playing.

My setup is like the following:
ISP ---> RB ---> Linksys Switch ----> LAN

Some lan devices are connected directly to the RB due to a DumbAP.

Any ideas will be appreciated. I have been going through this for almost two years and haven't found a concrete solution.
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 6:13 am

NAT hides multiple addresses behind one and it works for outgoing connections. But if there's incoming connection to external address, router must decide where to send it. With NAT 1:1, everything to external address is sent to one internal address. Ports stay the same, only destination address changes, it's easy. UPnP is for selected ports. So internal device A tells router that it needs ports a, b, c forwarded to it, device B tells router that it needs x, y, z. And it also works, because if incoming connection is to port a, it goes to device A, if for port x, it goes to device B, also easy.

You want some magic where incoming connection to port x would go to device A and another incoming connection to same port x would go to device B. That's generally impossible, it could only work with other conditions, e.g. if you could tell that connections to port x that should go to device A will be from address X, while connections to port x that should go to device B will be from elsewhere. That would be possible. But you don't know from where it will come.

There's only one long-term solution and it's IPv6. It allows every device to have own public address, there's no NAT, so all NAT troubles go away.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 2:50 pm

NAT hides multiple addresses behind one and it works for outgoing connections. But if there's incoming connection to external address, router must decide where to send it. With NAT 1:1, everything to external address is sent to one internal address. Ports stay the same, only destination address changes, it's easy. UPnP is for selected ports. So internal device A tells router that it needs ports a, b, c forwarded to it, device B tells router that it needs x, y, z. And it also works, because if incoming connection is to port a, it goes to device A, if for port x, it goes to device B, also easy.
[...]
Thanks for the reply.
I see. The problem is that my ISP does not provide IPv6 yet.
Putting aside the destination stuff you've mentioned, when I dst-nat all ports in TCP/UDP for a given list of addresses, the thing does not work. It only works when I netmap one client, but I need to open more than one.
Therein lies the issue.
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 4:23 pm

I understand what you want. But think about poor router. It has one external address, let's say 1.2.3.4. If a new connection comes to e.g. 1.2.3.4:5678, how can it know if it should send it to internal 192.168.88.10, 192.168.88.20, or some other one? It can't. It's like wanting to hit two completely different targets with one bullet.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 6:31 pm

I understand what you want. But think about poor router. It has one external address, let's say 1.2.3.4. If a new connection comes to e.g. 1.2.3.4:5678, how can it know if it should send it to internal 192.168.88.10, 192.168.88.20, or some other one? It can't. It's like wanting to hit two completely different targets with one bullet.
Yes, probably I haven't made myself clear. The context is online gaming. PSN/XBOX sets NAT Type based on the network. If I connect the PS4/XBOX directly to the modem, they receive NAT Type 1 and in-game NAT Open.

If I connect those consoles through the RB, they receive NAT Type 2 and in-game NAT Moderate. Even if I open all ports with dst-nat ports 1-65535, due to masquerading.

If I assign that console's static IP with the Netmap to send the Public IP, I am able to get the same as connecting the console directly to the modem. The downside is that only one client is possible.

My main question is: How can I do Netmapping to multiple clients (the ones who want open NAT while playing online)?
 
anav
Forum Guru
Posts: 2832
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 7:04 pm

edit removed
Good question, what is going on with MT NAT that is different from a consumer router that just works for this scenario?
I am thinking the extra granularity of MT should provide a config that works!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Thu May 02, 2019 7:25 pm

edit removed
Good question, what is going on with MT NAT that is different from a consumer router that just works for this scenario?
I am thinking the extra granularity of MT should provide a config that works!!
The thing is that I cannot open all ports to a few clients. If I assign Netmap to a client, I lose VPN of my MT and that's not the case.
The main concern is to have all ports open to a client (let's say a router) and that client assigns private IP to console with its DMZ to that console.
Like this:
MT-->Switch --> AP---AP <-- Router ---PS4
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Fri May 03, 2019 6:50 pm

Do you say that when you connect two consoles to the modem directly (i.e. without Mikrotik in between the modem and the consoles) at the same time, both consoles indicate the same NAT type "open" and you can use both simultaneously (with two players playing the same online game each on one of those two consoles)?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
anav
Forum Guru
Posts: 2832
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mk, NAT Open Request [Help needed]

Fri May 03, 2019 8:08 pm

Good question Sindy, are you trying to establish if one gaming console is being used or two being used at the same time?
Q1: Does one gaming console work with normal consumer router to modem (or isp supplied combo router/modem)?
Q2: Do two gaming consoles work at the same time with normal consumer router to modem (or isp supplied combo router/modem)?
Q3: Does one gaming console work with MT router?
Q4: Do two gaming consoles work at the same time with the MT router?

Q5: In any scenario where both consoles are connected at the same time, are players at each console able to play the same game concurrently (online)?
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Fri May 03, 2019 11:14 pm

Do you say that when you connect two consoles to the modem directly (i.e. without Mikrotik in between the modem and the consoles) at the same time, both consoles indicate the same NAT type "open" and you can use both simultaneously (with two players playing the same online game each on one of those two consoles)?
Hi,
Not both at the same time. The topic is for one at the time.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Fri May 03, 2019 11:32 pm

So you want Mikrotik to forward packets coming to its public address to the private one of the console on the LAN, but choose the right one depending on which console is connected at the time?

Because the DMZ approach (1:1 NAT) should be enough to make the console think that the NAT is the "open" type, and the private address can be updated using a script whenever one of the consoles gets an address from Tik's DHCP server. And the VPN access can be preserved using exceptions from the 1:1 dst-nat rule for the ports used for the VPN, unless the console uses the very same ports for its own purposes.
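The two pieces sindy describes above (a catch-all 1:1 dst-nat rule that leaves the router's own VPN port alone, and a DHCP lease script that repoints the rule at whichever console just obtained an address), written out as an added RouterOS example. This is not configuration from the thread or from MikroTik; it assumes an interface list named WAN, a VPN listening on UDP/1194 (placeholder port), a DHCP server named dhcp-lan, and placeholder console MAC addresses.

```routeros
# Added example, not configuration from the thread. Assumptions: interface
# list "WAN" exists, the router's VPN listens on UDP/1194 (placeholder),
# the DHCP server is called "dhcp-lan", console MACs are placeholders.

/ip firewall nat
# Exception first: "accept" in chain=dstnat stops NAT processing, so
# packets for the VPN port stay with the router instead of being forwarded.
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=1194 \
    action=accept comment="keep VPN on the router"
# Catch-all 1:1 forward: no protocol or dst-port match at all, only the
# destination address changes, so every other port reaches the console.
add chain=dstnat in-interface-list=WAN action=dst-nat \
    to-addresses=192.168.88.10 comment="dmz-console"
add chain=srcnat out-interface-list=WAN action=masquerade

# Lease script (RouterOS passes $leaseBound, $leaseActMAC and $leaseActIP
# to it): when one of the listed console MACs binds a lease, move the
# DMZ rule to that console's address. "$" and inner quotes are escaped
# because the script body is stored as a string.
/ip dhcp-server set dhcp-lan lease-script=":if (\$leaseBound = 1 && (\$leaseActMAC = \"AA:BB:CC:DD:EE:01\" || \$leaseActMAC = \"AA:BB:CC:DD:EE:02\")) do={ /ip firewall nat set [find comment=\"dmz-console\"] to-addresses=\$leaseActIP; :log info (\"dmz-console now points to \" . \$leaseActIP) }"
```

Rule order matters: the accept rule has to sit above the catch-all, because dst-nat is evaluated before the router decides whether a packet is for itself. Check the result with /ip firewall nat print and /ip firewall connection print. Keep in mind that a console behind a catch-all dst-nat rule receives every unsolicited inbound packet the public address gets, so nothing else should share that LAN address.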
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Fri May 03, 2019 11:59 pm

Good question Sindy, are you trying to establish if one gaming console is being used or two being used at the same time?
Q1: Does one gaming console work with normal consumer router to modem (or isp supplied combo router/modem)?
Q2: Do two gaming consoles work at the same time with normal consumer router to modem (or isp supplied combo router/modem)?
Q3: Does one gaming console work with MT router?
Q4: Do two gaming consoles work at the same time with the MT router?

Q5: In any scenario where both consoles are connected at the same time, are players at each console able to play the same game concurrently (online)?
A1: The gaming console should connect to internet just fine with a router even if assigned a private IP. Opened ports (directly to the modem) works best.
A2: Should work in a private IP environment. Not sure for public IP assignments. May depend on ISP.
A3: It works but if given an IP from the MT, it might say NAT moderate. Even if dst-nat all TCP/UDP ports to that console's IP. (Might be MT's mistake).
A4: They do but the issue is not if they work but to have Open NAT behind another router.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Sat May 04, 2019 12:02 am

So you want Mikrotik to forward packets coming to its public address to the private one of the console on the LAN, but choose the right one depending on which console is connected at the time?

Because the DMZ approach (1:1 NAT) should be enough to make the console think that the NAT is the "open" type, and the private address can be updated using a script whenever one of the consoles gets an address from Tik's DHCP server. And the VPN access can be preserved using exceptions from the 1:1 dst-nat rule for the ports used for the VPN, unless the console uses the very same ports for its own purposes.
No need for VPN. MT > Linksys Router > PS4.
MT receives public IP. Linksys gives PS4 private.
Linksys should be in DMZ/1:1.

The problem is when I need more than one client in DMZ.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Sat May 04, 2019 3:18 pm

The problem is when I need more than one client in DMZ.
That is why I asked about two PS4s used simultaneously. You said you need just one PS4 but at the same time you say you need two clients in DMZ.

In NAT environment, 1:1 NAT is the best approximation of a DMZ you can get. When a device on a private IP checks how the NAT behaves in particular, it checks with the server whether the server has received the initial request for a connection from the same port from which the client has sent it; this is what Mikrotik normally does unless another client device sends a request to the same remote socket from the same port, as in such case, all the fields used to identify a connection (address:port of the server and address:port of the Mikrotik's WAN) would be identical for both connections so it would not be possible to decide to which of the two connections a packet received at WAN belongs.

For incoming communication requests, where the device on a private side of the NAT acts as a server, the situation is even more hopeless - the address of the remote client cannot be used to choose the required one out of the two addresses on the private side, so you simply cannot have more than a single device in DMZ behind a NAT unless each of them would listen on a different set of ports.
 
anav
Forum Guru
Posts: 2832
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mk, NAT Open Request [Help needed]

Sat May 04, 2019 8:19 pm

Introducing a second router in the mix is I suspect going to be problematic regardless of which user console is going to be used..........
Have you tried connecting the consoles directly to the MT router??
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Sun May 05, 2019 2:46 pm

The problem is when I need more than one client in DMZ.
That is why I asked about two PS4s used simultaneously. You said you need just one PS4 but at the same time you say you need two clients in DMZ.

In NAT environment, 1:1 NAT is the best approximation of a DMZ you can get. When a device on a private IP checks how the NAT behaves in particular, it checks with the server whether the server has received the initial request for a connection from the same port from which the client has sent it; this is what Mikrotik normally does unless another client device sends a request to the same remote socket from the same port, as in such case, all the fields used to identify a connection (address:port of the server and address:port of the Mikrotik's WAN) would be identical for both connections so it would not be possible to decide to which of the two connections a packet received at WAN belongs.

For incoming communication requests, where the device on a private side of the NAT acts as a server, the situation is even more hopeless - the address of the remote client cannot be used to choose the required one out of the two addresses on the private side, so you simply cannot have more than a single device in DMZ behind a NAT unless each of them would listen on a different set of ports.
I agree.
Can this be bypassed by having an address list to DMZ?
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Sun May 05, 2019 2:48 pm

Introducing a second router in the mix is I suspect going to be problematic regardless of which user console is going to be used..........
Have you tried connecting the consoles directly to the MT router??
That router is remotely connected through a wireless CPE, so it is necessary to have a router because that CPE is bridged and the end user needs to connect multiple devices.
Connecting directly to the MT and UPnP works but that's not the scenario.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Sun May 05, 2019 3:14 pm

Can this be bypassed by having an address list to DMZ?
If you mean an address list of the sources in the internet, then yes. You can forward packets for wan.add.re.ss:port to private.add.ress.1:port if they come from a source on address-list "list1", and to private.add.ress.2:port if they come from a source on address-list "list2", and to private.add.ress.3:port if they come from a source which is not on any address list.

Or you can forward the packets to private address chosen up to the destination port.

But you cannot decide which of the three internal addresses to choose if you do not know in advance on which port it listens (or if all of them listen on the same port) or from where the request will come.

It is not a matter of configuration, it is a matter of common sense. If you do not have any information in the packet itself which would tell you where to send it, there is nothing you could use to choose a forwarding (dst-nat) rule.

But I am still wondering about your overall topology. Do the PS4 games send packets between players directly, i.e. not via a gaming server? Because the only scenario I can imagine where you need a real DMZ is that you have two PS4s behind the same public IP, and a third one behind another public IP, and they all participate in the same game, so the third one needs to send direct packets to both the first and second one. Only in this case there is a conflict because when the first PS4 seizes a particular port on the public IP of the WAN interface for a connection with the third one, the second PS4 cannot seize the same port for connection with the third one because the packets coming from the third PS4 to that port would be forwarded to the first console.

So maybe we were not clear enough in the example with two PS4s, where you want to have one connected directly to Mikrotik's LAN and the other one connected to the LAN of the Linksys, but it also gets to the internet via the same Mikrotik as the first one, and we've simplified it to just 2 PS4s on Mikrotik's LAN, approximating the tunnel via Linksys by just a cable?
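The two selection methods sindy lists above (choose the internal address by the source address list the remote peer is on, or by the destination port range), as an added RouterOS example that is not part of the original post. It assumes an interface list named WAN, consoles at 192.168.88.11 to .13, and uses documentation-range source addresses and made-up port ranges as placeholders.

```routeros
# Added example, not configuration from the thread. Assumptions: interface
# list "WAN", three consoles at 192.168.88.11-13, source ranges and port
# ranges are placeholders (documentation addresses, made-up ports).

/ip firewall address-list
add list=list1 address=198.51.100.0/24 comment="peers that must reach console 1"
add list=list2 address=203.0.113.7 comment="peers that must reach console 2"

/ip firewall nat
# Selection by source: the first matching rule wins, so the specific rules
# go above the catch-all.
add chain=dstnat in-interface-list=WAN src-address-list=list1 \
    action=dst-nat to-addresses=192.168.88.11 comment="from list1 -> console 1"
add chain=dstnat in-interface-list=WAN src-address-list=list2 \
    action=dst-nat to-addresses=192.168.88.12 comment="from list2 -> console 2"
# Selection by destination port: only usable if each console can be pinned
# to its own port range (placeholder ranges here).
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=10000-19999 \
    action=dst-nat to-addresses=192.168.88.11 comment="udp 10000-19999 -> console 1"
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=20000-29999 \
    action=dst-nat to-addresses=192.168.88.12 comment="udp 20000-29999 -> console 2"
# Everything that matched neither a source list nor a port range.
add chain=dstnat in-interface-list=WAN action=dst-nat \
    to-addresses=192.168.88.13 comment="everything else -> console 3"
add chain=srcnat out-interface-list=WAN action=masquerade
```

Both methods need information that is present in the packet itself (source address or destination port); a packet from an unknown peer to a port every console listens on always falls through to the catch-all. /ip firewall nat print stats shows which rule each inbound connection is hitting, which is the quickest way to see whether the game traffic actually carries anything a rule can key on.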
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Mon May 06, 2019 11:09 pm

Can this be bypassed by having an address list to DMZ?
If you mean an address list of the sources in the internet, then yes. You can forward packets for wan.add.re.ss:port to private.add.ress.1:port if they come from a source on address-list "list1", and to private.add.ress.2:port if they come from a source on address-list "list2", and to private.add.ress.3:port if they come from a source which is not on any address list.

Or you can forward the packets to private address chosen up to the destination port.

But you cannot decide which of the three internal addresses to choose if you do not know in advance on which port it listens (or if all of them listen on the same port) or from where the request will come.

It is not a matter of configuration, it is a matter of common sense. If you do not have any information in the packet itself which would tell you where to send it, there is nothing you could use to choose a forwarding (dst-nat) rule.

But I am still wondering about your overall topology. Do the PS4 games send packets between players directly, i.e. not via a gaming server? Because the only scenario I can imagine where you need a real DMZ is that you have two PS4s behind the same public IP, and a third one behind another public IP, and they all participate in the same game, so the third one needs to send direct packets to both the first and second one. Only in this case there is a conflict because when the first PS4 seizes a particular port on the public IP of the WAN interface for a connection with the third one, the second PS4 cannot seize the same port for connection with the third one because the packets coming from the third PS4 to that port would be forwarded to the first console.

So maybe we were not clear enough in the example with two PS4s, where you want to have one connected directly to Mikrotik's LAN and the other one connected to the LAN of the Linksys, but it also gets to the internet via the same Mikrotik as the first one, and we've simplified it to just 2 PS4s on Mikrotik's LAN, approximating the tunnel via Linksys by just a cable?
Thanks Sindy for giving your opinion in this topic. Probably, we have gone so deep into this and I would like to clarify the main point here.

PS4 needs open ports to play fine. That's basically it. When the PS4 is connected to a router (MT>Router>PS4) it is receiving a double NAT. Then, if I activate UPnP in the router, nothing happens. There is no record of port requests at the MT level from the router on behalf of the PS4. I don't know if I am making myself understood or doing this correctly. I know it's child's play but not for me at this point. I have been reading for months and no solution.

Then, if I dst-nat all 1-65535 ports to that router, it's not working for some reason. Much less if I have two consoles (XBOX and PS4) in my network.

How can we have all ports open for a given client? That's the issue.
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Mon May 06, 2019 11:33 pm

If you'd have:

MT>Router>(PS4#1,PS4#2,...)

then NAT 1:1 from MT to Router and UPnP on Router should work fine (edit: although maybe not, I'm not sure if client gets public address from UPnP server, it wouldn't be public in this case, if it does). But if it would be anything like:

MT>Router1>PS4#1
MT>Router2>PS4#2
MT>PS4#3

i.e. not all consoles behind the same router, it's probably impossible. You'd either need to configure consoles to each use a different port range and configure such port forwarding on routers (I have no idea if it's possible; probably not, because average user would not be able to configure it anyway). Or there would have to be some UPnP proxy on Router that would receive requests from clients, open ports as usual, and additionally send its own UPnP port opening request to the upstream router. I don't know if anything supports this (RouterOS surely doesn't).
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Mon May 06, 2019 11:42 pm

How can we have all ports open for a given client? That's the issue.
For a single client that's no issue, the dst-nat rule may translate just the destination address and ignore protocol & port completely. So instead of specifying dst-port=1-65535, just leave the dst-port out from the rule completely, much like the default action=masquerade rules in chain=srcnat do. And this way, you can have a triple and quadruple NAT and still nothing happens.

The dst-nat rules are even evaluated before the decision whether the received packet is for the router itself or needs forwarding, so a dst-nat rule forwards even the ports on which the router itself eventually listens.

The trouble starts when there is some other equipment behind the same NAT and that equipment talks from the same ports to the same remote destination like the first one.

That's why I talked about a single PS4 connected directly on Mikrotik's LAN (and with UPnP disabled); if it works to your satisfaction, Mikrotik's handling of 1:1 NAT is not the issue. Have you tried this simplified scenario as a diagnostic step?

A single PS4 behind a Mikrotik and Linksys, each with 1:1 NAT configured, should also not be an issue even with UPnP disabled.

Two PS4 (or one PS4 and something else talking to the same remote services) behind the same public IP will always be a problem no matter whether directly on Mikrotik's (or any other NATing router's) LAN or behind yet another 1:1 NAT device.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 12:04 am

One more idea - if you can extend Mikrotik's LAN to the other site using an L2 tunnel, the PS4 will be able to talk UPnP with the Mikrotik, so you could have two or more (provided that the PS4 accepts a replacement port from the router if the requested one is already occupied).
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 12:21 am

Or another idea (not really a serious one, just for fun), there's a standard for opening ports through double NAT (RFC 6970). So if your other router supports it (or you'd be able to convince manufacturer to add it if not), and you'd be able to convince MikroTik to add PCP server to RouterOS, it would (ok, should) work. The tough question is if one should invest the time and energy in this or better into convincing the world to finally advance with IPv6. Both seem to be long-term projects.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 12:58 am

If you'd have:

MT>Router>(PS4#1,PS4#2,...)

then NAT 1:1 from MT to Router and UPnP on Router should work fine (edit: although maybe not, I'm not sure if client gets public address from UPnP server, it wouldn't be public in this case, if it does). But if it would be anything like:

MT>Router1>PS4#1
MT>Router2>PS4#2
MT>PS4#3

i.e. not all consoles behind the same router, it's probably impossible. You'd either need to configure consoles to each use a different port range and configure such port forwarding on routers (I have no idea if it's possible; probably not, because average user would not be able to configure it anyway). Or there would have to be some UPnP proxy on Router that would receive requests from clients, open ports as usual, and additionally send its own UPnP port opening request to the upstream router. I don't know if anything supports this (RouterOS surely doesn't).
That is a very likely scenario. I'd like to have my consoles with all ports open. There are 3 and that's the problem.
With UPnP and the PS4 connected directly to the MT, it works flawlessly. The problem comes when a router is introduced. I usually use OpenWRT in most of my routers.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 4:33 am

How can we have all ports open for a given client? That's the issue.
That's why I talked about a single PS4 connected directly on Mikrotik's LAN (and with UPnP disabled); if it works to your satisfaction, Mikrotik's handling of 1:1 NAT is not the issue. Have you tried this simplified scenario as a diagnostic step?

When that is done (UPnP: Off), PS4 shows NAT restricted.

A single PS4 behind a Mikrotik and Linksys, each with 1:1 NAT configured, should also not be an issue even with UPnP disabled.


Could you please explain a little bit more of 1:1? Is that for a single device or for the entire LAN? How is that done?

Two PS4 (or one PS4 and something else talking to the same remote services) behind the same public IP will always be a problem no matter whether directly on Mikrotik's (or any other NATing router's) LAN or behind yet another 1:1 NAT device.

Well, the MT is handling a public IP dynamically for worse so I have auto routes.

Unfortunately, there is no IPv6 yet in here.
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 7:35 am

If you have OpenWRT on the other router, it may not be completely hopeless, because you can install additional stuff. So if someone made a proxy like I described:
Or there would have to be some UPnP proxy on Router that would receive requests from clients, open ports as usual, and additionally send own UPnP port opening request to upstream router.
Then you should be able to install it. I don't know if such thing exists, but the idea is logical and not even complicated (well, on first sight at least). So try to look around, maybe you'll be lucky.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 8:49 am

How can we have all ports open for a given client? That's the issue.
That's why I talked about a single PS4 connected directly on Mikrotik's LAN (and with UPnP disabled); if it works to your satisfaction, Mikrotik's handling of 1:1 NAT is not the issue. Have you tried this simplified scenario as a diagnostic step?

When that is done (UPnP: Off), PS4 shows NAT restricted.
OK, so this is the place to start from.

When the only enabled rules in your /ip firewall nat are as shown just below, is it still true that the PS4 reports a restricted NAT when UPnP is disabled?

action=dst-nat chain=dstnat in-interface-list=WAN to-addresses=the.internal.ip.of.ps4
action=masquerade chain=srcnat out-interface-list=WAN

(or, if you don't have the interface list configured, replace in-interface-list=WAN and out-interface-list=WAN by in-interface=your-wan-interface-name and out-interface=your-wan-interface-name respectively).

But regardless of the result (which only tells us whether Mikrotik's NAT behaves the way I always believed it did or not), getting all three PS4s to the LAN of the Mikrotik and enabling UPnP is the only way to make them all happy which doesn't require development or denial of logic.
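The setup sindy ends with (all consoles directly on the Mikrotik's LAN, UPnP enabled on the Mikrotik) as an added RouterOS example, not configuration from the thread or from MikroTik. It assumes ether1 is the WAN interface and the LAN is a bridge named bridge; the masquerade rule from the diagnostic config above is still required.

```routeros
# Added example, not configuration from the thread. Assumptions: ether1 is
# the WAN interface, the consoles sit directly on bridge "bridge".

/ip upnp set enabled=yes \
    allow-disable-external-interface=no \
    show-dummy-rule=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal

# Mappings requested by the consoles show up as dynamic NAT rules. Listing
# them shows which external port each console actually got, including a
# console that was handed a replacement port because its first choice
# was already taken by another one.
/ip firewall nat print where dynamic=yes
```

allow-disable-external-interface=no keeps LAN hosts from taking the WAN interface down through UPnP, and adding only the console segment as type=internal limits which hosts may open ports on the public address at all, since UPnP accepts a mapping request from any host on an internal interface without authentication.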
 
Sob
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 11:48 am

@sindy: I have one more idea about UPnP and double NAT, but I'm lacking knowledge about one needed part, maybe you know something about it. I'm not sure how much it can help OP, but let's assume that I want to do it with two RouterOS devices. Both under my control, but for some reason there must be different subnets.

To open port using UPnP, first there's SSDP discovery (UDP to 239.255.255.250:1900), it returns location of UPnP server, and the rest is easy, because it's just HTTP. But discovery is the interesting part. What if client received IP address of primary router as UPnP server (i.e. from different subnet)?

RouterOS happily accepts completely different internal address as destination for open port (e.g. client 192.168.88.10 can request port forwarded to 192.168.222.22 and RouterOS doesn't complain). So I guess it wouldn't complain either if 192.168.222.22 (i.e. address from non-local subnet) was the client (but I didn't test this part yet). Client could also accept UPnP server from remote subnet, I don't see anything clearly wrong with that, but of course it would depend on client.

The critical part is how to make discovery return the right server address. And this is where I'm lost. The 239.255.255.250 is multicast and it should be somehow possible to forward it between interfaces, but I'm ashamed to admit that I've never done anything with multicast before, so I don't even know where to start. Do you know more than I do about this? Not necessarily all details, mainly just if it's completely wrong way or not.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
sindy
Forum Guru
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 12:05 pm

I've never done anything with multicast before, so I don't even know where to start. Do you know more than I do about this?
Just a small bit which doesn't help here. But unless you expect the inner NAT to be a 1:1 one again, I think it's not important because in case of stacked NATs, the client would have to be aware of the existence of stacked NAT and use UPnP to request ports at the inner NAT and then, based on the result, request a port on the outer NAT in the name of the inner one. Or, as you've suggested before, the inner NAT would have to act as UPnP client, request a port at the outer NAT, and based on that inform the client about the outer IP and port he's got. So it is probably a scriptable thing if you dive into UPnP enough, but the inner NAT must be able to run scripts, and its UPnP server functionality would have to be fully replaced by the script (in terms that it would receive the requests from the actual client, convert them into outgoing requests to the outer NAT, and create according rules in its own firewall).

As for the multicast routing, it is basically that when one of router's neighbors subscribes for some multicast group, the router should subscribe to the same group on its other interfaces, and then forward whatever comes for this group (= to this multicast address) to the original subscriber (or more thereof). On Mikrotik, a package called multicast must be installed for that.
 
Sob
Forum Guru
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 3:00 pm

Oops, sorry, I wrote double NAT, but I guess what I actually meant was just different routed subnet. Well, I started thinking about double NAT, but I got somehow lost in it. ;)
 
anav
Forum Guru
Forum Guru
Posts: 2832
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 4:19 pm

Don't feel bad, I got lost at least 5 posts ago LOL.........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 6:00 pm

I'm not lost, I just took a wrong turn. :)

Btw, this looks like the proxy I thought about: https://github.com/tomaszmrugalski/portproxy (but I didn't test it).
 
sindy
Forum Guru
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Tue May 07, 2019 11:42 pm

I'd say you've just switched on the wrong winker rather than actually taken a wrong turn :)

Judging by this self-answered topic on another forum that Google has yielded, it seems that configuring multicast on Mikrotik is not an issue at all.
 
Sob
Forum Guru
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Wed May 08, 2019 2:51 am

Uff, I had a look at the multicast package and let's say that I'm starting to understand how @anav sometimes feels about things. ;) Or in other words, I'll keep that one for long winter nights; there are so many things, and for a multicast beginner it's not clear at all.

But for the record, I solved my UPnP for a routed subnet (without NAT on the second router). Even though I was able to forward multicast SSDP packets through the router, and I got replies back, for some reason the client ignored them. But often when fine tools fail, a hammer will do the job. So I just enabled UPnP on both routers and, since RouterOS always seems to use TCP port 2828, I just added a dstnat from <second router's LAN IP>:2828 to <first router's LAN IP>:2828. The client thinks that it talks to the router it's connected to, but all requests go to the upstream router. It's a hack, but it works like a charm here. The downside is that port 2828 doesn't seem to be any standard; from what I found, it can be anything, so interoperability with devices from other manufacturers could be a problem. But as long as the other router uses a static port for its own UPnP (even if it's a different one), and it is configurable enough to add the required dstnat rule, it should work too.

There's still problem if second router has NAT. But I'm wondering, in this case:
That router is remotely connected through a wireless CPE so, it is necessary to have a router because that CPE is bridged and the end user needs to connect multiple devices.
Is NAT on second router absolutely necessary? Couldn't there be just a routed subnet? I don't know what exactly it is, if some serious ISP network, it could be a problem, but in some hobby network it could be ok.
 
sindy
Forum Guru
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Wed May 08, 2019 8:30 am

It largely depends on that wireless CPE's capabilities whether NAT can be switched off on it.

I didn't get the part about the client's ignoring of responses being resolved by port-forwarding its requests (is it 2828 on the multicast address or on the unicast one?), nor why UPnP must be enabled on the Tik adjacent to the client to make the port-forwarding work. Maybe it's because I'm not reading it at 2 AM?
 
Sob
Forum Guru
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Wed May 08, 2019 8:02 pm

2AM is not mandatory, it still makes sense now. :)

There are two parts. First is SSDP discovery (from client to udp 239.255.255.250:1900), and the router sends back a response containing the address of the control endpoint http://<router>:2828 (I'm not sure what it's officially called). I was able to get the discovery through the router with the multicast package, I saw the response on the client with Wireshark, but for some reason the client didn't like it, because no further communication followed. When I enable UPnP on the second router, the only goal is to make SSDP discovery work. The client accepts the response from the second router, gets http://<second router>:2828, but all requests sent there are dstnatted to <first router>:2828. And because UPnP (at least in RouterOS) on the first router doesn't care which clients the requests come from, or what target address is requested for the forwarded ports, it works.
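The two-part exchange described above (multicast M-SEARCH, unicast reply carrying the LOCATION URL of the HTTP control server), as an added example that is not part of the forum posts or of RouterOS. The reply, the 192.168.x.x addresses, the gateway.xml path and the on-link check (a diagnostic for the thread's hypothesis that the client drops replies pointing at a non-connected subnet) are all assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

SSDP_MCAST = ("239.255.255.250", 1900)  # well-known SSDP multicast group/port
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(target: str = IGD, mx: int = 2) -> bytes:
    """M-SEARCH request a UPnP client multicasts to 239.255.255.250:1900."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_MCAST[0]}:{SSDP_MCAST[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(raw: bytes) -> dict:
    """Headers of the unicast SSDP reply, names upper-cased; non-200 rejected."""
    status, _, rest = raw.decode("ascii", errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def control_endpoint(headers: dict) -> tuple:
    """(host, port) of the HTTP control server named by LOCATION."""
    url = urlsplit(headers["LOCATION"])
    return url.hostname, url.port or 80

def endpoint_is_on_link(host: str, client_networks) -> bool:
    """True if the control server sits in a subnet the client is attached to.
    Assumed diagnostic for the thread's hypothesis that the client drops
    replies pointing at a non-connected subnet."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in client_networks)

# Constructed reply: RouterOS-style control server on tcp/2828, dummy USN.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:2828/gateway.xml\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    host, port = control_endpoint(parse_ssdp_response(SAMPLE_REPLY))
    # client on 192.168.2.0/24 (the routed subnet behind the second router)
    print(host, port, "on-link" if endpoint_is_on_link(host, ["192.168.2.10/24"]) else "off-link")
```

With the client placed in 192.168.2.0/24 the reply points off-link, which is the situation the forwarded multicast produced; the 2828 dstnat trick makes the client see an on-link LOCATION instead.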
 
sindy
Forum Guru
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Thu May 09, 2019 12:41 am

... I saw the response on client with Wireshark, but for some reason client didn't like it, because no further communication followed. When I enable UPnP on second router, the only goal is to make SSDP discovery work. Client accepts response from second router, ...
Okay, at third reading it clicked after all (well, 2 AM is not so far away). When you replace the word "second" by "the closer one to the client" or "inner", things start making sense. So the client likely ignores service discovery responses indicating a unicast address in a non-connected subnet (what else could be the reason), so you satisfy it by giving it a response from a device in a connected subnet, and then steal the requests for that address and deliver them where you really need them to go. Cool. It means that you actually don't need the multicast routing at all, provided that the "closer to the client" router supports UPnP and port forwarding in the LAN -> WAN direction, and that the "outer" or "closer to internet" router doesn't mind getting client requests from a non-connected subnet.
 
Sob
Forum Guru
Forum Guru
Posts: 4187
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mk, NAT Open Request [Help needed]

Thu May 09, 2019 2:37 am

That's it. Sorry for confusing terms.
... the "closer to the client" router supports UPnP and port forwarding in LAN -> WAN direction, ...
The latter disqualifies all simple consumer routers I've ever seen.
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Tue May 14, 2019 3:06 am

https://ibb.co/rw50dGW
Even if the Xbox is statically connected and with all ports "open", it still shows NAT restricted at the console level.
 
CZFan
Forum Guru
Forum Guru
Posts: 1258
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Mk, NAT Open Request [Help needed]

Tue May 14, 2019 3:34 am

I think it is time you provide the config. In a terminal window,
Export file=YourFileName hide-sensitive and either attach the file here or copy and paste the contents between source code brackets
MTCNA, MTCTCE, MTCRE & MTCINE
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Fri May 17, 2019 3:25 pm

I think it is time you provide the config. In a terminal window,
Export file=YourFileName hide-sensitive and either attach the file here or copy and paste the contents between source code brackets
Modem > MT > Switch
UPnP: On

NAT
chain=srcnat action=masquerade out-interface=WAN1 PoE log=no 
      log-prefix=""

Filter
 ;;; DMZ Gaming
      chain=forward action=accept connection-nat-state=dstnat 
      in-interface=WAN1 PoE log=no log-prefix=""
So far this is what I have aside from DNS redirection and QoS.
 
sindy
Forum Guru
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mk, NAT Open Request [Help needed]

Fri May 17, 2019 3:31 pm

So there is no chain=dstnat action=dst-nat in-interface=WAN1 to-addresses=the.ip.of.the.console rule in /ip firewall nat?
 
Lebzul
newbie
Topic Author
Posts: 30
Joined: Wed Feb 21, 2018 12:54 am

Re: Mk, NAT Open Request [Help needed]

Sat May 18, 2019 3:48 am

So there is no chain=dstnat action=dst-nat in-interface=WAN1 to-addresses=the.ip.of.the.console rule in /ip firewall nat?
If I do that, the rule only works for one of the two consoles when connected directly to MT. If I want both, I need to activate UPnP. But, the problem is when I have the console behind another router.
