
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

dst-nat with changing port

Tue May 14, 2019 9:23 pm

I am attempting to forward ssh connections that connect to a WAN-side address on one interface at port 8122 and forward them to address 172.21.2.3 port 22.

If I change the rule to forward xxx.xxx.xxx.xxx port 22 to 172.21.2.3 port 22, the connection is successful:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=22 log=\
yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

However, if I change the dst-port on the same rule to 8122 and attempt to connect, it times out:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=8122 log=\
yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

add action=accept chain=forward dst-address=\
172.21.2.3 dst-port=22 log=yes protocol=tcp

I have also tried allowing forwarding and input to port 22 and 8122 to no avail.

I can provide any other specifics.
Thanks
 
baragoon
Member Candidate
Posts: 120
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: dst-nat with changing port

Wed May 15, 2019 10:08 am

/ip firewall nat
add action=netmap chain=dstnat dst-address=WAN.IP.ADD.RESS dst-port=8122 protocol=tcp to-addresses=172.21.2.3 to-ports=22
should work
 
Anumrak
Forum Veteran
Posts: 946
Joined: Fri Jul 28, 2017 2:53 pm

Re: dst-nat with changing port

Wed May 15, 2019 10:48 am

You should check the availability of your changed port from outside, for example on some web site that can check it. If it is closed, then your ISP is just filtering unknown ports. Also, you have to have a globally unique IP address, not one from a private range.
 
vecernik87
Long time Member
Posts: 632
Joined: Fri Nov 10, 2017 8:19 am

Re: dst-nat with changing port

Wed May 15, 2019 11:02 am

@cwsupport: Netmap is not necessary.
Its only advantage is that it allows a range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because the OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch to it.

@baragoon: Is it possible that some other firewall rule interferes with it? I tried to set it up on a completely blank lab router and it worked without issue. The following is my config:
/ip firewall filter
add action=accept chain=forward comment="Allow established traffic" connection-state=established,related
add action=accept chain=forward comment="Allow new SSH traffic from WAN to LAN" dst-address=10.245.25.95 dst-port=22 protocol=tcp
add action=accept chain=forward comment="Allow traffic from LAN to WAN" in-interface=ether5 out-interface=ether2
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=masquerade out-interface=ether2
add action=dst-nat chain=dstnat dst-address=10.245.24.229 dst-port=8122 protocol=tcp to-addresses=10.245.25.95 to-ports=22
(10.245.24.0/24 is the lab's WAN, 10.245.25.0/24 is the internal network)

With this, all I need is to run the SSH command (for example on linux):
ssh vecernik@10.245.24.229 -p 8122

Instantly after running this command, I see that the counters on both the forward rule (allow ssh traffic) and the dstnat rule increased - that proves that my connection reached the router.
It is important to allow forwarding on the way back, typically using a filter rule (chain forward, allow established/related).

If your counters don't increase, your router is not even being reached on that port number. It is not uncommon for ISPs to block some port numbers.
If your counters increase, that proves your router was reached and ip+port were translated.

If you can't figure it out, you can either share the rest of your config (as always - feel free to mask sensitive info) or you can try to use the packet sniffer to see where you lose your data. There should be a clearly visible packet coming into your WAN interface, then out from your LAN interface. After that, there should be a reply coming into your LAN interface and again out from the WAN interface. If one of these steps does not show up, that's where your problem is :)

@Anumrak: Good point about a non-public IP on the WAN! I didn't think about that.
 
Anumrak
Forum Veteran
Posts: 946
Joined: Fri Jul 28, 2017 2:53 pm

Re: dst-nat with changing port

Wed May 15, 2019 11:18 am

We're all here to help ;)
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Wed May 15, 2019 11:48 pm

Hi, thanks for the replies so far. Here is some more info:

Definitely a public ip and the port is open.
I have rules allowing established/related packets, etc.
This seems to be a strange issue in this case. I haven't done a packet capture yet, but I can see the SYN packet logged in the tik on port 8122, but nothing in the log beyond that. If I set it to 22, I see a similar initial packet logged and then I see post-NAT packets leave. I have a very similar configuration on a CHR running 6.43.2 and just did a quick test and confirmed no issue with the expected configuration. These 2 new CHRs are running 6.44.3. I think I may spin up one running 6.43.2 and migrate the configuration to see if it is just with this version. Thanks for the help so far.
 
vecernik87
Long time Member
Posts: 632
Joined: Fri Nov 10, 2017 8:19 am

Re: dst-nat with changing port

Thu May 16, 2019 1:38 am

Thanks for the update.
Personally I don't think this has something to do with the version. If you are sure that the packet enters the Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). To understand how the process of packet forwarding works, you might be interested in the following article: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
As you track your packet going through the flow diagram, you can relatively easily log it with Mangle (prerouting/forward/postrouting chains), Filter (forward chain) and NAT (dstnat chain). Just be careful to interpret the results correctly - rules which occur before the "dstnat" block (mangle-prerouting and raw-prerouting) need to be set up with your public IP and public port, while rules which occur after the "dstnat" block (all remaining) need to be set up with your internal IP and internal port. (Just making sure, because it is common to misunderstand packet flow and misconfigure the rules.)
Also keep in mind that rules in each table are evaluated according to their number, so it matters which rule comes first and which is second. Some of your existing rules might be preventing you from doing this.
 
rbnewfan
newbie
Posts: 27
Joined: Sat Oct 22, 2016 5:23 pm

Re: dst-nat with changing port

Thu May 16, 2019 10:11 am

On 6.44.3 I have NAT rules that change ports from outside to inside and they work OK.
There is something else in your config(s) (not necessarily in your tik devices) for sure that screws things up.
 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dst-nat with changing port

Thu May 16, 2019 3:33 pm

Post your config
/export hide-sensitive file=yourconfigmay16
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Thu May 16, 2019 5:33 pm

Here it is.

# may/16/2019 08:51:21 by RouterOS 6.44.3
# software id =
#
#
#
/interface bridge
add name=lo
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-Lan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-Wan
set [ find default-name=ether3 ] disable-running-check=no name=\
ether3-IntraNet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=172.21.0.8
/ip address
add address=172.19.19.2/29 disabled=yes interface=ether2-Wan network=\
172.19.19.0
add address=172.19.19.10/30 interface=ether3-IntraNet network=172.19.19.8
add address=172.21.0.8 interface=lo network=172.21.0.8
add address=172.21.2.1/28 interface=ether1-Lan network=172.21.2.0
add address=aaa.bb.ccc.218/29 interface=ether2-Wan network=aaa.bb.ccc.216
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.22.0.0/24 list=CW_Mgmt
add address=aa.aa.aa.4 list=CW_Mgmt
add address=aa.aa.aa.10 list=CW_Mgmt
add address=172.22.0.0/24 list=InternalNets
add address=172.21.0.0/16 list=InternalNets
/ip firewall filter
add action=drop chain=input comment=Inv connection-state=invalid
add action=drop chain=forward comment=Inv connection-state=invalid
add action=accept chain=input comment=Est/Rel connection-state=\
established,related
add action=accept chain=forward comment=Est/Rel connection-state=\
established,related
add action=accept chain=input comment=CW_Mgmt src-address-list=CW_Mgmt
add action=accept chain=forward comment=CW_Mgmt src-address-list=CW_Mgmt
add action=accept chain=forward comment="PWC SSH Access" dst-address=\
172.21.2.3 dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="Drop SSH brute force" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="SSH Block stage 3" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="SSH Block stage 2" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="SSH Block stage 1" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="SSH Block stage 0" \
connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop ftp brute force if ftp is enabled" \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="Limit bad ftp attempts to 10/min" \
content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=\
tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment=\
"Add ftp brute force ip to address list" content="530 Login incorrect" \
protocol=tcp
add action=accept chain=input comment=WinboxExternalAccess dst-port=8291 \
protocol=tcp src-address-list=CW_Mgmt
add action=accept chain=input comment=TimeService protocol=udp src-port=15252
add action=accept chain=input comment=SSHExternalAccess dst-port=22 protocol=\
tcp
add action=accept chain=input comment=ospfExternalAccess protocol=ospf
add action=accept chain=input comment=SSLWebConfigExternalAccess dst-port=\
10101 protocol=tcp
add action=accept chain=forward comment=LocalOut src-address=172.21.2.0/28
add action=accept chain=forward comment="DNS Server Access" dst-address=\
172.21.2.2 dst-port=53 protocol=udp
add action=drop chain=forward comment=DropElse
add action=drop chain=input comment=DropElse
/ip firewall nat
add action=dst-nat chain=dstnat comment="PWC SSH" dst-address=aaa.bb.ccc.218 \
dst-port=8122 log=yes protocol=tcp to-addresses=172.21.2.3 to-ports=22
add action=masquerade chain=srcnat comment="Masq Out" out-interface=\
ether2-Wan
/ip route
add distance=1 gateway=aaa.bb.ccc.217
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing ospf interface
add interface=ether3-IntraNet network-type=point-to-point
/routing ospf network
add area=backbone network=172.19.19.8/30
add area=backbone network=172.21.2.0/28
add area=backbone network=172.21.0.0/24
/system clock
set time-zone-name=America/Denver
/system identity
set name=nashCWchrFW01
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Sat May 18, 2019 3:56 am

Bump due to forum issue yesterday
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Mon May 20, 2019 10:21 pm

Anyone have any other ideas? Is there some other info that will help?

Thanks
 
djcharipar
just joined
Posts: 1
Joined: Thu Nov 02, 2017 5:43 pm

Re: dst-nat with changing port

Mon May 20, 2019 11:04 pm

Hello

I am having problems with a simple dstnat rule to allow DVR access from a mobile app.
Port config on the router:

Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 S combo1 1500 64:D1:54:EF:AF:1E enabled
1 S ether1 1500 64:D1:54:EF:AF:1F enabled
2 S ether2 1500 64:D1:54:EF:AF:20 enabled
3 S ether3 1500 64:D1:54:EF:AF:21 enabled
4 S ether4 1500 64:D1:54:EF:AF:22 enabled
5 RS ether5 1500 64:D1:54:EF:AF:23 enabled
6 S ether6 1500 64:D1:54:EF:AF:24 enabled dvr port
7 R ;;; Mediacom Wan
ether7_Mediacom 1500 64:D1:54:EF:AF:25 enabled
8 RS sfp-sfpplus1 1500 64:D1:54:EF:AF:1D proxy-arp

I have set a firewall filter rule: chain forward, 100.69.1.0/24, tcp dst-port 9010, action accept

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=dstnat action=dst-nat to-addresses=100.69.1.204 to-ports=9010 
      protocol=tcp in-interface=ether7_Mediacom dst-port=9010 log=no 
      log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=100.69.1.204 to-ports=8245 
      protocol=tcp in-interface=ether7_Mediacom dst-port=8245 log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=ether7_Mediacom log=no 
      log-prefix="" 
Filter rules:
/ip firewall filter> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=tcp dst-port=8728 log=no log-prefix="" 

 1    chain=input action=accept protocol=tcp dst-address=100.64.0.0/22 
      dst-port=8245 log=no log-prefix="" 

 2    chain=forward action=accept protocol=tcp dst-address=100.69.1.0/24 
      dst-port=9010 log=no log-prefix="" 

 3    ;;; **INPUTFW_v1.3 ** - Check to see if we have detected a hacker
      chain=forward action=jump jump-target=traphackers log=no log-prefix="" 

 4    ;;; **INPUTFW_v1.3 ** - Accept Established
      chain=forward action=accept connection-state=established log=no 
      log-prefix="" 

 5    ;;; **INPUTFW_v1.3 ** - Accept Related
      chain=forward action=accept connection-state=related log=no log-prefix="" 

 6    ;;; **INPUTFW_v1.3 ** - Drop Invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; **INPUTFW_v1.3 ** - Manage UDP Attack Vectors
      chain=forward action=jump jump-target=udp_attacks protocol=udp log=no 
      log-prefix="" 

 8    ;;; **INPUTFW_v1.3 ** - Process firewall exceptions
      chain=forward action=jump jump-target=exceptions log=no log-prefix="" 

 9    ;;; **INPUTFW_v1.3 ** - ***PLACEMARK***DO_NOT_DELETE
      chain=forward action=passthrough log=no log-prefix="" 

10    ;;; **INPUTFW_v1.3 ** - Check for Virus Traffic
      chain=forward action=jump jump-target=known_viruses log=no log-prefix="" 

11    ;;; **INPUTFW_v1.3 ** - Allow ICMP Ping
      chain=RouterServices action=accept protocol=icmp log=no log-prefix="" 

12    ;;; **INPUTFW_v1.3 ** - Allow DHCP
      chain=RouterServices action=accept protocol=udp dst-port=67-68 log=no 
      log-prefix="" 

13    ;;; **INPUTFW_v1.3 ** - Allow DNS internally
      chain=RouterServices action=accept protocol=udp src-address-list=LOCALIP 
      dst-port=53 log=no log-prefix="" 

14    ;;; **INPUTFW_v1.3 ** - Allow MAC-Winbox
      chain=RouterServices action=accept protocol=udp dst-port=20561 log=no 
      log-prefix="" 

15 X  ;;; **INPUTFW_v1.3 ** - Allow Winbox for anyone
      chain=RouterServices action=accept protocol=tcp dst-port=8291 log=no 
      log-prefix="" 

16    ;;; **INPUTFW_v1.3 ** - Allow LDP
      chain=RouterServices action=accept protocol=tcp port=646 log=no 
      log-prefix="" 

17    ;;; **INPUTFW_v1.3 ** - Allow LDP
      chain=RouterServices action=accept protocol=udp port=646 log=no 
      log-prefix="" 

18 X  ;;; **INPUTFW_v1.3 ** - Allow OSPF
      chain=RouterServices action=accept protocol=ospf log=no log-prefix="" 

19 X  ;;; **INPUTFW_v1.3 ** - Allow RIP
      chain=RouterServices action=accept protocol=udp src-port=520-521 log=no 
      log-prefix="" 

20 X  ;;; **INPUTFW_v1.3 ** - Allow RIP
      chain=RouterServices action=accept protocol=tcp src-port=520-521 log=no 
      log-prefix="" 

21 X  ;;; **INPUTFW_v1.3 ** - Allow BGP
      chain=RouterServices action=accept protocol=tcp dst-port=179 log=no 
      log-prefix="" 

22 X  ;;; **INPUTFW_v1.3 ** - NTP server - Allowed internally
      chain=RouterServices action=accept protocol=udp src-address-list=LOCALIP 
      dst-port=123 log=no log-prefix="" 

23 X  ;;; **INPUTFW_v1.3 ** - Web-proxy
      chain=RouterServices action=accept protocol=tcp src-address-list=LOCALIP 
      dst-port=3128 log=no log-prefix="" 

24    ;;; **INPUTFW_v1.3 ** - Allow localhost comms to work
      chain=RouterServices action=accept src-address=127.0.0.1 
      dst-address=127.0.0.1 log=no log-prefix="" 

25    ;;; **INPUTFW_v1.3 ** - Allow TCP bandwidth test INSIDE
      chain=RouterServices action=accept protocol=tcp src-address-list=LOCALIP 
      dst-port=2000 log=no log-prefix="" 

26    ;;; **INPUTFW_v1.3 ** - Allow UDP bandwidth test INSIDE
      chain=RouterServices action=accept protocol=udp src-address-list=LOCALIP 
      dst-port=2000 log=no log-prefix="" 

27    ;;; **INPUTFW_v1.3 ** - Allow Mikrotik router discovery INSIDE
      chain=RouterServices action=accept protocol=udp src-address-list=LOCALIP 
      dst-port=5678 log=no log-prefix="" 

28    ;;; **INPUTFW_v1.3 ** - Allow L2TP
      chain=RouterServices action=accept protocol=udp dst-port=1701 log=no 
      log-prefix="" 

29    ;;; **INPUTFW_v1.3 ** - Allow L2TP
      chain=RouterServices action=accept protocol=tcp dst-port=1701 log=no 
      log-prefix="" 

30    ;;; **INPUTFW_v1.3 ** - Allow PPTP
      chain=RouterServices action=accept protocol=tcp dst-port=1723 log=no 
      log-prefix="" 

31 X  ;;; **INPUTFW_v1.3 ** - Allow OpenVPN
      chain=RouterServices action=accept protocol=tcp dst-port=1194 log=no 
      log-prefix="" 

32 X  ;;; **INPUTFW_v1.3 ** - Allow OpenVPN
      chain=RouterServices action=accept protocol=udp dst-port=1194 log=no 
      log-prefix="" 

33 X  ;;; **INPUTFW_v1.3 ** - Allow GRE PPtP and EoIP
      chain=RouterServices action=accept protocol=gre log=no log-prefix="" 

34 X  ;;; **INPUTFW_v1.3 ** - Allow ISAKMP - for IPSEC
      chain=RouterServices action=accept protocol=tcp dst-port=500 log=no 
      log-prefix="" 

35 X  ;;; **INPUTFW_v1.3 ** - Allow ISAKMP - for IPSEC
      chain=RouterServices action=accept protocol=udp dst-port=500 log=no 
      log-prefix="" 

36 X  ;;; **INPUTFW_v1.3 ** - Allow  protocol 50 - IPSEC
      chain=RouterServices action=accept protocol=ipsec-esp log=no 
      log-prefix="" 

37 X  ;;; **INPUTFW_v1.3 ** - Allow protocol 51 - IPSEC
      chain=RouterServices action=accept protocol=ipsec-ah log=no log-prefix="" 

38 X  ;;; **INPUTFW_v1.3 ** - Allow VRRP
      chain=RouterServices action=accept protocol=vrrp log=no log-prefix="" 

39    ;;; **INPUTFW_v1.3 ** - Add SSH attempts to hacker list - 1 hour
      chain=hackertraps action=add-src-to-address-list protocol=tcp 
      address-list=hacker address-list-timeout=1h dst-port=22 log=no 
      log-prefix="" 

40    ;;; **INPUTFW_v1.3 ** - Add FTP attempts to hacker list - 1 hour
      chain=hackertraps action=add-src-to-address-list protocol=tcp 
      address-list=hacker address-list-timeout=1h dst-port=21 log=no 
      log-prefix="" 

41    ;;; **INPUTFW_v1.3 ** - Add telnet attempts to hacker list - 1 hour
      chain=hackertraps action=add-src-to-address-list protocol=tcp 
      address-list=hacker address-list-timeout=1h dst-port=23 log=no 
      log-prefix="" 

42    ;;; **INPUTFW_v1.3 ** - Add port scanners to hacker list
      chain=hackertraps action=add-src-to-address-list protocol=tcp 
      psd=15,3s,3,1 address-list=hacker address-list-timeout=1h log=no 
      log-prefix="" 

43    ;;; **INPUTFW_v1.3 ** - Ensure we do not drop our local IPs if they get ad>
 to the hacker list accidentally
      chain=traphackers action=return src-address-list=LOCALIP log=no 
      log-prefix="" 

44    ;;; **INPUTFW_v1.3 ** - Protect customers from known hackers
      chain=traphackers action=drop src-address-list=hacker log=no 
      log-prefix="" 

45    ;;; **INPUTFW_v1.3 ** - Windows Netbios
      chain=known_viruses action=drop protocol=tcp dst-port=135-139 log=no 
      log-prefix="" 

46    ;;; **INPUTFW_v1.3 ** - Windows Netbios
      chain=known_viruses action=drop protocol=udp dst-port=135-139 log=no 
      log-prefix="" 

47    ;;; **INPUTFW_v1.3 ** - Windows Netbios
      chain=known_viruses action=drop protocol=tcp dst-port=445 log=no 
      log-prefix="" 

48    ;;; **INPUTFW_v1.3 ** - Windows Netbios
      chain=known_viruses action=drop protocol=udp dst-port=445 log=no 
      log-prefix="" 

49    ;;; **INPUTFW_v1.3 ** - Accept Established
      chain=input action=accept connection-state=established log=no 
      log-prefix="" 

50    ;;; **INPUTFW_v1.3 ** - Accept Related
      chain=input action=accept connection-state=related log=no log-prefix="" 

51    ;;; **INPUTFW_v1.3 ** - Drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

52    ;;; **INPUTFW_v1.3 ** - Accept ALL from fulladmin address list
      chain=input action=accept src-address-list=fulladmin log=no log-prefix="" 

53 X  ;;; **INPUTFW_v1.3 ** - Allow webadmins access to webbox and webfig
      chain=input action=accept protocol=tcp src-address-list=webadmin 
      dst-port=80 log=no log-prefix="" 

54 X  ;;; **INPUTFW_v1.3 ** - Allow snmpadmin access to snmp
      chain=input action=accept protocol=udp src-address-list=snmpadmin 
      dst-port=161 log=no log-prefix="" 

55    ;;; **INPUTFW_v1.3 ** - Jump to Router Services chain
      chain=input action=jump jump-target=RouterServices log=no log-prefix="" 

56    ;;; **INPUTFW_v1.3 ** - trap Hacker Behavior
      chain=input action=jump jump-target=hackertraps log=no log-prefix="" 

57    ;;; **INPUTFW_v1.3 ** - no need to log netbios stuff
      chain=input action=jump jump-target=known_viruses log=no log-prefix="" 

58 X  ;;; **INPUTFW_v1.3 ** - Disable this when you are sure you have everything>
rking
      chain=input action=log log=no log-prefix="INPUTFW:" 

59    ;;; **INPUTFW_v1.3 ** - Drop all remaining traffic - ENABLE THIS WHEN YOU >
 SURE EVERYTHING WORKS
      chain=input action=drop log=no log-prefix="" 

60 X  ;;; **INPUTFW_v1.3 ** - Placeholder for the exceptions chain DISABLED INTE>
ONALLY- NEW rules should go BELOW this rule
      chain=exceptions action=passthrough log=no log-prefix="" 

61    ;;; **INPUTFW_v1.3 ** - Do not limit customers UDP traffic
      chain=udp_attacks action=return src-address-list=LOCALIP log=no 
      log-prefix="" 

62    ;;; **INPUTFW_v1.3 ** - Allow dns traffic to the PUBLICDNS list
      chain=udp_attacks action=accept protocol=udp dst-address-list=PUBLICDNS 
      dst-port=53 log=no log-prefix="" 

63    ;;; **INPUTFW_v1.3 ** - Allow ntp traffic to the PUBLICNTP list
      chain=udp_attacks action=accept protocol=udp dst-address-list=PUBLICNTP 
      dst-port=123 log=no log-prefix="" 

64    ;;; **INPUTFW_v1.3 ** - Drop all other INBOUND dns traffic
      chain=udp_attacks action=drop protocol=udp dst-port=53 log=no 
      log-prefix="" 

65    ;;; **INPUTFW_v1.3 ** - Drop all other INBOUND ntp traffic
      chain=udp_attacks action=drop protocol=udp dst-port=123 log=no 
      log-prefix="" 

66    ;;; **INPUTFW_v1.3 ** - SCRIPTTEMP
      chain=forward action=accept log=no log-prefix="" 
I have disabled all filter rules and still no luck.
Help
Thanks
DJC
 
sindy
Forum Guru
Posts: 3280
Joined: Mon Dec 04, 2017 9:19 pm

Re: dst-nat with changing port

Mon May 20, 2019 11:59 pm

I cannot see anything wrong with your configuration. Are you testing from a device on the LAN, or does the request from the test client really come in via ether2-Wan?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Tue May 21, 2019 12:33 am

Yeah, I can't see a problem either. I have tested from multiple remote locations all of which connect to ether2-Wan. I can see the SYN packet on ether2-Wan in the logs. If I change the nat rule from this:

add action=dst-nat chain=dstnat comment="PWC SSH" dst-address=aaa.bb.ccc.218 \
dst-port=8122 log=yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

to this:

add action=dst-nat chain=dstnat comment="PWC SSH" dst-address=aaa.bb.ccc.218 \
dst-port=22 log=yes protocol=tcp to-addresses=172.21.2.3 to-ports=22

With the only change being the dst-port, I can connect through to the internal ssh server fine. I have tried this on another CHR with the same version on a different network and have the same issue. I have tried about 5 different dst-ports with the same result. I think my next step is to try an older CHR version and see if I have the same issue. I don't have this issue on CHRs running 6.43.2.
 
sindy
Forum Guru
Posts: 3280
Joined: Mon Dec 04, 2017 9:19 pm

Re: dst-nat with changing port

Tue May 21, 2019 12:39 am

Hm. It sounds to me as if the to-ports wasn't taken into account. Can you try to add a rule like action=log dst-port=8122 chain=forward to the beginning of /ip firewall filter? If my guess is correct, the dst-address changes but not the dst-port. And it would be a bug worth sending to support@mikrotik.com of course.

 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Tue May 21, 2019 6:55 pm

Sorry for the long post. Here are some logs taken from the client and the CHR I am attempting to forward through. I logged for both forwarding 8122 > 22 and 22 > 22. Forwarding 22 > 22 successfully connects.

Log from client system when forwarding port 8122 to port 22
08:44:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (SYN), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 60
08:44:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (SYN,ACK), aaa.bb.ccc.218:8122->192.168.200.26:58757, len 60
08:44:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 52
08:44:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:10 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:12 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:15 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:22 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:37 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68
08:44:55 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,FIN), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 52
08:45:05 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,FIN,PSH), 192.168.200.26:58757->aaa.bb.ccc.218:8122, len 68

Log from CHR when forwarding port 8122 to port 22
10:44:12 firewall,info dstnat: in:ether2-Wan out:(unknown 0), src-mac b8:69:f4:xx:xx:xx, proto TCP (SYN), cc.bbb.dd.10:58757->aaa.bb.ccc.218:8122, len 60
10:44:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (SYN), cc.bbb.dd.10:58757->172.21.2.3:22,NAT cc.bbb.dd.10:58757->(aaa.bb.ccc.218:8122->172.21.2.3:22), len 60
10:44:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (SYN,ACK), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 60
10:44:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:58757->172.21.2.3:22, NAT cc.bbb.dd.10:58757->(aaa.bb.ccc.218:8122->172.21.2.3:22), len 52
10:44:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:13 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:14 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:16 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:19 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:27 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:44:42 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:45:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:46:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 73
10:46:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,FIN), 172.21.2.3:22->cc.bbb.dd.10:58757, NAT (172.21.2.3:22->aaa.bb.ccc.218:8122)->cc.bbb.dd.10:58757, len 52
Log from client when forwarding port 22 to port 22
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (SYN), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 60
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (SYN,ACK), aaa.bb.ccc.218:22->192.168.200.26:37967, len 60
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 68
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK), aaa.bb.ccc.218:22->192.168.200.26:37967, len 52
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 73
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 484
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 1332
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 76
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK), aaa.bb.ccc.218:22->192.168.200.26:37967, len 52
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 332
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 324
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 900
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 68
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 104
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK), aaa.bb.ccc.218:22->192.168.200.26:37967, len 52
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 104
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,PSH), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 120
09:26:09 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,PSH), aaa.bb.ccc.218:22->192.168.200.26:37967, len 136
09:26:09 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:28 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK,FIN), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
09:26:28 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:50:56:zz:zz:zz, proto TCP (ACK,FIN), aaa.bb.ccc.218:22->192.168.200.26:37967, len 52
09:26:28 firewall,info output: in:(unknown 0) out:ether1, proto TCP (ACK), 192.168.200.26:37967->aaa.bb.ccc.218:22, len 52
Log from CHR when forwarding port 22 to port 22
11:26:12 firewall,info dstnat: in:ether2-Wan out:(unknown 0), src-mac b8:69:f4:xx:xx:xx, proto TCP (SYN), cc.bbb.dd.10:37967->aaa.bb.ccc.218:22, len 60
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (SYN), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 60
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (SYN,ACK), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 60
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 68
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 52
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 73
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 1332
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 484
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 76
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 52
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 332
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 324
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 900
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 68
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 104
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 52
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 104
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,PSH), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 120
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,PSH), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 136
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:31 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK,FIN), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
11:26:31 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:yy:yy:yy, proto TCP (ACK,FIN), 172.21.2.3:22->cc.bbb.dd.10:37967, NAT (172.21.2.3:22->aaa.bb.ccc.218:22)->cc.bbb.dd.10:37967, len 52
11:26:31 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:xx:xx:xx, proto TCP (ACK), cc.bbb.dd.10:37967->172.21.2.3:22, NAT cc.bbb.dd.10:37967->(aaa.bb.ccc.218:22->172.21.2.3:22), len 52
 
sindy
Forum Guru
Posts: 3280
Joined: Mon Dec 04, 2017 9:19 pm

Re: dst-nat with changing port

Tue May 21, 2019 7:36 pm

Okay, so it seems that the SYN>, <SYN,ACK, ACK> passes properly, including the NAT handling, and the subsequent packets carrying some actual data don't make it through in either direction: at the client side, you can see the client sending, but these packets cannot be seen at the server-side CHR, and at the server-side CHR, you can see the server sending and the packets being forwarded out ether2-Wan, but they never arrive at the client. So you can use /tool sniffer quick interface=ether2-Wan ip-protocol=tcp port=8122 to check whether it is a firewall issue (no idea how it could be, but try, please), and if you can see the server->client packets there but none of client->server (except the initial SYN>, <SYN,ACK, ACK>, that means), it must be some firewall between the CHR and the client which causes this (or possibly some firewall on the client itself?).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
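The symptom sindy describes above, a completed three-way handshake followed by payload segments that one side keeps resending and the other side never sees, can be picked out of the RouterOS firewall log mechanically rather than by eye. The script below is an added example, not code from this thread or from MikroTik: it parses log lines in the format quoted in this thread, groups them per connection, records which direction carried payload (PSH), and flags identical data segments that repeat with growing gaps, which is the signature of TCP retransmission backoff and matches the 1, 2, 3, 8, 15, 30, 60 second spacing in the log posted earlier. The sample log lines, the client and WAN addresses (203.0.113.10, 198.51.100.218) and the MACs in it are constructed for the example.

```python
import re
from datetime import datetime

# Matches the RouterOS firewall log format quoted in this thread. src-mac and NAT
# are optional because output/input chain lines omit one or the other.
LOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<inif>.+?) out:(?P<outif>.+?), "
    r"(?:src-mac \S+, )?"
    r"proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[^\s,]+)->(?P<dst>[^\s,]+)"
    r"(?:, NAT (?P<nat>.+?))?, len (?P<length>\d+)$"
)

# Constructed sample (placeholder addresses/MACs): one connection via forwarded port
# 8122 whose server->client payload is retransmitted with backoff, and one healthy
# connection via port 22 where both sides exchange payload.
SAMPLE_LOG = """\
10:44:10 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:00:00:01, proto TCP (SYN), 203.0.113.10:58757->172.21.2.3:22, NAT 203.0.113.10:58757->(198.51.100.218:8122->172.21.2.3:22), len 60
10:44:10 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (SYN,ACK), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 60
10:44:10 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:00:00:01, proto TCP (ACK), 203.0.113.10:58757->172.21.2.3:22, NAT 203.0.113.10:58757->(198.51.100.218:8122->172.21.2.3:22), len 52
10:44:11 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:44:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:44:14 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:44:17 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:44:25 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:44:40 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:45:10 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:46:10 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 73
10:46:10 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,FIN), 172.21.2.3:22->203.0.113.10:58757, NAT (172.21.2.3:22->198.51.100.218:8122)->203.0.113.10:58757, len 52
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:00:00:01, proto TCP (SYN), 203.0.113.10:37967->172.21.2.3:22, NAT 203.0.113.10:37967->(198.51.100.218:22->172.21.2.3:22), len 60
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (SYN,ACK), 172.21.2.3:22->203.0.113.10:37967, NAT (172.21.2.3:22->198.51.100.218:22)->203.0.113.10:37967, len 60
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:00:00:01, proto TCP (ACK), 203.0.113.10:37967->172.21.2.3:22, NAT 203.0.113.10:37967->(198.51.100.218:22->172.21.2.3:22), len 52
11:26:12 firewall,info forward: in:ether1-Lan out:ether2-Wan, src-mac 00:0c:29:00:00:02, proto TCP (ACK,PSH), 172.21.2.3:22->203.0.113.10:37967, NAT (172.21.2.3:22->198.51.100.218:22)->203.0.113.10:37967, len 73
11:26:12 firewall,info forward: in:ether2-Wan out:ether1-Lan, src-mac b8:69:f4:00:00:01, proto TCP (ACK,PSH), 203.0.113.10:37967->172.21.2.3:22, NAT 203.0.113.10:37967->(198.51.100.218:22->172.21.2.3:22), len 68
"""


def host(endpoint):
    """'a.b.c.d:port' -> 'a.b.c.d'."""
    return endpoint.rsplit(":", 1)[0]


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["flags"] = frozenset(f.strip() for f in p["flags"].split(","))
    p["length"] = int(p["length"])
    p["ts"] = datetime.strptime(p["ts"], "%H:%M:%S")
    return p


def parse_log(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def find_retransmissions(packets, min_repeats=3):
    """Identical payload segments (same sockets, flags, len) seen repeatedly with
    non-decreasing gaps are retransmissions: the receiver never acknowledged them."""
    groups = {}
    for p in packets:
        if "PSH" in p["flags"]:
            key = (p["src"], p["dst"], tuple(sorted(p["flags"])), p["length"])
            groups.setdefault(key, []).append(p["ts"])
    findings = []
    for (src, dst, _flags, length), times in groups.items():
        if len(times) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        backoff = all(g2 >= g1 for g1, g2 in zip(gaps, gaps[1:])) and gaps[-1] >= 2 * gaps[0]
        findings.append({"src": src, "dst": dst, "length": length,
                         "repeats": len(times), "gaps": gaps, "backoff": backoff})
    return findings


def diagnose(packets):
    """Per connection: did the handshake complete, which hosts sent payload, and was
    payload retransmitted with backoff. Handshake OK + payload from one side only +
    backoff means the data segments are being dropped beyond this router."""
    conns = {}
    for p in packets:
        c = conns.setdefault(frozenset((p["src"], p["dst"])),
                             {"syn": False, "synack": False, "ack": False,
                              "data_from": set(), "packets": []})
        f = p["flags"]
        c["syn"] |= f == {"SYN"}
        c["synack"] |= f == {"SYN", "ACK"}
        c["ack"] |= f == {"ACK"}
        if "PSH" in f:
            c["data_from"].add(host(p["src"]))
        c["packets"].append(p)
    report = []
    for key, c in conns.items():
        handshake = c["syn"] and c["synack"] and c["ack"]
        retrans = find_retransmissions(c["packets"])
        if not handshake:
            verdict = "handshake incomplete"
        elif len(c["data_from"]) == 1 and any(r["backoff"] for r in retrans):
            verdict = "payload dropped beyond this router"
        else:
            verdict = "ok"
        report.append({"endpoints": sorted(key), "handshake": handshake,
                       "data_from": sorted(c["data_from"]),
                       "retransmissions": retrans, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in diagnose(parse_log(SAMPLE_LOG)):
        print(entry["endpoints"], entry["verdict"], entry["data_from"])
```

Run against a real log from the CHR (`/log print where topics~"firewall"` saved to a file), the same verdict on the forwarded port while the port-22 connection reports "ok" points at a filter upstream of the router rather than at the dst-nat rule, which is where this thread ended up.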
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Thu May 23, 2019 5:49 pm

I was traveling yesterday, but I no longer think this is an issue with dst-nat and may be an issue with the upstream provider. Will update later.
 
cwsupport
just joined
Topic Author
Posts: 9
Joined: Mon Apr 08, 2019 5:30 pm

Re: dst-nat with changing port

Mon Jun 03, 2019 5:35 pm

FYI, it was caused by what the provider called an application-level filter being applied to our traffic by the provider as an oversight. I'm guessing an IDS of some type. All working as it should now. Thanks for the help in determining the issue.
 
vecernik87
Long time Member
Posts: 632
Joined: Fri Nov 10, 2017 8:19 am

Re: dst-nat with changing port

Tue Jun 04, 2019 11:28 am

Thanks for the feedback! This info is very much appreciated. I was really wondering what the issue would be, and I definitely didn't expect something like that.
