lobber24
just joined
Topic Author
Posts: 8
Joined: Tue Jun 16, 2020 3:32 pm

Port Forwarding / NAT

Thu Jun 25, 2020 11:51 am

Hi there

Herewith a brief indication of my setup. I have a fibre link (gpon) with a dynamic IP address assigned through pppoe. I have enabled port forwarding to one of my devices, through NAT and this seems to be working fine from outside the network. However if I try and connect from my LAN to the device on the particular port (10003) using the DDNS name, it doesn't work.

I read something about Hairpin NAT, not sure if this is correct?

Can someone kindly walk me through the steps of what may need to be done? I also have another device on my LAN, that is on a different IP and has a different port, that I would also like to be able to access.
 
anav
Forum Guru
Forum Guru
Posts: 4777
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding / NAT

Thu Jun 25, 2020 3:06 pm

Well this is MT OS, so what you have to do is

a. pile and stack up 5 hard cover books
b. Do a handstand using the books as your base (without falling over)
c. then remove one hand.

Voila done!!!

Seriously, it's a well-known requirement which is basically: if your server is on the same subnet as a USER attempting to access the server via a dydns name (ie via the external WANIP of your router), then hairpin nat (also called loopback) is required. Since I am opinionated, I tend to say, WTF would one just not use the LANIP to access the server LOL. But I gave up that argument as it seems it's a popular thang to do.

Borrowing from my bestest buddy SOB, a certifiable looney I mean expert!!!
(1) Add the required 'hairpin nat' masquerade rule
(2) Modify dstnat rules if using a dynamic WANIP (static WANIPs do not require a change to the dstnat rule). One cannot use the usual 'in-interface=WAN or in-interface-list=WAN' dstnat rule because it misses the LAN attempts to access the server via WANIP. There are many methods: one is to make a contorted rule, one is to use the ddns cloud service of the router itself in conjunction with a firewall address list entry, and lastly to use a dhcp client script with a similar firewall address list technique.

1. Masquerade Rule (substitute your lan subnet)
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
...

2(a) Contorted Rule Method - dst-address-type=local matches any address on the router. Here you enter the LANIP gateway of the subnet that the server is on as the ! (negated) destination (a local address, but not the LANIP of the server's subnet, which leaves the local WANIP on the router as the alternative).
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 \
    dst-address-type=local protocol=tcp dst-port=xxxx to-addresses=IPofServer to-ports={only required if translating to a different port number}
...

2(b) MT Cloud DDNS method, very popular, and made famous on youtube by stevo (our favourite git, or is that Brit). One creates a firewall address list and puts in the name of your IP Cloud DDNS server. The router will resolve the name to your WANIP. The only downside is a very slight delay in updating your IP when and if it changes. Reliance on an outside source (MT service) could be another. On the plus side, if your router does not have a public IP this is the better method.
(https://www.youtube.com/watch?v=_kw_bQyX-3U)
...
/ip firewall address-list
add list=external_wan address=<DDNS hostname>
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=xxxx protocol=tcp dst-address-list=external_wan \
    to-addresses=IPofServer to-ports={only required if translating to a different port number}
In this method, one simply goes to IP Cloud, enables the DDNS service, and copies the name provided into the firewall address list:
/ip firewall address-list
add address=<name of cloud ddns> list=external_wan

2(c). This is Sobs favourite dish (mine is paella). If you are comfortable with scripts this is the best method, otherwise 2b is preferred.

The dstnat rule is similar to the DDNS cloud method as both access a firewall address list entry. The only difference in the firewall address list part is that you add a comment of your choice (has to match the script text) to the firewall address list entry; in the example below 'wan1ip' is used. The script basically says: check if the wan IP is bound and if so, stick the address into the firewall address list.
....
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=xxxx protocol=tcp dst-address-list=external_wan-address \
    to-addresses=IPofServer to-ports={only required if translating to a different port number}
....

This is what one enters in the DHCP client
/ip dhcp-client
add interface=<WAN> <other options> script="<the script below>"
:if ($bound=1) do={
  /ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
  /ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
and finally the firewall address list entry would look like
/ip firewall address-list
add address=x.x.x.x comment="wan1ip" list=external_wan-address
(where x.x.x.x is the current valid wanip)
Last edited by anav on Tue Jul 07, 2020 3:41 pm, edited 5 times in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
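To make the return-path problem behind the masquerade rule concrete, here is a small Python walk-through of the hairpin case. It is an added example, not anav's or MikroTik's code. It models one LAN client reaching the forwarded port through the router's public address, first with only the dstnat rule and then with the srcnat masquerade added, and shows why the reply is unusable in the first case. All addresses (203.0.113.10 as the WAN IP, 192.168.88.20 as the client, 192.168.88.50 as the server) are constructed placeholders, and connection tracking is simplified: masquerade does not rewrite the source port here.

```python
"""Hairpin NAT walk-through (constructed example, not MikroTik code).

Models one LAN client connecting to the forwarded port through the router's
public address.  With only the dstnat rule the server answers the client
directly on the LAN, so the client sees a reply from the server's LAN IP
instead of from the WAN IP it connected to, and the connection fails.  The
srcnat masquerade rule forces the reply back through the router, which
undoes both translations.  Ports are left unchanged by masquerade here.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed addresses: 203.0.113.0/24 is documentation space, not a real WAN IP.
LAN = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN_IP = "192.168.88.1"
WAN_IP = "203.0.113.10"
SERVER = "192.168.88.50"
CLIENT = "192.168.88.20"
SERVICE_PORT = 10003          # the forwarded port from the original question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(address: str) -> bool:
    return ipaddress.ip_address(address) in LAN


def router_forward(pkt: Packet, hairpin: bool) -> Packet:
    """Apply the router's NAT rules to a packet arriving on the LAN side.

    dstnat: dst WANIP:SERVICE_PORT -> SERVER:SERVICE_PORT (the port forward).
    srcnat (hairpin only): src in LAN and dst in LAN -> masquerade with the
    router's LAN address, i.e. the rule
      add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
    """
    if pkt.dst == WAN_IP and pkt.dport == SERVICE_PORT:
        pkt = replace(pkt, dst=SERVER)
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):
        pkt = replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def server_reply(pkt: Packet) -> Packet:
    """The server answers whoever the packet claims to come from."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def simulate(hairpin: bool) -> dict:
    """Run one request/reply round trip and report what the client sees."""
    request = Packet(CLIENT, 40001, WAN_IP, SERVICE_PORT)
    expected_reply_src = (request.dst, request.dport)   # client's socket waits for WANIP:10003

    translated = router_forward(request, hairpin)
    # Connection tracking: remember the translated tuple so replies can be reversed.
    conntrack = {(translated.dst, translated.dport, translated.src, translated.sport): request}

    reply = server_reply(translated)

    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Same subnet: the server delivers the reply straight to the client over
        # the LAN.  The router never sees it, so the dstnat is never undone.
        seen_by_client = reply
        path = "server -> client directly"
    else:
        # Reply is addressed to the router, which reverses both translations.
        original = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        seen_by_client = Packet(original.dst, original.dport, original.src, original.sport)
        path = "server -> router -> client"

    reply_src = (seen_by_client.src, seen_by_client.sport)
    return {"path": path, "reply_src": reply_src, "accepted": reply_src == expected_reply_src}


if __name__ == "__main__":
    for hairpin in (False, True):
        print("hairpin masquerade:", hairpin, simulate(hairpin))
```

Running it prints one line per case: without the masquerade the client receives a reply from 192.168.88.50:10003 although it connected to 203.0.113.10:10003, so its TCP stack has no matching connection; with the masquerade the reply comes back via the router as 203.0.113.10:10003 and is accepted. The cost, which the masquerade rule hides from the server, is that hairpinned connections all appear to come from the router's LAN address in the server's logs.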
 
lobber24
just joined
Topic Author
Posts: 8
Joined: Tue Jun 16, 2020 3:32 pm

Re: Port Forwarding / NAT

Thu Jun 25, 2020 4:17 pm

Thanks very much for your help and detailed response. Managed to get everything up and running. :D
 
anav
Forum Guru
Forum Guru
Posts: 4777
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding / NAT

Thu Jun 25, 2020 4:24 pm

Super, which method did you use?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lobber24
just joined
Topic Author
Posts: 8
Joined: Tue Jun 16, 2020 3:32 pm

Re: Port Forwarding / NAT

Mon Jun 29, 2020 12:46 pm

I used method 2a
 
Zacharias
Forum Guru
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port Forwarding / NAT

Mon Jun 29, 2020 1:20 pm

@anav a local address is an address assigned to a router's interface specifically and not in general any local address under the same subnet...
https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
 
anav
Forum Guru
Forum Guru
Posts: 4777
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding / NAT

Mon Jun 29, 2020 2:44 pm

@anav a local address is an address assigned to a router's interface specifically and not in general any local address under the same subnet...
https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
Hi Zach. Shouldn't you be spending time paying off the Greek debt instead of posting so much. ;-) Seriously, good point!!! Local means any local address on the router, but the contorted rule ensures it's not the same subnet as the server. The other local address available is usually the WANIP. If one had multiple local subnets in the mix, there would be choices not clearly delineated to the router - not good. So in that case the contorted rule should be modified, I suppose, like so......
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=!localsubnets \
    dst-address-type=local protocol=tcp dst-port=xxxx to-addresses=IPofServer to-ports={only required if translating to a different port number}

/ip firewall address-list
add address=192.168.0.1 list=localsubnets
add address=192.168.1.1 list=localsubnets
add address=192.168.88.1 list=localsubnets
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
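As an added illustration of Zacharias' point and of the address-list variant of the contorted rule (not code from the thread), the following Python snippet models what dst-address-type=local actually matches, namely the addresses assigned to the router's own interfaces, and compares the single-address exclusion dst-address=!192.168.88.1 with dst-address-list=!localsubnets on a router that owns three LAN subnets. The router's interface addresses, the 203.0.113.10 WAN address and the sample packets are all constructed; the rule matching is a simplified model of the firewall's dstnat chain.

```python
"""What does dst-address-type=local match?  Constructed example, not from the thread.

Compares the two forms of the 'contorted' dstnat rule on a router that owns
three LAN subnets plus the WAN address:
  (a) dst-address=!192.168.88.1       dst-address-type=local ...
  (b) dst-address-list=!localsubnets  dst-address-type=local ...
"""
from dataclasses import dataclass

# dst-address-type=local matches packets addressed to the router's own interface
# addresses (Zacharias' point), not to every host inside its subnets.  Constructed set.
ROUTER_LOCAL_ADDRESSES = {"203.0.113.10", "192.168.0.1", "192.168.1.1", "192.168.88.1"}
WAN_IP = "203.0.113.10"
SERVER_GATEWAY = "192.168.88.1"       # gateway of the subnet the server lives in
SERVICE_PORT = 10003                  # dst-port=xxxx in the thread
# /ip firewall address-list entries with list=localsubnets
LOCALSUBNETS = {"192.168.0.1", "192.168.1.1", "192.168.88.1"}


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    protocol: str = "tcp"


def is_local(pkt: Packet) -> bool:
    """dst-address-type=local"""
    return pkt.dst in ROUTER_LOCAL_ADDRESSES


def rule_single_exclusion(pkt: Packet) -> bool:
    """(a) chain=dstnat dst-address=!192.168.88.1 dst-address-type=local protocol=tcp dst-port=10003"""
    return (pkt.protocol == "tcp" and pkt.dport == SERVICE_PORT
            and is_local(pkt) and pkt.dst != SERVER_GATEWAY)


def rule_list_exclusion(pkt: Packet) -> bool:
    """(b) chain=dstnat dst-address-list=!localsubnets dst-address-type=local protocol=tcp dst-port=10003"""
    return (pkt.protocol == "tcp" and pkt.dport == SERVICE_PORT
            and is_local(pkt) and pkt.dst not in LOCALSUBNETS)


def compare(packets):
    """Return (destination, port, matched by (a), matched by (b)) for each packet."""
    return [(p.dst, p.dport, rule_single_exclusion(p), rule_list_exclusion(p)) for p in packets]


# Constructed sample traffic as it would arrive at the dstnat chain.
SAMPLE = [
    Packet(WAN_IP, SERVICE_PORT),           # LAN or internet client using the WAN IP: should forward
    Packet("192.168.1.1", SERVICE_PORT),    # a host in 192.168.1.0/24 talking to its own gateway
    Packet("192.168.88.1", SERVICE_PORT),   # the server's subnet gateway: excluded by both forms
    Packet("192.168.88.50", SERVICE_PORT),  # the server's LAN IP directly: not a router address
    Packet(WAN_IP, 22),                     # wrong port: never forwarded
]

if __name__ == "__main__":
    for dst, dport, a, b in compare(SAMPLE):
        print(f"{dst}:{dport}  single-exclusion={a}  address-list={b}")
```

The second sample packet is the one that separates the two forms: a host on 192.168.1.0/24 contacting port 10003 on its own gateway 192.168.1.1 is a router-local destination that the single-exclusion rule silently redirects to the server, while the address-list form leaves it alone. Whichever form is used, the rule also never fires for connections made straight to the server's LAN IP, since that address is not local to the router.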
 
Zacharias
Forum Guru
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port Forwarding / NAT

Mon Jun 29, 2020 7:12 pm

Hi Zach. Shouldn't you be spending time paying off the Greek debt instead of posting so much.
Not so much free time anymore, too much work I guess...

Well, as for the Local address type we mean the same, I just use stricter words e.g. "assigned to router's interface" instead of "address on the router"...
