ZakPreston
just joined
Topic Author
Posts: 12
Joined: Mon Apr 15, 2019 7:35 pm

Port forwarding using DDNS doesn't work

Thu Jul 09, 2020 10:20 pm

Hello!
My router gets dynamic IP from my ISP, so one of the most obvious options is to use DDNS. However when I try to forward SSH port 24022 on my router to port 22 on 192.168.1.240 host inside my local network, connection is either refused or timed out. I lurked this forum a bit, used solutions from similar issues but SSH access doesn't work anyways.
Last edited by ZakPreston on Thu Jul 09, 2020 11:51 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding using DDNS doesn't work

Thu Jul 09, 2020 10:48 pm

Port forwarding with dynamic IP / DDNS works if configured correctly. Post NAT config (run /ip firewall nat export in a terminal window) so we can check if something is wrong.
 
ZakPreston
just joined
Topic Author
Posts: 12
Joined: Mon Apr 15, 2019 7:35 pm

Re: Port forwarding using DDNS doesn't work

Thu Jul 09, 2020 11:30 pm

> Port forwarding with dynamic IP / DDNS works if configured correctly. Post NAT config (run /ip firewall nat export in a terminal window) so we can check if something is wrong.
Thank you for the response! Here are my NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=63306 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3306
add action=dst-nat chain=dstnat dst-port=3724 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3724
add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t
    to-addresses=192.168.1.240 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.240 to-ports=22
add action=masquerade chain=srcnat disabled=yes out-interface-list=LAN
add action=accept chain=dstnat dst-address=!192.168.1.1 dst-address-type=local dst-port=22 protocol=
    src-port=24022 to-addresses=192.168.1.240
add action=accept chain=dstnat dst-address-list=MyDDNS dst-port=22 protocol=tcp src-port=24022 \
    to-addresses=192.168.1.240
Unfortunately, no dstnat rule is working as intended.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 12:06 am

> My router gets dynamic IP from my ISP, ...
And is it a public address? It may sound like a stupid question, but many people miss this important bit. If you check the address that the DDNS hostname resolves to, do you have the same address on your router in IP->Addresses?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 12:11 am

Too funny,

One needs a protocol so that the router knows what's coming!
This doesn't cut it..........

add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t
to-addresses=192.168.1.240 to-ports=22

Sob: Did you want to sign up for my MTUNA certification, we cover "proper methods in config scrutinization"! ;-P


To the OP: why do you have so many duplicate-looking rules? What a mess!!
Makes me want to slap someone upside the head. :-)

Let's fix it!!

By the way, this rule should simply work when you fix the protocol issue!!
add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t
to-addresses=192.168.1.240 to-ports=22

Cleaned up working version.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=63306 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3306
add action=dst-nat chain=dstnat dst-port=3724 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3724
add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=tcp \
    to-addresses=192.168.1.240 to-ports=22
Done!!

By the way, the only reason to use dst-address-list=mywanip
(assuming mywanip is the firewall address-list entry with IP=clouddns name)
is if you want to be able to reach the server via your WAN IP address from a device on the same LAN subnet as your server. If you do, two things need to happen.

First, add a second hairpin source-nat rule.
add action=masquerade chain=srcnat src-address=lansubnet dst-address=lansubnet (in your case lansubnet appears to be 192.168.1.0/24)

Second, modify the dst-nat rule (replace in-interface-list=WAN with dst-address=mywanip).
Last edited by anav on Fri Jul 10, 2020 12:21 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 12:19 am

@anav: I'd say it's pretty clear that it was just copy error.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 12:22 am

Most likely, but it was a great opportunity for creative writing I could not pass up!! :-)

Note to OP:
Please post the complete config, as other aspects of the config may be pertinent:
/export hide-sensitive file=anynameyouwish
 
ZakPreston
just joined
Topic Author
Posts: 12
Joined: Mon Apr 15, 2019 7:35 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 1:26 am

> My router gets dynamic IP from my ISP, ...
> And is it a public address? It may sound like a stupid question, but many people miss this important bit. If you check the address that the DDNS hostname resolves to, do you have the same address on your router in IP->Addresses?
Actually... they are very much different, but I didn't think it should've mattered since I was able to connect to my router's SSH port and HTTP port using personalstring.sn.mynetname.net.

My WAN IP address is in 100.80.0.0/16 subnet. Seems like I am behind my provider's NAT. How can I actually tune port forwarding?
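The check Sob asked for, written out as an added Python example (it is not from this thread and not MikroTik code): it compares the address the DDNS name resolves to with the address the router actually holds on its WAN interface, and says whether forwarding can work. A WAN lease in 100.64.0.0/10 (RFC 6598 shared address space, which covers the 100.80.0.0/16 range mentioned above) means the ISP is running carrier-grade NAT; an RFC 1918 WAN address means another NAT device sits upstream. The sample addresses are constructed, and `resolve_ddns` is a hypothetical helper that needs network access and is not used by the offline sample.

```python
"""Diagnose whether DDNS-based port forwarding can reach a RouterOS router.

Added example, not from the thread. Sample addresses below are constructed.
"""
import socket
from ipaddress import ip_address, ip_network

# RFC 6598 shared address space: a WAN lease here means the ISP runs
# carrier-grade NAT in front of the router (the OP's 100.80.x.x case).
CGNAT_SPACE = ip_network("100.64.0.0/10")

# RFC 1918 space on the WAN side means another NAT device sits upstream
# (the "double NAT" situation).
RFC1918_SPACE = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def classify_wan(wan_address: str) -> str:
    """Return 'cgnat', 'private' or 'other' for the router's WAN address.

    'other' only means the address is in neither NAT-only range; it does not
    prove the address is globally routable.
    """
    wan = ip_address(wan_address)
    if wan in CGNAT_SPACE:
        return "cgnat"
    if any(wan in net for net in RFC1918_SPACE):
        return "private"
    return "other"


def diagnose(wan_address: str, ddns_address: str) -> dict:
    """Combine the WAN-address class with a comparison against the DDNS answer.

    Returns {'verdict': machine-readable tag, 'reason': explanation}.
    """
    wan = ip_address(wan_address)
    ddns = ip_address(ddns_address)
    kind = classify_wan(wan_address)
    if kind == "cgnat":
        return {
            "verdict": "cgnat",
            "reason": f"WAN address {wan} is in {CGNAT_SPACE} (carrier-grade NAT); "
                      f"inbound connections to {ddns} never reach this router's "
                      "dst-nat rules unless the ISP forwards them or assigns a public address.",
        }
    if kind == "private":
        return {
            "verdict": "double-nat",
            "reason": f"WAN address {wan} is RFC 1918; an upstream router owns {ddns} "
                      "and must forward the port to this router first.",
        }
    if wan == ddns:
        return {
            "verdict": "ok",
            "reason": f"DDNS resolves to {ddns}, which the router holds on its WAN "
                      "interface; dst-nat rules matched on in-interface-list=WAN "
                      "should see the traffic.",
        }
    return {
        "verdict": "mismatch",
        "reason": f"DDNS resolves to {ddns} but the WAN interface holds {wan}; "
                  "check the DDNS update (e.g. /ip cloud) or a stale DNS cache.",
    }


def resolve_ddns(hostname: str) -> str:
    """Hypothetical helper: resolve the DDNS name as an outside client would (needs network)."""
    return socket.gethostbyname(hostname)


if __name__ == "__main__":
    # Constructed sample: a WAN lease from the 100.80.0.0/16 range and an
    # unrelated address the DDNS name resolved to (203.0.113.0/24 is documentation space).
    result = diagnose("100.80.12.34", "203.0.113.5")
    print(result["verdict"], "-", result["reason"])
```

On a live router the two inputs are the address shown by the DHCP client on the WAN interface and the answer from resolving the mynetname.net hostname; a "cgnat" or "double-nat" verdict means no dst-nat rule on the router can fix the problem by itself.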
 
ZakPreston
just joined
Topic Author
Posts: 12
Joined: Mon Apr 15, 2019 7:35 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 1:58 am

> Most likely, but it was a great opportunity for creative writing I could not pass up!! :-)
>
> Note to OP:
> Please post the complete config, as other aspects of the config may be pertinent:
> /export hide-sensitive file=anynameyouwish
# jul/10/2020 01:27:13 by RouterOS 6.47
#
# model = RB450Gx4
/interface bridge
add admin-mac=B8:69:F4:E5:04:3B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=WAN \
    loop-protect=on speed=100Mbps
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=\
    ZP-NB loop-protect=on speed=100Mbps
set [ find default-name=ether3 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=\
    ZP-PC loop-protect=on speed=100Mbps
set [ find default-name=ether4 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=\
    MAMA-PC speed=100Mbps
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=\
    "TP-Link AP" poe-out=off speed=100Mbps
/interface pptp-server
add disabled=yes name=XXX user=XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.21-192.168.1.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2d name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:8c:89:a5:8:9:fa mac-address=\
    8C:89:A5:08:09:FA server=defconf
add address=192.168.1.20 client-id=1:d0:50:99:5d:c3:16 mac-address=\
    D0:50:99:5D:C3:16 server=defconf
add address=192.168.1.12 client-id=1:dc:85:de:86:2b:d5 mac-address=\
    DC:85:DE:86:2B:D5 server=defconf
add address=192.168.1.10 client-id=1:0:d8:61:54:d7:bc mac-address=\
    00:D8:61:54:D7:BC server=defconf
add address=192.168.1.13 client-id=1:94:39:e5:b:b9:a7 mac-address=\
    94:39:E5:0B:B9:A7 server=defconf
add address=192.168.1.210 mac-address=00:19:21:68:12:10 server=defconf \
    use-src-mac=yes
add address=192.168.1.220 mac-address=00:19:21:68:12:20 server=defconf
add address=192.168.1.221 mac-address=00:19:21:68:12:21 server=defconf
add address=192.168.1.211 mac-address=00:19:21:68:12:11 server=defconf
add address=192.168.1.230 mac-address=00:19:21:68:12:30 server=defconf
add address=192.168.1.231 mac-address=00:19:21:68:12:31 server=defconf
add address=192.168.1.240 mac-address=00:19:21:68:12:40 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24 wins-server=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=4w4d cache-size=65536KiB servers=\
    8.8.8.8,8.8.4.4
/ip firewall address-list
add address=mystring.sn.mynetname.net list=MyDDNS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=63306 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.10 to-ports=3306
add action=dst-nat chain=dstnat dst-port=3724 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.1.10 to-ports=3724
add action=dst-nat chain=dstnat dst-port=24022 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.1.240 to-ports=22
/ip smb
set domain=HOME enabled=yes interfaces=bridge
/system clock
set time-zone-name=Europe/XXX
/system identity
set name=HOMEBASE
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

> Too funny,
>
> One needs a protocol so that the router knows what's coming!
> This doesn't cut it..........
>
> add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t
> to-addresses=192.168.1.240 to-ports=22
>
> Sob: Did you want to sign up for my MTUNA certification, we cover "proper methods in config scrutinization"! ;-P
>
> To the OP: why do you have so many duplicate-looking rules? What a mess!!
> Makes me want to slap someone upside the head. :-)
>
> Let's fix it!!
>
> By the way, this rule should simply work when you fix the protocol issue!!
> add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t
> to-addresses=192.168.1.240 to-ports=22
>
> Cleaned up working version.
> /ip firewall nat
> add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
>     out-interface-list=WAN
> add action=dst-nat chain=dstnat dst-port=63306 in-interface-list=WAN protocol=tcp to-addresses=\
>     192.168.1.10 to-ports=3306
> add action=dst-nat chain=dstnat dst-port=3724 in-interface-list=WAN protocol=tcp to-addresses=\
>     192.168.1.10 to-ports=3724
> add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=tcp \
>     to-addresses=192.168.1.240 to-ports=22
> Done!!
>
> By the way, the only reason to use dst-address-list=mywanip
> (assuming mywanip is the firewall address-list entry with IP=clouddns name)
> is if you want to be able to reach the server via your WAN IP address from a device on the same LAN subnet as your server. If you do, two things need to happen.
>
> First, add a second hairpin source-nat rule.
> add action=masquerade chain=srcnat src-address=lansubnet dst-address=lansubnet (in your case lansubnet appears to be 192.168.1.0/24)
>
> Second, modify the dst-nat rule (replace in-interface-list=WAN with dst-address=mywanip).
It was a copy-paste error, but thanks for an interesting read anyways =)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 3:24 am

If you can reach the router using the public address, it must also work for forwarded ports to devices behind the router. Do you know what exactly you're supposed to have? NAT 1:1, i.e. all ports forwarded to you, or just some selected ports? Watch if the dstnat rules get any hits. If not, try the same ports that previously worked for accessing the router.
 
Jotne
Forum Guru
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 8:29 am

This is wrong. You are only the 10th this week with this error. :)
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
When using bridging, the IP should be on the bridge (or VLAN if that is used), not on one of the interfaces that belong to the bridge.

Correct
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
You got the DHCP server correct. They should be on the same bridge.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2d name=defconf
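Both review points in this thread (anav's truncated protocol= and disabled dst-nat rules, and the IP address bound to a bridge port that Jotne flags above) can be checked mechanically from the `/export` text. The following Python linter is an added example: it is not RouterOS code and not anything the posters wrote. It handles only the export syntax that appears in this thread (section lines, add/set commands, backslash line continuations, quoted values), and SAMPLE_EXPORT is a constructed excerpt modelled on the OP's config, with a placeholder bridge entry.

```python
"""Lint a RouterOS /export for the mistakes discussed in this thread.

Added example, not RouterOS code. Parses the plain-text export and reports:
  * /ip address entries bound to a bridge *port* instead of the bridge;
  * dst-nat rules whose protocol is missing or not a port-carrying protocol;
  * dst-nat rules that are disabled and therefore never match.
"""
import shlex

# Constructed excerpt modelled on the OP's export (not the real config).
SAMPLE_EXPORT = r"""
/interface bridge
add comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=63306 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3306
add action=dst-nat chain=dstnat disabled=yes dst-port=24022 in-interface-list=WAN log=yes protocol=t \
    to-addresses=192.168.1.240 to-ports=22
"""

# Protocols for which dst-port/to-ports make sense (constructed, not exhaustive).
PORT_PROTOCOLS = {"tcp", "udp", "sctp"}


def join_continuations(text: str):
    """Yield logical lines: a trailing backslash continues on the next line."""
    buf = ""
    for raw in text.splitlines():
        # RouterOS indents continuation lines; the export may split mid-token.
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_export(text: str) -> list:
    """Return [(section, verb, {key: value}), ...] for every add/set line."""
    section, entries = "", []
    for line in join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)  # respects "quoted values with spaces"
        verb, props = tokens[0], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, value = tok.partition("=")
                props[key] = value
        entries.append((section, verb, props))
    return entries


def lint(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries = parse_export(text)
    findings = []
    bridge_ports = {p["interface"] for s, _, p in entries
                    if s == "/interface bridge port" and "interface" in p}
    for section, _, props in entries:
        if section == "/ip address" and props.get("interface") in bridge_ports:
            findings.append(f"/ip address {props.get('address')} is on bridge port "
                            f"{props['interface']}; move it to the bridge itself")
        if section == "/ip firewall nat" and props.get("action") == "dst-nat":
            label = (f"dst-nat {props.get('dst-port', '?')} -> "
                     f"{props.get('to-addresses', '?')}:{props.get('to-ports', '?')}")
            proto = props.get("protocol")
            if ("dst-port" in props or "to-ports" in props) and proto not in PORT_PROTOCOLS:
                findings.append(f"{label}: protocol is {proto!r}; ports need protocol=tcp or udp")
            if props.get("disabled") == "yes":
                findings.append(f"{label}: rule is disabled and can never match")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Feed it the file produced by `/export hide-sensitive file=...` to get the same three findings the thread arrived at by hand; a clean export returns an empty list.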
 
ZakPreston
just joined
Topic Author
Posts: 12
Joined: Mon Apr 15, 2019 7:35 pm

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 1:54 pm

> This is wrong. You are only the 10th this week with this error. :)
> /ip address
> add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
> 192.168.1.0
> When using bridging, the IP should be on the bridge (or VLAN if that is used), not on one of the interfaces that belong to the bridge.
>
> Correct
> /ip address
> add address=192.168.1.1/24 comment=defconf interface=bridge network=\
> 192.168.1.0
> You got the DHCP server correct. They should be on the same bridge.
> /ip dhcp-server
> add address-pool=dhcp disabled=no interface=bridge lease-time=2d name=defconf
Thank you, I've corrected the way you've suggested! =)
I think this was set by default since I didn't change much in config.

> If you can reach the router using the public address, it must also work for forwarded ports to devices behind the router. Do you know what exactly you're supposed to have? NAT 1:1, i.e. all ports forwarded to you, or just some selected ports? Watch if the dstnat rules get any hits. If not, try the same ports that previously worked for accessing the router.
I most definitely have access to HTTP, SSH, Telnet ports, but I don't have access to forwarded ports (like src 24022 => dest 22). I get
ssh: connect to host mystring.sn.mynetname.net port 24022: Connection refused
however when I try to connect from the outside, I have no access to any of these.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding using DDNS doesn't work

Fri Jul 10, 2020 3:11 pm

Is this double NAT? Where you have to ask your ISP to give you a public IP vice a natted IP?
