This has been bugging me for some time (about 4 years): I have never managed to get port forwarding working on my router.
I have a VPN active on it, so I can access anything inside the LAN through it, but sometimes I need a simple port forward for FTP, which, for some reason I can't identify, doesn't work.
(For testing purposes I've tried to hit a few computers on RDP, and created a dummy port on one of the computers to try and hit that; nothing seems to get back to the WAN request.)
I tried multiple ways; I even copied the NAT config from a friend for FTP forwarding.
I've read multiple posts here on how to do this, and apparently the packet gets to my NAS but nothing comes back from it.
(I've added the rules for logging as seen here: viewtopic.php?t=116569)
Currently I get to the 4th step in the logging trace, which means there might be something wrong with the set-up of the NAS.
As I said, I have an IPsec over L2TP VPN set up which works, and from that I can access the FTP without issues (the firewall rules log the connection both to the FTP server and out of it).
I'm not sure what I set up wrong on my router, but below you can see the config (part of it, as the whole config has about 400 lines and some data that I don't want to post publicly).
# jan/14/2022 17:41:22 by RouterOS 6.49.2
# software id = GJD5-47VS
#
# model = 1100AHx2
# serial number =
/ip firewall address-list
add address=10.0.0.0/8 list="10 network"
add address=10.5.0.0/24 list=LAN
add address=xx.xx.xx.xx list="Public IP"
add address=vpn.xxxx.xx list=host
/ip firewall filter
add action=log chain=forward dst-address=10.5.0.45 dst-port=21 log-prefix=3 \
protocol=tcp
add action=log chain=forward log-prefix=6 protocol=tcp src-address=10.5.0.45 \
src-port=21
add action=drop chain=input comment="input Drop invalid packets" \
connection-state=invalid
add action=drop chain=forward comment="fw drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dstnatted" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="accept forward established related" \
connection-state=established,related
add action=accept chain=input comment=\
"Accept established and related packets" connection-state=\
established,related
add action=accept chain=forward comment=\
"accept dstnat from wan established related" connection-nat-state=dstnat \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment="accept dstnat conn" \
connection-nat-state=dstnat
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=udp src-port=123
add action=accept chain=forward comment="Router fw IPsec in accept" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
ipsec-policy=out,ipsec
add action=drop chain=input in-interface-list=WAN
/ip firewall mangle
add action=log chain=prerouting dst-address=xx.xx.xx.xx dst-port=21 \
log-prefix=1 protocol=tcp
add action=log chain=postrouting dst-address=10.5.0.45 dst-port=21 log=yes \
log-prefix=4 protocol=tcp
add action=log chain=prerouting log-prefix=5 protocol=tcp src-address=\
10.5.0.45 src-port=21
add action=log chain=postrouting log-prefix=7 protocol=tcp src-address=\
10.5.0.45 src-port=21
/ip firewall nat
add action=masquerade chain=srcnat out-interface="eth11 - mobile data"
add action=masquerade chain=srcnat out-interface=RCS-RDS
add action=dst-nat chain=dstnat dst-address-list=host dst-port=55536-55663 \
protocol=tcp to-addresses=10.5.0.45
add action=dst-nat chain=dstnat dst-address-list=host dst-port=21 log=yes \
log-prefix=2 protocol=tcp to-addresses=10.5.0.45
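The numbered-prefix logging trace used in this post, as an added example that is not part of the original post: a Python script that parses RouterOS firewall log lines in their usual shape, correlates one WAN client's flow through the seven log prefixes of the posted rules (1-4 follow the request in, 5-7 follow the reply from 10.5.0.45) and reports the first stage that was never logged. The log lines are constructed for the example (documentation addresses; 198.51.100.1 stands in for the masked public IP, "bridge" is an assumed LAN interface name), and the hints attached to the stages are the editor's, not the poster's.

```python
"""Trace one port-forwarded TCP flow through numbered RouterOS log rules.

Added example, not from the original post.  The posted ruleset logs the same
flow with log-prefix 1..7 at successive points of the packet path; this script
correlates such lines by the WAN client's ip:port and names the first stage
that never appeared.  Sample lines below are constructed.
"""
import re

# Stage number = log-prefix value of the posted logging rules.
STAGES = {
    1: "mangle prerouting: request for the WAN address entered the router",
    2: "dstnat: destination rewritten to the NAS",
    3: "filter forward: request accepted toward the NAS",
    4: "mangle postrouting: request left the router toward the NAS",
    5: "mangle prerouting: reply from the NAS entered the router",
    6: "filter forward: reply accepted toward the client",
    7: "mangle postrouting: reply left the router toward the client",
}

# Editor's hints for the stops that matter most (assumed, not from the post).
HINTS = {
    1: "nothing arrived on the WAN interface: upstream problem or wrong public address",
    2: "the dst-nat rule never matched: check the dst-address-list entry and the port",
    5: "request was handed to the NAS but no reply came back through the router: "
       "check the service is listening, the host firewall, and that the host's "
       "default gateway is this router",
}

# RouterOS firewall log shape:
#   "<prefix> <chain>: in:<if> out:<if>, ..., proto TCP (flags), src:sport->dst:dport, len N"
LOG_RE = re.compile(
    r"(?P<prefix>\d+)\s+(?P<chain>\w+):\s+in:(?P<iface_in>\S+)\s+out:(?P<iface_out>[^,]+),"
    r".*?proto\s+(?P<proto>\w+).*?,\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(line):
    """Fields of one firewall log line as a dict, or None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("prefix", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def stages_for_flow(lines, client_ip, client_port):
    """Sorted stage numbers at which one WAN client's flow was logged.

    Request stages (1-4) carry the client as source; reply stages (5-7) carry
    it as destination, with 10.5.0.45 still the source there, which is what the
    posted mangle postrouting rule 7 assumes.
    """
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["prefix"] not in STAGES:
            continue
        if rec["prefix"] <= 4 and (rec["src"], rec["sport"]) == (client_ip, client_port):
            seen.add(rec["prefix"])
        elif rec["prefix"] >= 5 and (rec["dst"], rec["dport"]) == (client_ip, client_port):
            seen.add(rec["prefix"])
    return sorted(seen)


def first_missing_stage(stages):
    """Lowest stage number not present, or None when all seven were logged."""
    for n in sorted(STAGES):
        if n not in stages:
            return n
    return None


def diagnose(stages):
    """Human-readable verdict for a list of logged stages."""
    missing = first_missing_stage(stages)
    if missing is None:
        return "full round trip logged (stages 1-7)"
    hint = HINTS.get(missing, "inspect the rule that should log this stage")
    return "stopped before stage %d (%s): %s" % (missing, STAGES[missing], hint)


def _log(prefix, chain, iface_in, iface_out, flags, src, dst):
    """Build one constructed line in RouterOS firewall log shape (sample data only)."""
    return ("17:41:22 firewall,info %d %s: in:%s out:%s, src-mac 00:11:22:33:44:55, "
            "proto TCP (%s), %s->%s, len 60" % (prefix, chain, iface_in, iface_out, flags, src, dst))


# Constructed sample: 198.51.100.1 stands for the public IP, "bridge" is an assumed LAN interface.
CLIENT, PUBLIC, NAS = "203.0.113.7:51234", "198.51.100.1:21", "10.5.0.45:21"
WAN, LAN, NONE = "RCS-RDS", "bridge", "(unknown 0)"
STUCK_LOG = [  # the situation the post describes: trace reaches step 4, nothing returns
    _log(1, "prerouting", WAN, NONE, "SYN", CLIENT, PUBLIC),
    _log(2, "dstnat", WAN, NONE, "SYN", CLIENT, PUBLIC),
    _log(3, "forward", WAN, LAN, "SYN", CLIENT, NAS),
    _log(4, "postrouting", WAN, LAN, "SYN", CLIENT, NAS),
    _log(1, "prerouting", WAN, NONE, "SYN", "192.0.2.9:40000", PUBLIC),  # unrelated client
]
FULL_LOG = STUCK_LOG + [  # the same flow when the reply path works
    _log(5, "prerouting", LAN, NONE, "SYN,ACK", NAS, CLIENT),
    _log(6, "forward", LAN, WAN, "SYN,ACK", NAS, CLIENT),
    _log(7, "postrouting", LAN, WAN, "SYN,ACK", NAS, CLIENT),
]

if __name__ == "__main__":
    for name, log in (("stuck", STUCK_LOG), ("full", FULL_LOG)):
        stages = stages_for_flow(log, "203.0.113.7", 51234)
        print(name, stages, diagnose(stages))
```

Run it on a real export of `/log print` (or on lines copied from the log window) with the client's public address and source port; stopping before stage 5 is exactly the "packet gets to the NAS, nothing comes back" case, and the script only tells you where the router stopped seeing the flow, not why the host did not answer.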