bilak
just joined
Topic Author
Posts: 6
Joined: Sat Aug 20, 2022 11:50 am

DST NAT config in RB4011iGS

Tue Sep 06, 2022 10:12 pm

Hello,
I've configured dst-nat to forward ports 80/443/8123 to an internal server with address 192.168.88.88 on the same ports 88/443/8123.
However, this is not working. I think there could be some issue with the firewall rules.

Note 1: previously I had an old Asus router where NAT was working without any issue.
Note 2: the firewall rules are the default rules which came with MikroTik.
Note 3: the WAN port is SFP.

Thanks for help in advance.
# sep/06/2022 21:08:08 by RouterOS 7.5
# software id = Z6C1-3AJB
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:3C:05:39 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="czech republic" disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=wlan-2g ssid=v-net wireless-protocol=802.11
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5g secondary-frequency=auto ssid=v-net-5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=iot supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=DE:2C:6E:09:FB:00 master-interface=wlan-2g name=v-home-iot security-profile=iot ssid=v-home wds-default-bridge=bridge wps-mode=\
    disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-5g
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-2g
add bridge=bridge interface=ether1
add bridge=bridge interface=v-home-iot
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http_80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.88 to-ports=80
add action=dst-nat chain=dstnat comment=http_443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.88 to-ports=443
add action=dst-nat chain=dstnat in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.88.88 to-ports=8123
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=v-home
/system leds
add interface=wlan-2g leds=wlan-2g_signal1-led,wlan-2g_signal2-led,wlan-2g_signal3-led,wlan-2g_signal4-led,wlan-2g_signal5-led type=wireless-signal-strength
add interface=wlan-2g leds=wlan-2g_tx-led type=interface-transmit
add interface=wlan-2g leds=wlan-2g_rx-led type=interface-receive
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT config in RB4011iGS

Wed Sep 07, 2022 2:00 pm

Sorry, you don't speak the truth.
Bridge filters are not set by default, so how did these get here??

/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F


Hmm, I see nothing that would block external users coming in on the WAN.
Are there any other users, like on the same LAN, that want to access the server, and if so, are they using the LAN IP of the server directly??
 
bilak
just joined
Topic Author
Posts: 6
Joined: Sat Aug 20, 2022 11:50 am

Re: DST NAT config in RB4011iGS

Wed Sep 07, 2022 6:54 pm

Well, I don't know where the bridge filters came from :O
I'm on the same LAN with my laptop and I'm able to access it directly on ports 80/443/8123.
The weird thing is also that I've changed the web console port to 8080 and it is accessible from the public address A.B.C.D:8080.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT config in RB4011iGS

Wed Sep 07, 2022 9:48 pm

Perhaps your ISP is blocking ports??
 
bilak
just joined
Topic Author
Posts: 6
Joined: Sat Aug 20, 2022 11:50 am

Re: DST NAT config in RB4011iGS

Thu Sep 08, 2022 10:38 am

No no, as I wrote before... it was working with the previous Asus router.
I have a feeling that those firewall rules don't work properly, or what.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT config in RB4011iGS

Thu Sep 08, 2022 2:56 pm

Did you remove those bridge filter rules yet?
Are you sure you get a public IP and not a private IP from the ISP?
If you go to IP Cloud, what is the IP address? Does it match googling "what's my IP", for example, and the IP DHCP client IP address?
(Don't need/want to see your public IP, just confirming you are getting one!)

I still cannot see a reason why it should not work; perhaps another set of eyes could help.
 
bilak
just joined
Topic Author
Posts: 6
Joined: Sat Aug 20, 2022 11:50 am

Re: DST NAT config in RB4011iGS

Thu Sep 08, 2022 3:37 pm

I've just disabled those filters.
Yes, the IP is public and I've tested that through mobile data (A.B.C.D)... so I'm able to access A.B.C.D:8080 where my web console is located.
In /IP Cloud it is the same address as in /IP DHCP Client, and it's the same as above, A.B.C.D.

I'm thinking of a factory reset as it seems like something is broken :(
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT config in RB4011iGS

Thu Sep 08, 2022 3:42 pm

That is a good idea, not much more to try at this point.
 
bilak
just joined
Topic Author
Posts: 6
Joined: Sat Aug 20, 2022 11:50 am

Re: DST NAT config in RB4011iGS

Mon Sep 19, 2022 7:59 pm

Just for reference... it seems like the problem was that I wasn't able to access the WAN IP from within the LAN. So I've tried to do hairpin NAT as described here and now it works.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT config in RB4011iGS

Mon Sep 19, 2022 9:14 pm

Yup, good reference: viewtopic.php?t=179343
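The hairpin NAT fix bilak describes, written out as RouterOS 7 firewall rules. This is an added example, not the configuration from the thread or from the linked topic; it assumes the addressing of the posted export (server 192.168.88.88 on 192.168.88.0/24 behind "bridge", WAN interfaces in list WAN, a dynamic public address from the DHCP client), and the rule comments are made up.

```routeros
# Added example, not the poster's export: explicit per-port dst-nat rules plus
# hairpin NAT, for RouterOS 7.x. Assumed layout (taken from the posted export):
# WAN interfaces are in list "WAN", LAN is 192.168.88.0/24 on "bridge",
# the server is 192.168.88.88, and the public address is dynamic (DHCP client).

/ip firewall nat
# The rules as posted have no dst-port matcher, so each one matches every TCP
# packet arriving from WAN whatever its destination port, and the first match
# is the one that applies. Match the port explicitly so only the intended
# service is exposed.
add chain=dstnat action=dst-nat comment=http_80 in-interface-list=WAN \
    protocol=tcp dst-port=80 to-addresses=192.168.88.88 to-ports=80
add chain=dstnat action=dst-nat comment=http_443 in-interface-list=WAN \
    protocol=tcp dst-port=443 to-addresses=192.168.88.88 to-ports=443
add chain=dstnat action=dst-nat comment=tcp_8123 in-interface-list=WAN \
    protocol=tcp dst-port=8123 to-addresses=192.168.88.88 to-ports=8123

# Hairpin, step 1: a LAN client connecting to the public address arrives on
# the bridge, not on WAN, so the rules above never see it. Match the same
# ports when the destination is an address owned by the router
# (dst-address-type=local) other than the router's own LAN address; this
# avoids hard-coding a public IP that the DHCP client may change.
add chain=dstnat action=dst-nat comment="hairpin dstnat" \
    in-interface-list=LAN dst-address-type=local dst-address=!192.168.88.1 \
    protocol=tcp dst-port=80,443,8123 to-addresses=192.168.88.88
# Hairpin, step 2: the server would otherwise answer the LAN client directly
# from its private address, and the client (which sent to the public address)
# drops the reply. Masquerade LAN-to-server traffic on these ports so the
# reply returns through the router and is un-NATed symmetrically.
add chain=srcnat action=masquerade comment="hairpin srcnat" \
    src-address=192.168.88.0/24 dst-address=192.168.88.88 \
    protocol=tcp dst-port=80,443,8123

# The default forward rule "drop all from WAN not DSTNATed" is untouched: the
# forwarded connections carry connection-nat-state=dstnat and pass it, while
# hairpin connections enter from LAN and are never subject to it.
```

Because of the masquerade, the server's logs show 192.168.88.1 as the client for hairpinned connections; that is inherent to this approach.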
