subwrc
just joined
Topic Author
Posts: 5
Joined: Sat Nov 24, 2018 6:16 pm

port forwarding not working on RB3011

Mon May 15, 2023 1:06 pm

Hello to all,

I transferred my working configuration from an RB751g to an RB3011, but I cannot get port forwarding to work anymore.
I have already looked in the forum at topics such as viewtopic.php?t=187596, but that seemed to be a different case.

Let me describe the issue I am facing.
In front of the MikroTik RB3011 there is the provider's Speedport router with its LAN on 192.168.1.1, while the MikroTik's WAN port is 192.168.1.251 and its LAN ethernet bridge is 192.168.10.1.
In the first router (Speedport) there is a port forward rule to the MikroTik WAN IP 192.168.1.251, and in the MikroTik firewall there is the following configuration:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!bridgeLAN
.....
add action=dst-nat chain=dstnat dst-port=1433 log=yes protocol=tcp \
    to-addresses=192.168.10.10 to-ports=1433
When I check the open port 49389 via yougetsignal.com I get a closed port status, while in the MikroTik's log the following is logged:
14:22:39 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.1.251:1433, len 60
14:22:39 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.10.10:1433, NAT 198.199.98.246:39689->(192.168.1.251:1433->192.168.10.10:1433), len 60
14:22:40 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.1.251:1433, len 60
14:22:40 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.10.10:1433, NAT 198.199.98.246:39689->(192.168.1.251:1433->192.168.10.10:1433), len 60
14:22:40 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39693->192.168.1.251:1433, len 60
14:22:40 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39693->192.168.10.10:1433, NAT 198.199.98.246:39693->(192.168.1.251:1433->192.168.10.10:1433), len 60
and I can see the byte counter of the NAT rule increasing.

Could somebody help with this?

edit: added full configuration
# may/15/2023 14:08:15 by RouterOS 7.9
# software id = ----
#
# model = RB3011UiAS
# serial number = ----------
/interface bridge
add arp=proxy-arp name=bridgeLAN
add name=bridgeWAN
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:0C:42:E6:98:A3
set [ find default-name=ether2 ] mac-address=00:0C:42:E6:98:A4
set [ find default-name=ether3 ] mac-address=00:0C:42:E6:98:A5
set [ find default-name=ether4 ] mac-address=00:0C:42:E6:98:A6
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full loop-protect=on mac-address=\
    00:0C:42:E6:98:A7 rx-flow-control=auto tx-flow-control=auto
/disk
set disk1 slot=disk1 type=hardware
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolDHCP ranges=192.168.10.200-192.168.10.229
add name=ovpnPool ranges=192.168.10.230-192.168.10.239
/ip dhcp-server
add address-pool=poolDHCP authoritative=after-2sec-delay interface=bridgeLAN \
    lease-time=10m name=server1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.10.1 name=ovpnProfile only-one=no remote-address=\
    ovpnPool use-ipv6=no
add local-address=192.168.10.1 name=ovpnTOM only-one=yes remote-address=\
    192.168.10.227
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridgeWAN ingress-filtering=no interface=ether1
add bridge=bridgeLAN ingress-filtering=no interface=ether2
add bridge=bridgeLAN ingress-filtering=no interface=ether3
add bridge=bridgeLAN ingress-filtering=no interface=ether4
add bridge=bridgeLAN ingress-filtering=no interface=ether5
add bridge=bridgeLAN interface=ether6
add bridge=bridgeLAN interface=ether7
add bridge=bridgeLAN interface=ether8
add bridge=bridgeLAN interface=ether9
add bridge=bridgeLAN interface=ether10
add bridge=bridgeLAN interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512,null certificate=server-certificate cipher=\
    blowfish128,aes128-cbc,aes192-cbc,aes256-cbc,aes128-gcm enabled=yes \
    protocol=udp
/ip address
add address=192.168.10.1/24 interface=bridgeLAN network=192.168.10.0
add address=192.168.1.251/24 interface=bridgeWAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
    192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    208.67.222.222,208.67.220.220,192.168.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add chain=input comment="Accept established and related packets" \
    connection-state=established,related
add chain=forward comment="Accept established and related packets" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT OpenVPN TCP" dst-port=1194 \
    in-interface=bridgeWAN log=yes log-prefix=I-A-VPN protocol=tcp
add action=accept chain=input comment="ACCEPT OpenVPN TCP" dst-port=1194 \
    in-interface=bridgeWAN log=yes log-prefix=I-A-VPN protocol=udp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid log=yes log-prefix=I-D-INVALID
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log=yes log-prefix=F-D-INVALID
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    dst-address-type=multicast log=yes log-prefix=I-D-IGMP
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local log=yes log-prefix="I-D-NOT LOCAL"
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=bridgeWAN \
    log=yes log-prefix=F-D-!DST-NAT
add action=drop chain=forward comment="Drom Forwards From Internal LAN 155" \
    connection-state=new in-interface=bridgeLAN log=yes log-prefix=\
    "DROP FWD 155:" src-address=10.155.155.0/24
add action=accept chain=input comment=\
    "Accept all connections from local network" connection-state=new \
    in-interface=bridgeLAN log-prefix=I-A-LOC src-address=192.168.10.0/24
add action=accept chain=forward comment="Accept Forwards From Internal LAN" \
    connection-state=new in-interface=bridgeLAN log-prefix=F-A-LOC \
    src-address=192.168.10.0/24
add action=drop chain=forward comment=ALL in-interface=bridgeWAN log=yes \
    log-prefix="IN FROM WAN"
add action=drop chain=input comment="Default WLAN Drop" in-interface=\
    bridgeWAN log=yes log-prefix="WLAN IN DROP" protocol=tcp
add action=drop chain=input comment="Default WLAN Drop" in-interface=\
    bridgeWAN log=yes log-prefix="WLAN IN DROP" protocol=udp
add action=accept chain=input comment=ALL log=yes log-prefix=I-A-LAST
add action=accept chain=forward comment=ALL log=yes log-prefix=F-A-LAST
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!bridgeLAN
add action=dst-nat chain=dstnat disabled=yes dst-port=59010 log=yes protocol=\
    tcp to-addresses=192.168.10.10 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59020 protocol=tcp \
    to-addresses=192.168.10.20 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59030 protocol=tcp \
    to-addresses=192.168.10.30 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59107 protocol=tcp \
    to-addresses=192.168.10.107 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59108 protocol=tcp \
    to-addresses=192.168.10.108 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59118 protocol=tcp \
    to-addresses=192.168.10.118 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=33010 protocol=tcp \
    to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=33020 protocol=tcp \
    to-addresses=192.168.10.20 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=33030 protocol=tcp \
    to-addresses=192.168.10.30 to-ports=3389
add action=dst-nat chain=dstnat dst-port=1433 log=yes protocol=tcp \
    to-addresses=192.168.10.10 to-ports=1433
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp address=192.168.10.0/24
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24 port=4022
set winbox address=192.168.10.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set default-screen=interfaces read-only-mode=yes time-interval=hour
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
add interface=bridgeLAN
add interface=bridgeWAN
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=bridgeLAN,bridgeWAN
/ppp secret
add name=ovpnUser profile=ovpnProfile service=ovpn
add name=ovpnTom profile=ovpnTOM service=ovpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=____VPN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.gr.pool.ntp.org
add address=3.gr.pool.ntp.org
add address=2.gr.pool.ntp.org
add address=1.gr.pool.ntp.org
add address=pool.ntp.org
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool graphing interface
add interface=bridgeLAN
add interface=bridgeWAN
Last edited by subwrc on Wed Nov 01, 2023 11:58 am, edited 3 times in total.
 
karlisi
Member
Posts: 435
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: port forwarding not working on RB3011

Mon May 15, 2023 1:17 pm

So your dst-nat works. Check if there is a response from 192.168.10.10. And it would be better if we could see the whole configuration; perhaps something was altered by the configuration transfer and adaptation process.
 
subwrc
just joined
Topic Author
Posts: 5
Joined: Sat Nov 24, 2018 6:16 pm

Re: port forwarding not working on RB3011

Mon May 15, 2023 2:12 pm

So your dst-nat works. Check if there is response from 192.168.10.10. And it would be better if we can see all configuration, perhaps something was altered by configuration transfer and adaptation process.
Thank you for your reply. I just added the full configuration to my initial post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding not working on RB3011

Mon May 15, 2023 4:58 pm

Normal behaviour --> closed port
Normal behaviour --> invisible on scan when limited by src-address or src-address-list (highly recommended).

(1) You do not need an extra bridge!

All you need is
a. turn off ip dhcp client

b. add the IP address
/ip address
add address=192.168.1.251/24 interface=ether1 network=192.168.1.0

c. add the route manually
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main

(2) With a fixed IP your source-nat rule should not be what you have; why invent crap?

/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether1 to-address=192.168.1.254

(3) In terms of dst-nat rules, your format is missing the interface; see the first rule here for a corrected version.

add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=59010 log=yes \
    protocol=tcp to-addresses=192.168.10.10 to-ports=5900

++++++++++++++++++++++++++++++++

viewtopic.php?t=179343
 
subwrc
just joined
Topic Author
Posts: 5
Joined: Sat Nov 24, 2018 6:16 pm

Re: port forwarding not working on RB3011

Wed Nov 01, 2023 1:06 pm

Thank you for your advice, anav, but I didn't have any luck either.

The port forwarding (dstnat) works when I disable the rule:

add action=drop chain=forward comment=ALL in-interface=bridgeWAN log=yes \
    log-prefix="IN FROM WAN"

Could somebody explain why this happens when the packets come from the dstnat chain?
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: port forwarding not working on RB3011

Wed Nov 01, 2023 1:30 pm

Study the packet flow to understand that. Or do not add rules to the default firewall before you understand what they do.

https://help.mikrotik.com/docs/display/ ... n+RouterOS
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: port forwarding not working on RB3011

Wed Nov 01, 2023 1:39 pm

Your rule is basically a drop all rule (which is fine by itself), hence everything from WAN is dropped.
If you want to be able to port forward, you have to accept for specific ports, something like:
add action=accept chain=forward dst-address=192.168.1.254 dst-port=59010 protocol=tcp log=yes log-prefix="PORT FORWARD"
Make sure it is located above the rule you mentioned.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: port forwarding not working on RB3011

Wed Nov 01, 2023 2:06 pm

The default firewall already blocks everything from WAN except port forwarded traffic.
He chose to modify that, and now he has trouble.
Lesson: when you do not understand how it works, and you modify it, it may break.

This is the rule as it is by default:
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
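The packet-flow point made in the last few replies (and the "why does a forward drop hit packets that came from dstnat" question above) can be traced with a small model. This is an added example, not code from the thread or from MikroTik: it models only the two facts that matter here, that the dstnat chain runs before the forward chain and that the forward chain therefore sees the translated destination together with connection-nat-state=dstnat. Matchers are simplified (no src-address, no logging), the rule lists are hand-constructed from the posted export, and "fixed" simply omits the blanket drop, as pe1chl's default rule already handles unsolicited WAN traffic.

```python
"""Toy model of the RouterOS packet flow for a port-forwarded TCP SYN.

Added example, not code from the thread or from MikroTik. It models only
what this thread turns on: the dstnat chain runs before the forward chain,
so the forward chain sees the translated destination (192.168.10.10) and a
connection-nat-state of "dstnat". Matchers are simplified (no src-address,
no logging) and the rule lists are hand-constructed from the config posted
above, not exported from a router.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    conn_state: str = "new"                   # new | established | related | invalid
    nat_state: FrozenSet[str] = frozenset()   # contains "dstnat" once a dst-nat rule hit


@dataclass
class Rule:
    chain: str                          # "dstnat" or "forward"
    action: str                         # accept | drop | dst-nat
    comment: str = ""
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Optional[str] = None    # comma list as in RouterOS, e.g. "established,related"
    nat_state: Optional[str] = None     # "dstnat" or negated "!dstnat"
    to_address: Optional[str] = None    # dst-nat target

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.conn_state is not None and p.conn_state not in self.conn_state.split(","):
            return False
        if self.nat_state is not None:
            negated = self.nat_state.startswith("!")
            present = self.nat_state.lstrip("!") in p.nat_state
            if present == negated:      # "!dstnat" must be absent, "dstnat" must be present
                return False
        return True


def run_chain(rules: List[Rule], chain: str, p: Packet) -> Tuple[str, str, Packet]:
    """Walk one chain top to bottom; the first matching terminating rule wins.
    Returns (verdict, comment of the deciding rule, possibly rewritten packet)."""
    for r in (r for r in rules if r.chain == chain):
        if not r.matches(p):
            continue
        if r.action == "dst-nat":
            translated = replace(p, dst=r.to_address, nat_state=p.nat_state | {"dstnat"})
            return "accept", r.comment, translated
        return r.action, r.comment, p
    return "accept", "(end of chain: default accept)", p


def forward_packet(rules: List[Rule], p: Packet) -> Tuple[str, str, Packet]:
    """dstnat runs first (prerouting), then the forward filter chain sees the result."""
    _, _, p = run_chain(rules, "dstnat", p)
    return run_chain(rules, "forward", p)


def posted_rules() -> List[Rule]:
    """Relevant subset of the exported config, in its original order."""
    return [
        Rule("dstnat", "dst-nat", "forward 1433", proto="tcp", dst_port=1433,
             to_address="192.168.10.10"),
        Rule("forward", "accept", "Accept established and related packets",
             conn_state="established,related"),
        Rule("forward", "drop", "Drop invalid packets", conn_state="invalid"),
        Rule("forward", "drop", "Drop new connections from internet which are not dst-natted",
             conn_state="new", nat_state="!dstnat", in_iface="bridgeWAN"),
        Rule("forward", "accept", "Accept Forwards From Internal LAN",
             conn_state="new", in_iface="bridgeLAN"),
        Rule("forward", "drop", "ALL", in_iface="bridgeWAN"),   # log-prefix "IN FROM WAN"
        Rule("forward", "accept", "ALL (last)"),
    ]


def fixed_rules() -> List[Rule]:
    """Same list without the blanket 'drop everything in from bridgeWAN' rule;
    the earlier !dstnat rule already blocks unsolicited WAN traffic."""
    return [r for r in posted_rules()
            if not (r.chain == "forward" and r.action == "drop" and r.comment == "ALL")]


def wan_syn(dport: int) -> Packet:
    """Constructed SYN modelled on the logged one (scanner -> router WAN address)."""
    return Packet(in_iface="bridgeWAN", src="198.199.98.246", dst="192.168.1.251", dport=dport)


if __name__ == "__main__":
    for label, rules in (("posted", posted_rules()), ("fixed", fixed_rules())):
        for port in (1433, 2222):
            verdict, why, pkt = forward_packet(rules, wan_syn(port))
            print(f"{label:6} tcp/{port:<5} -> {verdict:6} by '{why}' (dst now {pkt.dst})")
```

Running it shows the forwarded SYN reaching the forward chain with dst 192.168.10.10 and the dstnat mark set, slipping past the `!dstnat` drop exactly as intended, and then being caught by the unconditional `in-interface=bridgeWAN` drop; without that rule it is accepted, while a SYN to a port with no dst-nat rule is still dropped by the `!dstnat` rule.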
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding not working on RB3011

Wed Nov 01, 2023 4:16 pm

Really? The butchering of firewall rules seems to indicate a very swept up admin.
There is no reason to think that it's a patchwork of youtube and other nefarious articles.
