Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Nat rule not works out:(unknown 0)

Wed Jun 12, 2024 1:11 pm

Hi, I was trying to discover a device from a VLAN (casa, 192.168.0.xx) to a device in a different VLAN (192.168.240.161).

I found these instructions in a non-MikroTik device forum.

(https://community.ui.com/questions/HDHo ... 45733d5150)

Is it possible to apply them to MikroTik?

As I understand it, I wrote these 4 firewall rules:
NAT

 ;;; HDHomeRUN
      chain=dstnat action=dst-nat to-addresses=192.168.240.161 protocol=udp src-address-list=net_casa in-interface-list=LAN dst-port=65001 log=yes log-prefix="HDhomeRUN" 


FILTER

;;; HDHomeRUN
      chain=input action=accept protocol=udp src-address=192.168.240.161 in-interface-list=LAN src-port=65001 log=no log-prefix="" 

;;; HDHomeRUN
      chain=forward action=accept protocol=udp dst-address-list=192.168.240.161 in-interface-list=LAN dst-port=65001 log=no log-prefix="" 

;;; HDHomeRUN
      chain=forward action=accept protocol=udp dst-address-list=255.255.255.255 dst-port=65001 log=no log-prefix="" 

I just can't do discovery.

The log gives me this error:
HDhomeRUN dstnat: in:100-Home out:(unknown 0), connection-state:new src-mac xxx, proto UDP, 192.168.0.106:61044->255.255.255.255:65001, len 46
What am I doing wrong?

My complete firewall rules are:
/ip/firewall/filter/ print 
Flags: X - disabled, I - invalid; D - dynamic 

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; ONLY allow trusted subnet full access to router services
      chain=input action=accept src-address-list=net_casa 

 6    ;;; PiHole
      chain=input action=accept protocol=udp in-interface-list=LAN dst-port=53,123 log=no log-prefix="" 

 7    ;;; PiHole
      chain=input action=accept protocol=tcp in-interface-list=LAN dst-port=53 log=no log-prefix="" 

 8    ;;; HDHomeRUN
      chain=input action=accept protocol=udp src-address=192.168.240.161 in-interface-list=LAN src-port=65001 log=no log-prefix="" 

 9    ;;; DROP ALL ELSE
      chain=input action=drop 

10    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

12    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

14    ;;; allow access to ALL DomusNET
      chain=forward action=accept src-address-list=net_casa dst-address-list=net_domus log=no log-prefix="" 

15    ;;; allow access to ALL ControlNET
      chain=forward action=accept src-address-list=net_casa dst-address-list=net_control log=no log-prefix="" 

16    ;;; allow access to AP Mamma
      chain=forward action=accept dst-address=10.255.255.2 src-address-list=net_casa log=no log-prefix="" 

17    ;;; allow access to MCZ from LAN
      chain=forward action=accept dst-address=192.168.120.1 src-address-list=net_casa log=no log-prefix="" 

18    ;;; allow access to MCZ from DOMUS
      chain=forward action=accept dst-address=192.168.120.1 src-address-list=net_domus log=no log-prefix="" 

19    ;;; allow access to PiHOLE
      chain=forward action=accept dst-address=192.168.55.55 src-address-list=filtered log=no log-prefix="" 

20    ;;; HDHomeRUN
      chain=forward action=accept protocol=udp dst-address-list=192.168.240.161 in-interface-list=LAN dst-port=65001 log=no log-prefix="" 

21    ;;; HDHomeRUN
      chain=forward action=accept protocol=udp dst-address-list=255.255.255.255 dst-port=65001 log=no log-prefix="" 

22    ;;; BLOCK DOT and DOH
      chain=forward action=drop protocol=udp src-address-list=!excluded dst-address-list=DNS-DOH dst-port=443,853 log=no log-prefix="" 

23    ;;; BLOCK DOT and DOH
      chain=forward action=drop protocol=tcp src-address-list=!excluded dst-address-list=DNS-DOH dst-port=443,853 log=no log-prefix="" 

24    ;;; internet traffic
      chain=forward action=accept src-address-list=!net_control in-interface-list=LAN out-interface-list=WAN log=no log-prefix="" 

25    ;;; port forwarding
      chain=forward action=accept connection-nat-state=dstnat 

26    ;;; DROP ALL ELSE
      chain=forward action=drop 


/ip/firewall/nat/ print       
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN 

 1    ;;; Pihole
      chain=dstnat action=dst-nat to-addresses=192.168.55.55 protocol=udp src-address-list=!excluded in-interface-list=LAN dst-port=53 log=no log-prefix="" 

 2    ;;; Pihole
      chain=dstnat action=dst-nat to-addresses=192.168.55.55 protocol=tcp src-address-list=!excluded dst-port=53 log=no log-prefix="" 

 3    ;;; HDHomeRUN
      chain=dstnat action=dst-nat to-addresses=192.168.240.161 protocol=udp src-address-list=net_casa in-interface-list=LAN dst-port=65001 log=yes log-prefix="HDhomeRUN" 


Thanks in advance
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: Nat rule not works out:(unknown 0)

Sun Jun 16, 2024 12:25 am

try with one up? :D
 
Amm0
Forum Guru
Posts: 4441
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Nat rule not works out:(unknown 0)

Sun Jun 16, 2024 4:27 am

So it works if you use an IP address in whatever app/media-center/etc. in 192.168.0.x that's using it, just it does not show up as "discovered". Is that the issue?

AFAIK HDHomeruns just use a UDP broadcast message to kick-start discovery. So while NAT/filter may be needed to connect using a unicast IP address across the VLAN, it does NOT help with "discovery". IP broadcasts aren't forwarded across VLANs, since they're supposed to be local to the subnet.

So... discovery is NOT going to work across VLANs. I just put it in the LAN that needs it and not on a separate VLAN.

I'll note that I suppose it'd be possible to do the same "bridge filter trick" used for mDNS, but not 100% sure, & it won't be for the faint-of-heart to try. But see viewtopic.php?t=204025, which would have to be adapted for the broadcast message and ports used by HDHomerun, within the /interface/bridge side of things.
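Added here as an example, not code from either poster: a small Python lint over rule lines in the shape of the first post's /ip/firewall print output plus its dstnat log entry. It flags the two things the thread turns on: an address-list field holding a literal IP (dst-address-list=192.168.240.161 names a list, not a host, so the rule only matches if such a list exists) and forward rules for 255.255.255.255, the limited broadcast that is delivered locally and never forwarded across VLANs, as Amm0 explains. The sample rules and log line are constructed copies of the thread's own.

```python
import ipaddress
import re
import shlex

# Constructed samples: rules copied from the thread in RouterOS print form
# and the dstnat log entry from the first post.
SAMPLE_RULES = [
    'chain=forward action=accept protocol=udp dst-address-list=192.168.240.161 in-interface-list=LAN dst-port=65001 log-prefix=""',
    'chain=forward action=accept protocol=udp dst-address-list=255.255.255.255 dst-port=65001',
    'chain=dstnat action=dst-nat to-addresses=192.168.240.161 protocol=udp src-address-list=net_casa in-interface-list=LAN dst-port=65001',
]
SAMPLE_LOG = ('HDhomeRUN dstnat: in:100-Home out:(unknown 0), connection-state:new src-mac xxx, '
              'proto UDP, 192.168.0.106:61044->255.255.255.255:65001, len 46')

LIMITED_BROADCAST = '255.255.255.255'

def parse_rule(line):
    """Turn a RouterOS 'key=value key=value ...' rule line into a dict (quotes handled)."""
    return dict(tok.split('=', 1) for tok in shlex.split(line) if '=' in tok)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_rule(rule):
    """Return findings for one parsed rule; an empty list means nothing suspicious."""
    findings = []
    for key in ('src-address-list', 'dst-address-list'):
        if key in rule and is_ip(rule[key].lstrip('!')):
            # RouterOS treats the value as a list *name*; a literal host belongs in dst-address=/src-address=
            findings.append(f'{key}={rule[key]} names an address list, not a host; use {key[:-5]}= for a literal IP')
    dst = rule.get('dst-address', rule.get('dst-address-list'))
    if rule.get('chain') == 'forward' and dst == LIMITED_BROADCAST:
        findings.append('limited broadcast 255.255.255.255 is delivered locally (input chain), never forwarded, so this forward rule cannot match')
    return findings

# Matches the firewall log format shown in the thread: "in:IF out:IF, ... proto X, src:port->dst:port"
LOG_RE = re.compile(r'in:(?P<in>\S+) out:(?P<out>\(unknown 0\)|\S+),.*?proto (?P<proto>\w+), '
                    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)')

def explain_log(line):
    """Parse one log entry and mark whether the destination is the limited broadcast."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info['broadcast'] = info['dst'] == LIMITED_BROADCAST
    return info

if __name__ == '__main__':
    for line in SAMPLE_RULES:
        print(line, '->', lint_rule(parse_rule(line)) or 'ok')
    print(explain_log(SAMPLE_LOG))
```

The `out:(unknown 0)` in the entry is expected for a dstnat (prerouting) hit, since no output interface has been chosen yet; the broadcast flag is what tells you the packet will not be forwarded as-is.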