davidfs
just joined
Topic Author
Posts: 18
Joined: Thu Aug 06, 2009 10:05 am
Location: Barcelona, Spain

Question about how to do DNAT.

Mon Nov 16, 2009 9:34 am

I've set up DNAT on port 5900 (VNC) to an internal PC.
Sometimes I can't connect to it (of course sometimes I can).

If I look at the connections in WinBox (Firewall -> Connections)
I can see the connection with TCP state established when I am connected.
The times I can't connect, I see the TCP state syn-received.
As I understand it, this happens when the SYN-ACK packet has been sent from the
internal IP to the external one, but the external IP does not respond (second
stage of the three-way handshake) (see Packet Flow -> Connection Timeout in
the MikroTik documentation).

Is this correct?


If I capture the traffic on both the internal and external interfaces, I can
see the SYN going to the internal PC (so DNAT is OK).

But the SYN-ACK is only captured on the LAN segment, not on the public segment!
Although in Firewall -> Connections I can see the syn-received state, this packet never goes
out to the public interface (and this is the reason the connection isn't established).

I'm lost because I don't know where this packet is lost (and remember, only sometimes).

I'm starting to think that RouterOS does not "undo" DNAT very well.


Note: I don't have any rule in postrouting mangle.
In NAT, I accept the DNAT traffic before doing SNAT (the connection is marked in prerouting).

Oh, this happens with other MikroTiks on other ports (UDP 500) with multiple clients
(Vista, XP), on dynamic public IPs. :(
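The state names in the post come from the router's connection tracking, and each one tells you which handshake packets the router has actually processed. The following is an added example (not code from the original post or from RouterOS): a minimal model of the TCP connection-tracking states shown under Firewall -> Connections, fed with constructed packet traces. Addresses are the post-NAT ones that connection tracking matches on: the DNAT target 172.16.0.189 from the post and a constructed client address.

```python
# Added example (not from the original post): a minimal model of the TCP
# connection-tracking states RouterOS shows under Firewall -> Connections,
# fed with constructed packets, to show which packets must have been seen
# by the router for a connection to read "syn-received" versus "established".
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int  # TCP flag bits: SYN = 0x02, ACK = 0x10


class TcpTracker:
    """One tracked connection. The side that sent the first SYN is the 'original' direction."""

    def __init__(self) -> None:
        self.state = "none"
        self.original: Optional[Tuple[str, str]] = None

    def feed(self, pkt: Packet) -> str:
        is_syn = bool(pkt.flags & SYN)
        is_ack = bool(pkt.flags & ACK)
        if self.state == "none":
            if is_syn and not is_ack:
                self.original = (pkt.src, pkt.dst)
                self.state = "syn-sent"        # SYN seen in one direction only
            return self.state
        direction = "original" if (pkt.src, pkt.dst) == self.original else "reply"
        if self.state == "syn-sent" and direction == "reply" and is_syn and is_ack:
            self.state = "syn-received"        # SYN-ACK seen coming back through the router
        elif self.state == "syn-received" and direction == "original" and is_ack and not is_syn:
            self.state = "established"         # final ACK of the handshake seen
        # anything else (retransmitted SYN, stray ACK) leaves the state unchanged
        return self.state


def track(packets: List[Packet]) -> str:
    """Feed a packet sequence through a fresh tracker and return the final state."""
    tracker = TcpTracker()
    for pkt in packets:
        tracker.feed(pkt)
    return tracker.state


# Constructed addresses: a VNC client on the internet and the DNAT target from the post.
CLIENT = "192.0.2.77"
SERVER = "172.16.0.189"

HANDSHAKE_OK = [
    Packet(CLIENT, SERVER, SYN),
    Packet(SERVER, CLIENT, SYN | ACK),
    Packet(CLIENT, SERVER, ACK),
]

# The SYN-ACK reaches the router, but the client's ACK never arrives.
HANDSHAKE_STUCK = [
    Packet(CLIENT, SERVER, SYN),
    Packet(SERVER, CLIENT, SYN | ACK),
    Packet(CLIENT, SERVER, SYN),        # client retransmits its SYN; state does not advance
]

# The SYN-ACK never reaches the router's connection tracking at all.
SYN_ONLY = [Packet(CLIENT, SERVER, SYN)]

if __name__ == "__main__":
    for name, trace in [("ok", HANDSHAKE_OK), ("stuck", HANDSHAKE_STUCK), ("syn-only", SYN_ONLY)]:
        print(f"{name:9s} -> {track(trace)}")
```

What the model makes explicit: a connection can only reach syn-received if connection tracking processed the SYN-ACK, so a connection stuck in that state means the router accepted the reply into the tracked flow; had the SYN-ACK been dropped before tracking, the entry would stay at syn-sent. Where the packet goes after tracking (mangle, filter, routing, srcnat) is a separate question that this model does not answer.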
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Question about how to do DNAT.

Tue Nov 17, 2009 3:59 am

Turn off your forward chain firewall to make sure nothing in there is blocking it. Are you doing masquerade on this before it goes back to the internet?

Post your basic config.
 
davidfs
just joined
Topic Author
Posts: 18
Joined: Thu Aug 06, 2009 10:05 am
Location: Barcelona, Spain

Re: Question about how to do DNAT.

Tue Nov 17, 2009 12:04 pm

Thanks for the response.
I'm posting the firewall config. I disabled the forward rules with no success. What I don't understand is why it sometimes
works, and sometimes not.

Configuration in mangle
(mark VPN, mark DNAT server, mark allowed clients):
/ip firewall mangle
add action=mark-connection chain=prerouting comment=VPN connection-state=new disabled=no \
    dst-address=172.16.0.0/16 src-address=172.16.0.0/16 new-connection-mark=VPN passthrough=no
add action=mark-connection chain=prerouting comment="DNAT server" \
    connection-state=new protocol=tcp dst-port=5900 in-interface=adsl1 \
    new-connection-mark="DNAT server" passthrough=no disabled=no
add action=mark-connection chain=prerouting comment="" \
    connection-state=new protocol=tcp dst-port=5800 in-interface=adsl1 \
    new-connection-mark="DNAT server" passthrough=no disabled=no
add action=mark-connection chain=prerouting comment="whitelist_dest" \
    connection-state=new disabled=no dst-address-list=whitelist_dest in-interface=lan \
    new-connection-mark=Clients-adsl1 passthrough=yes
add action=mark-connection chain=prerouting comment="whitelist_org" \
    connection-state=new disabled=no in-interface=lan src-address-list=whitelist_org \
    new-connection-mark=Clients-adsl1 passthrough=yes
add action=mark-routing chain=prerouting comment="" \
    connection-mark=Clients-adsl1 connection-state=new disabled=no \
    new-routing-mark=adsl1 passthrough=no
Config in NAT (in srcnat: accept DNAT servers, accept VPN, and src-nat allowed clients):
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5900 in-interface=adsl1 protocol=tcp to-addresses=172.16.0.189
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5800 in-interface=adsl1 protocol=tcp to-addresses=172.16.0.189
add action=accept chain=srcnat comment="" connection-mark="DNAT server" disabled=no
add action=accept chain=srcnat comment="" connection-mark=VPN disabled=no
add action=src-nat chain=srcnat comment="" connection-mark=Clients-adsl1 disabled=no to-addresses=@publicip1
I've put only the forward rules; the input rules do not affect DNAT.
/ip firewall filter
add action=accept chain="Keep State" comment="KEEP STATE" connection-state=established disabled=no
add action=accept chain="Keep State" comment="" connection-state=related disabled=no
add action=return chain="Keep State" comment="" disabled=no
add action=jump chain=forward comment=FORWARD disabled=no jump-target="Keep State"
add action=accept chain=forward comment="" connection-mark=VPN disabled=no
add action=accept chain=forward comment="" connection-mark="DNAT server" disabled=no
add action=accept chain=forward comment="" connection-mark=Clients-adsl1 disabled=no
add action=accept chain=forward comment="" connection-mark=Clients-adsl2 disabled=no
add action=drop chain=forward comment="" disabled=no
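To see what the posted mangle, NAT and filter rules actually assign to each packet of the DNAT'd VNC handshake, here is an added example (not the poster's code and not RouterOS itself): a small evaluator that walks the incoming SYN and the SYN-ACK reply from 172.16.0.189 through the rules above in order, plus a LAN-originated connection for contrast. The address-list contents, the client address and the value standing in for @publicip1 are constructed; the rule order, marks, ports and interface names are taken from the post.

```python
# Added example (not from the forum post): evaluate the posted mangle/NAT/filter
# rules for the packets of the DNAT'd VNC handshake. Address lists, the client
# address and the value behind @publicip1 are constructed stand-ins.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip, net = ipaddress.ip_address, ipaddress.ip_network

PUBLIC_IP1 = "198.51.100.5"                 # constructed stand-in for @publicip1
DNAT_TARGET = "172.16.0.189"                # from the posted dst-nat rules
VPN_NET = net("172.16.0.0/16")
WHITELIST_DEST = [net("203.0.113.0/24")]    # constructed content of whitelist_dest
WHITELIST_ORG = [net("172.16.0.10/32")]     # constructed content of whitelist_org


@dataclass
class Conn:
    state: str = "new"                      # connection-state as connection tracking reports it
    mark: Optional[str] = None              # connection-mark (sticks to the connection)
    routing_mark: Optional[str] = None      # routing-mark (set per packet)


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


# /ip firewall mangle chain=prerouting, in the posted order
MANGLE = [
    dict(action="mark-connection", state="new", src=VPN_NET, dst=VPN_NET, mark="VPN", passthrough=False),
    dict(action="mark-connection", state="new", proto="tcp", dport=5900, in_iface="adsl1", mark="DNAT server", passthrough=False),
    dict(action="mark-connection", state="new", proto="tcp", dport=5800, in_iface="adsl1", mark="DNAT server", passthrough=False),
    dict(action="mark-connection", state="new", dst_list=WHITELIST_DEST, in_iface="lan", mark="Clients-adsl1", passthrough=True),
    dict(action="mark-connection", state="new", src_list=WHITELIST_ORG, in_iface="lan", mark="Clients-adsl1", passthrough=True),
    dict(action="mark-routing", state="new", conn_mark="Clients-adsl1", routing_mark="adsl1", passthrough=False),
]


def matches(rule, pkt: Packet, conn: Conn) -> bool:
    checks = {
        "state": lambda v: conn.state == v,
        "proto": lambda v: pkt.proto == v,
        "dport": lambda v: pkt.dport == v,
        "in_iface": lambda v: pkt.in_iface == v,
        "src": lambda v: ip(pkt.src) in v,
        "dst": lambda v: ip(pkt.dst) in v,
        "src_list": lambda v: any(ip(pkt.src) in n for n in v),
        "dst_list": lambda v: any(ip(pkt.dst) in n for n in v),
        "conn_mark": lambda v: conn.mark == v,
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def prerouting_mangle(pkt: Packet, conn: Conn) -> Conn:
    """Apply the mangle rules top to bottom; passthrough=no stops at the first match."""
    for rule in MANGLE:
        if not matches(rule, pkt, conn):
            continue
        if rule["action"] == "mark-connection":
            conn.mark = rule["mark"]
        else:
            conn.routing_mark = rule["routing_mark"]
        if not rule["passthrough"]:
            break
    return conn


def dstnat(pkt: Packet) -> str:
    if pkt.in_iface == "adsl1" and pkt.proto == "tcp" and pkt.dport in (5900, 5800):
        return DNAT_TARGET
    return pkt.dst


def srcnat(conn: Conn) -> str:
    if conn.mark in ("DNAT server", "VPN"):
        return "accept"                     # explicit accept: no source translation
    if conn.mark == "Clients-adsl1":
        return f"src-nat to {PUBLIC_IP1}"
    return "no rule matched"


def forward_filter(conn: Conn) -> str:
    if conn.state in ("established", "related"):
        return "accept"                     # the "Keep State" chain
    if conn.mark in ("VPN", "DNAT server", "Clients-adsl1", "Clients-adsl2"):
        return "accept"
    return "drop"


def simulate_dnat_flow(client: str) -> dict:
    """Walk the SYN from the internet and the SYN-ACK from the DNAT target through the rules."""
    conn = Conn()
    syn = Packet("adsl1", client, PUBLIC_IP1, dport=5900)
    prerouting_mangle(syn, conn)
    syn_report = dict(connection_mark=conn.mark, routing_mark=conn.routing_mark,
                      dst_after_nat=dstnat(syn), filter=forward_filter(conn))
    # Reply: tracking has now seen both directions, so connection-state is "established".
    # The connection-mark stays on the connection; routing-mark is per packet and starts empty.
    conn.state, conn.routing_mark = "established", None
    prerouting_mangle(Packet("lan", DNAT_TARGET, client), conn)
    reply_report = dict(connection_mark=conn.mark, routing_mark=conn.routing_mark,
                        src_after_nat=PUBLIC_IP1,   # tracking reverses the dst-nat on replies
                        srcnat=srcnat(conn), filter=forward_filter(conn))
    return {"syn": syn_report, "syn_ack": reply_report}


def simulate_lan_client(client_lan: str, dst: str) -> dict:
    """A LAN host listed in whitelist_org opening a new outbound connection, for contrast."""
    conn = Conn()
    prerouting_mangle(Packet("lan", client_lan, dst, dport=443), conn)
    return dict(connection_mark=conn.mark, routing_mark=conn.routing_mark, srcnat=srcnat(conn))
```

Running simulate_dnat_flow shows that the SYN gets connection-mark "DNAT server", is dst-nat'd to 172.16.0.189 and is accepted by the forward chain; the SYN-ACK keeps that mark, matches no mangle rule (all of them need connection-state=new), receives no routing-mark, is accepted in srcnat without translation, and leaves with its source rewritten back to the public address. By contrast, a new connection from a whitelisted LAN host gets Clients-adsl1 and routing-mark adsl1. So under these rules the exit path of a DNAT reply is decided by the main routing table rather than being pinned to adsl1; whether that matters here depends on the routes and the second uplink, neither of which the post shows.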
