pavljiks
just joined
Topic Author
Posts: 7
Joined: Mon Aug 09, 2010 11:11 pm

Port forward / NAT / port mapping problem.

Mon Aug 09, 2010 11:30 pm

First of all, proud of such a company (because I am Latvian). Heard much about it. Finally got my R750G to give it a try, and to get familiar with RouterOS at all, and I already have that feeling that in some time we will be friends :).

After spending some time reading forums and wiki.mikrotik.com I still can't get access from outside to my internal server (service TCP on ports 9000-9001 of my internal PC 192.168.1.99). It can also be Windows remote access or any other service.

I'd better just paste the relevant part of the config to clear up what has gone wrong:
[admin@MikroTik] > /ip firewall nat print all
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=srcnat action=masquerade out-interface=ether1-gateway

 1 D chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=3442 protocol=tcp dst-address=87.110.170.124 dst-port=3442
 2 D chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=3442 protocol=udp dst-address=87.110.170.124 dst-port=3442
 3 D chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=32966 protocol=tcp dst-address=87.110.170.124 dst-port=32966
 4 D chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=32966 protocol=udp dst-address=87.110.170.124 dst-port=32966
 5   chain=dstnat action=dst-nat to-addresses=192.168.1.99 to-ports=9000 protocol=tcp dst-port=9000
 6   chain=dstnat action=dst-nat to-addresses=192.168.1.99 to-ports=9001 protocol=tcp dst-port=9001
[admin@MikroTik] > /ip firewall filter print all
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp
 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=ether1-gateway
 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=ether1-gateway
 3   ;;; logoshana
     chain=input action=log in-interface=ether1-gateway log-prefix="Input:Other"
 4   ;;; Added by webbox
     chain=input action=drop in-interface=ether1-gateway
 5   ;;; Added by webbox
     chain=forward action=jump jump-target=customer in-interface=ether1-gateway
 6   ;;; Added by webbox
     chain=customer action=accept connection-state=established
 7   ;;; Added by webbox
     chain=customer action=accept connection-state=related
 8   ;;; Added by webbox
     chain=customer action=drop
My outside interface is connected to the internet with a dynamic IP (DHCP), so it is hard for me to specify dst-address for dst-nat; it can change.
Basically my routerboard config is almost default except the lines I pasted here, and settings which I can specify over web access (for example, I don't have any clue what "Protect router", "Protect LAN" and "NAT" in the Firewall tab over web access mean).
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Port forward / NAT / port mapping problem.

Tue Aug 10, 2010 1:26 pm

Your firewall filter forward rules are blocking the access. You need to allow the three IPs through before the "action=drop" rule.

add chain=customer action=accept src-address=192.168.1.109
add chain=customer action=accept dst-address=192.168.1.109

then do the same for the other two IPs.

Move all these above the "chain=customer action=drop" rule.
 
someuser
Member Candidate
Posts: 102
Joined: Tue Apr 13, 2010 7:05 am

Re: Port forward / NAT / port mapping problem.

Tue Aug 10, 2010 8:25 pm

Your firewall filter forward rules are blocking the access. You need to allow the three IPs through before the "action=drop" rule.

add chain=customer action=accept src-address=192.168.1.109
add chain=customer action=accept dst-address=192.168.1.109

then do the same for the other two IPs.

Move all these above the "chain=customer action=drop" rule.
Hey FloridaSurferTim,
I missed your "Shark Week". Any recordings anywhere?
:D
CaliforniaSurferTim
 
pavljiks
just joined
Topic Author
Posts: 7
Joined: Mon Aug 09, 2010 11:11 pm

Re: Port forward / NAT / port mapping problem.

Tue Aug 10, 2010 10:32 pm

Added two rules as you said. And it works.
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp
 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=ether1-gateway
 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=ether1-gateway
 3   chain=customer action=accept src-address=192.168.1.99
 4   chain=customer action=accept dst-address=192.168.1.99
 5   ;;; logoshana
     chain=input action=log in-interface=ether1-gateway log-prefix="Input:Other"
 6   ;;; Added by webbox
     chain=input action=drop in-interface=ether1-gateway
 7   ;;; Added by webbox
     chain=forward action=jump jump-target=customer in-interface=ether1-gateway
 8   ;;; Added by webbox
     chain=customer action=accept connection-state=established
 9   ;;; Added by webbox
     chain=customer action=accept connection-state=related
10   ;;; Added by webbox
     chain=customer action=drop
Is that the correct place (3, 4)? And two more questions:
1) How can I change the rule order from the command line? I had to use WinBox to just drag and drop.
2) What is the difference between chain input and chain customer? (I understand that I have to read more about it now, but maybe someone can give me a short hint for this time.)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Port forward / NAT / port mapping problem.

Tue Aug 10, 2010 10:39 pm

If they work in that position, then they're OK in that position.

1) "/ip firewall filter move 10 1" moves the 10th rule to the position currently occupied by rule 1, and shifts everything behind it down one
2) http://wiki.mikrotik.com/wiki/Manual:IP ... ter#Chains
# input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
# forward - used to process packets passing through the router
# output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
The 'customer' chain is a custom, non-built in chain jumped to from the forward chain in your ruleset:
chain=forward action=jump jump-target=customer in-interface=ether1-gateway
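A small Python model of how the forward chain in the first post handles the forwarded connection, added here as an illustration (not code from the thread or from MikroTik). It reproduces SurferTim's point that the accept rule has to sit above the drop and fewi's description of `move`: first match wins, the jump into the custom `customer` chain returns to `forward` if that chain ends without a verdict, and `move src dst` puts rule src into the slot of rule dst. The packet is constructed, and the evaluator is a simplification of RouterOS (equality matchers only).

```python
def parse(line):
    """'chain=customer action=accept dst-address=1.2.3.4' -> dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def matches(rule, pkt):
    # every matcher (all keys but chain/action/jump-target) must equal the packet's
    return all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("chain", "action", "jump-target"))

def evaluate(rules, chain, pkt):
    # first match wins; None means the chain ended without a verdict
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        if r["action"] == "jump":            # a jump with no verdict returns
            v = evaluate(rules, r["jump-target"], pkt)
            if v is not None:
                return v
        elif r["action"] in ("accept", "drop"):
            return r["action"]
    return None                              # action=log just continues

def verdict(rules, pkt):
    # a built-in chain that ends without a terminal match accepts the packet
    return evaluate(rules, "forward", pkt) or "accept"

def move(rules, src, dst):
    # '/ip firewall filter move src dst' (src > dst): rule src takes slot dst
    rules = list(rules)
    rules.insert(dst, rules.pop(src))
    return rules

# forward-side rules from the first post, verbatim
FORWARD_RULES = [parse(l) for l in """\
chain=forward action=jump jump-target=customer in-interface=ether1-gateway
chain=customer action=accept connection-state=established
chain=customer action=accept connection-state=related
chain=customer action=drop""".splitlines()]

# constructed packet: first SYN to the forwarded port, seen after dst-nat
NEW_SYN = {"in-interface": "ether1-gateway", "protocol": "tcp",
           "dst-address": "192.168.1.99", "dst-port": "9000",
           "connection-state": "new"}
FIX = parse("chain=customer action=accept dst-address=192.168.1.99")

def before_fix():            # "drop": only established/related get through
    return verdict(FORWARD_RULES, NEW_SYN)
def fix_appended_last():     # "drop": the accept sits below the drop, never reached
    return verdict(FORWARD_RULES + [FIX], NEW_SYN)
def fix_moved_above_drop():  # "accept": appended at index 4, moved into slot 3
    return verdict(move(FORWARD_RULES + [FIX], 4, 3), NEW_SYN)
```

The model also shows why reply packets already got through before the fix: a dst-address accept is only needed for the "new" packet, since the established/related rules cover the rest of the connection.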
