rihatum
just joined
Topic Author
Posts: 9
Joined: Wed Jun 29, 2011 10:34 pm

Mikrotik 3 WAN, 1 LAN - Open Ports

Wed Jul 13, 2011 5:49 pm

Hi All,

How can I use winbox to open port 3389 to a box behind my mikrotik router os?

I have 3 WAN connections and 1 LAN connection. I did open the port on all 3 WANs, forwarding to the same internal IP with port 3389 open; the request comes in on any of the WANs as directed, but it won't go through to the server.

I am using Winbox; can someone guide me to open a port on MikroTik via Winbox? I will be really grateful.

Kind Regards
 
poli5681
newbie
Posts: 44
Joined: Fri Jul 03, 2009 11:47 am

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Thu Jul 14, 2011 3:55 pm

Hi,

I presume you already opened the port at the firewall forwarding chain...

You have to add a "dstnat" Rule for your destination port 3389 at the NAT Tab and select action "dst-nat" and your internal IP as "to-address".
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Thu Jul 14, 2011 5:03 pm

In addition to needing to set up nat rules, since you have multiple WANs, you need to mark connections coming in for those services behind the router and mark them for routing. Without those rules the router won't know what routing table to use to get back to you, and that will result in the connection not working properly.
ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether3 new-connection-mark=outside1_connection
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether2 new-connection-mark=outside2_connection
add action=mark-routing chain=prerouting connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
 
rihatum
just joined
Topic Author
Posts: 9
Joined: Wed Jun 29, 2011 10:34 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Thu Jul 14, 2011 9:21 pm

Hi feklar,

Thank you for your reply / suggestion and I am sure you are right on :-)

I have one more question though :

Let's say I have a rule for RDP (3389) incoming on WAN-1 and I have named that interface WAN1, so would I type the following in the terminal:
ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=WAN1 new-connection-mark=WAN1
Shall I just paste the above command in Winbox > Terminal? Or do I have to add 3 rules, as I have 3 WANs, and substitute
in-interface=ether3 with in-interface=WAN1
new-connection-mark=WAN1
Will be grateful for your prompt reply!
Thank you so much

PS: Can you also post the code / command required to open RDP 3389 via terminal / Winbox? I am just suspicious of the rules I have created: with the rule in place, when I RDP, it shows bytes being received but it doesn't give me the login window, which is why I think mangle will sort that out. But just to be on the safe side, if you can post the complete command to open the port and then to add the mangle rule.

Also, do we add mangle rules for all WAN connections we have on MikroTik, or only when we set up open ports on a specific WAN connection? Thanks!
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Fri Jul 15, 2011 7:24 pm

How you open a port mainly depends on your firewall filter. The default action of the filter is to "accept" since it's a router first, so if you aren't blocking anything in the forward chain of the filter, it will be able to pass through the filter just fine. Then all your router needs to know is how you want to NAT that connection to reach whatever server you want, and in your case it needs to remember what interface something came in on so it can route it out the correct one again (that is where mangle comes into play).
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=WAN1 protocol=tcp dst-port=3389 to-address=SERVER_YOU_ARE_FORWARDING_TO to-ports=3389
If you have set up your firewall filter, then you may need to add in an explicit accept rule above your drop rule.
/ip firewall filter
add action=accept chain=forward in-interface=WAN1 protocol=tcp dst-port=3389
If you are only concerned about forwarding over WAN1, then you only need rules for WAN1, however if you want to allow forwarding like that over multiple interfaces then you'll want it for all 3 WAN interfaces. Don't forget the rule to mark those connections for routing, and be sure to have the appropriate route in your routing table. You'll also want a "unique" connection and routing mark for each WAN interface in your case.
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=WAN1 new-connection-mark=WAN1
add action=mark-routing chain=prerouting connection-mark=WAN1 new-routing-mark=WAN1 disabled=no passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=YOUR_GATEWAY routing-mark=WAN1
Remember, order of firewall rules is VERY important. They are processed in the order that they appear within the same chain. So if your more specific rule isn't being hit, there may be a more general rule above it that is applying to it first. This document will give you a very good idea of the order of operations and the life of a packet in a MikroTik router.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram

Also, how general or specific your rules are is important. If you make the rules too general they will apply to more than what you want and can break other things; if they are too specific then they will not do everything you are expecting them to. So pay attention to what you are doing when adding rules, use safe mode in case you break something, and understand the rules, how they work, and what they do.
 
rihatum
just joined
Topic Author
Posts: 9
Joined: Wed Jun 29, 2011 10:34 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Sun Jul 17, 2011 5:44 pm

Hi Feklar,

Following is the IP route on our MikroTik router.

Basically, we got this installed as we were told that this will load-balance all our 3 Internet connections (2 x DSL and 1 x dedicated leased line of 2 MB).

Please let me know if you want to see the output of any other command. I will be grateful if you could just type the 2 or 3 commands I have to type to open the ports in this scenario.

1st Rule: I want to use the IP 1.1.159.250 to get to my server on port 3389; the server's private IP is 192.168.2.250
2nd Rule: I want to use the IP 1.1.159.250 to get to the MikroTik on 8291 via Winbox; the MikroTik IP is 192.168.2.2
[admin@mikrotikos] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 
        gateway=1.1.159.249,192.167.2.1,192.167.2.1,192.167.0.1,192.167.0.1,
                192.167.0.1,192.167.0.1,192.167.0.1 
        interface=ISP1,ISP3,ISP3,ISP2,ISP2,ISP2,
                  ISP2,ISP2 
        check-gateway=ping 
        gateway-state=reachable,reachable,reachable,reachable,reachable,
                      reachable,reachable,reachable 
        distance=1 scope=255 target-scope=10 

 1 ADC  dst-address=1.1.159.248/29 pref-src=1.1.159.250 interface=ISP1 
        distance=0 scope=10 

 2 ADC  dst-address=192.167.0.0/24 pref-src=192.167.0.2 interface=ISP2 
        distance=0 scope=10 

 3 ADC  dst-address=192.167.2.0/24 pref-src=192.167.2.2 interface=ISP3 
        distance=0 scope=10 

 4 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 interface=lan 
        distance=0 scope=10 
[admin@mikrotikos] > 
Will be grateful !
Kind Regards
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Mon Jul 18, 2011 5:20 pm

You are using ECMP for load balancing. It works, but if I remember correctly it has very little to no fault tolerance for a link going down. While it will work for you, you might want to read up on PCC and use that instead of ECMP for load balancing, just as a suggestion. If you're happy with it, that's fine.

For opening the ports, let's assume that you do have a default drop-all rule in your firewall filter. Be sure to move this rule further up the chain, ahead of the drop-all rule. I'm also guessing that 192.168.2.2 is a separate MikroTik router?
/ip firewall filter
add action=accept chain=forward dst-address=1.1.159.250 dst-port=3389 protocol=tcp
add action=accept chain=forward dst-address=1.1.159.250 dst-port=8291 protocol=tcp
Next set up the NAT rule so that it will forward the connections. Note that by making the winbox forward rule, you will no longer be able to access winbox on the main router over that specific IP address. Since it's listening for a service on that port already on the main router, I'm not 100% certain if it will forward it properly or not as well.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.159.250 dst-port=3389 protocol=tcp to-address=192.168.2.250 to-port=3389
add action=dst-nat chain=dstnat dst-address=1.1.159.250 dst-port=8291 protocol=tcp to-address=192.168.2.2 to-port=8291
Next set up mangle rules so that the router can remember how to get back to you over the right route.
/ip firewall mangle
add action=mark-connection chain=forward in-interface=ISP1 connection-state=new new-connection-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
And last of all, have a routing table set up that uses the routing mark you just created.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.159.249 routing-mark=ISP1
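The rules above cover ISP1 only. As an added example (not Feklar's or rihatum's configuration), the following applies the same pattern to all three WANs with a unique connection mark and routing mark per interface, as Feklar's earlier reply recommends. It assumes the interface names ISP1, ISP2, ISP3 and lan and the gateways 1.1.159.249, 192.167.0.1 and 192.167.2.1 shown in the posted `/ip route print`; the mark names, the rule comments and the RDP_ALLOWED address list (203.0.113.0/24 is a constructed value) are this example's own choices. The Winbox (8291) forward is left out because, as Feklar notes, it collides with the main router's own Winbox service on that address.

```routeros
# Added example (not from the thread): TCP 3389 forwarded to 192.168.2.250 over
# ISP1, ISP2 and ISP3, with a unique connection mark and routing mark per WAN.
# Assumed from the posted "/ip route print": interfaces ISP1/ISP2/ISP3/lan and
# gateways 1.1.159.249 (ISP1), 192.167.0.1 (ISP2), 192.167.2.1 (ISP3).
# Mark names, comments and the RDP_ALLOWED list are this example's own.

# Sources allowed to reach RDP. Putting the list on the dst-nat rule means any
# other source is never forwarded to the server at all, whatever the filter does.
/ip firewall address-list
add list=RDP_ALLOWED address=203.0.113.0/24 comment="constructed: office range"

# 1. NAT: one dst-nat rule per WAN interface. Matching on in-interface rather
#    than dst-address works for ISP2/ISP3 too, where the DSL modems hand the
#    traffic to the router on private addresses.
/ip firewall nat
add chain=dstnat in-interface=ISP1 protocol=tcp dst-port=3389 src-address-list=RDP_ALLOWED action=dst-nat to-addresses=192.168.2.250 to-ports=3389 comment="RDP via ISP1"
add chain=dstnat in-interface=ISP2 protocol=tcp dst-port=3389 src-address-list=RDP_ALLOWED action=dst-nat to-addresses=192.168.2.250 to-ports=3389 comment="RDP via ISP2"
add chain=dstnat in-interface=ISP3 protocol=tcp dst-port=3389 src-address-list=RDP_ALLOWED action=dst-nat to-addresses=192.168.2.250 to-ports=3389 comment="RDP via ISP3"

# 2. Filter: explicit accepts for the forwarded service. These only matter if
#    a forward-chain drop rule exists, and then they must sit above it (drag
#    them in Winbox, or use place-before= on add). The forward chain sees the
#    packet after dst-nat, so the match is on the server's private address.
/ip firewall filter
add chain=forward protocol=tcp dst-address=192.168.2.250 dst-port=3389 connection-state=new in-interface=ISP1 action=accept comment="RDP via ISP1"
add chain=forward protocol=tcp dst-address=192.168.2.250 dst-port=3389 connection-state=new in-interface=ISP2 action=accept comment="RDP via ISP2"
add chain=forward protocol=tcp dst-address=192.168.2.250 dst-port=3389 connection-state=new in-interface=ISP3 action=accept comment="RDP via ISP3"

# 3. Mangle: remember which WAN a new inbound connection entered on, then give
#    every reply packet coming from the LAN the matching routing mark. Without
#    this the replies follow the ECMP default route and can leave via another
#    ISP, which is the "bytes received but no login window" symptom.
/ip firewall mangle
add chain=forward connection-state=new in-interface=ISP1 action=mark-connection new-connection-mark=ISP1_conn passthrough=no
add chain=forward connection-state=new in-interface=ISP2 action=mark-connection new-connection-mark=ISP2_conn passthrough=no
add chain=forward connection-state=new in-interface=ISP3 action=mark-connection new-connection-mark=ISP3_conn passthrough=no
add chain=prerouting in-interface=lan connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface=lan connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 passthrough=no
add chain=prerouting in-interface=lan connection-mark=ISP3_conn action=mark-routing new-routing-mark=to_ISP3 passthrough=no

# 4. Routes: one default route per routing mark, via that WAN's own gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.159.249 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.167.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.167.2.1 routing-mark=to_ISP3 check-gateway=ping

# 5. Checks after connecting from an allowed source: the tracked connection
#    should carry the mark of the WAN it arrived on, the NAT and mangle
#    counters should increase, and each marked table should hold its route.
/ip firewall connection print where dst-address~"192.168.2.250:3389"
/ip firewall nat print stats
/ip firewall mangle print stats
/ip route print where routing-mark=to_ISP1
```

Restricting the mark-routing rules to in-interface=lan keeps the policy route on the reply direction only, so inbound packets arriving on a WAN are still routed to the server through the main table; the address list on the dst-nat rules is what limits who can reach the forwarded service, since a router with no drop rule accepts everything else by default.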
 
rihatum
just joined
Topic Author
Posts: 9
Joined: Wed Jun 29, 2011 10:34 pm

Re: Mikrotik 3 WAN, 1 LAN - Open Ports

Tue Jul 19, 2011 11:26 am

Hi Feklar,

Thank you so much for your detailed reply; I will apply the rules today. For now, I have attached a diagram so that I can explain clearly what sort of topology we have.

The DSL routers / modems are forwarding all packets to the MikroTik, and no policies are on any of the routers / modems connected to the MikroTik (3 WANs).

Will post an update here once I have applied the rules as per your suggestion!
Also, there is no firewall drop rule in the MikroTik as far as I can see via Winbox (IP > Firewall > Filters).

Kind Regards