bhamhotspots
newbie
Topic Author
Posts: 45
Joined: Thu Jul 24, 2008 6:16 pm
Location: United States
Contact:

port forward / nat

Tue Sep 20, 2011 3:02 am

I am using a RB433UAH with software 5.6 installed on the RB.

I am trying to reach a website on a private IP of 10.1.0.2 through my public IP address. I have it configured as so:

GENERAL TAB:
Chain: dstnat
Protocol: 6 (TCP)
SRC. Port: 8100

ACTION TAB:
Action: dst-nat
To Address: 10.1.0.2
Port: 80

I am trying to navigate to http://x.x.x.x:8100 and reach the internal web server on 10.1.0.2.

(x.x.x.x is the public IP address)

Can you help me understand why this is not working?

Thanks for your help.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: port forward / nat

Tue Sep 20, 2011 4:55 am

Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
zervan
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: port forward / nat

Tue Sep 20, 2011 10:19 am

Are you trying that from your local network? Then here is an explanation: http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
bhamhotspots
newbie
Topic Author
Posts: 45
Joined: Thu Jul 24, 2008 6:16 pm
Location: United States
Contact:

Re: port forward / nat

Tue Sep 20, 2011 4:30 pm

Are you trying that from your local network? Then here is an explanation: http://wiki.mikrotik.com/wiki/Hairpin_NAT
No, I am attempting to connect from outside the network, using a public IP address.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: port forward / nat

Tue Sep 20, 2011 4:42 pm

Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
zervan
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: port forward / nat

Tue Sep 20, 2011 4:53 pm

No, I am attempting to connect from outside the network, using a public IP address.
You still haven't sent anything fewi has asked you for.

You are using dst-nat - it means the server is "seeing" the real IP address of the client and must respond to it. Make sure the server has an IP route to the client and that you don't have a firewall blocking foreign clients.

Otherwise you may use src-nat - the server will "see" only the local router asking for its services. I don't recommend that, but sometimes it is necessary - for example I have some WiFi routers in AP mode that don't support a "default gateway" nor a "static route", and they are located in another network, so the only way to access them is to use src-nat.
 
bhamhotspots
newbie
Topic Author
Posts: 45
Joined: Thu Jul 24, 2008 6:16 pm
Location: United States
Contact:

Re: port forward / nat

Wed Sep 21, 2011 6:57 pm

Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
Here is the response you have asked for:
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; hotspot network
     address=10.1.0.1/22 network=10.1.0.0 interface=HotSpots 
     actual-interface=HotSpots 

 1   address=x.x.x.x/30 network=x.x.x.x interface=ether6 
     actual-interface=ether6 
[gk2inc@14th] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=x.x.x.x 
        gateway-status=x.x.x.x reachable ether6 distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=10.1.0.0/22 pref-src=10.1.0.1 gateway=HotSpots 
        gateway-status=HotSpots reachable distance=0 scope=10 

 2 ADC  dst-address=x.x.x.x/30 pref-src=x.x.x.x gateway=ether6 
        gateway-status=ether6 reachable distance=0 scope=10 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether2" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522 

 1     name="ether5" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522 

 2  R  name="HotSpots" type="bridge" mtu=1500 l2mtu=1522 

 3  R  name="ether6" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526 
# jan/03/1970 09:37:47 by RouterOS 5.7
# software id = N5SQ-DB04
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=drop chain=input disabled=no src-address=75.75.254.0/24
add action=drop chain=input disabled=no src-address=211.253.242.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.1.0.0/22
add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: port forward / nat

Wed Sep 21, 2011 7:18 pm

add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
That's wrong. The source port isn't 8100, it's some ephemeral port. The destination port is 8100. Change it to:
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
 
bhamhotspots
newbie
Topic Author
Posts: 45
Joined: Thu Jul 24, 2008 6:16 pm
Location: United States
Contact:

Re: port forward / nat

Wed Sep 21, 2011 8:01 pm

Worked like a charm. Thank you fewi and the others that have replied.
 
DrHerTz
just joined
Posts: 14
Joined: Wed Sep 21, 2011 5:49 am

Re: port forward / nat

Wed Sep 28, 2011 9:30 pm

add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
That's wrong. The source port isn't 8100, it's some ephemeral port. The destination port is 8100. Change it to:
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
fewi ...
From your NAT configuration, is it possible to redirect the Radmin (Remote Administrator) port? The default port for Radmin is 4899; I've already changed it to 6886.

Here is my config at NAT:
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=4899,6886 \
    to-addresses=192.168.0.253 to-ports=6886
But when I try from outside the office, I still can't remote in using Radmin :(

Or maybe I need another config in Filter Rules, Mangle, or Route?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: port forward / nat

Wed Sep 28, 2011 10:15 pm

On what port is Radmin on 192.168.0.253 listening?
 
DrHerTz
just joined
Posts: 14
Joined: Wed Sep 21, 2011 5:49 am

Re: port forward / nat

Fri Sep 30, 2011 5:52 am

On what port is Radmin on 192.168.0.253 listening?
On 6886.

The default port that comes with the software is 4899, but I already changed the Radmin default port (4899) to 6886.
Let me say IP 192.168.0.253 is the billing CPU system. So, after I'm done remoting to that IP, I can easily remote to another client using IP 192.168.0.253.

(Remote to IP 192.168.0.253, and from there use Radmin again to control the client. So I suppose I can remote to IP 192.168.0.253:6886.)

Thanks for reply fewi :)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

port forward / nat

Fri Sep 30, 2011 6:07 am

I'm confused now.

So here is an example. I hope it helps.

There's a router with IP address 1.1.1.1. When you connect to it on port tcp/10000 it forwards the connection to port 20000 on a host with IP 2.2.2.2.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=10000 action=dst-nat to-addresses=2.2.2.2 to-port=20000
 
DrHerTz
just joined
Posts: 14
Joined: Wed Sep 21, 2011 5:49 am

Re: port forward / nat

Sat Oct 01, 2011 7:25 pm

I'm confused now.

So here is an example. I hope it helps.

There's a router with IP address 1.1.1.1. When you connect to it on port tcp/10000 it forwards the connection to port 20000 on a host with IP 2.2.2.2.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=10000 action=dst-nat to-addresses=2.2.2.2 to-port=20000

OK Mr/Mrs fewi,

I'll let you know after I try to remote to this computer :)

Here is my config like you said:
/ip firewall nat
add chain=dstnat dst-address=0.0.0.0/0 protocol=tcp dst-port=4899,1122 action=dst-nat to-addresses=192.168.0.253 to-port=6886
NB: I put 0.0.0.0/0 (random) because sometimes I'm not remoting to one public IP (it's still busy), so I remote to another public IP :)

Thanks fewi
 
DrHerTz
just joined
Posts: 14
Joined: Wed Sep 21, 2011 5:49 am

Re: port forward / nat

Sat Oct 08, 2011 10:15 am

Mr/Ms fewi,

the rule you gave me for NAT is working,

but the problem is that it only works fine if I disable all "Firewall Filter" :(

What's wrong with my "Firewall Filter"?

Or should I add a new filter?

Here is my code:
# oct/08/2011 14:10:01 by RouterOS 5.6
# software id = 4ZK3-D2MU
#
/ip firewall filter
add action=accept chain=chk-conn disabled=no src-address-type=local
add action=drop chain=chk-conn connection-state=invalid disabled=no
add action=drop chain=chk-conn disabled=no src-address-type=\
    broadcast,multicast
add action=drop chain=chk-conn disabled=no dst-address-type=\
    broadcast,multicast
add action=jump chain=chk-conn disabled=no jump-target=virus
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus disabled=no protocol=tcp src-port=445
add action=drop chain=virus disabled=no protocol=tcp src-port=135-139
add action=drop chain=virus disabled=no protocol=udp src-port=135-139
add action=jump chain=input comment="Check Conn" disabled=no jump-target=\
    chk-conn
add action=accept chain=input comment="Accept WinBox" disabled=no dst-port=\
    8291,8866 protocol=tcp
add action=accept chain=input comment="Accept icmp" disabled=no protocol=icmp
add action=accept chain=input comment="Accept client" disabled=no \
    in-interface=ether1-lan src-address=192.168.168.0/24 src-address-list=\
    client
add action=accept chain=input comment="Acceot est rel Speedy" \
    connection-state=established disabled=no in-interface=ether2-speedy
add action=accept chain=input connection-state=related disabled=no \
    in-interface=ether2-speedy
add action=accept chain=input comment="Acceot est rel Speedy" \
    connection-state=established disabled=no in-interface=pppoe-Speedy
add action=accept chain=input connection-state=related disabled=no \
    in-interface=pppoe-Speedy
add action=accept chain=input comment="Accept Local Conns" disabled=no \
    dst-address-type=local in-interface=ether2-speedy
add action=accept chain=input comment="Accept Local Conns" disabled=no \
    dst-address-type=local in-interface=pppoe-Speedy
add action=log chain=input comment="Default Drop" disabled=no log-prefix=\
    "[--IN--]"
add action=drop chain=input disabled=no
add action=jump chain=forward comment="Check Conn" disabled=no jump-target=\
    chk-conn
add action=drop chain=forward comment="Drop p2p" disabled=no p2p=all-p2p
add action=accept chain=forward comment="Forward client" disabled=no \
    in-interface=ether1-lan src-address=192.168.168.0/24 src-address-list=\
    client
add action=accept chain=forward comment="Forward est rel Speedy" \
    connection-state=established disabled=no in-interface=ether2-speedy
add action=accept chain=forward connection-state=related disabled=no \
    in-interface=ether2-speedy
add action=accept chain=forward comment="Forward est rel Speedy" \
    connection-state=established disabled=no in-interface=pppoe-Speedy
add action=accept chain=forward connection-state=related disabled=no \
    in-interface=pppoe-Speedy
add action=log chain=forward comment="Default Drop" disabled=no log-prefix=\
    "[--FW--]"
add action=drop chain=forward disabled=no
add action=log chain=chk-conn comment="Logging system" disabled=yes \
    log-prefix="[--IN--]"
add action=log chain=forward disabled=yes log-prefix="[--IN--]"
add action=log chain=output disabled=yes log-prefix="[--IN--]"
PLEASE help me, fewi
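To make the two failure modes in this thread concrete (fewi's src-port versus dst-port correction, and the forward chain above only accepting established/related traffic from the WAN side), here is an added Python model of how RouterOS walks its dstnat and forward chains. It is not MikroTik code: it ignores connection tracking, address lists and subnet matching, blends the two posters' numbers, and uses constructed addresses (198.51.100.1 stands in for x.x.x.x, 203.0.113.5 is the remote client).

```python
# Added example, not MikroTik code. Packets and rules share field names;
# a tuple matcher means "any of these" (like dst-port=4899,1122).
MATCH_KEYS = ("protocol", "src-address", "dst-address", "src-port",
              "dst-port", "in-interface", "connection-state")

def rule_matches(rule, pkt):
    """Every matcher the rule carries must agree with the packet."""
    return all(pkt[k] == v or (isinstance(v, tuple) and pkt[k] in v)
               for k, v in rule.items() if k in MATCH_KEYS)

def run_chain(chains, name, pkt):
    """Walk one chain top to bottom; return the terminating action, or None."""
    for rule in chains.get(name, []):
        if not rule_matches(rule, pkt):
            continue
        action = rule["action"]
        if action == "dst-nat":              # rewrite the destination in place
            pkt["dst-address"], pkt["dst-port"] = rule["to"]
            return action
        if action == "jump":                 # a sub-chain may return no verdict
            result = run_chain(chains, rule["jump"], pkt)
            if result in ("accept", "drop"):
                return result
        elif action != "log":                # log never terminates the walk
            return action
    return None

def forward_inbound(nat_chains, filter_chains, pkt):
    """dstnat runs at prerouting; the forward filter then sees the translated packet."""
    pkt = dict(pkt)
    if run_chain(nat_chains, "dstnat", pkt) != "dst-nat":
        return None, "input chain"           # stays addressed to the router itself
    return (pkt["dst-address"], pkt["dst-port"]), run_chain(filter_chains, "forward", pkt)

# Constructed inbound SYN: ephemeral client port, router's public address
# (198.51.100.1 stands in for x.x.x.x), destination port 8100 on the WAN interface.
SYN = {"protocol": "tcp", "src-address": "203.0.113.5", "src-port": 51234,
       "dst-address": "198.51.100.1", "dst-port": 8100,
       "in-interface": "pppoe-Speedy", "connection-state": "new"}
WRONG_NAT = {"dstnat": [{"protocol": "tcp", "src-port": 8100, "action": "dst-nat", "to": ("10.1.0.2", 80)}]}
RIGHT_NAT = {"dstnat": [{"protocol": "tcp", "dst-port": 8100, "action": "dst-nat", "to": ("10.1.0.2", 80)}]}
# Condensed from the posted forward chain: only established/related WAN traffic
# is accepted, so a new forwarded connection falls through to the final drop.
STRICT_FILTER = {"chk-conn": [{"connection-state": "invalid", "action": "drop"}],
    "forward": [{"action": "jump", "jump": "chk-conn"},
                {"in-interface": "pppoe-Speedy", "connection-state": "established", "action": "accept"},
                {"in-interface": "pppoe-Speedy", "connection-state": "related", "action": "accept"},
                {"action": "log"}, {"action": "drop"}]}
# Same filter plus one narrow accept for the forwarded service, placed above the drop.
FIXED_FILTER = {"chk-conn": STRICT_FILTER["chk-conn"], "forward":
    STRICT_FILTER["forward"][:3] + [{"protocol": "tcp", "dst-address": "10.1.0.2",
    "dst-port": 80, "in-interface": "pppoe-Speedy", "action": "accept"}] + STRICT_FILTER["forward"][3:]}
```

The src-port rule never translates the SYN (its source port is ephemeral), and even a correct dst-port rule is dropped by the strict forward chain until one accept for the specific translated destination and port is added ahead of the default drop, which is the narrow change to make rather than disabling the filter.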