niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Inbound traffic for private network

Fri Mar 28, 2014 10:06 am

My setup is

private network system(192.168.2.4) <---(LAN)--->(192.168.2.1)Mikrotik (123.201.xxx.xxx)<---(WAN)---> Internet

123.201.xxx.xxx is a public IP but not a static IP; if I disconnect and reconnect the internet, the IP will have changed.

There is a NAT rule to allow outbound traffic:
srcnat LAN private IP's traffic to be masquerade 
chain=srcnat action=masquerade to-addresses=123.201.xxx.xxx src-address=192.168.2.0/24 out-interface=pppoe-out2 
Now I can access the internet from my private system. What I want now is an inbound rule for the private system. I am trying to do RDP from my home system to my office system with a dst-nat rule in the MikroTik router:
 port mapping from 100 to 4's 3389
chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp dst-address=123.201.xxx.xxx dst-port=100
Here I am trying to do port mapping. On my home system I use 123.201.xxx.xxx:100 in RDP to connect to my office system, but this rule is not working.
Last edited by niren on Fri Mar 28, 2014 1:10 pm, edited 1 time in total.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 10:26 am

ros code

add action=dst-nat chain=dstnat comment="Remote SSH Access" dst-port=\
    22 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.164 \
    to-ports=22
Here is an example DST NAT with a dynamic IP. See, instead of using the packet's IP, I read which port the packet comes in on.
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 10:46 am

> ros code
>
> add action=dst-nat chain=dstnat comment="Remote SSH Access" dst-port=\
>     22 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.164 \
>     to-ports=22
> Here is an example DST NAT with a dynamic IP. See, instead of using the packet's IP, I read which port the packet comes in on.

I have added this rule in NAT:
chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp in-interface=ether1-Input dst-port=100 
and am trying to access from my home system as 123.201.xxx.xxx:100 in RDP, but it is not working.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 10:58 am

Have you got an allow in your firewall on both your computer and the MikroTik? Try turning Windows firewall and any other firewalls off, and disable the rules in the MikroTik firewall.
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:04 am

> Have you got an allow in your firewall on both your computer and the MikroTik? Try turning Windows firewall and any other firewalls off, and disable the rules in the MikroTik firewall.

I tried disabling all firewall rules in the MikroTik router and have disabled the firewall on the home Windows system; still no luck.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:09 am

Are you behind an ISP-based NAT, or do you have a modem performing NAT duties?
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:31 am

As the given image shows I can say the NAT rule is working but partially. The highlighted line in the image is

Src. Dst.
192.168.2.4:3389(ms-wbt-server) 27.34.253.98:52246

Image

That line comes up when I try to initiate RDP from my home system. So from my home system (27.34.253.98) I can access the office system (192.168.2.4), but not completely. What would be the problem?
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:36 am

> Are you behind an ISP-based NAT, or do you have a modem performing NAT duties?

I have a MikroTik router performing the NAT rule. I configured it myself.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:46 am

Can you please post your NAT and firewall export?
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 11:46 am

Did you disable the firewall on the system that you are connecting to?
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: dst-nat rule for internet to talk to private network sys

Fri Mar 28, 2014 12:36 pm

I have disabled the Windows firewall. These are the rules I have in the MikroTik router:
>  ip address print
 #   ADDRESS            NETWORK         INTERFACE
 1   192.168.2.1/24     192.168.2.0      ether2                         
 2 D 106.51.150.148/32  106.51.128.1    pppoe-out2


> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 

 0   ;;; srcnat LAN private IP's traffic to be masquerade
     chain=srcnat action=masquerade to-addresses=106.51.187.89 src-address=192.168.2.0/24 out-interface=pppoe-out2 

 1   ;;; port mapping from 100 to 4's 3389
     chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp in-interface=pppoe-out2 dst-port=3389 

> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                              TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1-Input                      ether             1500  1598       4074
 1  R  ether2                            ether             1500  1598       4074
 2  R  pppoe-out2                        pppoe-out         1480

/interface pppoe-client> print
Flags: X - disabled, R - running 
 0  R name="pppoe-out2" max-mtu=1480 max-mru=1480 mrru=disabled interface=ether1-Input user="username" password="password" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2 
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: Inbound traffic for private network

Fri Mar 28, 2014 3:05 pm

Problem solved. The office system's Windows firewall was turned on; my bad, I didn't think of that. I turned off the Windows firewall on the office system and then I got port forwarding to work.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Inbound traffic for private network

Sat Mar 29, 2014 12:12 am

Yes, it is always the firewall on the machine that you are connecting to and not the computers doing the connecting. Turn the office firewall back on and add an accept rule for RDP traffic.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Inbound traffic for private network

Sat Mar 29, 2014 12:15 am

;;; srcnat LAN private IP's traffic to be masquerade
chain=srcnat action=masquerade to-addresses=106.51.187.89 src-address=192.168.2.0/24 out-interface=pppoe-out2

You should remove the to and src addresses, as they are not required and may be causing problems when your IP changes.
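
An added example, not code from any poster in this thread: a small Python check run over the NAT rule lines quoted above. It flags the two points CTrain raises (a masquerade rule carrying a fixed to-addresses, and a dst-nat rule matching a literal WAN IP on a dynamic link) and, as an extra assumption of this example, an RDP forward with no source restriction. The `audit` helper and the finding names are hypothetical.

```python
import shlex

# Rule lines as quoted in the thread (sample input, not a live export).
NAT_RULES = [
    "chain=srcnat action=masquerade to-addresses=106.51.187.89 "
    "src-address=192.168.2.0/24 out-interface=pppoe-out2",
    "chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 "
    "protocol=tcp dst-address=123.201.xxx.xxx dst-port=100",
    "chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 "
    "protocol=tcp in-interface=pppoe-out2 dst-port=3389",
]
# Dynamic address held by the WAN interface in the posted "ip address print".
WAN_ADDRS = {"pppoe-out2": "106.51.150.148"}


def parse_rule(line):
    """Split one 'key=value ...' rule line into a dict (quoted values kept whole)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def audit(rules, wan_addrs):
    """Return (rule_index, finding) pairs; finding names are this example's own."""
    findings = []
    for i, line in enumerate(rules):
        r = parse_rule(line)
        # Masquerade follows the interface address; a fixed to-addresses goes stale.
        if r.get("action") == "masquerade" and "to-addresses" in r:
            current = wan_addrs.get(r.get("out-interface"))
            stale = current is not None and r["to-addresses"] != current
            state = "stale" if stale else "pinned"
            findings.append((i, f"masquerade-to-addresses-{state}"))
        if r.get("chain") == "dstnat":
            # Matching the WAN IP literally stops working after a reconnect.
            if "dst-address" in r and "in-interface" not in r:
                findings.append((i, "dstnat-matches-literal-wan-ip"))
            # Assumption of this example: an RDP forward should limit its sources.
            restricted = "src-address" in r or "src-address-list" in r
            if r.get("to-ports") == "3389" and not restricted:
                findings.append((i, "rdp-forward-open-to-any-source"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit(NAT_RULES, WAN_ADDRS):
        print(f"rule {idx}: {finding}")
```

On the posted export, the first finding reflects that the masquerade rule names 106.51.187.89 while pppoe-out2 currently holds 106.51.150.148.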
