rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Issue with ports filter / NAT rules that no longer work.

Fri May 02, 2014 8:53 pm

Hi everyone. I'm having an issue with a port forwarding and NAT rule I have used for some time. I stopped using one of my application servers for a few months, and when I went back to it, the rules (which were never removed) no longer are working. I asked a few years ago for some help adding the rules to get this to work. Here is the post for that topic: http://forum.mikrotik.com/viewtopic.php?f=13&t=52723

I have tried everything from changing the order of the rules to higher in the list and lower.. to drastic measures of defaulting the router last night, and only entering the rules for this specific application. I am pretty routine about saving configs, so I even tried one from 6 months ago, and 12 months ago. I rolled back firmware to v6.1.
As a last resort effort, I removed my RB2011 last night and temporarily replaced it with my old WRT54G (with DD-WRT).. Added the rules I need for the application, and it took off just fine!
All this to say, I'm confident it isn't my ISP / connection nor the application nor the server itself.

This is a Ham Radio RoIP (Radio over IP) system called IRLP. IRLP uses UDP 2073-2093 for RoIP, and TCP 15425 for control. I also use SSH for remote management for this system, though for simplicity's sake, I just need the audio and control to work!! :)
Here are the rules I'm using:
/ip firewall filter
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=2074-2093 action=accept
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=15425 action=accept

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=2074-2093 in-interface=pppoe-out1 action=dst-nat to-addresses=192.168.1.55
add chain=dstnat protocol=tcp dst-port=15425 in-interface=pppoe-out1 action=dst-nat to-addresses=192.168.1.55
I am needing some outside input, specifically from users familiar with Mikrotik!! I've bounced this off of my company network team (which I regret to say I'm part of), and we're all under the impression that it should work!!

My next thought is to roll back further, to an RB433AH from the RB2011, though it worked on the 2011 before, too.
Aside from moving platforms from Mikrotik to another vendor to provide headend routing / firewall solutions, I appear to be lost!!

Thoughts, comments, suggestions, ideas... anything to help me get this to work.
Thanks for your help
Rod
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Issue with ports filter / NAT rules that no longer work.

Fri May 02, 2014 10:00 pm

Is the target server definitely still using the RouterBoard as its default gateway?
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: Issue with ports filter / NAT rules that no longer work.

Sat May 03, 2014 1:25 am

It is. I also tried using DHCP, then adjusting the rules to reflect the new address...

Still no luck.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Issue with ports filter / NAT rules that no longer work.

Sat May 03, 2014 3:59 am

OK - try using Torch on the LAN side. Are you even seeing the DST NATed traffic egress the LAN interface?
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: Issue with ports filter / NAT rules that no longer work.

Tue May 06, 2014 5:08 pm

So when I use Torch on the LAN side, I am seeing the traffic head out. Though I see it destined for my gateway, rather than the server it is headed to. Is that correct?
I am using CenturyLink DSL, so I have a PPPoE connection outbound. I can also Torch the PPPoE interface, and see traffic sourced from the external server destined for my WAN IP. So it leads me to believe it is working like I think it should.

One question... Do I need both the Filter and the NAT statements? Or should the Filter be the only rules I need? I'm a little confused as to why I might need both, even though having them both in... they worked several months ago.

Thanks!!
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: Issue with ports filter / NAT rules that no longer work.

Tue May 06, 2014 6:20 pm

Do I need both the Filter and the NAT statements? or should the Filter be the only rules I need?
Assuming you have a rule "further down" in the Forward filter chain which would drop such traffic, then you do need the accept rules.

I think CelticComms was onto something when he suggested torch, but I might modify that suggestion with a packet capture on the LAN side where you then examine the traffic with Wireshark. Next, capture on the PPPoE interface and look at that traffic. You're looking to see if you can find the inbound TCP syn on the PPPoE which then should get a destination-address change and be emitted on the LAN. Next, look for the TCP syn-ack from the server on the LAN and then on the PPPoE you should see the syn-ack emit with the source IP translated as expected. You clearly have some source-NATs so maybe you're catching traffic you shouldn't with those rule(s).
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Issue with ports filter / NAT rules that no longer work.

Tue May 06, 2014 11:22 pm

You need both rules because the NAT rule simply does the address/port translation. The filter rule on the forward chain is what permits the traffic. The forward chain comes after DST NAT so the forward rule should reflect the DST NATed address as destination.
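The dependency CelticComms describes (every dst-nat rule needs a forward accept rule that matches the translated destination, same protocol, and a covering port range) can be checked mechanically against an /export. The script below is an added example, not code from the thread or from MikroTik; it parses RouterOS export syntax (backslash line continuations, an omitted action= meaning accept) and reports dst-nat rules with no covering forward accept. The sample export is constructed to show one matched and one unmatched rule.

```python
import re

# Constructed sample in RouterOS export syntax: TCP 15425 is covered by a
# forward accept, the UDP 2074-2093 dst-nat has no matching forward rule.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=15425 action=accept
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=15425 in-interface=pppoe-out1 action=dst-nat \\
    to-addresses=192.168.1.55
add chain=dstnat protocol=udp dst-port=2074-2093 in-interface=pppoe-out1 action=dst-nat \\
    to-addresses=192.168.1.55
"""

def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line, joining '\\' continuations."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continued on the next line
            buf += line[:-1]
            continue
        line = (buf + line.lstrip()).strip()
        buf = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rules.append((section, dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:]))))
    return rules

def port_range(spec):
    """'15425' -> (15425, 15425); '2074-2093' -> (2074, 2093)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def unmatched_dstnat(text):
    """dst-nat rules for which no forward accept rule covers the translated destination."""
    rules = parse_export(text)
    accepts = [kv for sec, kv in rules if sec == "/ip firewall filter"
               and kv.get("chain") == "forward" and kv.get("action", "accept") == "accept"]
    missing = []
    for sec, kv in rules:
        if sec != "/ip firewall nat" or kv.get("action") != "dst-nat":
            continue
        ports = kv.get("to-ports") or kv.get("dst-port")   # forward sees the translated port
        lo, hi = port_range(ports) if ports else (1, 65535)
        covered = any(
            a.get("protocol") == kv.get("protocol")
            and a.get("dst-address", kv["to-addresses"]) == kv["to-addresses"]
            and ("dst-port" not in a or (port_range(a["dst-port"])[0] <= lo
                                          and hi <= port_range(a["dst-port"])[1]))
            for a in accepts)
        if not covered:
            missing.append((kv.get("protocol"), kv.get("dst-port"), kv["to-addresses"]))
    return missing

if __name__ == "__main__":
    for proto, port, target in unmatched_dstnat(SAMPLE_EXPORT):
        print(f"dst-nat {proto}/{port} -> {target} has no covering forward accept rule")
```

Paste the output of `/ip firewall export compact` in place of the sample to run it against a live configuration.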
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: Issue with ports filter / NAT rules that no longer work.

Wed May 07, 2014 5:11 pm

Here is the Firewall in its entirety, unmolested...
For the sake of saying it, I have verified the address I'm attempting to get to and receive traffic from, is not in my blacklist.

EDIT: I removed these lines to compact the thread...
Last edited by rekholm on Thu May 08, 2014 6:54 am, edited 1 time in total.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Issue with ports filter / NAT rules that no longer work.

Wed May 07, 2014 6:24 pm

Compact output from firewall would be easier to read! And select Router OS syntax when pasting - easier on the eyes/head!
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: Issue with ports filter / NAT rules that no longer work.

Thu May 08, 2014 6:53 am

Sorry.. Must have missed being able to do that!! This may be better...

ros code

/ip firewall filter
add action=drop chain=input comment=\
    "Drop any IP Address on the BLACKLIST_INBOUND" disabled=yes \
    src-address-list=BLACKLIST_INBOUND
add chain=forward disabled=yes protocol=tcp src-address=67.185.57.105
add chain=forward disabled=yes protocol=udp src-address=67.185.57.105
add chain=input connection-state=established
add action=drop chain=forward comment="Cameron 1" disabled=yes \
    src-mac-address=8C:84:01:4D:35:3B time=\
    21h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add chain=input disabled=yes dst-port=80 protocol=tcp src-address=\
    192.168.1.0/24
add chain=input protocol=icmp
add chain=input connection-state=related
add action=add-dst-to-address-list address-list=Rod_Sites chain=forward \
    comment="Rod - Sites Visited" disabled=yes src-mac-address=\
    5C:F8:A1:31:FC:E8 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=Mateo_Sites chain=forward \
    comment="Mateo - Sites Visited" disabled=yes src-mac-address=\
    C4:62:EA:8A:A3:83 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Mateo 1" connection-limit=100,32 \
    disabled=yes limit=1,5 src-mac-address=C4:62:EA:8A:A3:83 time=\
    21h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Mateo 2" disabled=yes src-mac-address=\
    C4:62:EA:8A:A3:83 time=0s-8h30m,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=Cameron_Sites chain=forward \
    comment="Cameron - Sites Visited" disabled=yes src-mac-address=\
    8C:84:01:4D:35:3B time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Cameron 2" disabled=yes \
    src-mac-address=8C:84:01:4D:35:3B time=\
    0s-8h30m,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=Denzel_Sites chain=forward \
    comment="Denzel - Sites Visited" disabled=yes src-mac-address=\
    00:26:E8:F9:62:B0 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Denzel 1" disabled=yes \
    src-mac-address=00:26:E8:F9:62:B0 time=\
    21h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Denzel 2" src-mac-address=\
    00:26:E8:F9:62:B0 time=0s-8h30m,sun,mon,tue,wed,thu,fri,sat
add chain=input protocol=tcp src-address=208.67.255.162 src-port=15425-15428
add chain=input protocol=udp src-address=208.67.255.162 src-port=2074-2093
<REMOVED FOR SECURITY...>
add chain=forward dst-address=192.168.1.55 dst-port=5198-5199 protocol=udp
add chain=forward dst-address=192.168.1.55 dst-port=5200 protocol=tcp
add chain=input comment="Web Remote Access" dst-port=80 protocol=tcp
add chain=input comment="VPN PPtP Protocol" dst-port=1723 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat
add action=redirect chain=dstnat comment="Tablet - Mateo - Redirect" \
    disabled=yes dst-address=0.0.0.0 protocol=tcp src-mac-address=\
    C4:62:EA:8A:A3:83 to-ports=8000
add action=redirect chain=dstnat comment="Tablet - Mateo" disabled=yes \
    dst-port=80 protocol=tcp src-mac-address=C4:62:EA:8A:A3:83 to-ports=8000
add action=redirect chain=dstnat comment="Phone - Denzel" disabled=yes \
    dst-port=80 protocol=tcp src-mac-address=00:26:E8:F9:62:B0 to-ports=8000
add action=redirect chain=dstnat comment="Tablet - Cameron" disabled=yes \
    dst-port=80 protocol=tcp src-mac-address=8C:84:01:4D:35:3B to-ports=8000
add action=dst-nat chain=dstnat dst-port=15425-15428 protocol=tcp \
    to-addresses=192.168.1.55
add action=dst-nat chain=dstnat dst-port=2074-2093 protocol=udp to-addresses=\
    192.168.1.55
<REMOVED FOR SECURITY...>
The lines listed as <REMOVED FOR SECURITY...> are security devices. Cameras and surveillance stuff...