DeIM
newbie
Topic Author
Posts: 29
Joined: Sat Sep 05, 2009 10:26 pm

strange port forwarding

Sat May 10, 2014 1:40 pm

Hi,

I have an RB751U-2HnD v5.26, and on my small server there are two Java programs (SIP based).
1) When I connect from inside of local network it runs flawlessly (new lines in log file).
2) When I wanna connect from internet (or outside of local network) it seems one program is unreachable, but second runs flawlessly.

interface list is attached.

When I torch 2) it writes:
SRC | DEST
<serverLocalIP>:<program 1 port> | <PCIP>:<PC port>
<serverLocalIP>:<program 1 port> | <Router WAN IP>:<program 1 port>

Then the program on the PC writes that program 1 on the server seems to be down (no communication).
(in program 1 log is nothing new)

<serverLocalIP>:<program 2 port> | <PCIP>:<PC port>

Program 2 runs well.
(new lines in log)

My firewall nat options:
6 chain=dstnat action=dst-nat to-addresses=<serverLocalIP> protocol=tcp
in-interface=ether1-gateway dst-port=<program 2 port>,<program 1 port>,<other ports>

7 chain=dstnat action=dst-nat to-addresses=<serverLocalIP> protocol=udp
in-interface=ether1-gateway dst-port=<program 2 port>,<program 1 port>,<other ports>

From Internet I'm able to probe ports by Angry IP Scanner - shows <program 1 port> and <program 2 port> open.

When I connect PC to local network I'm unable (or I don't know how) to torch this communication on any interface :(

Thanks for help.
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: strange port forwarding

Sat May 10, 2014 3:35 pm

How are your firewall rules built?
 
DeIM
newbie
Topic Author
Posts: 29
Joined: Sat Sep 05, 2009 10:26 pm

Re: strange port forwarding

Sun May 11, 2014 2:55 pm

Rudios ... good point it could be the problem.
/ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

 4   ;;; default configuration
     chain=forward action=accept connection-state=established 

 5   ;;; default configuration
     chain=forward action=accept connection-state=related 

 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid 
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: strange port forwarding

Sun May 11, 2014 3:04 pm

If these are your only rules I am very surprised that the connection is even starting.
I do not know the applications you are using but keep in mind that UDP is a connectionless protocol so a firewall rule with connection-state=established will not work there!

On the other hand, you do not have a generic drop rule at the end which drops all remaining traffic, so it makes sense.
The rules you now actually have only block invalid traffic.
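
Added example, not part of any poster's message: a small Python model of first-match evaluation over the forward rules posted above, showing that a new packet arriving on the WAN matches none of them and falls through. It assumes that a packet matching no rule in a RouterOS filter chain is accepted; the server address, port numbers and the two extra rules in `TIGHTENED` are constructed for illustration.

```python
# Added example: first-match model of the forward chain posted in this thread.
# Assumption modelled: a packet matching no rule in a RouterOS filter chain is accepted.
WAN = "ether1-gateway"      # interface name from the thread
SERVER = "192.168.88.10"    # constructed stand-in for <serverLocalIP>
FWD_PORTS = (5060, 5061)    # constructed stand-ins for the forwarded program ports

POSTED = [  # forward rules 4-6 as posted
    {"action": "accept", "connection-state": "established"},
    {"action": "accept", "connection-state": "related"},
    {"action": "drop", "connection-state": "invalid"},
]
# One possible tightening (hypothetical, not from the thread): allow only the
# forwarded ports in from the WAN, then drop everything else arriving on the WAN.
TIGHTENED = POSTED + [
    {"action": "accept", "in-interface": WAN, "dst-address": SERVER, "dst-port": FWD_PORTS},
    {"action": "drop", "in-interface": WAN},
]

def matches(rule, pkt):
    """True when every matcher on the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        got = pkt.get(key)
        if (got not in want) if isinstance(want, tuple) else (got != want):
            return False
    return True

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); index None means fall-through."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "accept", None

def packet(state, iface, port):
    # dst-nat runs before the forward chain, so forward sees the server's LAN address.
    return {"connection-state": state, "in-interface": iface,
            "dst-address": SERVER, "dst-port": port}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("tightened", TIGHTENED)):
        for port in (5060, 3389):  # 3389: constructed port never meant to be forwarded
            print(name, port, evaluate(rules, packet("new", WAN, port)))
```

In the tightened list the final drop is scoped to `in-interface=ether1-gateway`, mirroring the posted input rule 3, so new connections originating from the LAN still fall through and are accepted.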
 
DeIM
newbie
Topic Author
Posts: 29
Joined: Sat Sep 05, 2009 10:26 pm

Re: strange port forwarding

Sun May 11, 2014 4:10 pm

It's strange - I see now. But I can't figure out how to set firewall rules properly. I've made a final forward firewall rule:
 8   chain=forward action=log log-prefix="drop::"
And log prints drop on both program 1 and 2 - but program 2 has higher size of packet (>1k).
Log also prints priority changes.

My Mangle rules for packet sizes are these:
3   ;;; low_size_in
     chain=postrouting action=set-priority new-priority=3 passthrough=yes 
     packet-size=0-512 

 4   ;;; low_size_out
     chain=prerouting action=set-priority new-priority=3 passthrough=yes 
     packet-size=0-512 

 5   ;;; hi_size_in
     chain=postrouting action=set-priority new-priority=7 passthrough=yes 
     packet-size=513-65535 

 6   ;;; hi_size_out
     chain=prerouting action=set-priority new-priority=7 passthrough=yes 
     packet-size=513-65535 
I figured out now it shouldn't work anyway. Could you please guide me or give some good resources?
 
DeIM
newbie
Topic Author
Posts: 29
Joined: Sat Sep 05, 2009 10:26 pm

Re: strange port forwarding

Thu May 15, 2014 9:08 pm

I've tried adding <program 1 port> to SIP service ports and program 1 seems to work :D . I must do some more tests.
I've also recreated firewall rules.