Struggling with Port Forwarding

csbelli · Thu May 29, 2014 4:54 am

I am having trouble with port forwarding after trying may different combinations of settings. I want to forward any traffic for port 3389 to a server on my network. I know the port is open on the server. From within my network I can RDP into the server. All computers in my network can access the internet but it looks like nothing is getting into my network from the Internet. I am testing the RDP from a remote computer on a different network. I am not sure where the problem is, any help would be greatly appreciated.

Here is my setup:
Dynamic IP from Comcast Business account that I have confirmed is not blocking any ports.
Netgear gateway from Comcast.
Mikrotok 951G-2HnD with firmware 3.10 and RouterOS 6.13.

Current WAN IP is 67.xx.xx.xx.
The Netgear gateway LAN IP is 10.1.10.1. DHCP is enabled and using range 10.1.10.10 - 10.1.10.199. The router is assigned 10.1.10.10. If I turn off the DHCP on the gateway I lose my internet connection.

On the Mikrotik I have a DHCP server setup with 192.168.1.0/24.
Port 1 is from the gateway labeled ether1-gateway.
Ports 3-5 are slaved to port 2. Port 2 and WLAN are bridged.

Below are all the prints:

ros code

[admin@MikroTikHomeRouter] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; LAN IP Subnet
     192.168.1.1/24     192.168.1.0     bridge-local                           
 1 D 10.1.10.10/24      10.1.10.0       ether1-gateway

ros code

[admin@MikroTikHomeRouter] /ip dhcp-server> print
Flags: X - disabled, I - invalid 
 #   NAME     INTERFACE         RELAY     ADDRESS-POOL        LEASE-TIME ADD-ARP
 0   dhcp1     ether1-gateway               dhcp                      3d

ros code

[admin@MikroTikHomeRouter] /ip dhcp-client> print
Flags: X - disabled, I - invalid 
 #   INTERFACE        USE-PEER-DNS ADD-DEFAULT-ROUTE   STATUS        ADDRESS           
 0   ether1-gateway   yes                yes                          bound         10.1.10.10/24

ros code

[admin@MikroTikHomeRouter] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept connection-state=established 
 1   chain=input action=accept connection-state=related 
 2   chain=input action=drop connection-state=invalid 
 3   chain=input action=accept in-interface=bridge-local 
 4   chain=input action=drop 
 5   chain=forward action=accept connection-state=established 
 6   chain=forward action=accept connection-state=related 
 7   chain=forward action=drop connection-state=invalid 
 8   chain=forward action=accept in-interface=bridge-local 
 9   chain=forward action=accept protocol=tcp dst-address=192.168.1.136 dst-port=3389 
10   chain=forward action=drop

ros code

[admin@MikroTikHomeRouter] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.136 to-ports=3389 
     protocol=tcp dst-address=67.xx.xx.xx dst-address-type="" dst-port=3389 

 1   ;;; RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.136 to-ports=3389 
     protocol=udp dst-address=67.xx.xx.xx dst-address-type="" dst-port=3389 

 2   chain=srcnat action=masquerade out-interface=ether1-gateway

ros code

[admin@MikroTikHomeRouter] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #        DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0              10.1.10.1                                   0
 1   S    0.0.0.0/0              10.1.10.1                                   1
 2 ADC  10.1.10.0/24         10.1.10.10       ether1-gateway      0
 3 ADC  192.168.1.0/24      192.168.1.1     bridge-local            0

ros code

[admin@MikroTikHomeRouter] /ip pool> print
 # NAME                                               RANGES                         
 0 dhcp                                               192.168.1.2-192.168.1.119

Thanks for your time and assistance.

Chris

Rudios · Thu May 29, 2014 12:16 pm

Is your gateway router also forwarding the port 3389?

csbelli · Thu May 29, 2014 1:54 pm

Yes, I have it forwarding to 10.1.10.10 which is assigned to the Mikrotik but it is still not working.

Thanks for your time.

Lagered · Thu May 29, 2014 4:55 pm

You can't use your public address in the dst-address field. Your router does not know that address since it's already NAT'd by your ISP gateway. I normally use the in-interface in my dstnat setups.

add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1-gateway action=dst-nat to-addresses=192.168.1.136 comment="RDP Forward"

Should be all you need.

error216216 · Thu May 29, 2014 5:07 pm

This is how I would do it:

First two firewall rules:

ip firewall filter add chain=input protocol=tcp dst-port=3389 action=accept
ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=accept

This allows all traffic on 3389 to be allowed to input and forward chain and then once it reaches the forward chain you can send it to 192.168.1.136 with nat rule:

ip firewall nat add action=dst-nat to-addresses=192.168.1.136 to-ports=3389 chain=dstnat protocol=tcp dst-port=3389 disabled=no

You can add more parameters to these rules for security if you want, and first try to connect from the 10.1.10.0 subnet to 10.1.10.10 on port 3386 and see if it works, after that try from the internet on you're public ip. If it works from 10.1.10.0 subnet and not from internet then the router is programmed correctly and the problem is the router with the public ip.

csbelli · Thu May 29, 2014 5:40 pm

Thanks Lagered and error216216 for the suggestions. I tried them and it is still not working.

I suspect the problem is with the gateway so I am going to work with the cable company to get the gateway in true bridge mode and see if that will solve the problem.

Chris