Port Forwarding Woes :(

ChipP · Thu Jun 22, 2017 6:06 am

For some reason, I can't get port forwarding to work to save my life

No one can connect externally, and until I get that working I don't want to add the hairpin rules just yet.

[admin@XXXXX] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether1-WAN-1 log=no 
      log-prefix="" 

 1    ;;; Windows Server RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3389 log=no log-prefix="" 

 2    ;;; Windows Server RDP UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3389 log=no log-prefix="" 

 3    ;;; Windows Server GameSvrs 1 TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=6001-9999 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=6001-9999 log=no log-prefix="" 

 4    ;;; Windows Server GameSvrs 1 UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=6001-9999 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=6001-9999 log=no log-prefix="" 

 5    ;;; Windows Server GameSvrs 2 TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 
      to-ports=25000-50000 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=25000-50000 log=no log-prefix="" 

 6    ;;; Windows Server GameSvrs 2 UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 
      to-ports=25000-50000 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=25000-50000 log=no log-prefix="" 

 7    ;;; Linux Server Lower Web TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=80-3300 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=80-3300 log=no log-prefix="" 

 8    ;;; Linux Server Lower Web UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=80-3300 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=80-3300 log=no log-prefix="" 

 9    ;;; Linux Server Upper Web Web TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=3400-6000 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3400-6000 log=no log-prefix="" 

10    ;;; Linux Server Upper Web Web UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=3400-6000 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3400-6000 log=no log-prefix="" 

11    ;;; Linux Server WebMin TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 
      to-ports=10000-20000 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=10000-20000 log=no log-prefix="" 

12    ;;; Linux Server WebMin UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 
      to-ports=10000-20000 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=10000-20000 log=no log-prefix="" 

13    ;;; Joe Dirt RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 to-ports=3390 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3390 log=no log-prefix="" 

14    ;;; Joe Dirt Games TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 
      to-ports=24100-24299 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=24100-24299 log=no log-prefix="" 

15    ;;; Joe Dirt RDP UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 to-ports=3390 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3390 log=no log-prefix="" 

16    ;;; Joe Dirt Games UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 
      to-ports=24100-24299 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=24100-24299 log=no log-prefix=""

[admin@XXXXX] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 2    ;;; Allow Existing Connections
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 3    ;;; Allow Outbound
      chain=forward action=accept src-address=192.168.0.0/16 log=no 
      log-prefix="" 

 4    ;;; Allow WindowsServer
      chain=forward action=accept protocol=udp 
      dst-port=3389,6001-9999,25000-50000 log=no log-prefix="" 

 5    ;;; Allow WindowsServer
      chain=forward action=accept protocol=tcp 
      dst-port=3389,6001-9999,25000-50000 log=no log-prefix="" 

 6    ;;; Allow JoeDirt Server
      chain=forward action=accept protocol=tcp dst-port=3390,24100-24299 log=no 
      log-prefix="" 

 7    ;;; Allow JoeDirt Server
      chain=forward action=accept protocol=udp dst-port=3390,24100-24299 log=no 
      log-prefix="" 

 8    ;;; Allow LinuxServer
      chain=forward action=accept protocol=tcp 
      dst-port=2-3300,3400-6000,10000-20000 log=no log-prefix="" 

 9    ;;; Allow LinuxServer
      chain=forward action=accept protocol=udp 
      dst-port=2-3300,3400-6000,10000-20000 log=no log-prefix=""

Anyone mind lending a hand?

emikrotik · Thu Jun 22, 2017 6:40 am

1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH

ChipP · Thu Jun 22, 2017 6:54 am

1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH

I've already tried reordering (moved the masqurade rule to the bottom) earlier, that didn't help, no one can open a port to anything but the router.

I'll try fowarding the router's port 22 and see if that works.

Hang on, I'm not even forwarding port 22, that rule shouldn't impact anything.

aacable · Thu Jun 22, 2017 9:34 am

Sometimes, few common ports are silently blocked by the upstream providers,
Try PAT, Example forward port 55510 to your local server ip - port 3389

ajack46 · Thu Jun 22, 2017 4:00 pm

Sometimes, few common ports are silently blocked by the upstream providers,
Try PAT, Example forward port 55510 to your local server ip - port 3389

But why is that so that the common ports are blocked?

Thu Jun 22, 2017 5:11 pm

Do you have public IP on WAN interface ?

To check if common blocks are blocked try to change the first rule to:

 1    ;;; Windows Server RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1
      dst-port=53389 log=no log-prefix=""

so you need to make RDP connection to 53389 port on WAN side. You will see if NAT works.

emikrotik · Mon Jul 24, 2017 3:05 am

Sometimes, few common ports are silently blocked by the upstream providers,
Try PAT, Example forward port 55510 to your local server ip - port 3389
But why is that so that the common ports are blocked?

To stop people with residential Internet connections hosting mail servers .etc

emikrotik · Mon Jul 24, 2017 3:08 am

1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH
I've already tried reordering (moved the masqurade rule to the bottom) earlier, that didn't help, no one can open a port to anything but the router.

I'll try fowarding the router's port 22 and see if that works.

Hang on, I'm not even forwarding port 22, that rule shouldn't impact anything.

Where you able to get this working?

If you are testing ssh to the firewall you will have to select the input chain.

ChipP · Mon Jul 24, 2017 5:05 am

1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH
I've already tried reordering (moved the masqurade rule to the bottom) earlier, that didn't help, no one can open a port to anything but the router.

I'll try fowarding the router's port 22 and see if that works.

Hang on, I'm not even forwarding port 22, that rule shouldn't impact anything.
Where you able to get this working?

If you are testing ssh to the firewall you will have to select the input chain.

I did. It seems like something was not working within the router cache or something, after restart it started working with my old configuration :S

Port Forwarding Woes :(

Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(

Re: Port Forwarding Woes :(