jparis
just joined
Topic Author
Posts: 8
Joined: Tue Aug 22, 2017 5:52 pm

Port forwarding behind router

Thu Mar 01, 2018 3:11 pm

Hi,

I'm facing a setup that has been a headache...

Scenario:
We have a router to connect to the internet and for several other uses; it's an IPCOP. At the LAN side of this router we have several computers and so on, the LAN is 192.168.x.x and we have complete control over the IPCOP machine.
Then we have a second router that connects to a WAN private network; it's a Cisco. At the LAN side of this router we have several computers and so on, the LAN is 10.x.x.x and we DO NOT have control over the Cisco router. This private network has its own internet access.
We were in need of joining these two LANs to share several services among them and decided to implement a Mikrotik Hex; up to now it is working like a champ. Here you have the configuration:
# mar/01/2018 14:01:16 by RouterOS 6.34.2
# software id = XCFJ-DVCN
#
/interface bridge
add name=Escuela
add name=Xunta
/interface ethernet
set [ find default-name=ether4 ] name=Escuela1
set [ find default-name=ether5 ] name=Escuela2
set [ find default-name=ether2 ] name=Xunta1
set [ find default-name=ether3 ] name=Xunta2
/ip dhcp-server option
add code=249 name=option-249 value=0x10c0a80a3e18e3
/ip firewall layer7-protocol
add name=imaxeson regexp=imaxeson.net
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=10.62.24.100-10.62.24.150
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Xunta lease-time=15m name=\
    "DHCP Xunta" src-address=10.62.24.227
/interface bridge port
add bridge=Xunta interface=Xunta1
add bridge=Xunta interface=Xunta2
add bridge=Escuela interface=Escuela1
add bridge=Escuela interface=Escuela2
/ip address
add address=10.62.24.227/24 interface=Xunta network=10.62.24.0
add address=192.168.254.246/16 interface=Escuela network=192.168.0.0
/ip dhcp-server lease
add address=10.62.24.50 always-broadcast=yes mac-address=00:1A:A0:BF:8F:77 \
    server="DHCP Xunta"
add address=10.62.24.51 mac-address=00:1D:72:EF:2E:52 server="DHCP Xunta"
add address=10.62.24.53 always-broadcast=yes mac-address=00:18:8B:2A:A0:81 \
    server="DHCP Xunta"
add address=10.62.24.54 always-broadcast=yes mac-address=00:18:8B:2A:F7:62 \
    server="DHCP Xunta"
add address=10.62.24.55 mac-address=00:1D:72:DC:FC:37 server="DHCP Xunta"
add address=10.62.24.56 mac-address=00:A0:D1:A2:E9:B6 server="DHCP Xunta"
add address=10.62.24.57 mac-address=00:1B:FC:DA:8C:42 server="DHCP Xunta"
add address=10.62.24.58 always-broadcast=yes mac-address=00:18:8B:2A:FA:4A \
    server="DHCP Xunta"
add address=10.62.24.59 mac-address=00:1D:60:6F:8F:2B server="DHCP Xunta"
add address=10.62.24.69 mac-address=00:10:5C:FE:96:F3 server="DHCP Xunta"
add address=10.62.24.241 mac-address=00:80:77:D0:8B:DD server="DHCP Xunta"
/ip dhcp-server network
add address=10.62.24.0/24 dhcp-option=option-249 dns-server=10.62.24.227 \
    domain=imaxeson.net gateway=10.62.24.1 netmask=24 ntp-server=10.62.24.2 \
    wins-server=10.62.24.252
/ip dns
set allow-remote-requests=yes servers=10.180.188.75
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.62.24.227 dst-po
    53 layer7-protocol=imaxeson new-connection-mark=imaxeson-fwd protocol=u
/ip firewall nat
add action=dst-nat chain=dstnat comment="Gestion dns imaxeson.net" \
    connection-mark=imaxeson-fwd to-addresses=10.62.24.252
add action=masquerade chain=srcnat connection-mark=imaxeson-fwd
/ip route
add distance=1 gateway=10.62.24.1
add distance=1 dst-address=10.62.24.0/24 gateway=Xunta
add distance=1 dst-address=192.168.0.0/16 gateway=Escuela
/system clock
set time-zone-name=Europe/Madrid
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
Now we are trying to set up a RealVNC server on one computer in the Cisco LAN (10.x.x.x), using a specific port, 58001, for a mate to connect from home through the IPCOP WAN.
And, up to date, nothing.

Any light?

Thank you in advance!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding behind router

Thu Mar 01, 2018 4:15 pm

The mangle rule is cut off. But "protocol=u" suggests udp, so it has chance to work. But are you sure that L7 will match the very first packet?
 
jparis
just joined
Topic Author
Posts: 8
Joined: Tue Aug 22, 2017 5:52 pm

Re: Port forwarding behind router

Fri Mar 02, 2018 2:07 pm

That option is here to make some DNS requests be intercepted and "NATed" to another server, and it's working properly; nothing to do with the problem we are facing.

Thanks
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding behind router

Sat Mar 03, 2018 4:35 am

Well, I was looking for the non-working rule and this was the only one I saw.

Try #2, first forward port from IPCOP to Hex, then add standard dstnat rule to forward it further and if the target device doesn't have Hex as its default gateway, add srcnat rule to change the source to Hex, so that the device will know where to send reply packets:
/ip firewall nat
add chain=dstnat dst-address=192.168.254.246 protocol=tcp dst-port=58001 action=dst-nat to-addresses=10.x.x.x to-ports=<port on 10.x.x.x>
add chain=srcnat dst-address=10.x.x.x dst-port=<port on 10.x.x.x> action=masquerade
Is this what you're looking for?
 
jparis
just joined
Topic Author
Posts: 8
Joined: Tue Aug 22, 2017 5:52 pm

Re: Port forwarding behind router

Mon Mar 05, 2018 3:20 pm

Hi Sob,

Thank you for taking care of this, but we had already tested that way before posting and got nothing. So, here we have somewhat good knowledge/skills about this kind of config (but not in Mikrotik) and did explore a lot of possibilities before initiating this desperate thread.

The stuff you see in the config is what was there at the moment of backing it up to post here; you'll see several things there related to the job this router is doing joining our two LANs and relaying DNS requests for both networks and so on, and these are OK and working properly. Then you will see the last two rules in NAT, which were the ones we were working on to accomplish this new "mission" but didn't work. So, we want to accomplish this:

VNC Host (10.x.x.x:58001)<-------------->Hex(10.x.x.x "side")<-------------->Hex(192.168.x.x "side")<-------------->IPCOP(192.168.x.x "Side")<-------------->IPCOP(x.x.x.x "Internet")

But gateway to internet in VNC Host is NOT Hex NOR IPCOP:

(Several intranet related stuff)<-------------->Hex(10.x.x.x "Side")<-------------->VNC Host(10.x.x.x)<-------------->CISCO(10.x.x.x "Side")<-------------->CISCO(x.x.x.x "Internet")

This is our problem: routing the packets from the IPCOP internet side to the VNC Host is very easy and worked at the first attempt, we can see packets hitting the host at the right port. But the fault is in the return path: the host answers the traffic using its known gateway, the CISCO router, and it gets lost.

We need a way, if possible, to "convince" the host that it has to answer those packets over the same "gateway" they came from.

And, again, thank you very much for your help
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding behind router

Mon Mar 05, 2018 7:14 pm

That's what the masquerade rule is for. It will change the source address to 10.x.x.x (*) on Hex. So the VNC host will see all incoming connections as if they came from Hex. And since that's in the local subnet, replies will go there, not to the default gateway. That's the quick and dirty solution. A cleaner one would be to implement policy routing on the VNC host, if it's capable of doing so (Linux yes, Windows probably no).

(*) Btw, what's the point of masking private addresses (not unique and not reachable from internet)?
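To make the return-path problem in this thread concrete, here is an added Python model (not code from the thread or from RouterOS) of the VNC host's routing decision with and without Sob's masquerade rule: Hex's two addresses and the 10.62.24.1 gateway are taken from the posted export, while the VNC host and the remote client addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, replace

# Hex's interface addresses and the LAN gateway come from the posted export;
# the VNC host and the remote client are constructed sample values
# (the thread masks the 10.x.x.x side with x's).
HEX_ESCUELA = "192.168.254.246"   # Hex, IPCOP/192.168 side (from the export)
HEX_XUNTA = "10.62.24.227"        # Hex, Cisco/10.x side (from the export)
CISCO_GW = "10.62.24.1"           # default gateway of the 10.62.24.0/24 LAN
VNC_HOST = "10.62.24.60"          # constructed: the RealVNC server
CLIENT = "203.0.113.10"           # constructed: the mate's public address
VNC_PORT = 58001                  # port named in the thread

# Routing table of the VNC host: connected /24, everything else via the Cisco.
VNC_HOST_ROUTES = [("10.62.24.0/24", None), ("0.0.0.0/0", CISCO_GW)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def next_hop(routes, dst):
    """Longest-prefix match; a connected route returns dst itself (on-link)."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best[1] is not None else dst


def hex_forward(pkt, masquerade):
    """Hex's forwarding path: Sob's dstnat rule, then the optional srcnat rule."""
    # dstnat: what IPCOP forwarded to Hex:58001 is redirected to the VNC host
    if pkt.dst == HEX_ESCUELA and pkt.dport == VNC_PORT:
        pkt = replace(pkt, dst=VNC_HOST)
    # srcnat (masquerade): rewrite the source to Hex's own 10.x address
    if masquerade and pkt.dst == VNC_HOST and pkt.dport == VNC_PORT:
        pkt = replace(pkt, src=HEX_XUNTA)
    return pkt


def reply_next_hop(masquerade):
    """Where the VNC host sends its reply for a connection arriving via Hex."""
    inbound = hex_forward(Packet(CLIENT, HEX_ESCUELA, VNC_PORT), masquerade)
    # The host answers the source it saw, using only its own routing table.
    return next_hop(VNC_HOST_ROUTES, inbound.src)
```

Without masquerade the reply is routed to 10.62.24.1 (the Cisco, where it is lost); with it the reply goes on-link to 10.62.24.227, i.e. back to Hex.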
