Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Problem with NAT port forwarding

Locked
 
microcat
just joined
Topic Author
Posts: 8
Joined: Mon Nov 26, 2018 11:48 am

Problem with NAT port forwarding

Tue May 07, 2019 6:09 pm

Hi!

Short description of the problem:
on my 951G-2HnD, when an incoming connection requests TCP port 55000, it should be redirected to local address 192.168.88.254 and the port 3389 (which is windows machine, available by RDP). To this end, I added a rule:
Code: Select all
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=3389 protocol=tcp in-interface=ether1 dst-port=55000

Then I connect to 111.111.111.222:55000 using RDP, but connection is not established! :shock:

Please look at the details of my configuration:
ISP dynamic ip: 111.111.111.222 (this is the address assigned to me by the ISP for remote access. So I can ssh to my router. This IP does not change).
ISP network: 111.111.111.0
My local network: 192.168.88.0/24
Interface for ISP: ether1
Interfaces for local network: ether2,3,4,5 with bridge
Code: Select all
[username@hostname] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                               
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                  
 1 D 111.111.111.222/24  111.111.111.0    ether1
Firewall filter rules:
Code: Select all
[username@hostname] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
0    chain=input action=drop src-address-list=bogon in-interface=ether1 
1    chain=input action=accept connection-state=established,related,untracked 
2    chain=input action=drop connection-state=invalid 
3    chain=input action=accept protocol=icmp 
4    chain=forward action=accept connection-state=established,related,untracked 
5    chain=forward action=drop connection-state=invalid 
6    chain=input action=drop connection-state=new in-interface=!bridge 
7    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
Firewall NAT rules:
Code: Select all
[username@hostname] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether1 

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=3389 protocol=tcp 
      in-interface=ether1 dst-port=55000
IP route:
Code: Select all
[username@hostname] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          111.111.111.1              1
 1 ADC  111.111.111.0/24    111.111.111.222  ether1                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

What should I add to my configuration?


Thanks!
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21933
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Problem with NAT port forwarding

Tue May 07, 2019 7:03 pm

If you are attempting this behind the router you will need hairpin nat. I dont see anything from a quick view that would stop the traffic.
Top
 
microcat
just joined
Topic Author
Posts: 8
Joined: Mon Nov 26, 2018 11:48 am

Re: Problem with NAT port forwarding

Tue May 07, 2019 8:18 pm

If you are attempting this behind the router you will need hairpin nat. I dont see anything from a quick view that would stop the traffic.
I forgot to say that this is a remote connection over the Internet, from a completely different network. So apparently "hairpin NAT" is not my case.

By the way, maybe this will help. The thing is, I have another 951G-2HnD with the same version of RouterOS, and with a different ISP (ISP-2). The difference in the configuration is only in the fact that the IP address by ISP-2 is registered statically. So NAT works fine there with the same forwarding rule. I have already called the ISP-1 and asked if they are blocking any ports, but not in this case.
Last edited by microcat on Tue May 07, 2019 8:25 pm, edited 1 time in total.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12990
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problem with NAT port forwarding

Tue May 07, 2019 8:24 pm

How about firewall on your windows machine? By default it won't allowconnection from internet ...

Do packet counters of the NAT rule increase when you try to connect?
Top
 
microcat
just joined
Topic Author
Posts: 8
Joined: Mon Nov 26, 2018 11:48 am

Re: Problem with NAT port forwarding

Tue May 07, 2019 8:39 pm

How about firewall on your windows machine? By default it won't allowconnection from internet ...
This machine surely allows remote connection via RDP with another ISP and router. In addition, there is another machine that should be available via SSH. But it is not available too.

Do packet counters of the NAT rule increase when you try to connect?
Yes, I confirm an increase of the packet counter each time I try to connect! :?
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12990
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problem with NAT port forwarding

Tue May 07, 2019 8:59 pm

You're mentioning another ISP and router ... are both WANs active at the same time?

This would mean a slightly complicated setup with potential routing triangle (in such case firewall can panic as it might not see both legs of the connection) and/or routing the other leg through different ISP.
Top
 
microcat
just joined
Topic Author
Posts: 8
Joined: Mon Nov 26, 2018 11:48 am

Re: Problem with NAT port forwarding

Tue May 07, 2019 9:08 pm

You're mentioning another ISP and router ... are both WANs active at the same time?

This would mean a slightly complicated setup with potential routing triangle (in such case firewall can panic as it might not see both legs of the connection) and/or routing the other leg through different ISP.
These are two completely separate 951G-2HnDs with different ISPs. They are not connected together. But these two routers have identical configuration, the difference in configuration includes only ISP-specific settings and some port numbers. Therefore, it is surprising to me that NAT rules do not work on this router.

The target windows-machine used to work with ISP-2, and NAT forwarding worked fine.
Top
 
rbnewfan
newbie
Posts: 28
Joined: Sat Oct 22, 2016 5:23 pm

Re: Problem with NAT port forwarding

Wed May 08, 2019 2:22 pm

Check again IP addresses, I had a case with wrong IP and it took me half an hour until I spotted it.
Check again firewall rules carefully and see their counters if some increases too.
Check other dstnats for any conflicts etc.
Make 100% sure port 55000 is not blocked by ISP. Some ISP's first-line support knows sh** and plain lie.
Top
Locked

Who is online

Users browsing this forum: No registered users and 23 guests
  4. RouterOS
  5. Beginner Basics