Hello,
I am very new to the OS, but follow instructions well. I followed several samples on the wiki detailing how to forward requests on a certain port, to a specific internal IP. These dstnat rules are not working for me for some reason. Once I have created them, I can see the counters incrementing in winbox for the rule...however I am still unable to connect to the resource. Below is a print paste of the two rules I cant get to work:
chain=dstnat in-interface=public dst-address=(public IP) protocol=tcp
dst-port=22 action=dst-nat to-addresses=192.168.0.100 to-ports=22
chain=dstnat dst-address=(publicIP) protocol=tcp dst-port=3389
src-address-list="" dst-address-list="" action=dst-nat
to-addresses=192.168.0.50 to-ports=3389
*I replaced my public ip of form xxx.xxx.xxx.xxx for privacy's sake.
Any help or reccomendations would be greatly appreciated...I am stumped.
Hi, i have similar config for port redirect to my local server and it works perfectly
chain=dstnat dst-address=[public ip] protocol=tcp dst-port=80
action=dst-nat to-addresses=172.21.2.2 to-ports=80
chain=dstnat dst-address=[public ip] protocol=tcp dst-port=22
action=dst-nat to-addresses=172.21.2.2 to-ports=22
chain=dstnat dst-address=[public ip] protocol=tcp dst-port=80
action=dst-nat to-addresses=172.21.2.2 to-ports=80
chain=dstnat dst-address=[public ip] protocol=tcp dst-port=22
action=dst-nat to-addresses=172.21.2.2 to-ports=22
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Yes I do. The only other rules I have presently are a port 80 redirect on the internal (private) interface to the web cache. And a masquerade srcnat for NAT.
chain=srcnat out-interface=public action=masquerade
chain=dstnat in-interface=private protocol=tcp dst-port=80 action=redirect
to-ports=8080
Is the masquerade causing a problem (breaking the connection as the host is not receiving info back from the expected IP?) I suppose that would make sense to me logically, but i dont know how to get around it.
Thanks ,
Jeremy
chain=srcnat out-interface=public action=masquerade
chain=dstnat in-interface=private protocol=tcp dst-port=80 action=redirect
to-ports=8080
Is the masquerade causing a problem (breaking the connection as the host is not receiving info back from the expected IP?) I suppose that would make sense to me logically, but i dont know how to get around it.
Thanks ,
Jeremy
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Hi again,
There are no routing entries outside of default. There are currently only 3 entries in routes, all default. I have not done anything further than run setup, enable dhcp,transparent web proxy, local dns. Another clue, I attempted to redirect a user using a dst nat rule from their source IP, dstnat port 80 to the address of my internal webserver, and that to appeared not to work. Let me know if I could paste anything else that would be helpful. A side note, I really appreciate your being helpful on this issue...user forums and helpful souls such as yourself are ideal.
Jeremy
There are no routing entries outside of default. There are currently only 3 entries in routes, all default. I have not done anything further than run setup, enable dhcp,transparent web proxy, local dns. Another clue, I attempted to redirect a user using a dst nat rule from their source IP, dstnat port 80 to the address of my internal webserver, and that to appeared not to work. Let me know if I could paste anything else that would be helpful. A side note, I really appreciate your being helpful on this issue...user forums and helpful souls such as yourself are ideal.
Jeremy
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Thank you for the input psip. I went ahead and made the change to remove in-interface, and still have the same problem. I believe that is something I did going back and forth trying to get this working. Without that parameter specified, both rules for ssh and rdp still fail to work, even though you can see the packet counter for the rule incrementing. On another note, ethereal does see packets arriving when attempting to rdp to the device. It almost seems as though the traffic is only flowing in, and not allowing any return communication? Either way, im stumped.
So you can definately connect to these ports OK from inside the network, and you can definately ping your public addresses from outside ?
Maybe temporarily allow port 22 in the input chain and test to make sure you can SSH to the router itself, work through it piece by piece.
You rules look OK to me and should work, even the one with the in-interface should work, but you don't need that set.
Regards
Paul
Maybe temporarily allow port 22 in the input chain and test to make sure you can SSH to the router itself, work through it piece by piece.
You rules look OK to me and should work, even the one with the in-interface should work, but you don't need that set.
Regards
Paul
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Hello Paul,
Yes, I can connect to both with no error from inside the network. I also confirmed that both had the correct subnet and gateway, and could communicate with the MT with no issue. At your recommendation I also created an input chain for port 22, and see the same behavior (connection timed out) when attempting to connect to the external IP. I have pasted all firewall>filter rules below. I really appreciate all of your help, please let me know if I can give you any more information.
Jeremy
[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=public action=jump jump-target=customer
1 ;;; Drop invalid connection packets
chain=customer connection-state=invalid action=drop
2 ;;; Allow established connections
chain=customer connection-state=established action=accept
3 ;;; Allow related connections
chain=customer connection-state=related action=accept
4 ;;; Log dropped connections
chain=customer action=log log-prefix="customer_drop"
5 ;;; Drop and log everything else
chain=customer action=drop
6 chain=input protocol=tcp src-port=22 action=accept
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public action=masquerade
1 X chain=dstnat in-interface=private protocol=tcp dst-port=80 action=redirect
to-ports=8080
2 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.0.100 to-ports=22
3 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=3389
src-address-list="" dst-address-list="" action=dst-nat
to-addresses=192.168.0.50 to-ports=3389
Yes, I can connect to both with no error from inside the network. I also confirmed that both had the correct subnet and gateway, and could communicate with the MT with no issue. At your recommendation I also created an input chain for port 22, and see the same behavior (connection timed out) when attempting to connect to the external IP. I have pasted all firewall>filter rules below. I really appreciate all of your help, please let me know if I can give you any more information.
Jeremy
[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=public action=jump jump-target=customer
1 ;;; Drop invalid connection packets
chain=customer connection-state=invalid action=drop
2 ;;; Allow established connections
chain=customer connection-state=established action=accept
3 ;;; Allow related connections
chain=customer connection-state=related action=accept
4 ;;; Log dropped connections
chain=customer action=log log-prefix="customer_drop"
5 ;;; Drop and log everything else
chain=customer action=drop
6 chain=input protocol=tcp src-port=22 action=accept
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public action=masquerade
1 X chain=dstnat in-interface=private protocol=tcp dst-port=80 action=redirect
to-ports=8080
2 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.0.100 to-ports=22
3 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=3389
src-address-list="" dst-address-list="" action=dst-nat
to-addresses=192.168.0.50 to-ports=3389
Rule 6, you need to change to dst-port, then try to connect again, making sure of course that you disable the relevant forward rule for port 22.
What I was trying to get you to do is connect to the port 22 (SSH) on the mikrotik itself just to ensure that you can get port 22 into the router. Also, I'm not sure if you have port 22 enabled on the router if it will cause any problems with forwarding it, it shouldn't, but it may pay to disable that service in IP->Services just in case.
Regards
Paul
What I was trying to get you to do is connect to the port 22 (SSH) on the mikrotik itself just to ensure that you can get port 22 into the router. Also, I'm not sure if you have port 22 enabled on the router if it will cause any problems with forwarding it, it shouldn't, but it may pay to disable that service in IP->Services just in case.
Regards
Paul
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
The IP Address of the Internal Interface is???
In order to use dst-nat, your dst-nat destination address (to-address=) needs to be on the same IP Network as the Interface where the data leaves.
If you dst-nat to-address=172.21.2.2, then the Internal Interface on the Mikrotik need to be on the same IP Network. It needs the MAC Address in order for dst-nat to function, and if you are dst natting to a routed IP address, the router will not know the MAC address of the destination IP.
In order to use dst-nat, your dst-nat destination address (to-address=) needs to be on the same IP Network as the Interface where the data leaves.
If you dst-nat to-address=172.21.2.2, then the Internal Interface on the Mikrotik need to be on the same IP Network. It needs the MAC Address in order for dst-nat to function, and if you are dst natting to a routed IP address, the router will not know the MAC address of the destination IP.
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
reorder firewall
I only came across this thread and I found 2 things.
1\ I do not agree that address where the communication is dst-nated has to be from the same subnet as the address of the interface through which it is leaving. However, the dst-address has to exist (naturally) and you have got to have a route to it, if you want it to work.
2\ In my opinion you do not need to allow port 22 as extra action since there is no rule to deny it. Moreover communication to ssh is normally where dst-port is 22, not the source one, source ports are allocated dynamically.
Although I came across it very quickly I have not found why it should not work. Try to use torch/ethereal and other tools to state whether packets are redirected correctly and not processed because of other reasons, for example.
1\ I do not agree that address where the communication is dst-nated has to be from the same subnet as the address of the interface through which it is leaving. However, the dst-address has to exist (naturally) and you have got to have a route to it, if you want it to work.
2\ In my opinion you do not need to allow port 22 as extra action since there is no rule to deny it. Moreover communication to ssh is normally where dst-port is 22, not the source one, source ports are allocated dynamically.
Although I came across it very quickly I have not found why it should not work. Try to use torch/ethereal and other tools to state whether packets are redirected correctly and not processed because of other reasons, for example.
Re: Port Forwarding not working
I have a similar issue and wanted to know if anyone has a fix or know how to resolve:
Port forwarding works but only if you are on the outside of the private network. For example I can sit outside and get to all my email and webservers no porblem.
Once inside tring to pull up any service pointing to the outside IP it dies at the MT box?
There are no firewall rules except for dst-nat at this time. Curious to know that I can stick a cheap linksys in and everthing works just fine from both sides.
Thank you in advance!
Port forwarding works but only if you are on the outside of the private network. For example I can sit outside and get to all my email and webservers no porblem.
Once inside tring to pull up any service pointing to the outside IP it dies at the MT box?
There are no firewall rules except for dst-nat at this time. Curious to know that I can stick a cheap linksys in and everthing works just fine from both sides.
Thank you in advance!
Re: Port Forwarding not working
Wtw -
NAT Rule #3 - "src-address-list="" dst-address-list="" " are you using src and dst addresses here? If not then get rid of these parameters...they'll just cause problems otherwise.
In the above set of rules I do not see an allocation for a 'new' connection. You have related, established, and invalid - where is new?
You are ONLY filtering requests coming from the outside - "in-interface=public", was this your intention?
I also don't know how you 'allow' connections to your servers, one of the security features I use among others is IP addresses...if you use this feature then you will also have to match the masqureaded IP from the MT and add it to your list of 'allowed' IP addresses for your servers...because you have ALL requests for external IP addresses masqueraded "0 chain=srcnat out-interface=public action=masquerade ". When connecting using an inside IP address you'll have to do the same on the server - the MT isn't involved - it's a direct connection from client to server but the IP address of your client will need to be in the 'allow' list on the server....
Thom
Filter Rule #6 - should be deleted. Besides you have this rule after all of your other rules so it is dropped and logged before it even gets to it...[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=public action=jump jump-target=customer
1 ;;; Drop invalid connection packets
chain=customer connection-state=invalid action=drop
2 ;;; Allow established connections
chain=customer connection-state=established action=accept
3 ;;; Allow related connections
chain=customer connection-state=related action=accept
4 ;;; Log dropped connections
chain=customer action=log log-prefix="customer_drop"
5 ;;; Drop and log everything else
chain=customer action=drop
6 chain=input protocol=tcp src-port=22 action=accept
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public action=masquerade
1 X chain=dstnat in-interface=private protocol=tcp dst-port=80 action=redirect
to-ports=8080
2 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.0.100 to-ports=22
3 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=3389
src-address-list="" dst-address-list="" action=dst-nat
to-addresses=192.168.0.50 to-ports=3389
NAT Rule #3 - "src-address-list="" dst-address-list="" " are you using src and dst addresses here? If not then get rid of these parameters...they'll just cause problems otherwise.
In the above set of rules I do not see an allocation for a 'new' connection. You have related, established, and invalid - where is new?
You are ONLY filtering requests coming from the outside - "in-interface=public", was this your intention?
I also don't know how you 'allow' connections to your servers, one of the security features I use among others is IP addresses...if you use this feature then you will also have to match the masqureaded IP from the MT and add it to your list of 'allowed' IP addresses for your servers...because you have ALL requests for external IP addresses masqueraded "0 chain=srcnat out-interface=public action=masquerade ". When connecting using an inside IP address you'll have to do the same on the server - the MT isn't involved - it's a direct connection from client to server but the IP address of your client will need to be in the 'allow' list on the server....
Thom
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Re: Port Forwarding not working
I FIGURED IT OUT!!! it was a damn filter rule "Drop and log everything else". I disabled this rule, and everything works...yay! Any problems with leaving this rule disabled, or perhaps editing the filter rules to allow that traffic?
Thanks,
JZ
Thanks,
JZ
Re: Port Forwarding not working
Just make the "Drop and log everything else" rule the last rule in your filter table and it should be okay to enable it.
-
-
ziggyrocket
just joined
- Posts: 10
- Joined:
Re: Port Forwarding not working
It is currently the last rule in the sequence and when enabled it is still filtering out that traffic.
-JZ
-JZ
Re: Port Forwarding not working
You need to create accept rules for that trafficIt is currently the last rule in the sequence and when enabled it is still filtering out that traffic.
-JZ