Port Forward, Routing Mark Issue
Posted: Wed Oct 28, 2015 3:23 pm
by rae
Hi,
I have dstnat doing my port forwarding but also not ideally, I'm missing something:
add action=dst-nat chain=dstnat comment="RDP" dst-port=10000 protocol=tcp to-addresses=192.168.0.100 to-ports=10000
This gets me to my destination but if I use a different IP with the same port it still takes me here, what am I missing?
Furthermore, I want to enable a second gateway with route routing mark mangle address list and this works fine splitting traffic but then the port forwarding doesn't work.
Advice will be appreciated please.
Thanks.
Re: Port Forward, Routing Mark Issue
Posted: Mon Nov 02, 2015 8:50 am
by rae
Ok, I suppose either nobody who has read this post so far knows the answer, or it's something I have to learn/figure out myself. All good and well if it's the latter, as I don't just want the answer handed to me - I prefer to understand it.
So I'll ask a different question; perhaps it will yield some results. In order for me to learn how to configure this, which I need to, what study material is recommended? In the sense of books or video tutorials etc. If I have to pay I will, but I need to get this sorted.
Re: Port Forward, Routing Mark Issue
Posted: Mon Nov 02, 2015 5:21 pm
by jayd2k
Hi there,
add action=dst-nat chain=dstnat comment="RDP" dst-port=10000 protocol=tcp to-addresses=192.168.0.100 to-ports=10000
This gets me to my destination but if I use a different IP with the same port it still takes me here, what am I missing?
If you don't want the rule to apply to every interface or IP address the router is listening on, you'll either have to specify a destination IP address or an inbound interface. For instance, to apply the port NAT to any traffic coming in through ether2 use this:
add action=dst-nat chain=dstnat in-interface=ether2 comment="RDP" dst-port=10000 protocol=tcp to-addresses=192.168.0.100 to-ports=10000
This is the preferred way for a WAN connection that uses dynamic addresses (e.g. PPPoE via xDSL). If you'd rather restrict the NAT rule to a specific IP address, simply use dst-address=$TARGETIP instead of in-interface:
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX comment="RDP" dst-port=10000 protocol=tcp to-addresses=192.168.0.100 to-ports=10000
where XX.XX.XX.XX is to be replaced with a static IP assigned to your router. Please note that for both examples to work properly you'd require an additional firewall rule in the forward chain to permit traffic to the IP address specified in the to-addresses field.
Furthermore, I want to enable a second gateway with route routing mark mangle address list and this works fine splitting traffic but then the port forwarding doesn't work.
Can you elaborate on this one?
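The two restrictions described above (inbound interface, or destination address) plus the forward-chain accept rule, written out as an added example; this is not the poster's configuration. It assumes the WAN interface is ether1, uses 203.0.113.10 and 203.0.113.11 (documentation range) as placeholder public addresses, and keeps the 192.168.0.100:10000 target from the thread. An address list is used for the destination so that several public IPs can share one rule.

```routeros
# Added example, not the poster's config. Placeholder public IPs from the
# 203.0.113.0/24 documentation range; ether1 is assumed to be the WAN port.
/ip firewall address-list
add address=203.0.113.10 list=wan-ips comment="public IPs that should accept the RDP forward"
add address=203.0.113.11 list=wan-ips

/ip firewall nat
# Only packets that arrive on the WAN interface AND are addressed to one of the
# listed public IPs are translated. LAN traffic to port 10000 is left alone.
add chain=dstnat in-interface=ether1 dst-address-list=wan-ips protocol=tcp dst-port=10000 \
    action=dst-nat to-addresses=192.168.0.100 to-ports=10000 comment="RDP"

/ip firewall filter
# The forward chain sees the packet after translation, so match the LAN host.
# connection-nat-state=dstnat limits the accept to flows that went through a
# dst-nat rule, so no other WAN->LAN traffic is let through by accident.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.0.100 dst-port=10000 action=accept comment="RDP forward"
# Everything else that is new and comes from the WAN is dropped.
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop unsolicited WAN traffic"
```

Rule order matters in both tables: the established/related accept should stay first so return packets are not re-evaluated, and the final drop must be last. Adding src-address-list= with the management networks allowed to reach RDP to both the dstnat and the forward rule narrows the exposure further.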
Re: Port Forward, Routing Mark Issue
Posted: Tue Nov 03, 2015 2:24 pm
by rae
Thank you for your time, I really do appreciate it.
I thought that might be the case with in-interface but your 2nd example shows me another way - could I add two or more IPs in one rule though (dst-address=$TARGETIP instead of in-interface)?
Port forwarding doesn't work when A is enabled. I haven't tried changing setup as you described yet but I don't know if that will resolve this problem:
-
Routing Mark Traffic Splitting
/ip firewall address-list
add address=1.1.1.0/24 list=Fibre-Clients
add address=2.2.2.0/24 list=ContendedGroup1
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Fibre-Clients disabled=no new-routing-mark=Fibre-Clients-RM src-address-list=Fibre-Clients
add action=mark-routing chain=prerouting comment=ContendedGroup1 disabled=no new-routing-mark=ContendedGroup1-RM src-address-list=ContendedGroup1
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=Fibre-Clients-RM
add distance=1 gateway=192.168.1.2 routing-mark=ContendedGroup1-RM
-
Then I'd like to split traffic in IP range 2.2.2.0 equally (to be confirmed if working)
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=20mbpscon1 \
src-address=2.2.2.0/24
add action=mark-packet chain=forward connection-mark=20mbpscon1 \
new-packet-mark=20mbpscon1users
/queue type
add kind=pcq name=pcq-DL-20mbpscon1 pcq-classifier=dst-address
add kind=pcq name=pcq-UL-20mbpscon1 pcq-classifier=src-address
/queue tree
add name=pcq-DL-20mbpscon1 packet-mark=20mbpscon1users parent=\
Bridge-ether6/7/8 queue=pcq-DL-20mbpscon1
add name=pcq-UL-20mbpscon1 packet-mark=20mbpscon1users parent=ether2-DSL \
queue=pcq-UL-20mbpscon1
I'm looking at attending MikroTik training as I need to but I need to get this sorted as soon as possible, thanks again for taking the time to assist.
Regards.
Re: Port Forward, Routing Mark Issue
Posted: Tue Nov 03, 2015 6:50 pm
by jayd2k
I thought that might be the case with in-interface but your 2nd example shows me another way - could I add two or more IP's in one rule though (dst-address=$TARGETIP instead of in-interface)?
Yes, either by creating a separate rule for each additional ip address or by using an address list instead.
Port forwarding doesn't work when A is enabled. I haven't tried changing setup as you described yet but I don't know if that will resolve this problem:
If you're trying to port forward traffic destined for an IP address on the router, the return traffic from 1.1.1.1/24 or 2.2.2.2/24 respectively will now use the routing table which only contains the default gateway. Let's assume you want to forward traffic from 192.168.1.100:12345/tcp (your router's WAN IP address) to 2.2.2.50:443/tcp; the return traffic would be sent to the default gateway as specified in the respective routing table for the connection.
-
Routing Mark Traffic Splitting
/ip firewall address-list
add address=1.1.1.0/24 list=Fibre-Clients
add address=2.2.2.0/24 list=ContendedGroup1
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Fibre-Clients disabled=no new-routing-mark=Fibre-Clients-RM src-address-list=Fibre-Clients
add action=mark-routing chain=prerouting comment=ContendedGroup1 disabled=no new-routing-mark=ContendedGroup1-RM src-address-list=ContendedGroup1
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=Fibre-Clients-RM
add distance=1 gateway=192.168.1.2 routing-mark=ContendedGroup1-RM
-
Then I'd like to split traffic in IP range 2.2.2.0 equally (to be confirmed if working)
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=20mbpscon1 \
src-address=2.2.2.0/24
add action=mark-packet chain=forward connection-mark=20mbpscon1 \
new-packet-mark=20mbpscon1users
/queue type
add kind=pcq name=pcq-DL-20mbpscon1 pcq-classifier=dst-address
add kind=pcq name=pcq-UL-20mbpscon1 pcq-classifier=src-address
/queue tree
add name=pcq-DL-20mbpscon1 packet-mark=20mbpscon1users parent=\
Bridge-ether6/7/8 queue=pcq-DL-20mbpscon1
add name=pcq-UL-20mbpscon1 packet-mark=20mbpscon1users parent=ether2-DSL \
queue=pcq-UL-20mbpscon1
Actually, you'll have to mark traffic in both directions. Meaning, for each subnet you'll require four mangle rules - two for marking the connections (up/down) as well as two marking the packets based on those connection marks (up/down respectively). Right now you're only marking connections originating from network 2.2.2.20/24, which from the router's perspective is upload/outbound. Without handling the download/inbound traffic as well, all download traffic generated by hosts within the respective network will be unlimited.
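The four-rule layout described in the reply above, as an added example for the 2.2.2.0/24 subnet from the thread; it is not the poster's or the replier's configuration. It keeps the queue and interface names from the thread (pcq-DL-20mbpscon1, Bridge-ether6/7/8, ether2-DSL) and assumes the 20 Mbps figure implied by the queue name as the max-limit.

```routeros
# Added example, not the thread's own config. Names reuse the poster's; the
# 20M limit is an assumption taken from the queue name.
/ip firewall mangle
# Connection marks: one for connections the subnet opens (outbound) and one for
# connections opened from outside towards the subnet (e.g. a port forward).
# Both use the same mark so every packet of either flow is recognised later.
add chain=forward src-address=2.2.2.0/24 connection-mark=no-mark \
    action=mark-connection new-connection-mark=20mbpscon1 passthrough=yes \
    comment="2.2.2.0/24 outbound connections"
add chain=forward dst-address=2.2.2.0/24 connection-mark=no-mark \
    action=mark-connection new-connection-mark=20mbpscon1 passthrough=yes \
    comment="2.2.2.0/24 inbound connections"
# Packet marks split by direction, using the connection mark set above:
# packets leaving the subnet are upload, packets entering it are download.
add chain=forward connection-mark=20mbpscon1 src-address=2.2.2.0/24 \
    action=mark-packet new-packet-mark=20mbpscon1-UL passthrough=no
add chain=forward connection-mark=20mbpscon1 dst-address=2.2.2.0/24 \
    action=mark-packet new-packet-mark=20mbpscon1-DL passthrough=no

/queue type
add kind=pcq name=pcq-DL-20mbpscon1 pcq-classifier=dst-address
add kind=pcq name=pcq-UL-20mbpscon1 pcq-classifier=src-address

/queue tree
add name=pcq-DL-20mbpscon1 parent=Bridge-ether6/7/8 packet-mark=20mbpscon1-DL \
    queue=pcq-DL-20mbpscon1 max-limit=20M
add name=pcq-UL-20mbpscon1 parent=ether2-DSL packet-mark=20mbpscon1-UL \
    queue=pcq-UL-20mbpscon1 max-limit=20M
```

Verify with /queue tree print stats after generating traffic in each direction: both the DL and UL queues should show rising byte counters. If only one moves, the packet-mark rules are either below a passthrough=no rule that consumed the packet first, or the parent interface is not the one the traffic actually leaves on.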
Re: Port Forward, Routing Mark Issue
Posted: Tue Nov 03, 2015 7:04 pm
by jayd2k
I'm attaching a GNS3 lab of a simple multi-wan setup that's almost identical to what you're trying to do.
Here are the configs for further reference:
R1
The wan subnets are private class networks hence source nat (masq) is applied to any traffic that's leaving towards the emulated upstream through interface ether1.
/ip address
add address=192.168.122.100/24 interface=ether1 network=192.168.122.0
add address=10.1.0.1/24 interface=ether2 network=10.1.0.0
add address=10.2.0.1/24 interface=ether3 network=10.2.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=192.168.122.1
/system identity
set name=R1
R2
Same here, traffic leaving through wan1 and wan2 is masqueraded as well. Additionally we only apply policy based routing to traffic destined for public address space (!Rfc1918). All remaining traffic is handled by the main routing table of R2.
/ip address
add address=10.1.0.2/30 comment=wan-a interface=ether1 network=10.1.0.0
add address=10.2.0.2/30 comment=wan-b interface=ether2 network=10.2.0.0
add address=172.16.0.1/24 comment=clients-a interface=ether3 network=172.16.0.0
add address=172.17.0.1/24 comment=clients-b interface=ether4 network=172.17.0.0
/ip firewall address-list
add address=172.16.0.0/24 list=clients-a
add address=172.17.0.0/24 list=clients-b
add address=10.0.0.0/8 list=Rfc1918
add address=172.16.0.0/12 list=Rfc1918
add address=192.168.0.0/16 list=Rfc1918
/ip firewall mangle
add action=mark-routing chain=prerouting comment="clients-a route mark via wan1" dst-address-list=\
!Rfc1918 new-routing-mark=clients-a-wan1 src-address-list=clients-a
add action=mark-routing chain=prerouting comment="clients-b route mark via wan2" dst-address-list=\
!Rfc1918 new-routing-mark=clients-b-wan2 src-address-list=clients-b
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add distance=1 gateway=10.1.0.1 routing-mark=clients-a-wan1
add distance=1 gateway=10.2.0.1 routing-mark=clients-b-wan2
/system identity
set name=R2
client-a-1
/ip address
add address=172.16.0.100/24 interface=ether1 network=172.16.0.0
/ip route
add distance=1 gateway=172.16.0.1
/system identity
set name=client-a-1
Hope this helps. The lab obviously does not include traffic shaping.
Re: Port Forward, Routing Mark Issue
Posted: Tue Nov 03, 2015 8:53 pm
by rae
I'm going to work on this, thanks a lot!
Re: Port Forward, Routing Mark Issue
Posted: Wed Nov 04, 2015 10:33 am
by rae
Please bear with me here and forgive my ignorance, but something hasn't 'clicked' for me yet.
I have another MikroTik further down the network with IP 192.168.192.240, I can ping it and have a range of ports being forwarded to it and working well. I have other ports here and there being forwarded to some other IP's in 10.10.10.0 range and also working fine.
When I enable the Routing Mark on the route and mangle rule for it then I cannot see the rest of the network, no pings and of course no port forwarding functioning then.
Where can I look for the problem?
Thanks in advance.
Re: Port Forward, Routing Mark Issue
Posted: Wed Nov 04, 2015 10:47 am
by jayd2k
Can you provide a network diagram and the configuration of all the routers involved? Did you exclude private networks for the routing marks?
Re: Port Forward, Routing Mark Issue
Posted: Wed Nov 04, 2015 11:06 am
by jayd2k
Depending on the situation you might want to create additional routing marks which ensure that traffic that comes in through a certain interface will leave through the same interface. Check out this post on how to do that. Eventually you'll have to add this for each wan-link to ensure that return traffic is routed properly for port-forwardings to work.
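What "leave through the interface it came in on" looks like in mangle rules, together with the RFC1918 exclusion asked about in the previous reply, as an added example; this is not the linked post's or the poster's configuration. It assumes two WAN interfaces named ether1-Fibre and ether2-DSL, a DSL gateway of 192.168.1.1 as in the thread, a placeholder fibre gateway, and that the LAN-side policy routing uses the Fibre-Clients address list from the thread.

```routeros
# Added example, not the thread's own config. FIBRE_GW_PLACEHOLDER must be
# replaced with the real fibre next hop; interface names are assumptions.
/ip firewall address-list
add address=10.0.0.0/8 list=Rfc1918
add address=172.16.0.0/12 list=Rfc1918
add address=192.168.0.0/16 list=Rfc1918

/ip firewall mangle
# 1. Remember on which WAN a connection arrived. Only the first packet of a
#    new, unmarked connection is tagged; every later packet inherits the mark.
add chain=prerouting in-interface=ether1-Fibre connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-fibre passthrough=yes
add chain=prerouting in-interface=ether2-DSL connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-dsl passthrough=yes
# 2. Replies from LAN hosts (port-forwarded traffic) to those connections are
#    routed back via the WAN they came in on. in-interface=! excludes packets
#    that are themselves arriving from that WAN.
add chain=prerouting in-interface=!ether1-Fibre connection-mark=from-fibre \
    action=mark-routing new-routing-mark=via-fibre passthrough=no
add chain=prerouting in-interface=!ether2-DSL connection-mark=from-dsl \
    action=mark-routing new-routing-mark=via-dsl passthrough=no
# 3. Replies generated by the router itself (pings to a WAN IP, services on the
#    router) go through the output chain, not prerouting.
add chain=output connection-mark=from-fibre action=mark-routing new-routing-mark=via-fibre passthrough=no
add chain=output connection-mark=from-dsl action=mark-routing new-routing-mark=via-dsl passthrough=no
# 4. Client policy routing, but only for public destinations: traffic between
#    internal networks (192.168.192.0/24, 10.10.10.0/24, ...) stays in the main
#    table, which is what keeps the downstream router reachable.
add chain=prerouting src-address-list=Fibre-Clients dst-address-list=!Rfc1918 \
    action=mark-routing new-routing-mark=via-fibre passthrough=no

/ip route
add gateway=FIBRE_GW_PLACEHOLDER routing-mark=via-fibre distance=1
add gateway=192.168.1.1 routing-mark=via-dsl distance=1
```

The rules in groups 1 to 3 must sit above any src-address based routing marks, otherwise a reply packet from a LAN host is caught by the client rule first and sent out the wrong WAN. Check the outcome with /ip firewall connection print where connection-mark shows from-fibre or from-dsl, and with /ip route print where routing-mark=via-fibre should list a gateway.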
Re: Port Forward, Routing Mark Issue
Posted: Wed Nov 04, 2015 11:51 am
by rae
Perhaps my problem lies with my IP addressing; I know it isn't good and want to revamp it, but perhaps that should happen sooner rather than later. Recommendations are very welcome in this regard.
Here is my current mess:
ether1-Fibre (public IP)
ether2-DSL 192.168.1.2/24
bridge1-ether6/7/8 192.168.192.250/24; 10.50.10.1/24
ether13-Radius 10.10.10.1/24
Radius 10.10.10.5/24
Backhaul Antennas 192.168.192.0/24 - transparent bridges, switched, no routers
Clients 10.10.10.0/24 - each IP specified in Radius so I know where to port forward, there is probably a better way but I don't know how.
RouterBoard at a tower 192.168.192.240/24
I did not exclude anything in routing marks as I don't know what to exclude.
Re: Port Forward, Routing Mark Issue
Posted: Wed Nov 04, 2015 12:06 pm
by jayd2k
This is going way beyond the topic initially addressed in this post. You should request general feedback on your setup by opening a new post. Make sure to provide all the proper details of your setup, including a network diagram. However, if you're seeking professional advice, feel free to send me your contact information via PM.