NAT Port Forwarding loop

Posted: Sat Jul 02, 2016 9:11 pm
by thenegativeone
Hello!
Recently I have added the firewall NAT rule: chain=dstnat protocol=tcp dst-port=80 action=netmap to-addresses=10.10.10.10 to-ports=80
I haven't specified the in-interface, and the result is that none of the HTTP sites on the internet or on the local network are available over port 80.
I would like to understand how this happens.
I see it this way:
From the local network: the router sees a connection to... let's say facebook.com through port 80 and masquerades it to the internet with, say, port 803060 (so the router knows that everything that comes in on port 803060 is redirected to whichever local address tried to connect to facebook.com through port 80).
From the internet: whenever someone tries to reach my MikroTik device on port 80, it should be redirected to 10.10.10.10 on port 80.

The actual question is why, when I don't specify the in-interface in the NAT dstnat chain, it redirects all traffic to 10.10.10.10.

Actually, while writing all this I somehow got the idea that the MikroTik device applies the NAT dstnat chain on ALL interfaces and addresses of the port-forwarding rule?

Thanks in advance 

Re: NAT Port Forwarding loop

Posted: Sat Jul 02, 2016 10:41 pm
by iberium
It's because you haven't specified a filter to tell it only WAN traffic. Either put in the in-interface or the dst-address (your public IP). You also don't really need the to-ports. The action should be dst-nat with the to-address set to the internal IP.

Re: NAT Port Forwarding loop

Posted: Sun Jul 03, 2016 12:18 am
by Sob
Rules are collections of simple conditions and an action performed when a packet matches those conditions. If the only two conditions are protocol=tcp and dstport=80, then it will match any TCP packet going to port 80, no matter where it comes from or where it goes. So even your connection to facebook.com will be redirected to 10.10.10.10.
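
The over-broad rule from the original post next to a scoped replacement, as an added example that is not part of the thread. The interface name ether1 and the public address 203.0.113.5 are assumptions for illustration; the real RouterOS parameter name is dst-port (the post's "dstport" is shorthand). The scoped rule follows the advice above: match only packets arriving on the WAN interface and addressed to the public IP, and use action=dst-nat rather than netmap for a single-host forward.

```routeros
# Over-broad rule as posted: the only match conditions are protocol and port,
# so it also catches LAN clients' outbound HTTP (e.g. to facebook.com) and
# HTTP to the router itself, sending all of it to 10.10.10.10.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 \
    action=netmap to-addresses=10.10.10.10 to-ports=80

# Scoped rule: only traffic that enters on the WAN interface (ether1 is an
# assumption) and is addressed to the public IP (203.0.113.5 is an assumption)
# is forwarded. Outbound HTTP from the LAN no longer matches.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.5 \
    protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.10.10 \
    comment="web server reachable from WAN only"
```

If the public address is dynamic, keep in-interface and drop dst-address. Two caveats: with in-interface set to the WAN port, LAN hosts can no longer reach the server by its public IP (that needs a separate hairpin NAT rule), and a dstnat rule with no source or interface restriction will also capture connections to the router's own port 80, which is why the management web interface disappears along with everything else.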

Re: NAT Port Forwarding loop

Posted: Sun Jul 03, 2016 4:41 pm
by thenegativeone
It's because you haven't specified a filter to tell it only WAN traffic. Either put in the in-interface or the dst-address (your public IP). You also don't really need the to-ports. The action should be dst-nat with the to-address set to the internal IP.
You didn't read my post.

Re: NAT Port Forwarding loop

Posted: Sun Jul 03, 2016 4:42 pm
by thenegativeone
Rules are collections of simple conditions and an action performed when a packet matches those conditions. If the only two conditions are protocol=tcp and dstport=80, then it will match any TCP packet going to port 80, no matter where it comes from or where it goes. So even your connection to facebook.com will be redirected to 10.10.10.10.
Yes, I got that. Thanks.