USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Port forwarding

Mon Oct 31, 2016 6:39 pm

Can't get my port-forwarding working.
I'm doing it as described in many tutorials: added a dst-nat action to the dstnat chain but it's not working.
I guess I have to fix some filtering rules: I have tried to disable all drop actions with no luck...

So if I have a clean RouterOS with a WAN static IP on the ether1-gateway, how do I port-forward port 8080 to a static DHCP PC?
Should be easy... but not with MikroTik.....
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Port forwarding

Mon Oct 31, 2016 6:56 pm

It's really as simple as you described.
No need to modify filter rules as NAT happens before firewall.

It'll be good to see your actual rule from /ip firewall nat export to really help you - often enough to-address is confused with dst-address.

-Chris
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 7:03 pm

> It'll be good to see your actual rule from /ip firewall nat export to really help you - often enough to-address is confused with dst-address.
> -Chris
[admin@MikroTik] > /ip firewall nat export 
# oct/31/2016 18:59:40 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080
Looks like everything is fine... But it's not working...
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Port forwarding

Mon Oct 31, 2016 7:37 pm

Hi,

Remove both of them and insert the rules mentioned below, and make the specific changes if your IP & subnet differ.

add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080

We hope this will resolve your issue.
 
echelle
just joined
Posts: 6
Joined: Sat Oct 29, 2016 5:10 pm

Re: Port forwarding

Mon Oct 31, 2016 7:52 pm

I need help here. My port forwarding is not working. Currently I have two static ISPs and I try to port forward my IP camera to one of the ISPs, but no luck.

Currently I don't have any firewall rules because I reset my router with "NO TO DEFAULT CONFIGURATION". Maybe I miss something in the firewall rules.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=121.96.x.x
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
119.92.x.x
add action=dst-nat chain=dstnat dst-address=119.92.x.x dst-port=7979 \
protocol=tcp to-addresses=192.168.0.12 to-ports=7979
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 8:24 pm

The change to the masquerade rule fixed part of the problem... Now when I try to visit this port from inside I'm getting port-forwarded. But it's not working from outside (WAN)!
add action=masquerade chain=srcnat src-address=192.168.88.0/24
Could you explain why "Quick Set" generated the masquerade rule like this, and why it's not working properly with port-forwarding:
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
I guess that's because masquerading was affecting all traffic to ether1-gateway including port-forwarding... I've tried to reorder these rules and put my port-forwarding on top of masquerading with no luck...
I'm seeing a lot of port-forwarding questions on the forum... I guess that's because of the auto-generated masquerading that does not allow port-forwarding.
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Port forwarding

Mon Oct 31, 2016 8:45 pm

You also need to add a second rule if you want to get access from outside of your network.
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 8:56 pm

> You also need to add a second rule if you want to get access from outside of your network.
Sorry, I don't understand you... my current rules:
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080
What else should I add?
I guess I have to make srcnat like in iptables prerouting/postrouting dnat/snat...
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Port forwarding

Mon Oct 31, 2016 9:00 pm

add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080
Add the interface & try to access from WAN.
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 9:12 pm

> Add the interface & try to access from WAN.
Now it's not working at all... not from WAN, nor from LAN...
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding

Mon Oct 31, 2016 9:23 pm

> Maybe I miss something in the firewall rules.
Yes, quite a lot. You need to make sure that incoming connections go back to the same ISP. Something like this. One more helpful tip: do not post your problems to other people's topics, even if they are similar. Unless it's exactly the same problem, opening a new topic is better for everyone, including yourself.
> I guess that's because masquerading was affecting all traffic to ether1-gateway including port-forwarding...
No, that was probably because you were testing it from LAN and port forwarding doesn't work from there by default. By removing out-interface from the masquerade rule, you created a variant of hairpin NAT. Your last rules should work. If not, it's either blocked by the target machine (make sure it allows connections from any address) or in the router's forward chain. Add this rule to allow all forwarded ports:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Port forwarding

Mon Oct 31, 2016 9:27 pm

Agree with sob. :)
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 9:51 pm

> No, that was probably because you were testing it from LAN and port forwarding doesn't work from there by default. By removing out-interface from the masquerade rule, you created a variant of hairpin NAT. Your last rules should work. If not, it's either blocked by the target machine (make sure it allows connections from any address)
I was checking from both WAN and LAN... With no luck... The target machine accepts all traffic, the web server listens on 0.0.0.0 ...
> or in the router's forward chain. Add this rule to allow all forwarded ports:
> /ip firewall filter add action=accept chain=forward connection-nat-state=dstnat
This rule did not help.

I've read about hairpin NAT... I can see that I'm trying to do exactly the same scenario... But with my configuration I'm able to port-forward in LAN, but not from WAN... Which is different from what is described in the article... I will try to dive deeper to better understand what's happening... Thank you...
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding

Mon Oct 31, 2016 9:57 pm

You can also try to post whole firewall config, maybe someone will spot something obvious.
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 10:19 pm

I've enabled logging on the filter rule (that allows all port-forwarding) and on the port-forwarding rule itself, with web-filter and web-nat respectively. Here are the logs:
[screenshot of the firewall log]

Here are my firewall rules:
[admin@MikroTik] > /ip firewall export
# oct/31/2016 22:17:39 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-nat-state="" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat log=yes log-prefix=web-filter
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=80 log=yes log-prefix=web-nat protocol=tcp to-addresses=192.168.88.2 to-ports=80
I'm concerned about "dstnat out:(none)" ... looks like this is my problem...
Thanks.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding

Mon Oct 31, 2016 10:33 pm

Packets in dstnat chain don't yet know where they'll go, so "dstnat out:(none)" is fine. Looking at your log with all those repeating SYN packets, it looks like port forwarding is ok, but 192.168.88.2 is not accepting the connection.
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 10:53 pm

OK, you are right, here is tcpdump from the host (Ubuntu 14.04)...
# tcpdump -i eth1 tcp port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087187 ecr 0,nop,wscale 7]
20:50:48.554298 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087437 ecr 0,nop,wscale 7]
20:50:50.558430 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087938 ecr 0,nop,wscale 7]
20:50:54.566136 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990088940 ecr 0,nop,wscale 7]
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
# ufw status
Status: inactive

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# netstat -tulpn | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5211/nginx -g daemo
So I don't have any firewall, my web server is listening on all interfaces...
But I have TCP SYN packets without an answer... WTF???=\
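The signal Sob reads off the log (the same SYN retransmitted again and again with no SYN/ACK coming back) can be checked mechanically. This is an added example, not code from the thread: it parses tcpdump lines in the format shown above; the second client 203.0.113.7 and its completed handshake are constructed so a healthy flow sits beside the broken one.

```python
import re
from collections import defaultdict

# Constructed sample: the four unanswered SYNs from the thread plus one healthy
# handshake from a made-up client (203.0.113.7, TEST-NET-3) for comparison.
SAMPLE = """\
20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200
20:50:48.554298 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200
20:50:50.558430 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200
20:50:54.566136 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200
20:51:01.000000 IP 203.0.113.7.40000 > 192.168.88.2.80: Flags [S], seq 1, win 29200
20:51:01.000400 IP 192.168.88.2.80 > 203.0.113.7.40000: Flags [S.], seq 2, ack 2, win 28960
20:51:01.000800 IP 203.0.113.7.40000 > 192.168.88.2.80: Flags [.], ack 3, win 229
"""

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(line):
    """Return (src, sport, dst, dport, flags) or None for non-matching lines."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def classify_handshakes(text):
    """Map (client, cport, server, sport) -> (syn_count, synack_seen)."""
    flows = defaultdict(lambda: [0, False])
    for line in text.splitlines():
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if flags == "S":            # bare SYN travels client -> server
            flows[(src, sport, dst, dport)][0] += 1
        elif flags == "S.":         # SYN/ACK travels server -> client; key by client side
            flows[(dst, dport, src, sport)][1] = True
    return {k: tuple(v) for k, v in flows.items()}

def unanswered_syns(text, min_syns=3):
    """Flows whose SYN was sent at least min_syns times and never got a SYN/ACK:
    the forward reached the host, but the host (or its reply path) is not answering."""
    return [k for k, (n, acked) in classify_handshakes(text).items()
            if n >= min_syns and not acked]
```

Run it against a capture taken on the forwarded host: a flow listed by `unanswered_syns` means the router's dst-nat is doing its job and the problem is on the server side, exactly the split this thread ends up making.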
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Mon Oct 31, 2016 11:41 pm

Thanks to all of you!
I think I've nailed down the issue to my Ubuntu server not responding to TCP SYN packets...
Not a Mikrotik related issue... just bad network configuration on my Ubuntu server...
Thank you again!
 
silversword
Frequent Visitor
Posts: 58
Joined: Tue Jul 23, 2013 3:36 pm

Re: Port forwarding

Tue Nov 01, 2016 12:10 am

> Thanks to all of you!
> I think I've nailed down the issue to my Ubuntu server not responding to TCP SYN packets...
> Not a Mikrotik related issue... just bad network configuration on my Ubuntu server...
> Thank you again!
Can you elaborate, and post what you did to fix? I have also been troubleshooting intermittent connectivity issues with hairpin enabled... and it's been to an Ubuntu server thus far (running different servers on unique ports). Was thinking it was hairpin, then a fasttrack issue. Neither has panned out.

Thx
 
USvER
just joined
Topic Author
Posts: 10
Joined: Mon Oct 31, 2016 6:05 pm

Re: Port forwarding

Tue Nov 01, 2016 1:00 am

> Can you elaborate, and post what you did to fix? I have also been troubleshooting intermittent connectivity issues with hairpin enabled... and it's been to an Ubuntu server thus far (running different servers on unique ports). Was thinking it was hairpin, then a fasttrack issue. Neither has panned out.
> Thx
My problem was really simple. I had two Ethernet cards, with the default Ethernet card looking at the other network. Thus my eth1 was facing the MikroTik router but wasn't the default route. That's why SYN packets were coming in on eth1 while the SYN/ACK was going out eth0 and dropped by the kernel.
Pretty stupid issue... Sorry for taking your time guys!
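Why the SYN/ACK left on eth0, as an added example rather than anything posted in the thread: a small model of the Linux route lookup for the reply path of the multi-homed host, followed by the policy-routing rule that pins replies sourced from 192.168.88.2 back through eth1. Assumed because the thread does not give them: the eth0 network 10.0.0.0/24 via 10.0.0.1, the router address 192.168.88.1 and routing table id 100.

```python
import ipaddress

# Constructed model of the two-NIC Ubuntu host. The eth1 side follows the thread
# (192.168.88.0/24, MikroTik assumed at 192.168.88.1); eth0 on 10.0.0.0/24 with
# the default route is an assumed stand-in for the "other network".
LOCAL_IP = "192.168.88.2"
MAIN = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "eth0"), ("192.168.88.0/24", "eth1")]
TABLES_BEFORE = {"main": MAIN}
RULES_BEFORE = [("0.0.0.0/0", "main")]        # one rule: every source uses main

def egress_dev(src, dst, tables, rules):
    """Linux-style lookup: rules are tried in order, the first whose 'from' prefix
    contains src selects a table; the longest matching prefix in that table wins.
    A table with no route for dst falls through to the next rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for from_prefix, table in rules:
        if s not in ipaddress.ip_network(from_prefix):
            continue
        hits = [(ipaddress.ip_network(p), dev) for p, dev in tables[table]
                if d in ipaddress.ip_network(p)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None

def reply_symmetric(ingress_dev, client, tables, rules, local_ip=LOCAL_IP):
    """True when the SYN/ACK to client leaves on the interface the SYN arrived on."""
    return egress_dev(local_ip, client, tables, rules) == ingress_dev

def policy_routing_fix(local_ip, gateway, dev, table_id=100):
    """iproute2 commands that route everything sourced from local_ip via dev's
    gateway, plus the resulting rule/table model so the effect can be checked first."""
    cmds = [f"ip route add default via {gateway} dev {dev} table {table_id}",
            f"ip rule add from {local_ip}/32 lookup {table_id}"]
    tables = {str(table_id): [("0.0.0.0/0", dev)], "main": MAIN}
    rules = [(f"{local_ip}/32", str(table_id)), ("0.0.0.0/0", "main")]
    return cmds, tables, rules

CMDS, TABLES_AFTER, RULES_AFTER = policy_routing_fix(LOCAL_IP, "192.168.88.1", "eth1")

if __name__ == "__main__":
    client = "167.114.118.4"   # the WAN client seen in the thread's tcpdump
    print("before:", reply_symmetric("eth1", client, TABLES_BEFORE, RULES_BEFORE))  # False
    print("after: ", reply_symmetric("eth1", client, TABLES_AFTER, RULES_AFTER))    # True
    print("\n".join(CMDS))
```

The kernel drop the poster describes is the reverse-path check (rp_filter) doing its job: a reply that would leave on a different interface than the request arrived on is treated as spoofed, so the fix is to make the reply path symmetric rather than to loosen the check.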