Port forwarding
Posted: Mon Oct 31, 2016 6:39 pm
by USvER
Can't get my port forwarding working.
I'm doing it as described in many tutorials: added a dst-nat action to the dst-nat chain, but it's not working.
I guess I have to fix some filtering rules: I have tried disabling all drop actions with no luck...
So if I have a clean RouterOS with a WAN static IP on the eth1-gateway, how do I port-forward port 8080 to a static DHCP PC?
Should be easy... but not with MikroTik.....
Re: Port forwarding
Posted: Mon Oct 31, 2016 6:56 pm
by cdiedrich
It's really as simple as you described.
No need to modify filter rules, as NAT happens before the firewall.
It'd be good to see your actual rule from /ip firewall nat export to really help you; often enough, to-address is confused with dst-address.
-Chris
Re: Port forwarding
Posted: Mon Oct 31, 2016 7:03 pm
by USvER
It'd be good to see your actual rule from /ip firewall nat export to really help you; often enough, to-address is confused with dst-address.
-Chris
[admin@MikroTik] > /ip firewall nat export
# oct/31/2016 18:59:40 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080
Looks like everything is fine... But it's not working...
Re: Port forwarding
Posted: Mon Oct 31, 2016 7:37 pm
by Delte
Hi,
Remove both of them and insert the rules below, making the specific changes if your IP and subnet differ.
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080
We hope this will resolve your issue.
Re: Port forwarding
Posted: Mon Oct 31, 2016 7:52 pm
by echelle
I need help here. My port forwarding is not working. Currently I have two static ISPs and I'm trying to port-forward my IP camera to one of the ISPs, but no luck.
Currently I don't have firewall rules because I reset my router with "NO TO DEFAULT CONFIGURATION". Maybe I'm missing something in the firewall rules.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=121.96.x.x
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
119.92.x.x
add action=dst-nat chain=dstnat dst-address=119.92.x.x dst-port=7979 \
protocol=tcp to-addresses=192.168.0.12 to-ports=7979
Re: Port forwarding
Posted: Mon Oct 31, 2016 8:24 pm
by USvER
Changing the masquerade rule fixed part of the problem... Now when I try to visit this port from inside I'm getting port-forwarded. But it's not working from outside (WAN)!
add action=masquerade chain=srcnat src-address=192.168.88.0/24
Could you explain why "Quick Set" generated a masquerade rule like this, and why it's not working properly with port forwarding:
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
I guess that's because masquerading was affecting all traffic to ether1-gateway, including port forwarding... I've tried reordering these rules and putting my port forwarding on top of the masquerade rule, with no luck...
I'm seeing a lot of port-forwarding questions on the forum... I guess that's because of the auto-generated masquerade rule that does not allow port forwarding.
Re: Port forwarding
Posted: Mon Oct 31, 2016 8:45 pm
by Delte
You also need to add a second rule if you want to get access from outside of your network.
Re: Port forwarding
Posted: Mon Oct 31, 2016 8:56 pm
by USvER
You also need to add a second rule if you want to get access from outside of your network.
Sorry, I don't understand you... My current rules:
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080
What else should I add?
I guess I have to make srcnat like in iptables prerouting/postrouting dnat/snat...
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:00 pm
by Delte
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080
Add the interface and try to access it from WAN.
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:12 pm
by USvER
Add the interface and try to access it from WAN.
Now it's not working at all... not from WAN, nor from LAN...
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:23 pm
by Sob
Maybe I'm missing something in the firewall rules.
Yes, quite a lot. You need to make sure that incoming connections go back to the same ISP. Something like this. One more helpful tip: do not post your problems to other people's topics, even if they are similar. Unless it's exactly the same problem, opening a new topic is better for everyone, including yourself.
I guess that's because masquerading was affecting all traffic to ether1-gateway, including port forwarding...
No, that was probably because you were testing it from LAN, and port forwarding doesn't work from there by default. By removing out-interface from the masquerade rule, you created a variant of hairpin NAT. Your last rules should work. If not, it's either blocked by the target machine (make sure it allows connections from any address) or in the router's forward chain. Add this rule to allow all forwarded ports:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
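Putting Sob's three points together (masquerade only on the WAN interface, a hairpin rule so LAN clients can also reach the server via the public IP, and a forward-chain accept keyed on connection-nat-state), here is a complete RouterOS 6 configuration as an added example; it is not any poster's export. It assumes the WAN is ether1-gateway with public IP 109.251.71.5, the LAN is 192.168.88.0/24, and the server is 192.168.88.2:8080, as in the thread.

```routeros
# Added example, not taken from the thread. Assumed layout: WAN = ether1-gateway
# (109.251.71.5), LAN = 192.168.88.0/24, server = 192.168.88.2 listening on 8080.
/ip firewall nat
# Normal outbound NAT, limited to the WAN interface so it does not touch LAN traffic
add action=masquerade chain=srcnat out-interface=ether1-gateway
# Hairpin NAT: a LAN client connecting to the public IP is dst-nat'ed to the server;
# also rewrite its source so the server's reply returns through the router instead
# of going directly to the client (which would break the connection).
# srcnat runs after dst-nat, so dst-address/dst-port are the translated values.
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.2 protocol=tcp dst-port=8080
# The port forward itself. Deliberately no in-interface: the same rule must match
# connections arriving from WAN and the hairpin case arriving from LAN.
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080
/ip firewall filter
# Keep the default established/related accept rules above these two.
# Let through only new connections that were dst-nat'ed, then drop every other
# new connection coming in from WAN. One accept covers all forwarded ports.
add action=accept chain=forward connection-nat-state=dstnat connection-state=new
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
```

The hairpin rule is the only one that needs to know the server's address and port; the dst-nat and filter rules are generic to every forward. Adding in-interface=ether1-gateway to the dst-nat rule restricts the forward to WAN clients, at which point the hairpin rule never matches and LAN tests via the public IP stop working.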
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:27 pm
by Delte
Agree with Sob.
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:51 pm
by USvER
No, that was probably because you were testing it from LAN, and port forwarding doesn't work from there by default. By removing out-interface from the masquerade rule, you created a variant of hairpin NAT. Your last rules should work. If not, it's either blocked by the target machine (make sure it allows connections from any address)
I was checking from both WAN and LAN... with no luck... The target machine accepts all traffic; the web server listens on 0.0.0.0 ...
or in the router's forward chain. Add this rule to allow all forwarded ports:
/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat
This rule did not help.
I've read about hairpin NAT... I can see that I'm trying to do exactly the same scenario... But with my configuration I'm able to port-forward from LAN, but not from WAN... which is different from what is described in the article... I will try to dive deeper to better understand what's happening... Thank you...
Re: Port forwarding
Posted: Mon Oct 31, 2016 9:57 pm
by Sob
You can also try posting your whole firewall config; maybe someone will spot something obvious.
Re: Port forwarding
Posted: Mon Oct 31, 2016 10:19 pm
by USvER
I've enabled logging on the filter rule (the one that allows all port forwarding) and on the port forwarding itself, with the prefixes web-filter and web-nat respectively. Here are the logs:
Here are my firewall rules:
[admin@MikroTik] > /ip firewall export
# oct/31/2016 22:17:39 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-nat-state="" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat log=yes log-prefix=web-filter
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=80 log=yes log-prefix=web-nat protocol=tcp to-addresses=192.168.88.2 to-ports=80
I'm concerned about "dstnat out:(none)"... looks like this is my problem...
Thanks.
Re: Port forwarding
Posted: Mon Oct 31, 2016 10:33 pm
by Sob
Packets in the dstnat chain don't yet know where they'll go, so "dstnat out:(none)" is fine. Looking at your log with all those repeating SYN packets, it looks like port forwarding is OK, but 192.168.88.2 is not accepting the connection.
Re: Port forwarding
Posted: Mon Oct 31, 2016 10:53 pm
by USvER
OK, you are right. Here is tcpdump from the host (Ubuntu 14.04)...
# tcpdump -i eth1 tcp port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087187 ecr 0,nop,wscale 7]
20:50:48.554298 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087437 ecr 0,nop,wscale 7]
20:50:50.558430 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087938 ecr 0,nop,wscale 7]
20:50:54.566136 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990088940 ecr 0,nop,wscale 7]
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
# ufw status
Status: inactive
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# netstat -tulpn | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5211/nginx -g daemo
So I don't have any firewall, and my web server is listening on all interfaces...
But I have TCP SYN packets without an answer... WTF???=\
Re: Port forwarding
Posted: Mon Oct 31, 2016 11:41 pm
by USvER
Thanks to all of you!
I think I've nailed down the issue to my Ubuntu server not responding to TCP SYN packets...
Not a MikroTik-related issue... just bad network configuration on my Ubuntu server...
Thank you again!
Re: Port forwarding
Posted: Tue Nov 01, 2016 12:10 am
by silversword
Thanks to all of you!
I think I've nailed down the issue to my Ubuntu server not responding to TCP SYN packets...
Not a MikroTik-related issue... just bad network configuration on my Ubuntu server...
Thank you again!
Can you elaborate, and post what you did to fix it? I have also been troubleshooting intermittent connectivity issues with hairpin enabled... and it's been to an Ubuntu server thus far (running different servers on unique ports). Was thinking it was hairpin, then a fasttrack issue. Neither has panned out.
Thx
Re: Port forwarding
Posted: Tue Nov 01, 2016 1:00 am
by USvER
Can you elaborate, and post what you did to fix it? I have also been troubleshooting intermittent connectivity issues with hairpin enabled... and it's been to an Ubuntu server thus far (running different servers on unique ports). Was thinking it was hairpin, then a fasttrack issue. Neither has panned out.
Thx
My problem was really simple. I had two Ethernet cards, with the default Ethernet card facing another network. Thus my eth1 was facing the MikroTik router but wasn't the default route. That's why SYN packets were coming in on eth1 while the SYN/ACKs were going out eth0 and being dropped by the kernel.
Pretty stupid issue... Sorry for taking your time, guys!