Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 6:06 am
by ChipP
For some reason, I can't get port forwarding to work to save my life :( No one can connect externally, and until I get that working I don't want to add the hairpin rules just yet.
[admin@XXXXX] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether1-WAN-1 log=no 
      log-prefix="" 

 1    ;;; Windows Server RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3389 log=no log-prefix="" 

 2    ;;; Windows Server RDP UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3389 log=no log-prefix="" 

 3    ;;; Windows Server GameSvrs 1 TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=6001-9999 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=6001-9999 log=no log-prefix="" 

 4    ;;; Windows Server GameSvrs 1 UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=6001-9999 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=6001-9999 log=no log-prefix="" 

 5    ;;; Windows Server GameSvrs 2 TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 
      to-ports=25000-50000 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=25000-50000 log=no log-prefix="" 

 6    ;;; Windows Server GameSvrs 2 UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 
      to-ports=25000-50000 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=25000-50000 log=no log-prefix="" 

 7    ;;; Linux Server Lower Web TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=80-3300 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=80-3300 log=no log-prefix="" 

 8    ;;; Linux Server Lower Web UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=80-3300 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=80-3300 log=no log-prefix="" 

 9    ;;; Linux Server Upper Web Web TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=3400-6000 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3400-6000 log=no log-prefix="" 

10    ;;; Linux Server Upper Web Web UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=3400-6000 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3400-6000 log=no log-prefix="" 

11    ;;; Linux Server WebMin TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 
      to-ports=10000-20000 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=10000-20000 log=no log-prefix="" 

12    ;;; Linux Server WebMin UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 
      to-ports=10000-20000 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=10000-20000 log=no log-prefix="" 

13    ;;; Joe Dirt RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 to-ports=3390 
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3390 log=no log-prefix="" 

14    ;;; Joe Dirt Games TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 
      to-ports=24100-24299 protocol=tcp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=24100-24299 log=no log-prefix="" 

15    ;;; Joe Dirt RDP UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 to-ports=3390 
      protocol=udp dst-address=107.x.x.x in-interface=ether1-WAN-1 
      dst-port=3390 log=no log-prefix="" 

16    ;;; Joe Dirt Games UDP
      chain=dstnat action=dst-nat to-addresses=192.168.0.230 
      to-ports=24100-24299 protocol=udp dst-address=107.x.x.x 
      in-interface=ether1-WAN-1 dst-port=24100-24299 log=no log-prefix=""
[admin@XXXXX] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 2    ;;; Allow Existing Connections
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 3    ;;; Allow Outbound
      chain=forward action=accept src-address=192.168.0.0/16 log=no 
      log-prefix="" 

 4    ;;; Allow WindowsServer
      chain=forward action=accept protocol=udp 
      dst-port=3389,6001-9999,25000-50000 log=no log-prefix="" 

 5    ;;; Allow WindowsServer
      chain=forward action=accept protocol=tcp 
      dst-port=3389,6001-9999,25000-50000 log=no log-prefix="" 

 6    ;;; Allow JoeDirt Server
      chain=forward action=accept protocol=tcp dst-port=3390,24100-24299 log=no 
      log-prefix="" 

 7    ;;; Allow JoeDirt Server
      chain=forward action=accept protocol=udp dst-port=3390,24100-24299 log=no 
      log-prefix="" 

 8    ;;; Allow LinuxServer
      chain=forward action=accept protocol=tcp 
      dst-port=2-3300,3400-6000,10000-20000 log=no log-prefix="" 

 9    ;;; Allow LinuxServer
      chain=forward action=accept protocol=udp 
      dst-port=2-3300,3400-6000,10000-20000 log=no log-prefix="" 
Anyone mind lending a hand?
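A small config audit for listings like the two above, added here as an example and not code from the thread: it parses RouterOS `print` output, checks each dst-nat rule's to-ports against the forward chain (which matches on the already-translated destination port, so a forward rule for 3389 still covers a 53389 -> 3389 PAT), and flags that the forward chain has no terminating drop rule, which is also the case for the listing posted above. The sample listings are constructed and abridged from the rules in the thread; the LinuxServer accept is deliberately left out so there is a gap to report.

```python
import re
# Constructed sample in the shape of the thread's `/ip firewall nat print` and
# `/ip firewall filter print` output; the LinuxServer accept is left out on purpose.
NAT_PRINT = """\
 1    ;;; Windows Server RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389
      protocol=tcp in-interface=ether1-WAN-1 dst-port=53389 log=no log-prefix=""
 7    ;;; Linux Server Lower Web TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.250 to-ports=80-3300
      protocol=tcp in-interface=ether1-WAN-1 dst-port=80-3300 log=no log-prefix=""
"""
FILTER_PRINT = """\
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 5    ;;; Allow WindowsServer
      chain=forward action=accept protocol=tcp dst-port=3389,6001-9999,25000-50000
"""
RULE_START = re.compile(r"^\s*(\d+)\s+(?:[XID]\s+)*(.*)$")  # " 0  D ;;; x" / " 1    chain=x"
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_print(text):
    """Turn RouterOS `print` output into a list of {key: value} rules (comment kept)."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:                                   # a new numbered rule starts here
            rules.append({"id": int(m.group(1)), "comment": ""})
            line = m.group(2)
        if rules and line.strip().startswith(";;;"):
            rules[-1]["comment"] = line.strip()[3:].strip()
        elif rules:                             # key=value pairs, possibly a wrapped line
            rules[-1].update((k, v.strip('"')) for k, v in KV.findall(line))
    return rules

def port_ranges(spec):                          # "3389,6001-9999" -> [(3389,3389),(6001,9999)]
    return [(int(lo), int(hi or lo)) for lo, _, hi in
            (p.partition("-") for p in spec.split(","))]

def audit(nat_text, filter_text):
    """Check each dst-nat rule against the forward chain, which sees the translated port."""
    fwd = [r for r in parse_print(filter_text) if r.get("chain") == "forward"]
    findings = [] if any(r.get("action") in ("drop", "reject") for r in fwd) else [
        "forward: no drop/reject rule, so the per-port accept rules decide nothing"]
    for r in (x for x in parse_print(nat_text) if x.get("action") == "dst-nat"):
        accepts = [pr for f in fwd if f.get("action") == "accept" and "dst-port" in f
                   and f.get("protocol") == r.get("protocol") for pr in port_ranges(f["dst-port"])]
        for lo, hi in port_ranges(r.get("to-ports", r["dst-port"])):  # post-NAT dst port
            if not any(a <= lo and hi <= b for a, b in accepts):
                findings.append(f"rule {r['id']}: {r['protocol']} {lo}-{hi} not accepted in forward")
    return findings
```

Run `audit(NAT_PRINT, FILTER_PRINT)` on a pasted pair of listings to get the findings as a list of strings; an empty list means every forwarded port is explicitly accepted and the chain ends in a drop.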

Re: Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 6:40 am
by emikrotik
1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH

Re: Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 6:54 am
by ChipP
1 to 1 NAT
;;; RDP
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=3389
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=3389
log=no log-prefix=""

Port Redirection
;;; SSH
chain=dstnat action=dst-nat to-addresses=10.x.x.x to-ports=22
protocol=tcp dst-address=x.x.x.x in-interface=sfp3 dst-port=2233
log=no log-prefix=""

May also have to do with the order your rules are in.

Order should be:
1. NAT Bypass for IPSec tunnels
2. Source NAT rules
3. Destination NAT rules
4. Masquerade

HTH
I've already tried reordering (moved the masquerade rule to the bottom) earlier; that didn't help, no one can open a port to anything but the router.

I'll try forwarding the router's port 22 and see if that works.

Hang on, I'm not even forwarding port 22, that rule shouldn't impact anything.

Re: Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 9:34 am
by aacable
Sometimes a few common ports are silently blocked by the upstream providers.
Try PAT; for example, forward port 55510 to your local server IP, port 3389.

Re: Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 4:00 pm
by ajack46
Sometimes a few common ports are silently blocked by the upstream providers.
Try PAT; for example, forward port 55510 to your local server IP, port 3389.
But why is it that the common ports are blocked?

Re: Port Forwarding Woes :(

Posted: Thu Jun 22, 2017 5:11 pm
by BartoszP
Do you have a public IP on the WAN interface?

To check if common ports are blocked, try changing the first rule to:
 1    ;;; Windows Server RDP TCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=3389
      protocol=tcp dst-address=107.x.x.x in-interface=ether1-WAN-1
      dst-port=53389 log=no log-prefix=""
so you need to make the RDP connection to port 53389 on the WAN side. You will see whether NAT works.

Re: Port Forwarding Woes :(

Posted: Mon Jul 24, 2017 3:05 am
by emikrotik
Sometimes a few common ports are silently blocked by the upstream providers.
Try PAT; for example, forward port 55510 to your local server IP, port 3389.
But why is it that the common ports are blocked?
To stop people with residential Internet connections hosting mail servers, etc.

Re: Port Forwarding Woes :(

Posted: Mon Jul 24, 2017 3:08 am
by emikrotik
I've already tried reordering (moved the masquerade rule to the bottom) earlier; that didn't help, no one can open a port to anything but the router.

I'll try forwarding the router's port 22 and see if that works.

Hang on, I'm not even forwarding port 22, that rule shouldn't impact anything.
Were you able to get this working?

If you are testing SSH to the firewall, you will have to select the input chain.

Re: Port Forwarding Woes :(

Posted: Mon Jul 24, 2017 5:05 am
by ChipP
Were you able to get this working?

If you are testing SSH to the firewall, you will have to select the input chain.
I did. It seems like something was not working within the router cache or something; after a restart it started working with my old configuration :S