Elemoprime
just joined
Topic Author
Posts: 5
Joined: Sun Mar 11, 2018 2:53 pm

Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Mar 11, 2018 3:16 pm

Hello.

I needed to forward port 4370 through a static real IP that I have on the Cisco router, so I did the following:
/ip firewall nat
chain=src-nat action=src-nat out-interface=Local src-address=192.168.88.252 to-addresses=192.168.2.5
add chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
Here 192.168.2.5 is the IP defined on the MikroTik for the leased line, and 192.168.2.1 is the IP of the interface on the Cisco router connecting to port 2 on the MikroTik.

I am already sure of the configuration on the Cisco router, as it was given by my ISP:
ip nat inside source static tcp 192.168.2.5 4370 x.x.x.203 4370
What is missing in this configuration?
 
sindy
Forum Guru
Posts: 11252
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Mar 11, 2018 3:42 pm

> Hello.
>
> I needed to forward port 4370 through a static real IP that I have on the Cisco router, so I did the following:
> /ip firewall nat
> chain=src-nat action=src-nat out-interface=Local src-address=192.168.88.252 to-addresses=192.168.2.5
> add chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
> Here 192.168.2.5 is the IP defined on the MikroTik for the leased line, and 192.168.2.1 is the IP of the interface on the Cisco router connecting to port 2 on the MikroTik.
>
> I am already sure of the configuration on the Cisco router, as it was given by my ISP:
> ip nat inside source static tcp 192.168.2.5 4370 x.x.x.203 4370
> What is missing in this configuration?
I'm not sure whether the src-nat rule is necessary at all, but if it is, out-interface=Local is only correct if it is the name of the interface connected to the Cisco.
 
erfanurmia
newbie
Posts: 31
Joined: Wed Mar 07, 2018 11:14 am

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Mar 11, 2018 6:54 pm

You connected the Cisco and the MikroTik in the same subnet, so what do you need to NAT?
Your inside subnets on the Cisco side reach the MikroTik, are added to the routing table on the MikroTik, and in the firewall you can manage any connection, i.e. which IP reaches which one.

Otherwise, if you connect to the MikroTik through the Internet connection, your configuration on the MikroTik side is:
mikrotik:
/ip firewall nat
chain = dst-nat
dst-add = ip public on mikrotik side
dst-port = 4370
action = dst-nat
to-address = your server address or client address
to-port = 4370

on cisco:
For connecting to (mikrotik public ip : 4370), your subnets on the Cisco side must simply have Internet access.
If you want your subnets on the Cisco side to have Internet access:
ip nat inside source list (access-list number) (wan interface) overload
Or if you want to set static NAT:
ip nat inside source static (subnets ips) (ip public on cisco side)

gone!!
 
Elemoprime
just joined
Topic Author
Posts: 5
Joined: Sun Mar 11, 2018 2:53 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Mon Mar 12, 2018 5:31 pm

> > Hello.
> >
> > I needed to forward port 4370 through a static real IP that I have on the Cisco router, so I did the following:
> > /ip firewall nat
> > chain=src-nat action=src-nat out-interface=Local src-address=192.168.88.252 to-addresses=192.168.2.5
> > add chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
> > Here 192.168.2.5 is the IP defined on the MikroTik for the leased line, and 192.168.2.1 is the IP of the interface on the Cisco router connecting to port 2 on the MikroTik.
> >
> > I am already sure of the configuration on the Cisco router, as it was given by my ISP:
> > ip nat inside source static tcp 192.168.2.5 4370 x.x.x.203 4370
> > What is missing in this configuration?
> I'm not sure whether the src-nat rule is necessary at all, but if it is, out-interface=Local is only correct if it is the name of the interface connected to the Cisco.
The local interface is port 1 on the MikroTik, the leased line is connected to port 2 on the MikroTik, and Local is the load-balanced lines connected together to give the network its Internet connection.
 
Elemoprime
just joined
Topic Author
Posts: 5
Joined: Sun Mar 11, 2018 2:53 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Mon Mar 12, 2018 5:44 pm

> You connected the Cisco and the MikroTik in the same subnet, so what do you need to NAT?
> Your inside subnets on the Cisco side reach the MikroTik, are added to the routing table on the MikroTik, and in the firewall you can manage any connection, i.e. which IP reaches which one.
>
> Otherwise, if you connect to the MikroTik through the Internet connection, your configuration on the MikroTik side is:
> mikrotik:
> /ip firewall nat
> chain = dst-nat
> dst-add = ip public on mikrotik
> dst-port = 4370
> action = dst-nat
> to-address = your server address or client address
> to-port = 4370
>
> on cisco:
> For connecting to (mikrotik public ip : 4370), your subnets on the Cisco side must simply have Internet access.
> If you want your subnets on the Cisco side to have Internet access:
> ip nat inside source list (access-list number) (wan interface) overload
> Or if you want to set static NAT:
> ip nat inside source static (subnets ips) (ip public on cisco side)
> gone!!
What do you mean by public IP on the MikroTik side?
The IP for the leased line is defined on the MikroTik as 192.168.2.5, and the Cisco interface connecting to port 2 on the MikroTik is 192.168.2.1.

As for the rest of my subnet, they all already come out with IP x.x.x.201, and I have 202 through 205 free; this is why I used the command
>> ip nat inside source static tcp 192.168.2.5 4370 x.x.x.203 4370

So what could have gone wrong on my end, that it does not translate between the Cisco and the MikroTik?
There is a check-in/out device that I need to be accessible from outside.
 
sindy
Forum Guru
Posts: 11252
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Mon Mar 12, 2018 6:10 pm

A diagram never makes things worse.

Does the physical topology look as follows?

Internet --- [pub.lic.ip.addr Cisco 192.168.2.1] --- [ether2/192.168.2.5 Mikrotik ether1/x.x.x.1] --- x.x.x.205?

If yes, when you attempt to connect from somewhere in the internet to pub.lic.ip.addr:4370, can you see the packet counter on your Mikrotik firewall rule
chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
to grow?

Or have you only tried to connect to pub.lic.ip.addr:4370 from another device in x.x.x.0/24?
 
Elemoprime
just joined
Topic Author
Posts: 5
Joined: Sun Mar 11, 2018 2:53 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Tue Mar 13, 2018 4:46 pm

> A diagram never makes things worse.
>
> Does the physical topology look as follows?
>
> Internet --- [pub.lic.ip.addr Cisco 192.168.2.1] --- [ether2/192.168.2.5 Mikrotik ether1/x.x.x.1] --- x.x.x.205?
>
> If yes, when you attempt to connect from somewhere in the internet to pub.lic.ip.addr:4370, can you see the packet counter on your Mikrotik firewall rule
> chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
> to grow?
>
> Or have you only tried to connect to pub.lic.ip.addr:4370 from another device in x.x.x.0/24?
I tried to connect from the online service (website) that needs to access the check-in device, and it fails to do so.

The topology looks like this; notice that I have the IPs 203-205 as free statics.

Internet >> GE0/1 (x.x.x.201) on Cisco >> GE0/2 (192.168.2.1) on Cisco >> ether2 (192.168.2.5) on Mikrotik >> ether1 or local (192.168.88.0/24) on Mikrotik >> Check in device (192.168.88.252)
 
sindy
Forum Guru
Posts: 11252
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Tue Mar 13, 2018 5:50 pm

> I tried to connect from the online service (website) that needs to access the check-in device, and it fails to do so.
OK, so I repeat my question: does the packet counter of the rule
chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
grow when the website attempts to access the check-in device?
To avoid some additional questions, can you place here the output of
/ip firewall export
?
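An export like the one sindy asks for is long, and the rules that matter for a port forward are easy to miss in it. The following is an added example, not code from MikroTik or from anyone in the thread: it parses the export format (section headers, `add key=value` rules, backslash line continuations, quoted values), lists the NAT rules that touch a given port, and flags enabled dst-nat rules that match on port alone, with no dst-address or in-interface, since those also rewrite connections arriving from the LAN side. The sample export embedded in it is constructed from rules posted in this thread.

```python
"""Inspect NAT rules in a RouterOS `/ip firewall export` dump.

Added example for this thread, not MikroTik's code nor any poster's. It assumes only the
export layout seen in the thread: `/ip firewall <section>` headers, `add key=value` rules
continued after a trailing backslash, and double-quoted values with backslash escapes.
"""

# Constructed sample modelled on rules posted in the thread; the second NAT rule is the
# topic author's forward for TCP 4370, the others exercise the export's line continuation.
SAMPLE_EXPORT = r'''/ip firewall layer7-protocol
add name="Extension \" .exe \"" regexp="^.get.+\\.exe.\$"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=4370 protocol=tcp to-addresses=\
    192.168.88.252
add action=dst-nat chain=dstnat dst-address=x.x.x.201 dst-port=443,8200 \
    protocol=tcp to-addresses=192.168.88.0 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
'''

NAT_SECTION = "/ip firewall nat"

def join_continuations(text):
    """Merge each line that ends in a backslash with the indented line after it."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines

def tokenize(line):
    """Split on whitespace outside "..."; inside quotes a backslash escapes the next char."""
    tokens, current, quoted, started = [], [], False, False
    chars = iter(line)
    for ch in chars:
        if quoted and ch == "\\":
            current.append(next(chars, ""))
        elif ch == '"':
            quoted, started = not quoted, True
        elif ch.isspace() and not quoted:
            if started:
                tokens.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        tokens.append("".join(current))
    return tokens

def parse_export(text):
    """Return one dict per `add` rule, with its section header kept under '_section'."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = tokenize(line)
        if tokens and tokens[0] == "add":
            rule = {"_section": section}
            for token in tokens[1:]:
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def port_matches(spec, port):
    """True if `port` lies in a RouterOS port spec such as '443,8200' or '5060-5100'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def nat_rules_for_port(rules, port):
    """NAT rules whose dst-port or to-ports covers `port`, disabled ones included."""
    return [
        rule for rule in rules if rule["_section"] == NAT_SECTION
        and any(port_matches(rule[k], port) for k in ("dst-port", "to-ports") if k in rule)
    ]

def unrestricted_dstnat(rules):
    """Enabled dst-nat rules that match on port alone and so also rewrite LAN-side connections."""
    return [
        rule for rule in rules
        if rule["_section"] == NAT_SECTION
        and rule.get("chain") == "dstnat"
        and rule.get("action") == "dst-nat"
        and rule.get("disabled") != "yes"
        and not any(k in rule for k in ("dst-address", "dst-address-type", "in-interface"))
    ]
```

Feed it the real export text in place of SAMPLE_EXPORT; note that an export carries no packet counters, so the counter check sindy asks for still has to be made on the router itself.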
 
Elemoprime
just joined
Topic Author
Posts: 5
Joined: Sun Mar 11, 2018 2:53 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Mar 18, 2018 3:56 pm

> > I tried to connect from the online service (website) that needs to access the check-in device, and it fails to do so.
> OK, so I repeat my question: does the packet counter of the rule
> chain=dstnat action=dst-nat to-addresses=192.168.88.252 protocol=tcp dst-port=4370
> grow when the website attempts to access the check-in device?
> To avoid some additional questions, can you place here the output of
> /ip firewall export
> ?
Sadly the packet counter doesn't grow; there is no traffic at all on that part.
Here are the exported firewall rules; I replaced the leased line IP with x.x.x.#:
/ip firewall layer7-protocol
add name="Extension \" .exe \"" regexp="^.get.+\\.exe.\$"
add name="Extension \" .rar \"" regexp="^.get.+\\.rar.\$"
add name="Extension \" .zip \"" regexp="^.get.+\\.zip.\$"
add name="Extension \" .7z \"" regexp="^.get.+\\.7z.\$"
add name="Extension \" .cab \"" regexp="^.get.+\\.cab.\$"
add name="Extension \" .asf \"" regexp="^.get.+\\.asf.\$"
add name="Extension \" .mov \"" regexp="^.get.+\\.mov.\$"
add name="Extension \" .wmv \"" regexp="^.get.+\\.wmv.\$"
add name="Extension \" .mpg \"" regexp="^.get.+\\.mpg.\$"
add name="Extension \" .mpeg \"" regexp="^.get.+\\.mpeg.\$"
add name="Extension \" .mkv \"" regexp="^.get.+\\.mkv.\$"
add name="Extension \" .avi \"" regexp="^.get.+\\.avi.\$"
add name="Extension \" .flv \"" regexp="^.get.+\\.flv.\$"
add name="youtube Download" regexp=videoplayback
add name="Extension \" .pdf \"" regexp="^.get.+\\.pdf.\$"
add name="Extension \" .wav \"" regexp="^.get.+\\.wav.\$"
add name="Extension \" .wma \"" regexp="^.get.+\\.wma.\$"
add name="Extension \" .rm \"" regexp="^.get.+\\.rm.\$"
add name="Extension \" .mp3 \"" regexp="^.get.+\\.mp3.\$"
add name="Extension \" .mp4 \"" regexp="^.get.+\\.mp4.\$"
add name="Extension \" .ram \"" regexp="^.get.+\\.ram.\$"
add name="Extension \" .rmvb \"" regexp="^.get.+\\.rmvb.\$"
add name="Extension \" .dat \"" regexp="^.get.+\\.dat.\$"
add name="Extension \" .daa \"" regexp="^.get.+\\.daa.\$"
add name="Extension \" .iso \"" regexp="^.get.+\\.iso.\$"
add name="Extension \" .nrg \"" regexp="^.get.+\\.nrg.\$"
add name="Extension \" .bin \"" regexp="^.get.+\\.bin.\$"
add name="Extension \" .vcd \"" regexp="^.get.+\\.vcd.\$"
add name="shady Download" regexp=videoplayback
add comment="Youtube Block" name="Youtube Block" regexp=^.+youtube.com.*S
add comment="Facebook block" name="Facebook block" regexp=^.+facebook.*S
add comment="Chess Block" name="Chess Block" regexp=^.+chess.com.*S
/ip firewall address-list
add address=111.221.74.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=yes list=\
    skype_servers_z
/ip firewall filter
add action=drop chain=forward comment="youtube layer 7 protocol" \
    layer7-protocol="Youtube Block" src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Facebook layer 7 block" \
    layer7-protocol="Facebook block" src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward disabled=yes layer7-protocol="Youtube Block" \
    src-address=192.168.88.30
add action=drop chain=forward disabled=yes layer7-protocol=\
    "Facebook block" src-address=192.168.88.30
add action=drop chain=forward comment="facebook layer 7 block" \
    layer7-protocol="Facebook block" src-address=\
    192.168.88.2-192.168.88.20
add action=drop chain=forward comment="youtube layer 7 block" \
    layer7-protocol="Youtube Block" src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward comment="block spotify" dst-address=\
    192.182.8.0/21 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=194.68.28.0/22 src-address=\
    192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=78.31.8.0/21 src-address=\
    192.168.88.2-192.168.88.20
add action=drop chain=forward dst-port=4070 protocol=tcp src-address=\
    192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=194.182.8.0/21 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward dst-address=194.68.28.0/22 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward dst-address=78.31.8.0/21 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward dst-port=4070 protocol=tcp src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="block soundcloud" dst-address=\
    93.184.220.127 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=93.184.220.127 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 1st range block" \
    dst-address=66.220.144.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=66.220.144.0/24 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 2nd range block" \
    dst-address=69.63.176.0/24 src-address=192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 3rd range block" \
    dst-address=204.15.20.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=204.15.20.0/24 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 4th range block" \
    dst-address=179.60.192.36 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward comment="facebook 2nd range block" \
    dst-address=69.63.176.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward comment="facebook 4th range block" \
    dst-address=179.60.192.36 src-address=192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 1st IP block" dst-address=\
    213.158.178.46 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.178.46 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 2nd IP block" dst-address=\
    213.158.178.53 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.178.53 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Facebook 5th range block" \
    dst-address=31.13.91.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=31.13.91.0/24 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 6th range block" \
    dst-address=31.13.64.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=31.13.64.0/24 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="facebook 5th range modified block" \
    dst-address=31.13.92.0/24 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=31.13.92.0/24 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 3rd IP Block" dst-address=\
    213.158.198.46 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.198.46 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 4th IP Block" dst-address=\
    216.58.212.14 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=216.58.212.14 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 5th IP Block" dst-address=\
    216.58.209.174 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=216.58.209.174 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 6th IP Block" dst-address=\
    213.158.178.31 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.178.31 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 7th IP Block" disabled=yes \
    dst-address=216.58.198.46 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward disabled=yes dst-address=216.58.198.46 \
    src-address=192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 8th IP Block" dst-address=\
    213.158.178.18 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.178.18 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Youtube 9th IP Block" dst-address=\
    213.158.178.52 src-address=192.168.88.2-192.168.88.20
add action=drop chain=forward dst-address=213.158.178.52 src-address=\
    192.168.88.37-192.168.88.249
add action=drop chain=forward comment="Chess.com block" dst-address=\
    104.17.238.85 src-address=192.168.88.0-192.168.88.254
/ip firewall mangle
add chain=prerouting disabled=yes in-interface=WAN1
add chain=prerouting in-interface=WAN2
add chain=prerouting in-interface=WAN3
add chain=prerouting in-interface=WAN4
add chain=prerouting disabled=yes in-interface=WAN5
add chain=prerouting disabled=yes in-interface=WAN6
add chain=prerouting disabled=yes in-interface=WAN7
add chain=prerouting disabled=yes in-interface=WAN8
add chain=prerouting disabled=yes in-interface=WAN9
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:9/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:4/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan3_conn per-connection-classifier=\
    both-addresses-and-ports:4/1 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:4/2 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan4_conn per-connection-classifier=\
    both-addresses-and-ports:4/3 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:9/5 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:9/6 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:9/7 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:9/8 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    disabled=yes new-routing-mark=to_wan1 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to_wan2 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
    new-routing-mark=to_wan3 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan4_conn \
    new-routing-mark=to_wan4 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan5_conn \
    new-routing-mark=to_wan5 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan6_conn \
    disabled=yes new-routing-mark=to_wan6 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan7_conn \
    disabled=yes new-routing-mark=to_wan7 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan8_conn \
    disabled=yes new-routing-mark=to_wan8 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan9_conn \
    disabled=yes new-routing-mark=to_wan9 src-address=192.168.88.0/24
add action=mark-packet chain=forward new-packet-mark=SKY src-address-list=\
    skype_servers_z
add action=mark-connection chain=prerouting comment="7z DOWNS" \
    layer7-protocol="Extension \" .7z \"" new-connection-mark="7z DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="7z DOWNS" \
    new-packet-mark=7z passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="asf DOWNS" \
    layer7-protocol="Extension \" .asf \"" new-connection-mark="asf DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="asf DOWNS" \
    new-packet-mark=asf passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="avi DOWNS" \
    layer7-protocol="Extension \" .avi \"" new-connection-mark="avi DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="avi DOWNS" \
    new-packet-mark=avi passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="bin DOWNS" \
    layer7-protocol="Extension \" .bin \"" new-connection-mark="bin DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="bin DOWNS" \
    new-packet-mark=bin passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="flv DOWNS" \
    layer7-protocol="Extension \" .flv \"" new-connection-mark="flv DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="flv DOWNS" \
    new-packet-mark=flv passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="iso DOWNS" \
    layer7-protocol="Extension \" .iso \"" new-connection-mark="iso DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="iso DOWNS" \
    new-packet-mark=iso passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mkv DOWNS" \
    layer7-protocol="Extension \" .mkv \"" new-connection-mark="mkv DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mkv DOWNS" \
    new-packet-mark=mkv passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="exe DOWNS" \
    layer7-protocol="Extension \" .exe \"" new-connection-mark="exe DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="exe DOWNS" \
    new-packet-mark=exe passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mov DOWNS" \
    layer7-protocol="Extension \" .mov \"" new-connection-mark="mov DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mov DOWNS" \
    new-packet-mark=mov passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mp3 DOWNS" \
    layer7-protocol="Extension \" .mp3 \"" new-connection-mark="mp3 DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mp3 DOWNS" \
    new-packet-mark=mp3 passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mp4 DOWNS" \
    layer7-protocol="Extension \" .mp4 \"" new-connection-mark="mp4 DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mp4 DOWNS" \
    new-packet-mark=mp4 passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mpeg DOWNS" \
    layer7-protocol="Extension \" .mpeg \"" new-connection-mark=\
    "mpeg DOWNS" protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mpeg DOWNS" \
    new-packet-mark=mpeg passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="mpg DOWNS" \
    layer7-protocol="Extension \" .mpg \"" new-connection-mark="mpg DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="mpg DOWNS" \
    new-packet-mark=mpg passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="nrg DOWNS" \
    layer7-protocol="Extension \" .nrg \"" new-connection-mark="nrg DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="nrg DOWNS" \
    new-packet-mark=nrg passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="pdf DOWNS" \
    layer7-protocol="Extension \" .pdf \"" new-connection-mark="pdf DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="pdf DOWNS" \
    new-packet-mark=pdf passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="ram DOWNS" \
    layer7-protocol="Extension \" .ram \"" new-connection-mark="ram DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="ram DOWNS" \
    new-packet-mark=ram passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="rar DOWNS" \
    layer7-protocol="Extension \" .rar \"" new-connection-mark="rar DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="rar DOWNS" \
    new-packet-mark=rar passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="rm DOWNS" \
    layer7-protocol="Extension \" .rm \"" new-connection-mark="rm DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="rm DOWNS" \
    new-packet-mark=rm passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="rmvb DOWNS" \
    layer7-protocol="Extension \" .rmvb \"" new-connection-mark=\
    "rmvb DOWNS" protocol=tcp
add action=mark-packet chain=postrouting connection-mark="rmvb DOWNS" \
    new-packet-mark=rmvb passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="wav DOWNS" \
    layer7-protocol="Extension \" .wav \"" new-connection-mark="wav DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="wav DOWNS" \
    new-packet-mark=wav passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="wma DOWNS" \
    layer7-protocol="Extension \" .wma \"" new-connection-mark="wma DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="wma DOWNS" \
    new-packet-mark=wma passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="wmv DOWNS" \
    layer7-protocol="Extension \" .wmv \"" new-connection-mark="wmv DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="wmv DOWNS" \
    new-packet-mark=wmv passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="zip DOWNS" \
    layer7-protocol="Extension \" .zip \"" new-connection-mark="zip DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="zip DOWNS" \
    new-packet-mark=zip passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="daa DOWNS" \
    layer7-protocol="Extension \" .daa \"" new-connection-mark="daa DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="daa DOWNS" \
    new-packet-mark=daa passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="dat DOWNS" \
    layer7-protocol="Extension \" .dat \"" new-connection-mark="dat DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="dat DOWNS" \
    new-packet-mark=dat passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment="vcd DOWNS" \
    layer7-protocol="Extension \" .vcd \"" new-connection-mark="vcd DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="vcd DOWNS" \
    new-packet-mark=vcd passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment=YouTube \
    layer7-protocol="youtube Download" new-connection-mark="youtube DOWNS" \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark="youtube DOWNS" \
    new-packet-mark=youtube passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment=shady layer7-protocol=\
    "shady Download" new-connection-mark="shady DOWNS" protocol=tcp \
    src-address-list=www.shady.com
add action=mark-packet chain=postrouting connection-mark="shady DOWNS" \
    new-packet-mark=shady passthrough=no protocol=tcp src-address-list=\
    www.shady.com
add action=mark-packet chain=prerouting comment=Ping-Request \
    new-packet-mark=ping_requests protocol=icmp
add action=mark-packet chain=prerouting new-packet-mark=all passthrough=no
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=sameh src-address=192.168.88.23
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=Jonah src-address=192.168.88.168
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=Amir src-address=192.168.88.32
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=Khater src-address=192.168.88.27
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=YSammy src-address=192.168.88.36
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=Musalam src-address=192.168.88.181
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=Kareem src-address=192.168.88.30
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \
    new-routing-mark=PrintIn src-address=192.168.88.252
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=WAN1 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=WAN3 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=WAN4 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WAN5 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WAN6 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WAN7 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WAN8 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WAN9 \
    src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=0.0.0.0 chain=srcnat \
    disabled=yes dst-port=80,443,1024 out-interface=WAN2 protocol=tcp \
    src-address=192.168.88.0/24 src-port=80,443,1024
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=5060-5061
add action=src-nat chain=srcnat protocol=udp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=5060-5061
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=80
add action=src-nat chain=srcnat protocol=udp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=80
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=443
add action=src-nat chain=srcnat protocol=udp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=443
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=1718-1720
add action=src-nat chain=srcnat protocol=udp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=1718-1720
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=1503
add action=src-nat chain=srcnat protocol=udp src-address=192.168.88.0/24 \
    to-addresses=0.0.0.0 to-ports=1503
add action=dst-nat chain=dstnat dst-address=x.x.x.201 dst-port=443,8200 \
    protocol=tcp to-addresses=192.168.88.0 to-ports=443
add action=dst-nat chain=dstnat dst-address=x.x.x.201 dst-port=443,8200 \
    protocol=tcp to-addresses=192.168.88.0 to-ports=8200
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    115.187.137.232/29 dst-port=5060-5100 protocol=tcp to-addresses=\
    192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=185.167.188.0/22 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    115.187.137.232/29 dst-port=7800-32000 protocol=udp to-addresses=\
    192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    115.187.137.232/29 dst-port=5060-5100 protocol=tcp to-addresses=\
    192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=185.167.188.0/22 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    115.187.137.232/29 dst-port=7800-32000 protocol=udp to-addresses=\
    192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    115.187.137.232/29 dst-port=5060-5100 protocol=tcp to-addresses=\
    192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=185.167.188.0/22 \
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=189.8.82.112/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=199.195.235.64/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=209.197.28.0/25 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=216.133.231.0/26 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-address=117.120.4.96/28 \
    dst-port=7800-32000 protocol=udp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-port=993 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=993
add action=dst-nat chain=dstnat disabled=yes dst-port=110 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=110
add action=dst-nat chain=dstnat disabled=yes dst-port=995 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=995
add action=dst-nat chain=dstnat disabled=yes dst-port=465 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=465
add action=dst-nat chain=dstnat disabled=yes dst-port=143 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=143
add action=dst-nat chain=dstnat disabled=yes dst-port=587 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=587
add action=dst-nat chain=dstnat disabled=yes dst-port=636 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=636
add action=dst-nat chain=dstnat disabled=yes dst-port=389 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=389
add action=dst-nat chain=dstnat disabled=yes dst-port=3269 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=3269
add action=dst-nat chain=dstnat disabled=yes dst-port=3268 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=3268
add action=dst-nat chain=dstnat disabled=yes dst-port=1023 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=1023
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    to-addresses=192.168.88.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=4370 log=yes protocol=tcp \
    to-addresses=192.168.88.252
add action=src-nat chain=srcnat out-interface=Local protocol=tcp \
    src-address=192.168.88.252 to-addresses=192.168.2.5
 
sindy
Forum Guru
Posts: 11252
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Mar 18, 2018 5:17 pm

As the only firewall chains which precede the dstnat one are in the mangle table (and do not drop packets), and as there is no active dstnat rule which would shadow the one we are dealing with, I am afraid that this test has shown that the Mikrotik configuration is not the source of the trouble. You can use torch or sniffer tools to double-check this, something like
/tool torch ether1 freeze-frame-interval=00:00:05 ip-protocol=tcp src-address=0.0.0.0/0 dst-address=0.0.0.0/0 port=4370

while generating the traffic which should reach the Mikrotik.

If you cannot see any packet to 192.168.2.5:4370 even this way, you have to concentrate on the Cisco part first.
 
scofficial
just joined
Posts: 2
Joined: Wed Apr 17, 2019 12:28 pm

Re: Port Forwarding through Mikrotik and a Cisco 2900 router

Sun Apr 28, 2019 11:24 am

This setup will work even though the router to which the web server is connected has no public IP. On router1, I will configure destination NAT to send HTTP traffic from the internet, destined to the public IP on router1, to the private IP on router2 on port 80. After that, I will configure a second destination NAT on router2 to send all web traffic sent to the WAN interface of router2 to the IP address of the web server.
On Router1:
/ip firewall nat add chain=dstnat dst-address=41.40.11.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.253 to-ports=80

On Router2:
/ip firewall nat add chain=dstnat dst-address=192.168.10.253 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.20.253 to-ports=80

If you experience any issues implementing it, kindly drop a comment and I will be more than happy to assist. After implementing the above-mentioned steps, try using https://sc-downloader.net/
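Two points in this thread lend themselves to a small rule evaluator: sindy's check that no enabled dstnat rule ahead of the port 4370 rule shadows it (RouterOS stops at the first match in a chain), and the two-router double DNAT in the post above, where the packet is translated once on router1 and again on router2. The script below is an added example written for this page, not RouterOS code and not anything the posters ran. It parses a constructed subset of the export posted earlier (plus the two one-line rules from the last post), and its semantics are a deliberate simplification of the RouterOS firewall: first match wins, only log and passthrough let a packet continue, and only protocol, address and destination port are matched. It goes one step beyond the thread by also constructing a variant with an enabled catch-all rule in front of the 4370 rule, to show what a shadowed rule looks like. The client address 198.51.100.10 and the shadowing rule are constructed values.

```python
"""Hypothetical evaluator for the RouterOS /ip firewall nat lookup discussed in this thread.
Not RouterOS code: first match in a chain wins, only 'log' and 'passthrough' continue,
and only protocol, src/dst address and dst-port are matched (other matchers ignored)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subset of the export posted in the thread (not the full export).
ROUTER_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\\
    192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=66.151.98.0/26 \\
    dst-port=5060-5100 protocol=tcp to-addresses=192.168.88.216
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp \\
    to-addresses=192.168.88.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=4370 log=yes protocol=tcp \\
    to-addresses=192.168.88.252
"""
# Constructed variant: an ENABLED range rule placed in front of the 4370 rule shadows it.
SHADOWED_EXPORT = ROUTER_EXPORT.replace(
    "add action=dst-nat chain=dstnat dst-port=4370",
    "add action=dst-nat chain=dstnat dst-port=4000-5000 protocol=tcp \\\n"
    "    to-addresses=192.168.88.10\n"
    "add action=dst-nat chain=dstnat dst-port=4370",
)
# The two one-line rules from the last post (router1, then router2).
ROUTER1_EXPORT = ("/ip firewall nat add chain=dstnat dst-address=41.40.11.1 protocol=tcp "
                  "dst-port=80 action=dst-nat to-addresses=192.168.10.253 to-ports=80")
ROUTER2_EXPORT = ("/ip firewall nat add chain=dstnat dst-address=192.168.10.253 protocol=tcp "
                  "dst-port=80 action=dst-nat to-addresses=192.168.20.253 to-ports=80")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts; backslash-newline continuations are joined."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/ip firewall nat"):
            line = line[len("/ip firewall nat"):].strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in line[4:].split()))
    return rules


def _port_match(spec, port):
    """RouterOS port lists such as '443,8200' and ranges such as '5060-5100'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_match(spec, addr):
    """Prefix or host match, honouring a leading '!' negation."""
    return (ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)) != spec.startswith("!")


def rule_matches(rule, chain, pkt):
    if rule.get("chain") != chain or rule.get("disabled") == "yes":
        return False
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "src-address" in rule and not _addr_match(rule["src-address"], pkt.src):
        return False
    if "dst-address" in rule and not _addr_match(rule["dst-address"], pkt.dst):
        return False
    return "dst-port" not in rule or _port_match(rule["dst-port"], pkt.dport)


def matching_rules(rules, chain, pkt):
    """Indices of every enabled rule in `chain` that matches pkt, in table order."""
    return [i for i, r in enumerate(rules) if rule_matches(r, chain, pkt)]


def shadowing_rules(rules, chain, target, pkt):
    """Rules before `target` that would take the packet first; non-empty means `target` never fires."""
    return [i for i in matching_rules(rules, chain, pkt) if i < target]


def apply_dstnat(rules, pkt):
    """Walk the dstnat chain and return the packet as the first terminating match leaves it."""
    for r in rules:
        if not rule_matches(r, "dstnat", pkt):
            continue
        if r.get("action") == "dst-nat":
            port = int(r["to-ports"]) if "to-ports" in r else pkt.dport
            return Packet(pkt.proto, pkt.src, r["to-addresses"], port)
        if r.get("action") not in ("log", "passthrough"):
            return pkt  # accept, drop, etc. end the lookup without translation
    return pkt


if __name__ == "__main__":
    client = Packet("tcp", "198.51.100.10", "192.168.2.5", 4370)  # constructed test client
    rules = parse_export(ROUTER_EXPORT)
    print("shadowed by:", shadowing_rules(rules, "dstnat", 3, client), "->", apply_dstnat(rules, client))
    print("shadowed variant:", shadowing_rules(parse_export(SHADOWED_EXPORT), "dstnat", 4, client))
    web = Packet("tcp", "198.51.100.10", "41.40.11.1", 80)
    print("web server:", apply_dstnat(parse_export(ROUTER2_EXPORT), apply_dstnat(parse_export(ROUTER1_EXPORT), web)))
```

To run it against a real box, paste the output of `/ip firewall nat export` into ROUTER_EXPORT and construct the packet you expect from the outside. The evaluator only answers "which rule would take this packet once it reaches the dstnat chain"; it says nothing about whether the packet arrives at the Mikrotik at all, which is exactly the gap the torch command in sindy's reply is meant to close.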