iredden
newbie
Topic Author
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 5:13 pm

Hi Mikrotik Forums!

I need help with NAT/Hairpin NAT.


/ip firewall nat
add action=masquerade chain=srcnat comment="main nat" dst-address=!192.168.2.1 out-interface-list=WAN src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment=PORT-FORWARD-80 protocol=tcp dst-port=80 dst-address=!192.168.0.0/16 dst-address-type=local in-interface=pppoe-out2 to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=PORT-FORWARD-443 protocol=tcp dst-port=443 dst-address=!192.168.0.0/16 dst-address-type=local in-interface=pppoe-out2 to-addresses=192.168.2.10

I can access my external website from an external network. That works fine. I can also, from internal, access the internet.

However,

add action=masquerade chain=srcnat comment=PORT-FORWARD-80-INTERNAL dst-address=192.168.2.10 dst-port=80 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=PORT-FORWARD-443-INTERNAL dst-address=192.168.2.10 dst-port=443 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16

From internal, I can't seem to access my external domain. It just times out.

I believe this has something to do with my 2 WAN connections (pppoe-out1 and pppoe-out2). If I set the DNS on my domain to the IP of pppoe-out1, everything seems to work fine. If I set the DNS to the IP on pppoe-out2, it does not.

Thanks!
 
iredden
newbie
Topic Author
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 5:25 pm

This works, but is not 100% what I want:

/ip firewall nat
add action=masquerade chain=srcnat comment="main nat" dst-address=!192.168.2.1 out-interface-list=WAN src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=PORT-FORWARD-80-INTERNAL dst-address=192.168.2.10 dst-port=80 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=PORT-FORWARD-443-INTERNAL dst-address=192.168.2.10 dst-port=443 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=PORT-FORWARD-32400-INTERNAL dst-address=192.168.2.10 dst-port=32400 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=PORT-FORWARD-5000-INTERNAL dst-address=192.168.2.10 dst-port=5000 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=PORT-FORWARD-5001-INTERNAL dst-address=192.168.2.10 dst-port=5001 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-80 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=PORT-FORWARD-443 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=PORT-FORWARD-32400 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=32400 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=PORT-FORWARD-5000 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=5000 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=PORT-FORWARD-5001 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=5001 protocol=tcp to-addresses=192.168.2.10

Both my WAN IPs (1.1.1.1 and 1.1.1.2) can access the ports I'm forwarding. I want to 1-to-1 NAT a public IP to an internal source, being able to access everything internally and externally by that IP (i.e. 1.1.1.2). 1.1.1.1 would or could be a separate box internally.

How would I set this up?

Ian.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 5:52 pm

iredden wrote:
...
Both my WAN IPs (1.1.1.1 and 1.1.1.2) can access the ports I'm forwarding. I want to 1-to-1 NAT a public IP to an internal source, being able to access everything internally and externally by that IP (i.e. 1.1.1.2). 1.1.1.1 would or could be a separate box internally.

How would I set this up?

Ian.

/ip firewall nat
add action=dst-nat chain=dstnat comment="1 - 1 NAT" in-interface=WAN dst-address=1.1.1.1 to-addresses=192.168.2.10
add action=src-nat chain=srcnat comment="1 - 1 NAT" out-interface=WAN src-address=192.168.2.10 to-addresses=1.1.1.1

add action=dst-nat chain=dstnat comment="1 - 1 NAT" in-interface=WAN dst-address=1.1.1.2 to-addresses=192.168.2.11
add action=src-nat chain=srcnat comment="1 - 1 NAT" out-interface=WAN src-address=192.168.2.11 to-addresses=1.1.1.2
 
iredden
newbie
Topic Author
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 8:07 pm

That only half works. Here is my configuration:
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=local-net
/ip firewall nat
add action=masquerade chain=srcnat comment="main nat" dst-address=!192.168.2.1 out-interface-list=WAN src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="1 - 1 NAT" dst-address=174.XX.80.6 in-interface=synology to-addresses=192.168.2.10
add action=src-nat chain=srcnat comment="1 - 1 NAT" out-interface=synology src-address=192.168.2.10 to-addresses=174.XX.80.6
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=synology list=WAN
add interface=devbox list=WAN
I am able (from external) to access my domain which has its DNS pointed to 174.xx.80.6 (which is held by the 'synology' pppoe-client). I'm accessing it from my cellular connected phone and able to access tcp/port 80. If I'm on the 192.168.2.0/24 network, I get an ERR_CONNECTION_REFUSED. Do I need a filter rule of some sort? There is no firewall on the 192.168.2 box (it works externally).

pppoe-out1 and devbox are other interfaces (both pppoe-clients).
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.2.1/24     192.168.2.0     ether2
 1 D 76.XX.52.186/32    10.11.7.113     pppoe-out1
 2 D 184.XX.11.243/32  10.11.7.113     devbox
 3 D 174.XX.80.6/32     10.11.7.113     synology
UPDATE: I was using https, not http. If I use http I get the RouterOS page instead of my website (so it's just hitting the router). Externally it works.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 8:46 pm

Place the 1-1 NAT rules above the main NAT rule.

Then to access the website via external IP from internal, look at Hairpin NAT
 
anav
Forum Guru
Posts: 22310
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 9:16 pm

Don't you need some routing rules? It appears as though you are setting up rules permitting such traffic but not telling the traffic where to go formally?

/ip firewall mangle
add chain=prerouting src-address=192.168.2.10 in-interface=bridge1 action=mark-connection new-connection-mark=cm_1-1MAP passthrough=yes
add chain=prerouting mark-connection=cm_1-1MAP action=mark-routing new-routing-mark=use1-1MAP passthrough=No

/ip route
add destination=0.0.0.0/0 gatewayIP routing-mark=use1-1MAP pref-src=174.xx.80.6 distance=1
add destination=0.0.0.0/0 gatewayIP distance=1
 
iredden
newbie
Topic Author
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 10:45 pm

Still similar behavior even with routes added. I was 'adding default route' on the pppoe client.

Route
/ip route
add distance=1 gateway=devbox routing-mark=devbox-rm
add distance=1 gateway=synology routing-mark=synology-rm
add distance=1 gateway=pppoe-out1

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=bridge1 new-connection-mark=synology-cm passthrough=yes src-address=192.168.2.10
add action=mark-routing chain=prerouting connection-mark=synology-cm new-routing-mark=synology-rm passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment="1 - 1 NAT" out-interface=synology src-address=192.168.2.10 to-addresses=74.XX.70.50
add action=dst-nat chain=dstnat comment="1 - 1 NAT" dst-address=74.XX.70.50 in-interface=synology to-addresses=192.168.2.10
add action=masquerade chain=srcnat comment="Main NAT" dst-address=!192.168.2.1 out-interface-list=WAN src-address=192.168.2.0/24

Addresses
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.2.1/24     192.168.2.0     ether2
 1 D 174.XX.215.64/32   10.11.7.113     devbox
 2 D 76.XX.52.186/32    10.11.7.113     pppoe-out1
 3 D 74.XX.70.50/32     10.11.7.113     synology
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: port forwarding help needed - 2 WAN's

Fri Jun 08, 2018 11:00 pm

What happens is that the client request comes to the IP address of the WAN2, is dst-nated to the IP address of the server on the LAN and delivered there. However, the response of the server uses the routing rules which do not use WAN2 as gateway, so the response is sent out via WAN1. I'm not sure whether it is sent out with the source address of WAN2 and thus the ISP doesn't let it through, or whether it is sent with the source address of WAN1 so the client doesn't accept it, but the result is effectively the same in both cases.

So what you need to do is to use connection-marking and routing-marking, so that requests which came from outside to WAN2's address would be responded via WAN2 and requests which came to WAN1's address would be responded via WAN1.

Look here for details.
 
iredden
newbie
Topic Author
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 3:28 pm

Thx Sindy,

I gathered that as well. I put a sniffer on 'devbox' (my secondary pppoe interface), and performed a ping. I see the ping (dst 8.8.8.8, src 174.xx.83.83). This tells me the connection marking and routing is working. I also see the nat rule (Outbound NAT for 192.168.2.4) working. However, the packets never arrive back to the .2.4 box. I added a dst-nat, but still no luck.

Current configuration below:
[admin@router] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.2.1/24     192.168.2.0     ether2
 1 D 76.67.43.190/32    10.11.7.113     pppoe-out1
 2 D 174.92.83.83/32    10.11.7.113     devbox

/ip firewall connection tracking
set enabled=yes

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=!192.168.2.0/24 new-connection-mark=devbox-cm passthrough=yes src-address=192.168.2.4
add action=mark-routing chain=prerouting connection-mark=devbox-cm new-routing-mark=devbox-rm passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="Main NAT" dst-address=!192.168.2.1 out-interface-list=WAN src-address=192.168.2.0/24 src-address-list=!special-boxes
add action=masquerade chain=srcnat comment="Outbound NAT for 192.168.2.4" out-interface=devbox src-address=192.168.2.4
add action=dst-nat chain=dstnat comment="1 to 1 NAT - for 192.168.2.4" in-interface=devbox to-addresses=192.168.2.4

-- works for what I need now, but in pppoe-out1
add action=dst-nat chain=dstnat comment=PORT-FORWARD-443 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-443-INTERNAL dst-address=192.168.2.4 dst-port=443 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-80 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-80-INTERNAL dst-address=192.168.2.4 dst-port=80 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-5000 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=5000 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-5000-INTERNAL dst-address=192.168.2.4 dst-port=5000 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-5001 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=5001 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-5001-INTERNAL dst-address=192.168.2.4 dst-port=5001 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-32400 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=32400 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-32400-INTERNAL dst-address=192.168.2.4 dst-port=32400 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=PORT-FORWARD-8888 dst-address=!192.168.0.0/16 dst-address-type=local dst-port=8888 protocol=tcp to-addresses=192.168.2.4
add action=masquerade chain=srcnat comment=PORT-FORWARD-8888-INTERNAL dst-address=192.168.2.4 dst-port=8888 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/16
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 3:57 pm

I'm afraid I'm a bit lost in your setup. Instead of connection-marking only the initial packet of each connection, you connection-mark every packet sent by 192.168.2.4; well, for testing that may work (unless you have fasttracking enabled), but for real operation, you would have to connection-mark initial packets which arrive through one of the WAN interfaces so that the responses would be routed out through the same interface through which the requests came in.

Now you say that the response never comes back to 192.168.2.4, so I assume you ping from 192.168.2.4. But your problem is that you assign routing-marks also to packets coming from WAN2 towards the 192.168.2.4, which causes these packets to be routed out via WAN2 again because there is no route with routing-mark=devbox-rm which would lead to 192.168.2.4. So either add "dst-address=!192.168.2.4" to the action=mark-routing rule, or add a route dst-address=192.168.2.4/32 routing-mark=devbox-rm gateway=the-lan-interface. Of course these exceptions should actually span all LAN subnets; I just don't know them, so I refer to 192.168.2.4.
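The approach sindy describes in the two posts above (mark only the first packet of each connection arriving on a WAN, route the replies back out through that same WAN, and never routing-mark packets headed for the LAN) as one complete RouterOS v6 fragment. This is an added example, not configuration from the thread; the interface names pppoe-out1, synology and bridge1 and the server address 192.168.2.10 are reused from the posts, the mark names are mine, and on RouterOS v7 the route lines take routing-table= (with a matching /routing table entry) instead of routing-mark=.

```routeros
# Added example: a dst-nat'ed LAN server reachable on either WAN address.
# Interface/address names follow the thread; mark names are assumed.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=synology list=WAN
add interface=bridge1 list=LAN

/ip firewall mangle
# Mark only the FIRST packet of an inbound connection with the WAN it arrived on.
# mangle prerouting runs before dst-nat, so in-interface is still the WAN here.
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan1 passthrough=no
add chain=prerouting in-interface=synology connection-state=new \
    action=mark-connection new-connection-mark=from-wan2 passthrough=no
# Replies from the server carry the connection mark; turn it into a routing
# mark, but never for packets whose destination is the LAN or the router
# itself, otherwise they would be thrown out of the WAN again (sindy's point).
add chain=prerouting in-interface-list=LAN connection-mark=from-wan1 \
    dst-address=!192.168.2.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-wan1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=from-wan2 \
    dst-address=!192.168.2.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no

/ip route
# The pppoe clients add their own default route to the main table; these
# per-mark routes force marked replies out through the matching WAN.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=via-wan1 distance=1
add dst-address=0.0.0.0/0 gateway=synology routing-mark=via-wan2 distance=1

/ip firewall nat
# One forward for both WAN addresses; dst-nat is listed before the masquerade.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.2.10
add chain=srcnat out-interface-list=WAN src-address=192.168.2.0/24 \
    action=masquerade

/ip firewall filter
# Fasttracked packets skip mangle, so exempt marked connections from
# fasttrack or their replies fall back to the main table and the wrong WAN.
add chain=forward connection-state=established,related \
    connection-mark=no-mark action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
```

Verify with /ip firewall connection print where connection-mark=from-wan2 while a client hits the WAN2 address: the reply packets should show routing-mark via-wan2 in a torch or sniffer on the synology interface, not on pppoe-out1.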
 
anav
Forum Guru
Posts: 22310
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 6:56 pm

I am lost.
The request was made for outgoing traffic from the LAN that was solved.
If you have external folks coming in on the wrong WAN ISP, that is the fault of the OP for giving folks the wrong WAN IP address or DynDNS name.
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 7:59 pm

anav wrote:
I am lost.
The request was made for outgoing traffic from the LAN that was solved.
If you have external folks coming in on the wrong WAN ISP, that is the fault of the OP for giving folks the wrong WAN IP address or DynDNS name.

Well, I read the OP as the usual requirement to be able to access the Mikrotik itself or the dst-nat'ed server(s) on its LAN via any of the Mikrotik's WAN addresses, which makes sense in various scenarios.

Only the test method the OP has chosen is a bit upside down here (pinging a device in the internet from a device on LAN instead of sending a http request from the internet), but that doesn't matter as it was enough to highlight the issue with assigning routing-marks to packets with dst-addresses of devices on the LAN side.
 
anav
Forum Guru
Posts: 22310
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 9:25 pm

Okay so if Hairpin was not involved my logic would be correct?
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: port forwarding help needed - 2 WAN's

Sat Jun 09, 2018 9:47 pm

anav wrote:
Okay so if Hairpin was not involved my logic would be correct?

Hairpin NAT is only necessary when you need the clients in a given LAN subnet to contact the server in the very same LAN subnet via the WAN address of the router (e.g. because the server's domain name is resolved to the WAN address and you need to use the domain name in the url). As the OP hasn't mentioned such need, I don't see any need to configure hairpin NAT.

But maybe I didn't get the essence of your question?