Community discussions

MikroTik App
  4. RouterOS
  5. General

Port forwarding issue, unable to nc to the port.  [SOLVED]

Post Reply
 
krizzo
just joined
Topic Author
Posts: 3
Joined: Thu May 17, 2018 4:12 am

Port forwarding issue, unable to nc to the port.

Tue Jul 17, 2018 9:37 am

This is my first mikrotik, been working on it for the past 5 days. I've spent the last 3 days reading form posts and the wiki to understand what I might be doing incorrectly with trying to port forward. All the configurations seem to be close to the same setup which I have.

External scans of my public IP on the port show it as closed and I'm unable to netcat to the port validating that the port is truly blocked. The counters are staying at zero for the NAT rule 1 and filter 6 below as well so the rules aren't even receiving any packets. I've tried disabling the fastrack rule as well to see if it was causing the issues with no success.

Based on what I have read from other posts, the wiki, and other websites this should work, it's starting to make me wonder if other parts of the router aren't configured properly and might impact port forwarding.

I've also moved the ordering around for the filter chain which didn't change anything.

What could I be missing? Do I need to provide more information from the router?
Code: Select all
# jul/16/2018 23:31:02 by RouterOS 6.42.6
# software id = CPAM-LK5T
# model = RouterBOARD 3011UiAS
[admin@mikrotik-rt1] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; SRCNAT MASQUERADE
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none 

 1    ;;; MAKE PLEX EXTERNALLY AVAILABLE
      chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=32400 protocol=tcp dst-address=PUBLIC_IP_ADDRESS in-interface=ether1 src-port=32400 log=yes 
      log-prefix="" 
      
[admin@mikrotik-rt1] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; ALLOW ESTABLISHED,RELATED TO ROUTER
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 2    ;;; ALLOW LAN TO ROUTER
      chain=input action=accept src-address-list=allowed_to_rt1 log=no log-prefix="" 

 3    ;;; ALLOW ICMP TO ROUTER
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 4    ;;; DROP ANYTHING ELSE TO THE ROUTER
      chain=input action=drop log=no log-prefix="" 

 5    ;;; FastTrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 6    ;;; ALLOW PLEX SERVICE
      chain=forward action=accept connection-state=established,related connection-nat-state=dstnat protocol=tcp in-interface=ether1 dst-port=32400 log=no 
      log-prefix="" 

 7    ;;; ALLOW ESTABLISHED,RELATED TO INTERNAL
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 8    ;;; DROP INVALID TO INTERNAL
      chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid" 

 9    ;;; DROP TO NON-PUBLIC ADDRESSES FROM LAN
      chain=forward action=drop dst-address-list=NotPublic in-interface=bridge out-interface=!bridge log=yes log-prefix="!public_from_LAN" 

10    ;;; DROP INCOMING PACKETS THAT ARE NOT NATTED
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="!NAT" 

11    ;;; DROP INCOMING FROM INTERNET WHICH IS NOT PUBLIC IP
      chain=forward action=drop src-address-list=not_in_internet dst-address-list=NotPublic in-interface=ether1 log=yes log-prefix="!public" 

12    ;;; DROP PACKETS FROM LAN THAT DO NOT HAVE LAN IPS
      chain=forward action=drop src-address=!192.168.1.0/24 in-interface=bridge log=yes log-prefix="LAN_!LAN"
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10551
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forwarding issue, unable to nc to the port.

Tue Jul 17, 2018 11:18 am

It works OK when you use the default configuration and just add a dst-nat entry to the NAT table as you have done.
I suggest resetting the router to defaults and add the entry again, do not change the firewall filters until you understand how it works.
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding issue, unable to nc to the port.  [SOLVED]

Tue Jul 17, 2018 12:03 pm

I am afraid you have missed the meaning of src-port. Like dst-port, it is a match condition referring to a field in the original packet, not to the "original" (src) and "new" (dst) port number before and after taking the rule action.
On the other hand, to-ports defines the new value after translation, but as you actually don't need to change the destination port, it is not necessary.

So your dst-nat rule should actually read
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp dst-address=PUBLIC_IP_ADDRESS in-interface=ether1 dst-port=32400
meaning "redirect to 192.168.1.2 whatever arrives to TCP port 32400 at PUBLIC_IP_ADDRESS via ether1".

Also in the /ip firewall filter part, your rule 6 doesn't do what you expect it to do but rule 10 permits and dst-nat'ed connections to establish, which is sufficient adn secure enough.
Top
 
krizzo
just joined
Topic Author
Posts: 3
Joined: Thu May 17, 2018 4:12 am

Re: Port forwarding issue, unable to nc to the port.

Tue Jul 17, 2018 5:07 pm

Wow I feel embarrassed now staring at the issue over the weekend and not realizing I entered the value in the src-port instead of dst-port, configured via webfig, still getting use to the cli it's a bit different from Cisco, more like Juniper from what I've seen. I was thinking something about the filters must be blocking it and was focusing on that more which is why I created rule 6 in desperation. Thanks for the help!
Top
 
demian85
just joined
Posts: 2
Joined: Wed Jul 18, 2018 11:26 pm

Re: Port forwarding issue, unable to nc to the port.

Thu Jul 19, 2018 1:41 am

Can someone please explain to me how to hardcode the public IP address if it's dynamic? I don't get it and there isn't a single example out there...

btw, I submitted a new topic and it is not here, is there an approval process?
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding issue, unable to nc to the port.

Thu Jul 19, 2018 1:58 pm

Can someone please explain to me how to hardcode the public IP address if it's dynamic? I don't get it and there isn't a single example out there...

btw, I submitted a new topic and it is not here, is there an approval process?
No approval process I'd be aware of, so it is more likely some failure at forum or your side. I had an experience of connecting from a dynamic address of a mobile operator which was blacklisted due to some suspicious activity of the previous assignee of that address, but I've got a notification about that when I tried to submit a post. Try again.

If you get a public address from your ISP, it is their decision whether it will be static or dynamic. Some ISPs provide you with a static IP address for an additional fee. Or you can use a dynamic DNS service (such as Mikrotik cloud) to assign an fqdn to your device. The DNS A record is then updated each time your address changes, so the remote equipment can be configured to connect to the fqdn rather than to a particular IP number.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10551
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forwarding issue, unable to nc to the port.

Thu Jul 19, 2018 2:16 pm

Can someone please explain to me how to hardcode the public IP address if it's dynamic? I don't get it and there isn't a single example out there...
You don't need to specify the dst-address when you use another selector to make the rule match only the cases you want to match.
Your comment indicates that you want it to match on in-interface=ether1 so you can do that.
Top
Post Reply
  4. RouterOS
  5. General