mkonsultor
just joined
Topic Author
Posts: 12
Joined: Sun Oct 20, 2019 6:37 pm

port forwarding needs what kind of firewall rules?

Sun Oct 20, 2019 10:42 pm

A server on the LAN needs access from the Internet via a hAP ac lite (ver 6.45.6). Have created dst-nat entries for several TCP ports (since it is a dynamic IP address from the ISP, the src address is not used). When attempting to connect, so far I get 'connection refused.' This is true for SSH, Telnet, and http.
Saw a comment in this forum about enabling the port in the Forward chain, but it was incomplete about how to do that and where in the rule list that rule should be placed. I have entered rules:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; WAN access to Cockpit on Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 
      protocol=tcp dst-address-type="" src-port=9090 dst-port=9090 log=no 
      log-prefix="" 

 2 X  ;;; ssh to Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=22 
      protocol=tcp src-port=22 dst-port=22 log=no log-prefix="" 

 3    ;;; port 3000 access
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=3000 
      protocol=tcp src-port=3000 dst-port=3000 log=no log-prefix="" 

 4 X  ;;; telnet port forwarding
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=23 
      protocol=tcp src-port=23 dst-port=23 log=no log-prefix="" 

Have not specified protocols above TCP: could be http, https, or something else.
Suggestions and hints greatly appreciated.
 
akschu
Frequent Visitor
Posts: 59
Joined: Thu Mar 15, 2012 2:09 am

Re: port forwarding needs what kind of firewall rules?

Mon Oct 21, 2019 6:16 pm

Telling the router to do destination nat is one thing, allowing that packet through the firewall is different. So if you have:

chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 protocol=tcp dst-address-type="" src-port=9090 dst-port=9090 log=no log-prefix=""

then in /ip firewall filter you would also need:
add chain=forward action=accept dst-address=192.168.1.15 protocol=tcp dst-port=9090
or if you want a catch-all rule that works well:
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN
That will match all new connection packets that have been modified by dstnat that also show up on any interface in the WAN list and allow them to forward.
 
mkx
Forum Guru
Posts: 13062
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding needs what kind of firewall rules?

Mon Oct 21, 2019 6:39 pm

The NAT rules are too restrictive ... src-port and dst-port are both selection criteria (those are compared against to check if certain rule needs to apply or not). It's a thin chance that some client from internet, trying to connect to ssh port, will use port 22 on its own side (that's what src-port is about). On the other hand the same rule is too permissive and (after src-port gets removed as selection criteria) will capture also out-going ssh connections.

So usual DST-NAT rule for ssh would look something like this (catching only connections originating from internet):
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=<WAN port> to-addresses=<LAN IP address> to-ports=22

where <WAN port> can either be standard ssh port 22 or some other random port. If WAN port number is the same as port on the LAN server, then setting to-ports is not necessary.

BTW, the catch-all firewall filter rule from post by @akschu above is present in default firewall setup (on SOHO routerboards, the pro boxes come without default firewall).
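
Added example, not part of the original post or of RouterOS: a Python sketch that parses `/ip firewall nat print` output and flags dst-nat rules with the two problems described in the reply above (src-port used as a match criterion, and no in-interface restriction). The sample text is constructed from the first post's rules; the function names and issue labels are assumptions.

```python
import re

# Constructed sample adapted from the first post's print output (log fields
# trimmed); rule 4 is a hypothetical rule in the form this reply suggests.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN
 1    ;;; WAN access to Cockpit on Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090
      protocol=tcp dst-address-type="" src-port=9090 dst-port=9090
 2 X  ;;; ssh to Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=22
      protocol=tcp src-port=22 dst-port=22
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=3000
      protocol=tcp dst-port=3000
 4    chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp
      dst-port=22 to-addresses=192.168.1.15 to-ports=22
"""

HEADER = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")   # "<n> <flags> <rest>"
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')           # key=value or key="..."

def parse_nat_print(text):
    """Turn `/ip firewall nat print` output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # new rule: number, optional flags, then a comment or properties
            rules.append({"id": int(m.group(1)), "disabled": "X" in m.group(2), "props": {}})
            line = "" if m.group(3).startswith(";;;") else m.group(3)
        if rules:
            rules[-1]["props"].update((k, v.strip('"')) for k, v in PAIR.findall(line))
    return rules

def audit_dstnat(rules):
    """Return (rule id, issue) pairs for the two problems named in the reply."""
    findings = []
    for r in rules:
        p = r["props"]
        if p.get("chain") != "dstnat" or p.get("action") != "dst-nat":
            continue
        if "src-port" in p:  # matches only clients whose own port equals this value
            findings.append((r["id"], "src-port-match"))
        if "in-interface" not in p and "in-interface-list" not in p:
            findings.append((r["id"], "no-in-interface"))  # also catches LAN-originated traffic
    return findings

print(audit_dstnat(parse_nat_print(NAT_PRINT)))
```

Disabled rules (flag X) are still reported, so they are reviewed before being re-enabled.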
 
JohnRauner
just joined
Posts: 1
Joined: Sun Oct 27, 2019 8:08 am

Re: port forwarding needs what kind of firewall rules?

Sun Oct 27, 2019 8:34 am

Can somebody help me with this please. I have tried several different options but cannot get the router to port forward. I am new to Mikrotik so this is a bit confusing. I am pretty sure the NAT rule is correct and I suspect the firewall filter rule is the problem.
 
mkonsultor
just joined
Topic Author
Posts: 12
Joined: Sun Oct 20, 2019 6:37 pm

Re: port forwarding needs what kind of firewall rules?

Wed Nov 06, 2019 6:36 pm

Working more on the network, I realize that I didn't describe the configuration fully. Access from the Internet is needed to reach a different subnet (192.168.88.0/24) through a second MikroTik router whose WAN port is 192.168.1.15. The first (gateway) router dst-nat function maps a connection to the ...88.x subnet. The second router then routes that to the proper subnet.
Forwarding rules are needed in the g/w router for a DstAddress of ...88.0 . Does that sound right? Unfortunately, connections from the Internet intended for ...88.x are refused.
 
mkx
Forum Guru
Posts: 13062
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding needs what kind of firewall rules?

Wed Nov 06, 2019 7:10 pm

There are a few things to be configured/checked:
  1. WAN router needs to perform DST-NAT to LAN2 address and its firewall has to allow it
  2. WAN router needs a route towards LAN2 using Router2 as gateway
  3. Router2 firewall has to allow the connection

Now there are two possibilities:
  1. if LAN2 devices use Router2 as their default gateway and Router2 uses WAN router as its default gateway, then the above list is more or less complete.
  2. if LAN2 devices don't use Router2 as their default gateway, only specific gateway towards LAN1 ... or if LAN2 devices don't know that Router2 is router at all, then another NAT (src-nat in particular) has to be done as step #4. Whether to do it on WAN router or Router2 depends on how LAN2 devices see Router2, but in any case this NAT can be done on Router2.
    If this NAT gets done, then LAN2 devices won't get information about real originator of incoming connection.

Surely there are other possibilities, such as double DST-NAT (done on both routers) ...
 
GrasDK
just joined
Posts: 12
Joined: Thu Apr 06, 2023 11:42 pm

Re: port forwarding needs what kind of firewall rules?

Tue Apr 18, 2023 6:19 pm

add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN
That will match all new connection packets that have been modified by dstnat that also show up on any interface in the WAN list and allow them to forward.
I liked this for its genericity, worked like a charm.
 
anav
Forum Guru
Posts: 22143
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding needs what kind of firewall rules?

Tue Apr 18, 2023 6:37 pm

 
ckonsultor
Frequent Visitor
Posts: 89
Joined: Sun Nov 21, 2021 7:57 pm

Re: port forwarding needs what kind of firewall rules?

Tue Apr 18, 2023 8:58 pm

Dear MKX,

You did it for me. Along with a typo or two your outline let me gain all the accesses I want.
Thanks