jd6strings
Frequent Visitor
Topic Author
Posts: 73
Joined: Tue Dec 20, 2005 8:24 pm

Port forwarding through two layers

Thu Sep 04, 2008 7:25 am

Hello all:

I've been using Mikrotik for a good while now and I've finally come to a scenario that I cannot get to work properly. The diagram below illustrates the basics of the setup. What I'm trying to achieve is logically simple BUT my configs are not working.

[diagram of the setup, not reproduced]

I'm trying to port forward 5900 to a system behind a router and that router is behind another router.

Here are the NAT configs of the respective systems:

MT1:
# Rules as posted. 123.456.789.1 stands in for MT1's public address (it is not a
# valid IPv4 address), and 172.0.0.2 (MT2's uplink) is outside RFC 1918 space;
# both are kept exactly as the original poster wrote them.
0 chain=srcnat action=masquerade

1 chain=dstnat action=dst-nat to-addresses=172.0.0.2 to-ports=5900
dst-address=123.456.789.1 dst-port=5900 protocol=tcp

# Note: unlike rule 1, the UDP rule forwards straight to 192.168.0.2 rather than
# to MT2 (172.0.0.2); that only works if MT1 has a route to 192.168.0.0/24.
2 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=123.456.789.1 dst-port=5900 protocol=udp

MT2:
0 chain=srcnat action=masquerade

1 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=172.0.0.2 dst-port=5900 protocol=tcp

2 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5900
dst-address=172.0.0.2 dst-port=5900 protocol=udp

The problem is that when I attempt a connection from outside the network, the 192.168.0.2 client does NOT respond properly. What could be wrong?

It should be noted that Internet connectivity from the 192.168.0.0/24 network works fine.

Thanks my friends!!!
 
macgaiver
Forum Guru
Posts: 1770
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Port forwarding through two layers

Thu Sep 04, 2008 9:13 am

Do you really need double masquerade? If it is your inner network, just route in it, and have only one dst-nat in your main router MT1.
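The routed alternative macgaiver describes, written out as RouterOS CLI commands. This is an added example, not configuration from the thread. It assumes MT1's WAN interface is named ether1 and MT1's inner-facing address is 172.0.0.1; the addresses 172.0.0.2 (MT2's uplink) and 192.168.0.2 (the client) are taken from the post, and 123.456.789.1 is the post's placeholder for MT1's public address.

```routeros
# Added example, not from the thread. Assumptions: MT1's WAN interface is ether1
# and its inner-facing address is 172.0.0.1; MT2's uplink is 172.0.0.2 and the
# client is 192.168.0.2 (both from the post). 123.456.789.1 in the post is a
# placeholder and is not a valid IPv4 address, so the dst-nat below matches on
# the inbound interface instead of a literal public address.

# ---------- MT1 (edge router) ----------
# MT1 must know that 192.168.0.0/24 lives behind MT2; otherwise a dst-nat straight
# to 192.168.0.2 has no route and the translated packet is dropped.
/ip route add dst-address=192.168.0.0/24 gateway=172.0.0.2 comment="inner LAN via MT2"

# One dst-nat, directly to the final host. Only 5900/tcp is opened; nothing in
# the post says the service needs UDP, so no UDP rule is added here.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.0.2 to-ports=5900 comment="5900/tcp to inner client"

# Masquerade only what leaves the WAN interface. A bare masquerade with no
# out-interface (as in the post) also rewrites the source of forwarded inbound
# sessions, so the inner client would log every connection as coming from MT1
# instead of from the real remote address.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# ---------- MT2 (inner router) ----------
# With MT1 routing to 192.168.0.0/24 there is nothing left for MT2 to translate:
# no dst-nat and no masquerade. Replies from 192.168.0.2 follow MT2's default
# route back to MT1, where connection tracking reverses the single NAT.
/ip route add dst-address=0.0.0.0/0 gateway=172.0.0.1 comment="default via MT1"
/ip firewall nat remove [find chain=srcnat action=masquerade]
/ip firewall nat remove [find chain=dstnat dst-address=172.0.0.2 dst-port=5900]
```

Removing MT2's masquerade is safe only once MT1 has the route to 192.168.0.0/24; apply the MT1 route first, or clients behind MT2 will lose Internet access until it is in place.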
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Port forwarding through two layers

Fri Sep 05, 2008 4:37 am

Your NAT entries look correct. I do this all the time and it works fine.

When it doesn't work, the problem is usually that the client or the innermost router is
missing its default route. In that case, the packets go in to the client, but they don't know how to go back out.

You said the client can get out to the Internet, so that does not seem to be the problem.

To debug, use Winbox and open IP -> Firewall -> NAT.

Click Reset All Counters.

Try to reach your client and watch the packet count on the NAT rule. It should count up.
This will give you an indication of whether your rules are firing as expected.

If not, look more carefully. If they are firing,
run the packet sniffer and look for the client address on MT2. You should see a packet go in, and a packet go back out.

If so, trace back to MT1. If not, look more carefully and try to figure out why.

BTW, be sure connection tracking is on in IP -> Firewall -> Connections -> Tracking.
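The same check sequence dsobin walks through in Winbox, as RouterOS CLI commands for anyone working over SSH or the serial console. This is an added example, not commands from the thread; the addresses 172.0.0.2 (MT2's uplink) and 192.168.0.2 (the client) come from the post, and the checks are ordered so each one rules out a cause before the next.

```routeros
# Added example, not from the thread. Addresses are the post's: 172.0.0.2 is
# MT2's uplink, 192.168.0.2 is the inner client, 5900/tcp is the forwarded port.

# 0. Is connection tracking enabled? dst-nat depends on it: the inbound packet
#    is rewritten, but the reply is only translated back via the tracked entry.
/ip firewall connection tracking print

# 1. Do the inner router and the client have a way back out? Run on MT2 (and
#    check the client's own gateway). A missing default route is the usual
#    reason packets go in but never come back.
/ip route print where dst-address=0.0.0.0/0

# 2. Zero the NAT counters, connect from outside, then see which rule fired.
#    Do this on MT1 first, then on MT2; a rule whose counter stays at 0 never
#    matched, so re-check its dst-address/dst-port/protocol.
/ip firewall nat reset-counters-all
/ip firewall nat print stats

# 3. If the rule fires, confirm the tracked connection exists and what the
#    translated destination became (dst-address is shown after NAT).
/ip firewall connection print where dst-address~":5900"

# 4. Sniff on MT2 for the client's address. Expect the SYN going in and the
#    SYN/ACK coming back; Ctrl-C stops the quick sniffer.
/tool sniffer quick ip-address=192.168.0.2 port=5900

# 5. If only the inbound packet shows, the client itself has no route back (or a
#    host firewall on it drops the session). If nothing shows at all on MT2,
#    move to MT1 and sniff for MT2's uplink address there instead.
/tool sniffer quick ip-address=172.0.0.2 port=5900
```

Working the list top to bottom separates "rule never matched" (step 2) from "matched but no reply" (steps 4 and 5), which is the distinction dsobin's Winbox walkthrough is designed to make.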