port forward / nat

Posted: Tue Sep 20, 2011 3:02 am
by bhamhotspots
I am using a RB433UAH with software 5.6 installed on the RB.

I am trying to reach a website on a private IP of 10.1.0.2 through my public IP address. I have it configured as so:

GENERAL TAB:
Chain: dstnat
Protocol: 6 (TCP)
SRC. Port: 8100

ACTION TAB:
Action: dst-nat
To Address: 10.1.0.2
Port: 80

I am trying to navigate to http://x.x.x.x:8100 and reach the internal web server on 10.1.0.2.

(x.x.x.x is the public IP address)

Can you help me understand why this is not working?

Thanks for your help.

Re: port forward / nat

Posted: Tue Sep 20, 2011 4:55 am
by fewi
Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

Re: port forward / nat

Posted: Tue Sep 20, 2011 10:19 am
by zervan
Are you trying that from your local network? Then here is an explanation: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Re: port forward / nat

Posted: Tue Sep 20, 2011 4:30 pm
by bhamhotspots
Are you trying that from your local network? Then here is an explanation: http://wiki.mikrotik.com/wiki/Hairpin_NAT
No, I am attempting to connect from outside the network, using a public IP address.

Re: port forward / nat

Posted: Tue Sep 20, 2011 4:42 pm
by fewi
Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

Re: port forward / nat

Posted: Tue Sep 20, 2011 4:53 pm
by zervan
No, I am attempting to connect from outside the network, using a public IP address.
You still haven't sent anything fewi has asked you for.

You are using dst-nat - it means the server is "seeing" the real IP address of the client and must respond to it. Make sure the server has an IP route to the client and that you don't have a firewall blocking foreign clients.

Otherwise you may use src-nat - the server will "see" only the local router asking for its services. I don't recommend that, but sometimes it is necessary - for example, I have some WiFi routers in AP mode that don't support "default gateway" nor "static route", and they are located in another network, so the only way to access them is to use src-nat.

Re: port forward / nat

Posted: Wed Sep 21, 2011 6:57 pm
by bhamhotspots
Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
Here is the response you have asked for:
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; hotspot network
     address=10.1.0.1/22 network=10.1.0.0 interface=HotSpots 
     actual-interface=HotSpots 

 1   address=x.x.x.x/30 network=x.x.x.x interface=ether6 
     actual-interface=ether6 
[gk2inc@14th] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=x.x.x.x 
        gateway-status=x.x.x.x reachable ether6 distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=10.1.0.0/22 pref-src=10.1.0.1 gateway=HotSpots 
        gateway-status=HotSpots reachable distance=0 scope=10 

 2 ADC  dst-address=x.x.x.x/30 pref-src=x.x.x.x gateway=ether6 
        gateway-status=ether6 reachable distance=0 scope=10 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether2" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522 

 1     name="ether5" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522 

 2  R  name="HotSpots" type="bridge" mtu=1500 l2mtu=1522 

 3  R  name="ether6" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526 
# jan/03/1970 09:37:47 by RouterOS 5.7
# software id = N5SQ-DB04
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=drop chain=input disabled=no src-address=75.75.254.0/24
add action=drop chain=input disabled=no src-address=211.253.242.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.1.0.0/22
add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Re: port forward / nat

Posted: Wed Sep 21, 2011 7:18 pm
by fewi
add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
That's wrong. The source port isn't 8100, it's some ephemeral port. The destination port is 8100. Change it to:
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=8100 \
    to-addresses=10.1.0.2 to-ports=80

Re: port forward / nat

Posted: Wed Sep 21, 2011 8:01 pm
by bhamhotspots
Worked like a charm. Thank you FEWI and the others that have replied.

Re: port forward / nat

Posted: Wed Sep 28, 2011 9:30 pm
by DrHerTz
add action=dst-nat chain=dstnat disabled=no protocol=tcp src-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
That's wrong. The source port isn't 8100, it's some ephemeral port. The destination port is 8100. Change it to:
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=8100 \
    to-addresses=10.1.0.2 to-ports=80
fewi ...
From your NAT configuration, is it possible to redirect the Radmin (Remote Administrator) port? The default port for Radmin is 4899. I have already changed it to 6886.

Here is my config for NAT.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=4899,6886 \
    to-addresses=192.168.0.253 to-ports=6886
But when I try from outside the office, I still can't remote using Radmin :(

Or maybe I need another config in Filter Rules, Mangle, or Route?

Re: port forward / nat

Posted: Wed Sep 28, 2011 10:15 pm
by fewi
On what port is Radmin on 192.168.0.253 listening?

Re: port forward / nat

Posted: Fri Sep 30, 2011 5:52 am
by DrHerTz
On what port is Radmin on 192.168.0.253 listening?
On 6886.

The default port from the software is 4899, but I already changed Radmin's default port (4899) to 6886.
Let me say that IP 192.168.0.253 is the billing CPU system. So, after I remote into that IP, I can easily remote to another client using IP 192.168.0.253.

(Remote to IP 192.168.0.253, and from there use Radmin again to control the client. So I suppose I should be able to remote to IP 192.168.0.253:6886.)

Thanks for the reply, fewi :)

port forward / nat

Posted: Fri Sep 30, 2011 6:07 am
by fewi
I'm confused now.

So here is an example. I hope it helps.

There's a router with IP address 1.1.1.1. When you connect to it on port tcp/10000 it forwards the connection to port 20000 on a host with IP 2.2.2.2.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=10000 action=dst-nat to-addresses=2.2.2.2 to-port=20000

Re: port forward / nat

Posted: Sat Oct 01, 2011 7:25 pm
by DrHerTz
I'm confused now.

So here is an example. I hope it helps.

There's a router with IP address 1.1.1.1. When you connect to it on port tcp/10000 it forwards the connection to port 20000 on a host with IP 2.2.2.2.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=10000 action=dst-nat to-addresses=2.2.2.2 to-port=20000

OK, Mr/Mrs fewi

I'll let you know after I try to remote to this computer :)

Here is my config like you said:
/ip firewall nat
add chain=dstnat dst-address=0.0.0.0/0 protocol=tcp dst-port=4899,1122 action=dst-nat to-addresses=192.168.0.253 to-port=6886
NB: I put 0.0.0.0/0 (random) ... because sometimes I can't remote to the public IP while it is still busy, so I remote to another public IP :)

Thanks fewi

Re: port forward / nat

Posted: Sat Oct 08, 2011 10:15 am
by DrHerTz
Mr/Ms fewi

The rule you gave me for NAT is working,

but the problem is, it works fine if I disable all "Firewall Filter" rules :(

What's wrong with my "Firewall Filter"?

Or should I add a new filter?

Here is my code:
# oct/08/2011 14:10:01 by RouterOS 5.6
# software id = 4ZK3-D2MU
#
/ip firewall filter
add action=accept chain=chk-conn disabled=no src-address-type=local
add action=drop chain=chk-conn connection-state=invalid disabled=no
add action=drop chain=chk-conn disabled=no src-address-type=\
    broadcast,multicast
add action=drop chain=chk-conn disabled=no dst-address-type=\
    broadcast,multicast
add action=jump chain=chk-conn disabled=no jump-target=virus
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus disabled=no protocol=tcp src-port=445
add action=drop chain=virus disabled=no protocol=tcp src-port=135-139
add action=drop chain=virus disabled=no protocol=udp src-port=135-139
add action=jump chain=input comment="Check Conn" disabled=no jump-target=\
    chk-conn
add action=accept chain=input comment="Accept WinBox" disabled=no dst-port=\
    8291,8866 protocol=tcp
add action=accept chain=input comment="Accept icmp" disabled=no protocol=icmp
add action=accept chain=input comment="Accept client" disabled=no \
    in-interface=ether1-lan src-address=192.168.168.0/24 src-address-list=\
    client
add action=accept chain=input comment="Acceot est rel Speedy" \
    connection-state=established disabled=no in-interface=ether2-speedy
add action=accept chain=input connection-state=related disabled=no \
    in-interface=ether2-speedy
add action=accept chain=input comment="Acceot est rel Speedy" \
    connection-state=established disabled=no in-interface=pppoe-Speedy
add action=accept chain=input connection-state=related disabled=no \
    in-interface=pppoe-Speedy
add action=accept chain=input comment="Accept Local Conns" disabled=no \
    dst-address-type=local in-interface=ether2-speedy
add action=accept chain=input comment="Accept Local Conns" disabled=no \
    dst-address-type=local in-interface=pppoe-Speedy
add action=log chain=input comment="Default Drop" disabled=no log-prefix=\
    "[--IN--]"
add action=drop chain=input disabled=no
add action=jump chain=forward comment="Check Conn" disabled=no jump-target=\
    chk-conn
add action=drop chain=forward comment="Drop p2p" disabled=no p2p=all-p2p
add action=accept chain=forward comment="Forward client" disabled=no \
    in-interface=ether1-lan src-address=192.168.168.0/24 src-address-list=\
    client
add action=accept chain=forward comment="Forward est rel Speedy" \
    connection-state=established disabled=no in-interface=ether2-speedy
add action=accept chain=forward connection-state=related disabled=no \
    in-interface=ether2-speedy
add action=accept chain=forward comment="Forward est rel Speedy" \
    connection-state=established disabled=no in-interface=pppoe-Speedy
add action=accept chain=forward connection-state=related disabled=no \
    in-interface=pppoe-Speedy
add action=log chain=forward comment="Default Drop" disabled=no log-prefix=\
    "[--FW--]"
add action=drop chain=forward disabled=no
add action=log chain=chk-conn comment="Logging system" disabled=yes \
    log-prefix="[--IN--]"
add action=log chain=forward disabled=yes log-prefix="[--IN--]"
add action=log chain=output disabled=yes log-prefix="[--IN--]"
PLEASE help me, fewi
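An added example, not code from the thread or from RouterOS: a small Python model of top-down rule matching that reproduces two points above, fewi's src-port vs dst-port correction (an inbound SYN carries an ephemeral source port, so `src-port=8100` never matches) and why DrHerTz's forward chain drops a freshly dst-nat'ed connection (its only accepts for WAN traffic are established/related, so a new connection falls through to "Default Drop"). Addresses, the trimmed forward chain and the narrow `ALLOW_RADMIN` rule are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str
    state: str = "new"   # conntrack connection-state: new / established / related

def first_match(chain, pkt):
    """RouterOS walks a chain top-down; the first rule whose matchers all agree decides."""
    for rule in chain:
        if all(getattr(pkt, key) == val for key, val in rule["match"].items()):
            return rule
    return None

def dstnat(chain, pkt):
    """Apply the first matching dst-nat rule (prerouting): rewrite dst address/port."""
    rule = first_match(chain, pkt)
    if rule and rule["action"] == "dst-nat":
        return replace(pkt, dst=rule["to_addr"], dport=rule["to_port"])
    return pkt

def forward_verdict(chain, pkt):
    """Verdict of the forward chain on the already-translated packet (default accept)."""
    rule = first_match(chain, pkt)
    return rule["action"] if rule else "accept"

# The thread's first rule vs fewi's correction; constructed inbound SYN to port 8100.
BROKEN = [{"match": {"proto": "tcp", "sport": 8100}, "action": "dst-nat", "to_addr": "10.1.0.2", "to_port": 80}]
FIXED = [{"match": {"proto": "tcp", "dport": 8100}, "action": "dst-nat", "to_addr": "10.1.0.2", "to_port": 80}]
SYN = Packet("tcp", "203.0.113.7", 51234, "198.51.100.1", 8100, "ether6")

# Trimmed copy of DrHerTz's forward chain: LAN clients, then WAN established/related, then drop.
FORWARD = [
    {"match": {"in_if": "ether1-lan"}, "action": "accept"},
    {"match": {"in_if": "pppoe-Speedy", "state": "established"}, "action": "accept"},
    {"match": {"in_if": "pppoe-Speedy", "state": "related"}, "action": "accept"},
    {"match": {}, "action": "drop"},   # "Default Drop"
]
# Assumed fix: accept only the one forwarded service, inserted before the default drop.
ALLOW_RADMIN = {"match": {"in_if": "pppoe-Speedy", "proto": "tcp", "dst": "192.168.0.253", "dport": 6886}, "action": "accept"}
RADMIN_NAT = [{"match": {"proto": "tcp", "dport": 6886}, "action": "dst-nat", "to_addr": "192.168.0.253", "to_port": 6886}]
RADMIN_SYN = Packet("tcp", "203.0.113.7", 40000, "198.51.100.1", 6886, "pppoe-Speedy")

def radmin_verdict(with_accept):
    """Forward-chain verdict for a new dst-nat'ed Radmin connection from the WAN."""
    chain = FORWARD[:-1] + [ALLOW_RADMIN] + FORWARD[-1:] if with_accept else FORWARD
    return forward_verdict(chain, dstnat(RADMIN_NAT, RADMIN_SYN))
```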