mrirh
just joined
Topic Author
Posts: 24
Joined: Fri Jul 09, 2004 10:54 pm

port forwarding on v.2.9.8

Thu Dec 08, 2005 4:39 am

Hello,

The Mikrotik router is set up and works great. However, I am having a terrible time forwarding public addresses and ports to internal addresses and the corresponding ports.

My public NIC has multiple addresses. For example, I want to forward html traffic from public address 10.0.0.20, port 80 to internal address (our web server) 192.168.0.20 port 80, and FTP traffic from public address 10.0.0.5, ports 20 & 21 to internal address (our ftp server) 192.168.0.5 ports 20 & 21. I tried several filter combinations but traffic is not getting through. I must not be setting up the filters correctly.

What would be the proper way to accomplish this?

Many thanks in advance.

~James
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Thu Dec 08, 2005 10:14 am

You can find all necessary information here:
http://www.mikrotik.com/docs/ros/2.9/ip/nat
You can use examples from this chapter, only add appropriate ports to dst-nat rules.
 
mrirh
just joined
Topic Author
Posts: 24
Joined: Fri Jul 09, 2004 10:54 pm

Fri Dec 09, 2005 2:10 am

Thank you for your reply. Followed the instructions and there is no reply from the public side. For example, here are my rules:

 2   chain=dstnat dst-address=10.0.0.5 action=dst-nat to-addresses=192.168.0.5 to-ports=20-21

 3   chain=srcnat src-address=192.168.0.5 action=src-nat to-addresses=10.0.0.5 to-ports=20-21

However, when I ftp to 10.0.0.5, from outside public network, there is no response from ftp; packets aren't getting through to the local network.

What do I need to correct?

Thank you,

~James
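For the two forwards described in the opening post (web on 10.0.0.20, FTP on 10.0.0.5), here is an added example of RouterOS NAT rules; it is not James's or Tonda's configuration. It assumes the public addresses sit on an interface named ether1, the internal hosts use the MikroTik as their default gateway (the actual cause of the problem in this thread), and current RouterOS command syntax.

```routeros
# Added example (not from the original post). Each forward is limited to the
# protocol and ports the service needs, so nothing else on the LAN host is
# reachable from the public address. Assumed: public addresses on ether1.

/ip firewall nat
# Web server: only TCP port 80 on 10.0.0.20 is translated to 192.168.0.20:80
add chain=dstnat in-interface=ether1 dst-address=10.0.0.20 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.20 to-ports=80 comment="web dst-nat"

# FTP server: control channel (21) and active-mode data channel (20) on 10.0.0.5;
# with no to-ports given, the destination port is kept as received
add chain=dstnat in-interface=ether1 dst-address=10.0.0.5 protocol=tcp dst-port=20-21 \
    action=dst-nat to-addresses=192.168.0.5 comment="ftp dst-nat"

# Outbound traffic from each server leaves with its own public address, so the
# server is not seen under the router's primary address
add chain=srcnat out-interface=ether1 src-address=192.168.0.20 \
    action=src-nat to-addresses=10.0.0.20 comment="web src-nat"
add chain=srcnat out-interface=ether1 src-address=192.168.0.5 \
    action=src-nat to-addresses=10.0.0.5 comment="ftp src-nat"

# Checks: if the dst-nat rule counters grow but no connection shows up for the
# internal host, the reply path is the suspect: verify the server's default
# gateway points at the MikroTik's internal address, not at an old router.
/ip firewall nat print stats
/ip firewall connection print
```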
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Fri Dec 09, 2005 8:53 pm

What address do you use for ftp access from public internet?
 
mrirh
just joined
Topic Author
Posts: 24
Joined: Fri Jul 09, 2004 10:54 pm

Fri Dec 09, 2005 8:58 pm

Hello,

Thank you for pointing me in the right direction. The error was my mistake.

I left the gateway of the inside target machine pointing to the old router. Changed that and everything works perfectly.

Thank you again for sending me the link. The problem was solved.

Regards,

~James
 
subxtech
just joined
Posts: 5
Joined: Fri Dec 09, 2005 10:11 pm

Fri Dec 09, 2005 10:22 pm

I am confused... Plain and simple

I have given the router an external IP address XXX.XXX.XXX.254/24 on the first port, stated the gateway XXX.XXX.XXX.1 for the same port.

On the internal interface, I have given the IP of 10.8.0.254/16.
I have made all the internal elements point to 10.8.0.254 for their gateway.

I can ping yahoo.com and any machine on the internal network from within, but when I forward ports to an internal device, I see the traffic coming in on the external interface, but nothing on the internal firewall rules?

Should I be telling the router that 10.8.0.254 is the internal gateway for the network, and if so, how do I do that, as when I set this, it will not go active?

Thanks in advance.
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Sat Dec 10, 2005 12:30 pm

Post your actual configuration..
 
subxtech
just joined
Posts: 5
Joined: Fri Dec 09, 2005 10:11 pm

Sat Dec 10, 2005 4:46 pm

Mind you this is for UDP use only.

ip address
add address=209.120.218.254/24 network=209.120.218.0 broadcast=209.120.218.255 \
    interface=core2 comment="Core03" disabled=no
add address=10.64.0.254/16 network=10.64.0.0 broadcast=10.64.255.255 \
    interface=internal comment="Gateway" disabled=no
add address=10.64.0.35/16 network=10.64.0.0 broadcast=10.64.255.255 \
    interface=internal comment="DNS" disabled=no
add address=209.120.218.89/24 network=209.120.218.0 broadcast=209.120.218.255 \
    interface="Ext VPN" comment="Ext VPN" disabled=no
add address=192.168.1.1/30 network=192.168.1.0 broadcast=192.168.1.3 \
    interface="Int VPN" comment="Internal VPN" disabled=no

ip firewall nat
add chain=srcnat out-bridge-port="Ext VPN" action=masquerade comment="" \
    disabled=yes
add chain=dstnat dst-address=209.120.218.89 action=dst-nat \
    to-addresses=192.168.1.2 to-ports=0-65535 comment="" disabled=no
add chain=srcnat src-address=192.168.1.2 action=src-nat \
    to-addresses=209.120.218.89 to-ports=0-65535 comment="" disabled=no
 
subxtech
just joined
Posts: 5
Joined: Fri Dec 09, 2005 10:11 pm

Sat Dec 10, 2005 9:15 pm

Am I on the right track?
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Sun Dec 11, 2005 3:08 pm

Can you please also post your routes and explain a little bit the purpose of all these interfaces?
 
subxtech
just joined
Posts: 5
Joined: Fri Dec 09, 2005 10:11 pm

Sun Dec 11, 2005 4:35 pm

Sure,

I am trying to set up openvpn where it would reside behind a firewall. So I chose to buy/use the ISP version of Mikrotik.

I had openvpn running on our network with a real world IP address. Now I have it behind a server with 5 (five) 10/100 ether ports. I did this so I could have another port open just in case a config brought down the router/firewall.

We already have in place carrier class Cisco routers in front of the mikrotik.
I have taken two of the real world IP addresses and assigned them to the mikrotik. One on ether1 (External), the other ether3 (External VPN). On the inside network, I also have two of the 5 ethernet ports assigned. Ether2 (Internal) and Ether4 (Internal VPN).

===Carrier Router
209.120.218.0/24 - IP 209.120.218.1
~|~
Switch 10/100/1000
~|~
209.120.218.254 Ext.\ 209.120.218.79 Ext. VPN Gateway 209.120.218.1
===Mikrotik
10.8.0.254 Internal \ 10.8.0.1 Internal VPN
~|~
Switch 10/100
~|~
~| 10.8.0.70 eth0 10.8.0.2 Br0 10.8.0.3 eth1
~~ == VPN server
~|~
== Other internal Network Elements ==

And then you can see my config above... I am really stuck here, it is like I can't get the vpn to send or receive anything directly?
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Mon Dec 12, 2005 9:24 am

Can you also post your routes? It is necessary because you have two external interfaces.
 
subxtech
just joined
Posts: 5
Joined: Fri Dec 09, 2005 10:11 pm

Mon Dec 12, 2005 5:09 pm

 #     DST-ADDRESS        PREFSRC          G GATEWAY        DISTANCE INTERFACE
 0 X S 10.8.0.0/16                         u 0.0.0.0
 1 DC  10.8.0.0/16        10.8.0.35                                  internal
 2 ADC 10.8.0.0/16        10.8.0.1                                   Int VPN
 3 ADC 209.120.218.0/24   209.120.218.254                            core2
 4 DC  209.120.218.0/24   209.120.218.89                             Ext VPN
 5 A S ;;; added by setup
       0.0.0.0/0                           r 209.120.218.1           core2