redcool
just joined
Topic Author
Posts: 4
Joined: Mon Jan 07, 2013 7:27 pm

Port forwarding not working, please help

Mon Jan 07, 2013 7:43 pm

Hi, I am new to MikroTik RouterOS and I am still learning. I encountered a problem with port forwarding. I spent hours on Google trying to figure out my problem but had no luck, so I am posting my issue here and hope to get some help. Thanks in advance.

Hardware: MikroTik RouterBoard 750GL
OS version: "5.2"

I followed the "port mapping" instructions on the following page:
http://wiki.mikrotik.com/wiki/Manual:IP ... rt_mapping

The command I use is:
/ip firewall nat add chain=dstnat dst-address=xx.xxx.xxx.xxx protocol=tcp dst-port=3000 action=dst-nat to-addresses=192.168.88.237 to-ports=3000
xx.xxx.xxx.xxx is the IP address from my ISP.

Before I add the rule, telnet command returns:
# telnet xx.xxx.xxx.xxx 3000
Trying xx.xxx.xxx.xxx...
telnet: connect to address xx.xxx.xxx.xxx: Connection refused
After I add the NAT rule, I got:
# telnet xx.xxx.xxx.xxx 3000
Trying xx.xxx.xxx.xxx...
telnet: connect to address xx.xxx.xxx.xxx: Connection timed out
ssh to xx.xxx.xxx.xxx port 3000 got timeout too:
$ ssh -v user@xx.xxx.xxx.xxx -p 3000
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to xx.xxx.xxx.xxx [xx.xxx.xxx.xxx] port 3000.
debug1: connect to address xx.xxx.xxx.xxx port 3000: Connection timed out
I can ssh to server 192.168.88.237 from LAN, and the "iptables" on server 192.168.88.237 is disabled. ssh service is running on port 3000.

Please help.
 
mixig
Member
Posts: 316
Joined: Thu Oct 27, 2011 2:19 pm

Re: Port forwarding not working, please help

Tue Jan 08, 2013 2:16 pm

Is the counter on your firewall rule for dst-nat growing?
 
redcool
just joined
Topic Author
Posts: 4
Joined: Mon Jan 07, 2013 7:27 pm

Re: Port forwarding not working, please help

Tue Jan 08, 2013 4:22 pm

Thanks Mixig, for your reply. I think I cleaned all the rules and re-added the following two: I assume 0, 1, 2 is the counter you mean?
/interface> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=accept protocol=tcp dst-port=8291 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.237 to-ports=3000 protocol=tcp dst-port=3000 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=!192.168.88.0/24 out-interface=pppoe-out1
 
mixig
Member
Posts: 316
Joined: Thu Oct 27, 2011 2:19 pm

Re: Port forwarding not working, please help

Tue Jan 08, 2013 5:01 pm

Counters on that dst-rule in the firewall/NAT rule (look at the attachment, on the right side): clear the counters, then try telnet from outside and see if your traffic hits that rule; if it does, that traffic is forwarded to your local IP. Is the default gateway on that local computer the MikroTik?
 
redcool
just joined
Topic Author
Posts: 4
Joined: Mon Jan 07, 2013 7:27 pm

Re: Port forwarding not working, please help

Tue Jan 08, 2013 7:21 pm

I reset the counter for that rule in winbox, then tried to telnet to the port again:
$ telnet xx.xxx.xxx.xxx 3000
Trying xx.xxx.xxx.xxx...
telnet: connect to address xx.xxx.xxx.xxx: Connection timed out
I can see the counter increased, so the traffic is forwarded to my local ip.

In my local server, I set the router IP (192.168.88.1) to be the default GW:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.38.12.0      10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
192.168.88.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.88.1    0.0.0.0         UG    0      0        0 eth0

$ ifconfig 
eth0      Link encap:Ethernet  HWaddr 1C:6F:65:4F:54:6B  
          inet addr:192.168.88.237  Bcast:192.168.88.255  Mask:255.255.255.0
Still get the timeout.
 
mixig
Member
Posts: 316
Joined: Thu Oct 27, 2011 2:19 pm

Re: Port forwarding not working, please help

Tue Jan 08, 2013 9:57 pm

Does your PC 192.168.88.237 have access to the Internet? Can you for this rule:

chain=dstnat action=dst-nat to-addresses=192.168.88.237 to-ports=3000 protocol=tcp dst-port=3000

add "in-interface=pppoe-out1" and try again.
 
redcool
just joined
Topic Author
Posts: 4
Joined: Mon Jan 07, 2013 7:27 pm

Re: Port forwarding not working, please help

Wed Jan 09, 2013 12:24 am

Thanks mixig, just verified, my PC has internet access:
$ ifconfig | grep 192; ping www.google.ca
          inet addr:192.168.88.237  Bcast:192.168.88.255  Mask:255.255.255.0
PING www.google.ca (74.125.226.95) 56(84) bytes of data.
64 bytes from yyz06s07-in-f31.1e100.net (74.125.226.95): icmp_seq=1 ttl=58 time=12.5 m
Also I updated the rule according to your post, the new rule is:
chain=dstnat action=dst-nat to-addresses=192.168.88.237 to-ports=3002 protocol=tcp in-interface=pppoe-out1 dst-port=3002
I updated the ssh port on my local PC from 3000 to 3002 because 3000 is used by another service. But still no luck.
[root@localhost ~]# service iptables status
iptables: Firewall is not running.
[root@localhost ~]# netstat -atnp | grep 3002
tcp        0      0 0.0.0.0:3002                0.0.0.0:*                   LISTEN      3871/sshd           
tcp        0      0 :::3002                     :::*                        LISTEN      3871/sshd

Now I am getting telnet: connect to address xx.xxx.xxx.xxx : Connection refused

Our interface list looks like the following:
Mikrotik-troubleshoot.jpeg
eth1-mdm1 and eth2-mdm2 are two DSL lines from our ISP; they are plugged into MikroTik RouterBoard port 1 and port 2. eth5-gw is port 5 and is connected to our D-Link switch. pppoe-out1 includes both the eth1-mdm1 and eth2-mdm2 interfaces.

I also tried changing in-interface to eth5-gw, still get the "Timeout".

I really appreciate the time you spent on this and your help.
 
AsciiWolf
just joined
Posts: 7
Joined: Thu Jun 28, 2012 11:42 am
Location: Czech Republic

Re: Port forwarding not working, please help

Wed Jan 09, 2013 2:09 am

Try adding "src-address=0.0.0.0/0" to the rule...
edit: Also try changing the "action=dst-nat" to "action=netmap".
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Port forwarding not working, please help

Wed Jan 09, 2013 3:47 am

> Try adding "src-address=0.0.0.0/0" to the rule...
> edit: Also try changing the "action=dst-nat" to "action=netmap".

No, this is wrong.


Are you trying the public IP from the same LAN the server is on or from outside the network? This will cause problems with the connection without hairpin NAT set up when trying from the same LAN, resulting in the server refusing the connection.

http://wiki.mikrotik.com/wiki/Hairpin_NAT
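
The hairpin NAT problem raised in the last reply, traced packet by packet as an added example (not part of the thread or of MikroTik's documentation). The client addresses and the public IP are constructed placeholders, and the hairpin rule is modelled as a srcnat masquerade for LAN traffic heading to the forwarded server:

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: PUBLIC stands in for the redacted xx.xxx.xxx.xxx.
LAN = ip_network("192.168.88.0/24")
ROUTER_LAN = "192.168.88.1"
SERVER = "192.168.88.237"
PUBLIC = "203.0.113.10"
LAN_CLIENT = "192.168.88.50"   # hypothetical PC on the same LAN as the server
WAN_CLIENT = "198.51.100.7"    # hypothetical host outside the network


def on_lan(addr):
    return ip_address(addr) in LAN


def connect(client, hairpin):
    """Trace one SYN / SYN-ACK exchange through the router.

    Returns (source address the client sees on the reply, accepted?).
    """
    # 1. Client dials the public address; dstnat rewrites the destination
    #    and connection tracking remembers the original tuple.
    src, dst = client, PUBLIC
    conntrack = {"orig_src": src, "orig_dst": dst}
    dst = SERVER
    # 2. Hairpin rule (modelled): masquerade LAN-sourced traffic going to
    #    the server, so the server sees the router as the peer.
    if hairpin and on_lan(src):
        src = ROUTER_LAN
    # 3. The server answers whatever source address it saw.
    reply_src, reply_dst = SERVER, src
    # 4. A reply to a LAN peer other than the router crosses the switch
    #    directly and never reaches conntrack, so it is not un-NATed.
    via_router = reply_dst == ROUTER_LAN or not on_lan(reply_dst)
    if via_router:
        reply_src, reply_dst = conntrack["orig_dst"], conntrack["orig_src"]
    # 5. The client only accepts a SYN-ACK from the address it dialled.
    return reply_src, reply_src == PUBLIC


def scenarios():
    return {
        "wan client, dst-nat only": connect(WAN_CLIENT, hairpin=False),
        "lan client, dst-nat only": connect(LAN_CLIENT, hairpin=False),
        "lan client, dst-nat + hairpin": connect(LAN_CLIENT, hairpin=True),
    }


if __name__ == "__main__":
    for name, (seen, ok) in scenarios().items():
        print(f"{name:32} reply from {seen:15} -> {'accepted' if ok else 'rejected'}")
```

In the middle scenario the dst-nat counter still increases, which matches what the topic author observed, yet the reply arrives from 192.168.88.237 instead of the public address and the client discards it.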
