MikroTik

Hi all - fairly new to Mirotik so would appreciate your assistance.

I have a Mikrotik router v6.27 running in VM with a public IP on the WAN interface. LAN IP of the fw is 10.254.5.254/24

Inside the LAN I have a windows 2012 server at 10.254.5.1/24

I am trying to configure the firewall to forward RDP traffic to 10.254.5.1 but I have not been able to get it to work.

I can ping both sides of the vlan and the windows server is configured for remote access and has its firewall disabled. I can RDP to the same server from inside the LAN so I am confident that there are no issues with the windows machine.

Here is my current NAT config:

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT rule to allow LAN access to Internet
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 ;;; Inbound Port Forward to 10.254.5.1:3389
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=3389 protocol=tcp dst-address=xxx.xxx.xxx.xxx in-interface=ether1 dst-port=3389 log=no log-prefix=""

note: xxx.xxx.xxx.xxx is my public IP.

I have copied this from another working firewall.

When I try to RDP to the public IP the rdp client fails to initiate a connection. A port scan shows that port 3389 is open but I can't see in Winbox that there are any packets being processed by this rule.

I am wondering if I may have missed another setting in WinBox somewhere.

I would really appreciate any suggestions on how to resolve this or at least troubleshoot to the point I can find out where the problem is.

Cheers

NAT is OK. Post

/ip firewall filter print chain=input
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept log=no log-prefix=""

Hi, it look like the same issue that i have, and still struggling with if you have find a way to make this work please let me know

Thanks

Do you have the same rule in forward chain?

To be honest I don't know enough about Mikrotik to give you an answer to that question!

Can you tell me where i should check in Winbox or what code I need to use in the terminal?

Appreciate your support n this!

Cheers

Do you get no connection occurring at all or a black screen? I had to clear the df bit in a mangle rule to get RDP working across a remote VPN subnet. If I didn't I could ping and portscan but connecting just gave me a black screen. Sounds like you're not quite getting that far though?

@normalcy - no not even getting a connection in the first place.

copy and paste the NAT and Filter, it will help us a lot.
and

here you go...

/ip firewall filter export
# jul/24/2015 06:45:54 by RouterOS 6.22
# software id = 19IQ-KBRL
#
/ip firewall filter
add chain=input



/ip firewall nat export
# jul/24/2015 06:47:02 by RouterOS 6.22
# software id = 19IQ-KBRL
#
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT rule to allow LAN access to Internet" out-interface=ether1
add action=dst-nat chain=dstnat comment="Inbound Port Forward to 10.254.5.1:3389" dst-address=103.225.70.2 dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=10.254.5.1 to-ports=3389

I think your setup, while very insecure, is working. But you just don't have access from the LAN.

Try this:
I think that will get you what you are looking for.

@IntrusDave

that looks to be exactly the fix I needed. I can now access the internal host via RDP - many thanks!

I take note of your comment that the current config is very insecure. Since I am only just starting with Mikrotik I am more than happy to hear any recommendations you might like to provide. Or if you can point me in the right direction of anything documenting best practice I'd really appreciate it. I will need to roll out more of these in the near future and want to build a standard config I can basically copy & paste.

Thanks for your help to resolve my initial problem -

Cheers

First place to learn about RouterOS is Mikrotik Wiki, there are many examples. About firewall here

Head over to this topic. This is my Blacklist and firewall rules. I think just the last two rules in the filter will need to be changed for you, my internet interfaces are called "WAN1" and "WAN2". Yours is "ether1". if you adjust them for your situation, it will provide you with a pretty secure unit.

http://forum.mikrotik.com/viewtopic.php?f=9&t=98804

But also, read up on the Wiki, so you can understand what the script and rules are doing.

@karlisi, @InrtusDave

Thanks for your great support and pointers! Looks like I have more studying to do.

Cheers

Hey all - just further to my original question if I may...

I have RDP working fine however I have noticed that I am not able to RDP to the host via the public IP when I am on the same public IP. To be honest I don't have a reason to actually access the server via the public IP when I am inside my network however I figure there is something here that I can learn more about.

My question then is: what do I need to do to allow the fw to process incoming requests from the same IP?

Hoping someone can educate me on this!

Cheers

It sounds like you want to read about hairpin NAT.

@sob - yes I think you are right. thanks for pointing me in the right direction.

Cheers

Thanx also! I was also thinking what haipin nat is about and tonight i just figure out!!!

I am still struggling getting my NAT working. I understand hairpin NAT better now but not able to get it working with my network configuration as per the diagram below
I am trying to get access to the device at 10.254.5.1 from the 10.1.10.0/24 subnet.

My current config is:

0 ;;; NAT rule to allow LAN access to Internet
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

1 ;;; RDP to dc1
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=3389 protocol=tcp dst-address=1.1.1.1 dst-address-type=local in-interface=WAN dst-port=3389 connection-type="" log=no log-prefix=""

2 ;;; LDAP [389] to dc1
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=389 protocol=tcp dst-address=1.1.1.1 in-interface=WAN dst-port=389 log=no log-prefix=""

3 ;;; TFTP to dc1
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=69 protocol=udp dst-address=1.1.1.1 in-interface=WAN dst-port=69 log=no log-prefix=""

4 ;;; NAT Internal Traffic
chain=srcnat action=masquerade protocol=tcp src-address=10.254.254.0/29 dst-address=10.254.5.1 out-interface=HIP-DC dst-port=3389 log=no log-prefix=""



Rules 0 - 3 work fine but I don't have rule 4 correct (obviously!).

Appreciate any suggestions where I have gone wrong with this.

Cheers

try moving it to the top. It needs to come before the default "outbound nat" rule.

@intrusdave - thanks but still no luck.

here is what I now have:

0 ;;; NAT Internal Traffic
chain=srcnat action=masquerade protocol=tcp src-address=10.254.254.0/29 dst-address=10.254.5.1 out-interface=HIP-DC dst-port=3389 log=no log-prefix=""

1 ;;; NAT rule to allow LAN access to Internet
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

2 ;;; RDP to dc1
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=3389 protocol=tcp dst-address=1.1.1.1 dst-address-type=local in-interface=WAN dst-port=3389 connection-type="" log=no log-prefix=""

3 ;;; LDAP [389] to dc1
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=389 protocol=tcp dst-address=1.1.1.1 in-interface=WAN dst-port=389 log=no log-prefix=""

I see problem with your dstnat rules. They have in-interface=WAN, but connection from 10.1.10.0/24 won't be coming from WAN.

Thanks Sob. I don't have the WAN interface as in-interface in my rule for internal NAT. in-interface=WAN is only in place for rules that are working OK.

I got the following code from the wiki (http://wiki.mikrotik.com/wiki/Hairpin_NAT) and am using it as an example.


/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

In my config the source address is 10.254.254.0/29 (coming from 10.1.10.0/24) and destination is 10.254.5.1 on port 3889. Out interface is hip-mpn.

Based on the network diagram above that should mean my rule is:

add chain=srcnat src-address=10.254.254.0/29 \
dst-address=10.254.5.1 protocol=tcp dst-port=3389 \
out-interface=hip-mpn action=masquerade

Is that correct?

Problem is that when I enter this into my config I still can't get a response from my rdp host. So either I am not correct or I am missing something else.

Appreciate any thoughts/suggestions.

Cheers
Mal

Your srcnat rule will do any good only if dstnat rule works. If you are connecting to 1.1.1.1:3389, you need it forwarded to 10.254.5.1:3389. That would be rule #2 in your previous post, except it isn't, because it's only for packets coming from WAN. But if you're connecting from 10.1.10.0/24, packets are coming from hip-mpn interface. So your connection attempt does not get forwarded at all. That's what I'm trying to tell you.

If you remove in-interface from rule #2, it will work for both connections from outside and inside.

In fact, you should not need hairpin NAT at all in this case, because 10.254.5.1 and 10.1.10.0/24 are not in same subnet.

Thanks SOB - you are 100% correct. I couldn't see the wood for the trees. I also didn't realise that by not defining the incoming interface it means that it processes traffic on all interfaces. That was the crucial piece of information that you provided. Removing in-interface=WAN immediately solved my problem.

I really appreciate your input and assistance.

Cheers