atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Tue Feb 20, 2024 4:38 pm

Hello

Yet another forwarding problem ;-)

I have followed: https://help.mikrotik.com/docs/display/ ... forwarding
also tried using the: Quick Set > Port mapping

but they both have failed.

I have 2 Unifi APs connected to the router. The whole network is on 192.168.88.x
Let's say I want to redirect the 8000 port to 192.168.88.253

I have ISP router plugged in ETH1 as WAN and for now I have double NAT (working on that) with DMZ.
The other subnet is 192.168.100.1 (and Mikrotik has .100 static IP)
I think I either get the In. interface wrong or it is some default firewall rule that blocks my forwarding.

It is my first time with Mikrotik so any help would be great!
Thanks!

---

Strange sidenote.
I am running python webserver to test it:
python3 -m http.server
And at first it works with both: http://192.168.88.253:8000/ or http://localhost:8000/
But when I try to connect later with http://192.168.88.1:8000/ or http://192.168.100.100:8000/ or http://my-public-ip:8000/
the localhost and local IP stop working as well. It all hangs on my Mac and I need to restart the Python webserver.
Even wget/curl hangs. Strange?

# 2024-02-20 16:30:40 by RouterOS 7.12.1
# software id = ABCD-8UDB
#
# model = L009UiGS
# serial number = ABCD
/interface bridge
add admin-mac=78:9A:18:62:43:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:5b:ad:1:a6:28 mac-address=\
    10:5B:AD:01:A6:28 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http8000 dst-address=0.0.0.0 \
    dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
    192.168.88.253 to-ports=8000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by atais on Fri Feb 23, 2024 11:57 am, edited 1 time in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 6:08 pm

So you are attempting to get fancy by reaching an internal server using the public IP address, as if you were coming in from externally.
Boggles my mind, why not just use the LAN IP address LOL.

In any case you are running into hairpin NAT.

1. Solved partially by adding this source NAT rule, put at the top of the order
add action=srcnat chain=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
EDIT: Above is wrong, should be
add chain=srcnat action=masquerade

2. Modify your forward chain rules to be more inclusive of the direction of port forwarding, so remove the old default rule and replace it with three better rules that are clearer and block more traffic (better security). As stated, you have connections from both internal and external to the WAN port, thus we accept all dstnat traffic, and this is good.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


3. Your port forwarding rule is incorrect.
Typically, for port forwarding with a dynamic IP, the standard port forwarding rule looks like this:
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=8000 protocol=tcp to-addresses=192.168.88.253

Note: To-ports is only really required for port translation and thus is assumed to be same as dst-port otherwise.

However, due to hairpin nat, this rule will not work (since the actual connection is not just from external to the WAN). The easiest fix is to use your IP CLOUD DNS mynetname address.
First put it in as a firewall address list item (will be resolved automatically).

/ip firewall address-list
add address=22d877dd.sn.mynetname.net list=MyRouter

Then modify port forwarding rule:
add action=dst-nat chain=dstnat dst-address-list=MyRouter dst-port=8000 protocol=tcp to-addresses=192.168.88.253
Last edited by Mesquite on Tue Feb 20, 2024 6:37 pm, edited 2 times in total.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 6:25 pm

Boggles my mind, why not just use the LANIP address LOL.
So, well, that was my usual way of testing that it works... And later I'd test it works outside of my network.
So I scratched my head, took my phone, disconnected from WiFi and... to my surprise - the forwarding from outside works!

And the issue is, as you stated, to reach the internal server by the public IP. I guess my previous routers must have done it for me.

---

Still... if possible, I'd like to get it fixed, because I tend to reach my services via the domain, hooked to the external IP, that is later redirected by the internal NGiNX server to the correct internal address. I am not sure how to simplify that, that's the way I know how to do it ;-)

Starting with:
1.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
Works fine

2.
a) I have disabled manually the filter "defconf: drop all from WAN not DSTNATed"
I don't know what command I can use to disable the rule :)

b)
/ip/firewall/filter/
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
worked and it seems all is still OK, thanks

3. Where did you take
22d877dd.sn.mynetname.net
from?

I actually have a dynamic public IP, btw.
Last edited by atais on Tue Feb 20, 2024 6:41 pm, edited 3 times in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 6:34 pm

So, well, that was my usual way of testing that it works... And later I'd test it works outside of my network.
Quite correct, most have that built in, whereas MT RoS is very configurable if one knows networking. Even when I used consumer/PRO Zyxel models,
they had a simple checkbox for this; I think it was called loopback.

SHOULD BE:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 6:52 pm

With steps 1 & 2 + changed the NAT rule In. Interface List to: "all"

It works.
I have no idea what I have done, but slowly learning "on the job" :D

The config I am using now is based on the commands on top, and it sum up to:
Screenshot 2024-02-20 at 17.51.19.png
Screenshot 2024-02-20 at 17.51.25.png
Thanks a lot for all the help!
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 7:07 pm

GO to my IP tab upper left on winbox, select IP and near the top select CLOUD.
Enable DDNS, hit apply. Soon a DNS name should show up near the bottom.

This is the tried and true method of setting this up. I cannot recommend in-interface-list=all as a solution, mainly because I don't know if there are any security implications.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 7:24 pm

I see...

Well, I am not sure what is worse, using DDNS for a firewall loopback or ALL in the interface list :D

But,
1. I have enabled the cloud service
2.
/ip/firewall/address-list/
add address=myaddress.sn.mynetname.net list=MyRouter
3. Modified the NAT rule to:
Screenshot 2024-02-20 at 18.23.49.png
and it does not work at all :(
neither outside (like it used to) nor inside (fake loopback)

4. Changing back to "ALL" - everything works fine
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 8:30 pm

That's weird, okay, I must have overlooked something.
Post the complete config for me to review... NM, found the issue.
Okay, so the public IP is that of the upstream router and not your own WAN IP 192.168.100.100.

That makes a huge difference, my apologies. Forget the MYNETNAME, you can disable/remove it.
Instead,
Change the dstnat rule to:

add action=dst-nat chain=dstnat dst-address=192.168.100.100/32 dst-port=8000 protocol=tcp to-addresses=192.168.88.253
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 8:44 pm

With that setting:

- http://192.168.88.1:8000/ - does not work
- http://192.168.100.100:8000/ - works (expected ;-))
- http://my-public-ip:8000/ - works only outside of home network

:shock:

I kind of feel that "ALL" will stick with me for a while :-)
# 2024-02-20 20:43:15 by RouterOS 7.12.1
# software id = xxx
#
# model = L009UiGS
# serial number = xxx
/interface bridge
add admin-mac=78:9A:18:62:43:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:5b:ad:1:a6:28 mac-address=\
    10:5B:AD:01:A6:28 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=hf309b9swdy.sn.mynetname.net list=MyRouter
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=\
    dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http dst-address=192.168.100.100 \
    dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
    192.168.88.253 to-ports=8000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 9:00 pm

It does not work because 192.168.88.1 is nonsensical. Nobody uses the interface address of the subnet to reach a server.

Either you are connecting to the ROUTER WAN IP, like you were coming in externally, and get port forwarded to the router:
dst-address=actual WANIP for static,
in-interface=WAN for dynamic (dst-address-list=some dyndns URL for hairpin).

OR
you connect directly to the LANIP of the server from internally.

There is no such thing as, and it is not even a good idea, connecting using the interface address of the subnet.
It's a hack, and not correct.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 9:46 pm

Well, 192.168.88.1:8000 i could live without.
I just compared it, as with "ALL" it works even with that.

But unfortunately, specifying 192.168.100.100 it does not work with the external IP (if I am inside the network), so the loopback does not work :(.
Wonder if there is a way to fix it?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 11:04 pm

Post your complete config please, it should work well?
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Tue Feb 20, 2024 11:46 pm

 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 12:41 am

Because your Port Forwarding rule is incorrect. You still have the in-interface part in there; it should be removed.

From:
add action=dst-nat chain=dstnat comment=http dst-address=192.168.100.100 \
dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
192.168.88.253



What do you mean by specifying the external IP?
Do you mean LAN users put 192.168.100.100:8000 and it doesn't work?

Can you confirm external users can put the DYNDNS name of your public IP and it works.
URL:8000 ??
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 12:55 pm

Hi.

Sorry, my bad.
I actually noticed that issue as well, but I must have exported the config before removing "in-interface-list=all"

Anyways, answering your question
What do you mean by specifying the external IP?
Do you mean LAN users put 192.168.100.100:8000 and it doesn't work?
Can you confirm external users can put the DYNDNS name of your public IP and it works.
URL:8000 ??
I think there is extra confusion because of my double-NAT situation, the problem is that so far "in-interface-list=all" is working exactly like I'd like it to...
Maybe I should contact Mikrotik if they see any issue with that setup? Not sure how to approach it.

I will sum up the whole thing with a table, which will I think explain best my requirements and the situation:
Screenshot 2024-02-21 at 11.54.57.png
green - works
red - does not work
 
DeadStik
just joined
Posts: 18
Joined: Thu Jan 04, 2024 4:35 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 4:57 pm

Your last firewall filter is dropping all forwards including LAN to LAN. The previous rule is allowing LAN out WAN so your internet still works, but the loopback is LAN to LAN.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 5:07 pm

Ok, I understand... But I guess I lack knowledge how to fix that.

All the beginner sources:
- viewtopic.php?t=129322
- https://www.youtube.com/watch?v=_kw_bQyX-3U

Seem to propose what @Mesquite mentioned, but that's not really what works best in my case.
 
DeadStik
just joined
Posts: 18
Joined: Thu Jan 04, 2024 4:35 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 5:22 pm

You can remove the last 2 rules as the default drop/dst-nat rule performs most of the same purpose.

Or narrow the scope of that last drop rule by adding src-address=192.168.88.0/24
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 5:39 pm

I have changed the NAT rule to, like in the tutorials, Dst. Address to 192.168.100.100, removed ALL from In Interface List

And I have applied both your suggestions (separately)

1) Added src-address=192.168.88.0/24 to the last filter rule

Still the external-ip:8000, requested from the internal network does not provide any response

2) Disabled the two last rules

No difference. Basically for both cases the above table with colors still apply.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Wed Feb 21, 2024 11:10 pm

Good day atais.

After some sobering thought and discussion with someone who knows better...

There are TWO methods that users should use to reach the server.

A. Directly is the most foolproof for internal users 192.168.88.253:8000
B. Through the DYNDNS URL you are using, be it from a free or paid provider on the web, or by using your free IP CLOUD DNS name.
- this is valid for external users
- this is valid for internal lan users if they are instructed to use the dyndnsname:8000

C. Yes if the External IP is static, on the upstream router, and does not change then you can instead use the staticWAN-IP:8000 for all users

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Where I sent you off wrongly the second time was the format of the dstnat rule.

1. For a dynamic WANIP on the upstream router
add chain=dstnat action=dst-nat dst-address-list=MyServer dst-port=8000 protocol=tcp to-addresses=192.168.88.253

Where the firewall address list entry is
add address=dyndns-name ( could be your IP cloud DNS name ) list=MyServer

2. If the WANIP is static, then simply use that
add chain=dstnat action=dst-nat dst-address=203.0.113.4 dst-port=8000 protocol=tcp to-addresses=192.168.88.253
( sample WAN IP only, from the RFC 5737 documentation range )

Anything else you are doing is non-standard and not recommended.

In terms of rules, you need a basic firewall rule allowing port forwarding
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"

You need a hairpin nat source nat rule in case you want internal users to be able to access the server by the WANIP or DNS name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
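The two posts above (the hairpin NAT explanation and the A/B/C summary) never show the whole thing in one place, and with the double NAT in this thread there are two different destination addresses to match. Reading the thread's own observations: a connection from the Internet reaches the MikroTik only after the ISP router's DMZ has rewritten the destination to 192.168.100.100, while a connection from the LAN to the public hostname reaches the MikroTik's dstnat chain still carrying the public IP. A single address list holding both covers both paths. The configuration below is an added example, not the poster's config or MikroTik's documentation; the DDNS name is a placeholder, and the addresses are the ones stated in the thread.

```routeros
# Added example, not from the thread. Assumed from the thread: LAN 192.168.88.0/24
# on "bridge", ether1 = 192.168.100.100 behind an ISP router whose DMZ forwards
# everything to it, dynamic public IP published through IP Cloud DDNS, and the
# web server at 192.168.88.253:8000. "example.sn.mynetname.net" is a placeholder.

/ip firewall address-list
# One entry per path a packet can take to reach this router:
#  - from the Internet the ISP router's DMZ has already rewritten the destination
#    to our own WAN address 192.168.100.100;
#  - from the LAN the packet still carries the public IP resolved from the DDNS
#    name when it enters this router's dstnat chain (hairpin path).
add list=MyServer address=192.168.100.100 comment="own WAN address (DMZ path)"
add list=MyServer address=example.sn.mynetname.net comment="public IP via DDNS (hairpin path)"

/ip firewall nat
# Port forward matched on the address list instead of in-interface, so the same
# rule serves external and hairpinned connections. No to-ports: the port is not
# translated. Matching the list rather than in-interface-list=all keeps the rule
# from catching traffic to ports the router itself listens on.
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=MyServer dst-port=8000 \
    to-addresses=192.168.88.253 comment="forward tcp/8000 to web server"
# Hairpin: for LAN clients whose connection was just dstnatted to the server,
# rewrite the source to the router's LAN address. Without this the server replies
# straight to the client's MAC, the client sees a reply from 192.168.88.253 for a
# SYN it sent to the public IP, and the handshake stalls (the "hang" in the first
# post is consistent with that). Keyed on the server address/port so ordinary
# routed LAN traffic keeps its real source address in the server's logs.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.253 \
    protocol=tcp dst-port=8000 comment="hairpin NAT for tcp/8000" place-before=0
# The defconf outbound masquerade stays as it is (shown here for completeness).
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"

/ip firewall filter
# Keep the defconf forward chain. "drop all from WAN not DSTNATed" only matches
# in-interface-list=WAN, so it never touches the LAN-to-LAN hairpin; an
# unconditional "drop all else" appended after it does, which is why the hairpin
# broke earlier in the thread. If you want an explicit accept for forwarded
# traffic, make it as narrow as the dstnat rule instead of connection-nat-state=dstnat
# alone, so a future dstnat rule cannot silently widen it.
add chain=forward action=accept protocol=tcp dst-address=192.168.88.253 dst-port=8000 \
    connection-nat-state=dstnat comment="allow forwarded tcp/8000 only" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Checks after applying:
#   /ip firewall address-list print          -> the DDNS entry shows a resolved dynamic IP
#   /ip firewall nat print stats             -> dst-nat and hairpin counters grow during a test
#   /ip firewall connection print where dst-address~"192.168.88.253:8000"
#       external test: src-address is the remote client, reply-dst is 192.168.100.100
#       LAN test:      src-address 192.168.88.x, reply-dst 192.168.88.1 (hairpin working)
```

The address-list approach is the same idea the thread arrives at in the "ADD SECOND IP to the MyServer list" post; the two entries are the two rewrite points in the double NAT, not a hack. If the ISP router's DMZ is ever replaced by a single-port forward, nothing here changes, because the list still contains 192.168.100.100.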
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Fri Feb 23, 2024 12:36 am

I think I have finally made my peace with this functionality.

Definitely, 'in-interface=all' is not the solution, because it actually started conflicting with my ports on the router...

So, based on what you have written, most valid case for me is B:
B. Through the DYNDNS URL you are using, be it from a free or paid provider on the web, or by using your free IP CLOUD DNS name.
- this is valid for external users
- this is valid for internal lan users if they are instructed to use the dyndnsname:8000
And is exactly what I wanted to achieve.

--------

I followed your steps for dynamic WANIP, but for whatever reason it did not work for the internal users to reach the services using dyndnsname:8000
But I noticed, it does, when I change the dst-address(-list) to 192.168.100.100, so my NAT IP for the router.

After some thought, I have managed to ADD SECOND IP to the MyServer list:
  • so one is Dynamic, obtained from the domain name
  • the other one is Static: 192.168.100.100
and they both are added to the MyServer list which is used in NAT rules.

It works.
Should I be happy :D? Or I have hacked something again ;-)?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS

Fri Feb 23, 2024 3:02 am

Very good question.
So external users can access the server no problem with the dyndns URL pointing to the public IP of the upstream router,
but the internal servers are unsuccessful using the same?
However if they simply use 192.168.100.100:8000 they are successful?
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS

Fri Feb 23, 2024 11:40 am

Sorry I have even confused myself because it is even more strange:

1) For the external access to work correctly, the list has to point to 192.168.100.100
2) For the internal access to work correctly, the list has to point to the DOMAIN, resulting in the dynamic WAN IP

Its in the case, when I am using only my domain as an access point, having no distinction between internal or external use.

Of course, if internally I would be using 192.168.100.100 - the access is there.
But the problem is that I am using domain names for everything, with subdomains for different services.

Maybe instead, I should override my domain locally to 192.168.100.100 :D?
Should I then host a DNS server as well :D? Or is there a simpler "/etc/hosts"-like override method?
 
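The question above about a "/etc/hosts"-like override has a direct answer on the router itself: the posted config already runs the RouterOS DNS resolver for the LAN (allow-remote-requests=yes, DHCP hands out 192.168.88.1 as DNS), and /ip dns static entries override public names for LAN clients only. This is split-horizon DNS; internal clients then talk to the server directly and never touch the hairpin NAT path. The fragment below is an added example, not from the thread; the hostnames are placeholders standing in for the poster's domain and subdomains, and 192.168.88.253 is the NGiNX host from the thread.

```routeros
# Added example, not from the thread. Placeholders: app.example.com and its
# subdomains stand in for the poster's real domain. Assumes LAN clients use
# 192.168.88.1 as resolver, which the thread's DHCP network config already does.

/ip dns
# Already set in defconf. The defconf input chain drops everything not from LAN,
# so the resolver is reachable from the LAN only; do not open udp/53 on WAN.
set allow-remote-requests=yes

/ip dns static
# Exact name: LAN clients get the server's LAN address instead of the public IP.
add name=app.example.com address=192.168.88.253 comment="split DNS: main name"
# Subdomains handled by the internal NGiNX: one regexp entry covers them all.
# RouterOS matches regexp entries before consulting its cache or upstream.
add regexp="^(.*\\.)?app\\.example\\.com\$" address=192.168.88.253 \
    comment="split DNS: subdomains"

# Checks:
#   from a LAN client:  nslookup app.example.com 192.168.88.1   -> 192.168.88.253
#   from outside:       nslookup app.example.com                -> public IP (unchanged)
#   /ip dns cache print where name~"example"   -> nothing cached for the overridden names
#   /ip firewall connection print where dst-address~"192.168.88.253:8000"
#       LAN connections now show src-address 192.168.88.x, not the hairpin's 192.168.88.1
```

The trade-off: clients that pin their own resolver (DNS over HTTPS in a browser, a phone on mobile data) bypass the override and go through the public path, so the hairpin rules are still worth keeping as a fallback. The override also only helps for services on the LAN side of this router; anything reached via the ISP router's 192.168.100.x side still needs NAT.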
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 2:52 pm

Please print your latest config, so I can see where we are going wrong.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 5:39 pm

Right, sorry
# 2024-02-23 17:37:38 by RouterOS 7.13.5
# software id = xxx
#
# model = L009UiGS
# serial number = xxx
/interface bridge
add admin-mac=78:9A:18:62:43:F8 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:5b:ad:1:a6:28 mac-address=\
    10:5B:AD:01:A6:28 server=defconf
add address=192.168.88.5 client-id=1:24:5e:be:a:df:e8 mac-address=\
    24:5E:BE:0A:DF:E8 server=defconf
add address=192.168.88.226 mac-address=02:42:05:D1:F2:FE server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.100.100 list=MyIP
add address=mydomain.pl list=MyIP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=\
    dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=80 protocol=\
    tcp to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=443 protocol=\
    tcp to-addresses=192.168.88.5 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=10001 \
    protocol=tcp to-addresses=192.168.88.5 to-ports=10001
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=32400 \
    protocol=tcp to-addresses=192.168.88.5 to-ports=32400
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 6:02 pm

Can you confirm the upstream router correctly port forwards traffic to port 8000 to 192.168.100.100
(jpeg)??

I think I see one problem, you didn't remove a rule when it was replaced by three other rules (AS STATED CLEARLY in post #2). I am not sure it will change anything, but please
see if an external user can now access the server with 192.168.100.100 removed from the MyIP list.

add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN

add action=accept chain=forward comment="internet access" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=\
dstnat

add action=drop chain=forward comment="drop all else"
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 6:07 pm

If not using IPV6 you can disable it AND REMOVE all the firewall address lists and firewall rules associated.
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 6:16 pm

Can you confirm the upstream router correctly port forwards traffic to port 8000 to 192.168.100.100
Is something missing here :)?

Answering question: with both IPs in the list (external + 192.168.100.100) all the traffic is properly routed.

One note on my side;
sorry I forgot to mention, port 8000 was just a test at the beginning, but I have already migrated my services and working with the final setup.
The ports I am forwarding are 80, 443, 10001 and 32400 to 192.168.88.5, but that does not matter really.
It works the same as port 8000 before with my test http server.

-------------------

I think I see one problem, you didn't remove a rule, when it was replaced by three other rules.
Strange thing. I have disabled it...
That's how it looks in the GUI:
Screenshot 2024-02-23 at 17.11.42.png
So it is already not applied.

I am not using IPv6, it must be some default configuration that is there.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 6:42 pm

All good, thanks for letting me know.
Yup, the rule is disabled, should have noticed. I am of the ilk of removing rules not used, so if I see it, I assume it's working.

Okay, so one last time by MYIP:
If it contains ONLY DOMAIN name
a. external users like you on your cell phone Do NOT reach the servers!
b. internal users using the DOMAIN name Do reach the servers.

If the MYIP list only contains 192.168.100.100
a. external users like you on your cell phone DO reach the servers
b. internal users using the DOMAIN name Do NOT reach the servers

In both cases direct access to the LAN from other LAN users, works fine, using the direct LANIP address of the server.

Please confirm!

Also, when you put the domain name into any "what's my IP" or resolve URL via the browser, do you get the public IP of the upstream router?
Also, when you look at your IP cloud resolved address in Winbox IP cloud, do you get the public IP of the upstream router?
When you look at the firewall address list, does the entry after the domain name show the public IP of the upstream router?
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Fri Feb 23, 2024 9:27 pm

1.
Yup the rule is disabled, should have noticed. I am of the ilk of removing rules not used, so IF i see it, assume its working.
:) resolved

2.
Okay, So one last time by MYIP
If it contains ONLY DOMAIN name
a. external users like you on your cell phone Do NOT reach the servers!
b. internal users using the DOMAIN name Do reach the servers.

Yes, that's correct

3.
If the MYIP list only contains 192.168.100.100
a. external users like you on your cell phone DO reach the servers
b. internal users using the DOMAIN name Do NOT reach the servers
Exactly. It seems counter-intuitive to me, but that's what it is.

4.
In both cases direct access to the LAN from other LAN users, works fine, using the direct LANIP address of the server.
Well, assuming internal-clients only, of course, I can reach any other client in the same network and all the ports without port-forwarding/NAT rules.

I hope it clarifies all the "input" :D
What to do with it, though?
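Why the two list entries serve different access paths becomes clear once the rule matching is modelled: the upstream router has already rewritten the destination of external traffic to 192.168.100.100, while a LAN client dialling the domain still carries the public IP. Added Python example, not RouterOS code and not posted by anyone in this thread; it assumes mydomain.pl resolves to the constructed address 203.0.113.10 and uses 198.51.100.7 as a constructed outside client.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread, plus two constructed ones standing in for the
# upstream router's dynamic public IP and an outside client.
PUBLIC_IP = "203.0.113.10"      # constructed: what mydomain.pl resolves to
EXT_CLIENT = "198.51.100.7"     # constructed: phone on mobile data
MT_WAN_IP = "192.168.100.100"   # MikroTik WAN address behind the ISP router
ROUTER_LAN_IP = "192.168.88.1"
SERVER = "192.168.88.5"
LAN = ipaddress.ip_network("192.168.88.0/24")
FORWARDED_PORTS = (80, 443, 10001, 32400)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str   # "ether1" (WAN list) or "bridge" (LAN list)


def resolve_list(entries):
    """RouterOS keeps a domain entry in an address list resolved to its current IP."""
    return {PUBLIC_IP if e == "mydomain.pl" else e for e in entries}


def dstnat(pkt, my_ip_list):
    """dstnat chain: dst-address-list=MyIP dst-port=<port> protocol=tcp
    to-addresses=192.168.88.5. Returns (translated packet, matched?)."""
    if pkt.dst in resolve_list(my_ip_list) and pkt.dport in FORWARDED_PORTS:
        return replace(pkt, dst=SERVER), True
    return pkt, False


def hairpin_srcnat(pkt):
    """srcnat masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24.
    Only LAN-to-LAN flows (a LAN client that was just dst-natted to the server)
    get their source rewritten, so the server replies through the router."""
    if ipaddress.ip_address(pkt.src) in LAN and ipaddress.ip_address(pkt.dst) in LAN:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def reaches_server(pkt, my_ip_list):
    """forward chain as in the export: accept connection-nat-state=dstnat,
    everything else hits 'drop all else'. Then check the return path: a LAN
    client must see the reply come from the router, not directly from the
    server, or it will reset the half-open connection."""
    pkt, matched = dstnat(pkt, my_ip_list)
    if not matched:
        return False
    pkt = hairpin_srcnat(pkt)
    return pkt.in_iface == "ether1" or pkt.src == ROUTER_LAN_IP


# The upstream ISP router already rewrote the destination to the MikroTik WAN
# address, so external traffic never carries the public IP at this hop.
EXTERNAL = Packet(EXT_CLIENT, MT_WAN_IP, 443, "ether1")
# A LAN client resolved mydomain.pl on the internet and dials the public IP.
INTERNAL = Packet("192.168.88.20", PUBLIC_IP, 443, "bridge")


def matrix():
    """(external reaches, internal-via-domain reaches) for each MyIP content."""
    cases = {
        "only domain": ["mydomain.pl"],
        "only 192.168.100.100": [MT_WAN_IP],
        "both": ["mydomain.pl", MT_WAN_IP],
    }
    return {name: (reaches_server(EXTERNAL, lst), reaches_server(INTERNAL, lst))
            for name, lst in cases.items()}


if __name__ == "__main__":
    for name, (ext, internal) in matrix().items():
        print(f"MyIP = {name:22} external: {ext!s:5} internal via domain: {internal}")
```

The matrix reproduces the three observations above: only the domain serves LAN clients, only 192.168.100.100 serves external clients, and both entries together serve both.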
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 3:46 am

Hello atais & Mesquite.

Hoping I can help out on this one. Looking at the Hairpin NAT rule. It's missing the protocol & you might as well add the out-interface-list=LAN. I've got the same scenario that's been working well for a long time. I can access my server behind my LAN via external web-address:port or LAN-IP:port. Doesn't matter which you use. Below is how it's configured in NAT rules. Change IPs & ports as needed. Add more rules for the remaining ports.

In your NAT rule, you've got 2 items mismatched here. "to-ports" isn't needed. The dst-port will handle that unless this was intentional? Coming in from external port 80 & going to internal port 81? And btw, your address-list shows that MyIP is: " 192.168.100.100 & mydomain.pl " Another mismatch in this rule. Your "MyIP" address list doesn't include 192.168.88.5
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=80 protocol=\
tcp to-addresses=192.168.88.5 to-ports=81
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Server" dst-address=192.168.88.5 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.5
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 4:07 am

Hey MTNICK.
(1) The hairpin NAT rule is port/protocol agnostic. Not required. He has the correct rule.
(2) The dstnat (port forwarding) rules can very much so have a different dst-port, the one hitting the router, and a to-port, the one hitting the server.
It's called port translation. If your ISP blocks a common server port, tell your users to come in on 15,678 and then translate to the port the server is expecting etc......

I haven't yet figured out why his config is working bass ackwards LOL.
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 4:25 am

Hi Mesquite. Stop yelling at me lmao

(1) The hairpin nat rule is port/protocol agnostic. Not required. He has the correct rule. ----- Didn't know this. But still, this rule works haha.
(2) The dstnat (port forwarding rules) can very much so have a different dst port, the one hitting the router, and a to-port the one hitting the server.
It's called port translation. If your ISP blocks a common server port, tell your users to come in on 15,678 and then translate to the port the server is expecting etc...... ----- I know. That's why I said "The dst-port will handle that unless this was intentional? Coming in from external port 80 & going to internal port 81? "

I haven't yet figured out why his config is working bass ackwards LOL. ----- Someone once said this to me... We'll get this figured out. It's the fun part :wink:


If still using the subnet 192.168.100.100, try this rule in firewall filter above the last drop all else rule (14)

Add another address list with the following. Name it whatever you want, but make sure it matches the firewall filter rule:
/ip firewall address-list
add address=192.168.88.0/24 comment=Local list=expected-address-from-LAN
add address=192.168.100.0/24 comment=Local list=expected-address-from-LAN

/ip firewall filter
add action=accept chain=forward comment="allow multi-subnet access" \
dst-address-list=expected-address-from-LAN src-address-list=\
expected-address-from-LAN
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 5:32 am

I think I found the problem. In the NAT rule for the server, the "dst-address=" should be your ISP address, not the local LAN IP.
add action=dst-nat chain=dstnat dst-address-list=MyIP dst-port=80 protocol=tcp to-addresses=192.168.88.5 to-ports=81

Should be:
add action=dst-nat chain=dstnat dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.5

As an example, below is a firewall-address-list, firewall filter rules & NAT rules. Make yours similar to the below. Add & edit the first 2 lines with your "admin" devices' IP or range & your ISP IP address. There is a firewall filter rule below to allow admin access. It is disabled for now. Enable if you're going to implement it. All the firewall filter & NAT rules are using the firewall address lists. No need to edit anything other than the address list.
/ip firewall address-list
add address=ADD-YOUR-ADMIN-IP comment="Admin - Devices" list=admin
add address=ADD-YOUR-ISP-ADDRESS comment="ISP Address" list=expected-dst-address-to-my-ISP
add address=192.168.100.100 list=MyIP
add address=mydomain.pl list=MyIP
add address=192.168.88.5 list=MyServer
add address=192.168.88.0/24 comment=Local list=expected-address-from-LAN
add address=192.168.100.0/24 comment=Local list=expected-address-from-LAN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" disabled=yes in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS/NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow multi-subnet access" dst-address-list=expected-address-from-LAN src-address-list=expected-address-from-LAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="ISP Masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=expected-address-from-LAN out-interface-list=LAN protocol=tcp src-address-list=expected-address-from-LAN
add action=dst-nat chain=dstnat comment="Server-80" dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.5
add action=dst-nat chain=dstnat comment="Server-443" dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.5
add action=dst-nat chain=dstnat comment="Server-10001" dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local dst-port=10001 protocol=tcp to-addresses=192.168.88.5
add action=dst-nat chain=dstnat comment="Server-32400" dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local dst-port=32400 protocol=tcp to-addresses=192.168.88.5
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 6:30 am

Remember he has an upstream router with a dynamic public IP.
Hence he uses a dyndns URL to reach the upstream router, which forwards the incoming traffic with the destination port to the LAN IP 192.168.100.100.
This is also the WANIP of the MT device.
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 4:34 pm

Good morning Mesquite.

You're absolutely right. I either missed that part or forgot about it while going over the config. Conclusion: beer, configs & forum don't mix. Apologies!

From the config, I'm the same, it should be working.

3.
If the MYIP list only contains 192.168.100.100
a. external users like you on your cell phone DO reach the servers
b. internal users using the DOMAIN name Do NOT reach the servers
Exactly. It seems counter-intuitive to me, but that's, what it is.
The above points to the hairpin NAT rule. The domain name shouldn't be needed in the address list. But I see what's trying to be accomplished. Has a static DNS been attempted on the Mikrotik?
/ip dns static
add address=192.168.88.5 name=your.domain.com

You can delete the default one that exists
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
 
atais
just joined
Topic Author
Posts: 16
Joined: Tue Feb 20, 2024 12:36 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 7:49 pm

@MTNick

I can confirm that adding a static DNS rule:
/ip/dns/static
add name=mydomain.com match-subdomain=yes address=192.168.88.5
allows me to disable the WANIP from the AddressList and everything is still working.
This configuration basically overrides the need for the port forwarding locally.
It is more or less what I want to have, because 192.168.88.5 holds an NGiNX proxy that redirects all the traffic according to my needs.

But if I follow your example exactly and point it to the router - 192.168.88.1 - it does not work.

Which configuration is more beneficial?
Last edited by atais on Sat Feb 24, 2024 7:53 pm, edited 1 time in total.
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 7:53 pm

@MTNick

I can confirm that adding a static DNS rule:
/ip/dns/static
add name=mydomain.com match-subdomain=yes address=192.168.88.5
allows me to disable the WANIP from the AddressList and everything is still working.

Which configuration is more beneficial?

That I'm not sure of. Mesquite may be able to answer that. In my opinion, if the DNS static is working, I'd use that. As the fewer rules you have on the router, the less taxing it is on the router. But again, I'm no expert, not by far, and it really needs the advice of a forum guru.

But if I follow your example exactly and point it to the router - 192.168.88.1 - it does not work.
Which example are you referring to?

I mimicked the setup of what you have in the topology. Already had it for testing purposes (load balancing with Mesquite) but just had to move a server behind it. I have total access, from external & internal using web address:port.
The main Mikrotik router provides WAN to Mikrotik test router via LAN. In the main router, I have a NAT rule forwarding port 443 to the test router WAN IP 192.168.87.2. In the test router (192.168.88.0/24), the server is using 192.168.88.200 port 443. In the test router, the following NAT rules are applied:

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Server - HTTPS" dst-address=192.168.87.2 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.200
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sat Feb 24, 2024 8:39 pm

I would say the DNS approach, is favoured by my favourite gateau, rextended............. He swears by it. ( orange cat is a close second by the way ).

Somewhat similar in concept to what you have offered, but since I don't understand it at all,,,,,,, just putting it out there.
I don't even think you need a hairpin NAT rule with this one. For the example, 192.168.88.68 is the local LAN server IP and myserver is the domain name.

Create the following rule!
/ip dns static
add address=192.168.88.68 regexp="(^|www\\.)myserver\\.net\$" ttl=5m


The precedence for using DNS within the router is as follows...........
a. static first,
b. static regexp next, and
c. others...

This rule tells the router that for any DNS traffic that is generated to look for the domain name www.myserver.net location, there is no need to go to dynamic servers, cached servers, external internet servers etc., go directly to the location of the LAN IP indicated (our Server).

Two Points and One Reminder:
(i) You'd need to make sure "allow remote request" is turned on in /IP DNS,
(ii) Ensure there are no actual static entries in DNS as they take precedence, and
(iii) Confirm you block WAN traffic in the input chain ( aka block all else rule at end etc..)
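A small resolver model of the lookup order just described, covering both atais's match-subdomain entry earlier in the thread and the regexp entry here, and showing why a static answer makes the hairpin path unnecessary for LAN clients. Added Python example, not RouterOS code and not posted by anyone in this thread; it assumes a match-subdomain entry is tried together with the plain name entries, before regexp entries, and does not model upstream answers.

```python
import re

# Names and addresses from the thread; upstream answers are not modelled, the
# resolver just reports that the query would be forwarded.
STATIC_NAMES = {"router.lan": "192.168.88.1"}          # defconf entry
STATIC_SUBDOMAIN = {"mydomain.com": "192.168.88.5"}    # atais's match-subdomain=yes entry
# The export shows regexp="(^|www\\.)myserver\\.net\$"; RouterOS stores it
# with single backslashes, which is the pattern compiled below.
STATIC_REGEXP = [(re.compile(r"(^|www\.)myserver\.net$"), "192.168.88.68")]


def resolve(name, names=STATIC_NAMES, subdomains=STATIC_SUBDOMAIN, regexps=STATIC_REGEXP):
    """Return (address, source) in the precedence order Mesquite lists:
    plain static entries first, then regexp entries, then forwarding."""
    name = name.lower().rstrip(".")
    if name in names:
        return names[name], "static"
    for base, addr in subdomains.items():
        if name == base or name.endswith("." + base):
            return addr, "static match-subdomain"
    for pattern, addr in regexps:
        if pattern.search(name):      # a regexp entry is an unanchored search
            return addr, "static regexp"
    return None, "forwarded"


def lan_client_path(name):
    """With a static answer the LAN client connects straight to the server's
    LAN IP, so the dst-nat + hairpin srcnat pair is never exercised."""
    addr, source = resolve(name)
    return "direct" if source.startswith("static") else "via WAN IP and dst-nat"


# Caveat: the second branch of the alternation "(^|www\.)" is not anchored,
# so any name that merely ends in "www.myserver.net" also matches it.
TIGHTER_REGEXP = re.compile(r"^(www\.)?myserver\.net$")


def tighter_matches(name):
    """Same intent as the thread's regexp, but only the two exact names match."""
    return TIGHTER_REGEXP.search(name.lower().rstrip(".")) is not None


if __name__ == "__main__":
    for q in ("router.lan", "app.mydomain.com", "www.myserver.net",
              "notwww.myserver.net", "example.org"):
        print(f"{q:22} -> {resolve(q)}  ({lan_client_path(q)})")
```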
 
MTNick
Frequent Visitor
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Sun Feb 25, 2024 12:27 am

You're right, the Hairpin NAT has 0 traffic in the counters. So, it's not needed. Tested, proved lol

If access using LAN is working, I'd say the OP is wrapped up. OP stated external access is good. Now internal access is as well.

The NAT rule is needed if not keeping DNS static. Seems you should according to forum gurus as Mesquite stated above. However, if you still want to add the NAT rule as an extra precaution or peace of mind, here's how it would look for your setup

/ip firewall nat
add action=dst-nat chain=dstnat comment="Server - HTTPS" dst-address=192.168.100.100 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.5
