[HamWAN PSDR] Mikrotik port forwarding

Dean Gibson AE7Q hamwan at ae7q.com
Thu Apr 3 17:17:29 PDT 2014 

Objective: When an external (ie, wlan) connection is attempted to port 
26 on the radio, forward that traffic ("destination NAT") to a computer 
on my internal LAN.

Firewall rules in the radio (rules #3 & #7 in the filter chain, and rule 
#1 in the NAT chain, have been inserted by me):

//ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
  0   ;;; default configuration
      chain=input action=accept protocol=icmp src-address=44.0.0.0/8

  1   ;;; default configuration
      chain=input action=accept connection-state=established

  2   ;;; default configuration
      chain=input action=accept connection-state=related

  3   chain=input action=accept protocol=tcp in-interface=wlan1-gateway 
dst-port=26

  4   ;;; default configuration
      chain=input action=drop in-interface=wlan1-gateway

  5   ;;; default configuration
      chain=forward action=accept connection-state=established

  6   ;;; default configuration
      chain=forward action=accept connection-state=related

  7   chain=forward action=accept protocol=tcp 
in-interface=wlan1-gateway dst-port=26

  8   ;;; default configuration
      chain=forward action=drop connection-state=invalid

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
  0   ;;; default configuration
      chain=srcnat action=masquerade to-addresses=0.0.0.0 
out-interface=wlan1-gateway

  1   chain=dstnat action=dst-nat to-addresses=192.168.0.250 
protocol=tcp in-interface=wlan1-gateway dst-port=26/

I use the same technique on my Linux boxes, and it works fine (albeit 
iptables is slightly different).  However, when accessing my radio from 
an external IP address, no connection is made (times out).  If I change 
the dstnat rule action to "accept", the connection is refused.  The logs 
for port 26 on the target device (192.168.0.250) show no connection 
attempt.  In the (default) srcnat chain, "action=masquerade" implies 
NATting on the return trip (into the LAN).  The same thing needs to 
happen in a dstnat chain, but I don't see a way to do that;  I'm 
"assuming" that the OS automatically does that.  When doing DNAT on 
Linux, I have to do that manually, with the same rule in the 
"PREROUTING" and "OUTPUT" NAT chains, but those chains don't exist in my 
radio.

Ideas welcome (note that "action=masquerade" is not valid in a dstnat 
chain).

-- Dean
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20140403/fc97049a/attachment.html>

More information about the PSDR mailing list