[HamWAN PSDR] Mikrotik port forwarding

Bart Kus me at bartk.us
Thu Apr 3 18:11:39 PDT 2014 

You can do a bit more debugging here to bridge the gap between "config 
upload" and "connections don't work".  The router has a nice "/tool 
sniffer quick" utility built-in.  Try it with the arguments 
"interface=all ip-protocol=tcp port=26" and launch a connection in from 
the outside world.  You should be able to see everything going on, from 
the original packet coming in (or not), to it getting translated and 
sent to your server (or not), to your server replying (or not), to the 
un-NAT and retransmission (or not). Somewhere along the line you'll spot 
the root of the problem.  I don't know what it is, as the config looks 
fine to me.

Oh, and screen width DOES matter.  I believe if your window isn't wide 
enough (eg: just 80 columns) it'll omit MAC address details. So, max 
your window before running the sniffer.  Either that or use the winbox 
GUI sniffer.

Please report back!

--Bart


On 04/03/2014 05:17 PM, Dean Gibson AE7Q wrote:
> Objective: When an external (ie, wlan) connection is attempted to port 
> 26 on the radio, forward that traffic ("destination NAT") to a 
> computer on my internal LAN.
>
> Firewall rules in the radio (rules #3 & #7 in the filter chain, and 
> rule #1 in the NAT chain, have been inserted by me):
>
> //ip firewall filter print
> Flags: X - disabled, I - invalid, D - dynamic
>  0   ;;; default configuration
>      chain=input action=accept protocol=icmp src-address=44.0.0.0/8
>
>  1   ;;; default configuration
>      chain=input action=accept connection-state=established
>
>  2   ;;; default configuration
>      chain=input action=accept connection-state=related
>
>  3   chain=input action=accept protocol=tcp in-interface=wlan1-gateway 
> dst-port=26
>
>  4   ;;; default configuration
>      chain=input action=drop in-interface=wlan1-gateway
>
>  5   ;;; default configuration
>      chain=forward action=accept connection-state=established
>
>  6   ;;; default configuration
>      chain=forward action=accept connection-state=related
>
>  7   chain=forward action=accept protocol=tcp 
> in-interface=wlan1-gateway dst-port=26
>
>  8   ;;; default configuration
>      chain=forward action=drop connection-state=invalid
>
> /ip firewall nat print
> Flags: X - disabled, I - invalid, D - dynamic
>  0   ;;; default configuration
>      chain=srcnat action=masquerade to-addresses=0.0.0.0 
> out-interface=wlan1-gateway
>
>  1   chain=dstnat action=dst-nat to-addresses=192.168.0.250 
> protocol=tcp in-interface=wlan1-gateway dst-port=26/
>
> I use the same technique on my Linux boxes, and it works fine (albeit 
> iptables is slightly different).  However, when accessing my radio 
> from an external IP address, no connection is made (times out).  If I 
> change the dstnat rule action to "accept", the connection is refused.  
> The logs for port 26 on the target device (192.168.0.250) show no 
> connection attempt.  In the (default) srcnat chain, 
> "action=masquerade" implies NATting on the return trip (into the 
> LAN).  The same thing needs to happen in a dstnat chain, but I don't 
> see a way to do that;  I'm "assuming" that the OS automatically does 
> that.  When doing DNAT on Linux, I have to do that manually, with the 
> same rule in the "PREROUTING" and "OUTPUT" NAT chains, but those 
> chains don't exist in my radio.
>
> Ideas welcome (note that "action=masquerade" is not valid in a dstnat 
> chain).
>
> -- Dean
>
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20140403/7eb762ea/attachment.html>

More information about the PSDR mailing list