awgur, 2015-09-04 15:33:02

How to set up a filter in RouterOS to forward one port to another?

I am forwarding incoming traffic from published port 5922 to port 22 of host 192.168.255.2.
Works for Cisco.

!
interface Dialer0
 ip access-group FW_in in
!
ip nat inside source static tcp 192.168.255.2 22 interface Dialer0 5922
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended FW_in
 permit tcp any any eq 5922
!

Doesn't work on RouterOS.
/ip firewall filter
add chain=forward dst-port=5922 in-interface=ether1 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=5922 in-interface=ether1 \
 protocol=tcp to-addresses=192.168.255.2 to-ports=22

If you disable the drop rule at the end of the forward chain, it starts working.
I.e., the filter does not catch the TCP connection to port 5922, but lets it pass.
If the ports are the same everywhere, then everything works fine.
/ip firewall filter
add chain=forward dst-port=22 in-interface=ether1 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 \
 protocol=tcp to-addresses=192.168.255.2 to-ports=22

Question: What am I doing wrong? Or is it something with Mikrotik?


4 answer(s)
Rsa97, 2019-03-26
@Fragman

SELECT `name`
  FROM `sm_groups`
  WHERE `id` IN (
    SELECT `group_id`
      FROM `sm_admins_groups`
      WHERE `admin_id` IN (
        SELECT `id` 
          FROM `sm_admin`
          WHERE `identity` = :identity AND `sid` = :sid
        )
    )

For the second query, change IN to NOT IN

irishmann, 2019-03-26
@irishmann

What's the problem with putting "unequal" in the query?

SELECT d.id, d.name 
FROM sm_admins m 
JOIN sm_admins_groups r ON m.id=r.admin_id 
JOIN sm_groups d ON r.group_id=d.id 
WHERE m.identity <> 'STEAM_0:1:427770368' AND m.sid <> '0'

awgur, 2015-09-07
@awgur

I confess! It's all about lack of knowledge.
It turns out that DST-NAT is applied already in PREROUTING => by the time the packet reaches the filter, its destination port has already been changed.
In my case, 5922 had already been changed to 22.
wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
Question: What am I doing wrong? Or is it something with Mikrotik?
Answer: Mikrotik is fine.
The rule needs to be changed from

/ip firewall filter add chain=forward dst-port=5922 in-interface=ether1 protocol=tcp
to
/ip firewall filter add chain=forward dst-port=22 in-interface=ether1 protocol=tcp
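
A small model of the packet flow described in this answer, added here as an example and not part of the thread: dstnat (prerouting) rewrites the packet before the forward chain sees it, so a forward rule matching the public port 5922 never fires, while one matching the translated port 22 does. The public address 203.0.113.10 and the second host 192.168.255.3 are constructed values; the rule sets mirror the question's configuration, and the "tight" variant adds the RouterOS dst-address and connection-nat-state matchers so only traffic that was actually dst-natted to the intended host is accepted.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str
    dst_address: str
    dst_port: int
    nat_state: str = ""  # becomes "dstnat" once a dstnat rule rewrote the packet


# RouterOS matcher name -> Packet attribute (only the matchers this model needs)
MATCHERS = {"in-interface": "in_interface", "protocol": "protocol",
            "dst-address": "dst_address", "dst-port": "dst_port",
            "connection-nat-state": "nat_state"}


def matches(pkt: Packet, rule: dict) -> bool:
    """A rule matches when every matcher it specifies equals the packet's field."""
    return all(getattr(pkt, attr) == rule[key]
               for key, attr in MATCHERS.items() if key in rule)


def dstnat(pkt: Packet, rules: list) -> Packet:
    """Prerouting: the first matching dstnat rule rewrites address and port."""
    for r in rules:
        if matches(pkt, r):
            return replace(pkt, dst_address=r["to-addresses"],
                           dst_port=r["to-ports"], nat_state="dstnat")
    return pkt


def forward_filter(pkt: Packet, rules: list) -> str:
    """Forward chain: first match wins; the trailing drop rule catches the rest."""
    for r in rules:
        if matches(pkt, r):
            return r.get("action", "accept")
    return "drop"


def verdict(pkt: Packet, nat_rules: list, filter_rules: list) -> str:
    """Verdict for a forwarded packet: dstnat first, then the forward chain."""
    return forward_filter(dstnat(pkt, nat_rules), filter_rules)


# Constructed rule sets mirroring the thread (same parameters as the question)
NAT = [{"in-interface": "ether1", "protocol": "tcp", "dst-port": 5922,
        "to-addresses": "192.168.255.2", "to-ports": 22}]
BROKEN = [{"in-interface": "ether1", "protocol": "tcp", "dst-port": 5922}]
FIXED = [{"in-interface": "ether1", "protocol": "tcp", "dst-port": 22}]
TIGHT = [{"in-interface": "ether1", "protocol": "tcp", "dst-port": 22,
          "dst-address": "192.168.255.2", "connection-nat-state": "dstnat"}]
```

The "fixed" rule also accepts any forwarded tcp/22 arriving on ether1 for other internal hosts; the "tight" rule drops those.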

Rainbird, 2015-09-04
@Rainberd

Isn't it
/ip firewall nat
add action=netmap chain=dstnat dst-port=5922 protocol=tcp to-addresses=192.168.255.2 to-ports=22
?
