Computer networks
SiriusGale, 2020-12-29 17:49:08

Why doesn't port forwarding work?

Hello everyone, this is the situation.
There is a local network 172.16.0.0/12. A MikroTik with IP 172.19.172.5 is connected to it and has its own network 192.168.0.0/24 behind it. Inside that network there is a Synology whose web interface I reach at 192.168.0.4:5000. I need to set up access to this Synology from the 172.16.0.0/12 network via port forwarding.

The NAT rule is configured according to the standard manual:

chain=dstnat action=netmap to-addresses=192.168.0.4 to-ports=5000 protocol=tcp in-interface=ether1 dst-port=5000 log=yes log-prefix="nas"

All firewall rules are disabled. There is also a masquerade NAT rule:

chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=ether1

When I try to reach 172.19.172.5:5000 from the local network 172.16.0.0/12, the following appears in the log:

nas dstnat: in:ether1 out:(unknown 0), src-mac 1:1:1:1:1:1, proto TCP (SYN), 172.19.118.3:55164->172.19.172.5:5000, len 52

The MikroTik itself is reachable from the local network (pings from the device go through).
Where is my mistake?

I googled for a long time, but the tips that I found did not help.


4 answer(s)
SiriusGale, 2021-01-11
@SiriusGale

I found and fixed it on December 31, but had no time to report back. In case anyone is interested, here it is:
The Synology has 2 Ethernet interfaces; the 192.168.0.0/24 subnet was configured on LAN1, and the 172.16.0.0/12 subnet was temporarily configured on LAN2. That, in fact, was the problem.
After disconnecting LAN2, the forwarding started working correctly. I assume the forwarding itself worked all along, but the NAS's reply packets did not go back the same way; they went out via LAN2.
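
The failure mode in this answer, as an added example (not code from the thread or from MikroTik/Synology): a small Python model of the NAS's longest-prefix-match route lookup and the MikroTik's dstnat connection tracking. The addresses, ports and the dstnat rule follow the question; the NAS default gateway 192.168.0.1 (the MikroTik's LAN-side address) and the interface names lan1/lan2 are assumptions. With a 172.16.0.0/12 address on LAN2, the NAS sends its SYN-ACK straight out LAN2, so it never passes the router's reverse translation and the client sees a reply from 192.168.0.4:5000 instead of 172.19.172.5:5000, which matches no socket.

```python
"""Asymmetric return path after dstnat: added example, not code from the thread."""
import ipaddress
from dataclasses import dataclass, replace

ROUTER_LAN = "192.168.0.1"          # assumed: MikroTik's address on the 192.168.0.0/24 side
NAS_IP, NAS_PORT = "192.168.0.4", 5000
PUBLIC_IP = "172.19.172.5"          # MikroTik's ether1 address (from the question)
CLIENT_IP, CLIENT_PORT = "172.19.118.3", 55164   # from the question's log line


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Routes as (prefix, interface, next_hop); next_hop None = directly connected.
NAS_ROUTES_LAN2_UP = [
    ("0.0.0.0/0", "lan1", ROUTER_LAN),
    ("192.168.0.0/24", "lan1", None),
    ("172.16.0.0/12", "lan2", None),    # the temporary LAN2 address the answer mentions
]
NAS_ROUTES_LAN2_DOWN = NAS_ROUTES_LAN2_UP[:2]


def lpm(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for the route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


class Router:
    """Minimal dstnat plus connection tracking, mirroring the thread's netmap rule."""

    def __init__(self):
        self.conntrack = {}   # (client, cport, nas, nport) -> original (dst, dport)

    def inbound(self, pkt):
        # chain=dstnat dst-port=5000 on ether1 -> to-addresses=NAS_IP to-ports=5000
        if pkt.dst == PUBLIC_IP and pkt.dport == NAS_PORT:
            self.conntrack[(pkt.src, pkt.sport, NAS_IP, NAS_PORT)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=NAS_IP, dport=NAS_PORT)
        return pkt

    def outbound(self, pkt):
        # Reverse translation only happens for replies that actually cross the router.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            odst, oport = self.conntrack[key]
            return replace(pkt, src=odst, sport=oport)
        return pkt


def simulate(nas_routes):
    """Trace one SYN from the client and the NAS's SYN-ACK back; report what the client sees."""
    router = Router()
    syn = Packet(CLIENT_IP, CLIENT_PORT, PUBLIC_IP, NAS_PORT)
    at_nas = router.inbound(syn)                              # dst rewritten to the NAS
    syn_ack = Packet(at_nas.dst, at_nas.dport, at_nas.src, at_nas.sport)
    iface, gw = lpm(nas_routes, syn_ack.dst)                  # NAS picks the egress interface
    # Only a reply handed to the gateway on lan1 traverses the MikroTik and gets un-NATed.
    seen_by_client = router.outbound(syn_ack) if gw == ROUTER_LAN else syn_ack
    # The client's socket expects the reply from the address:port it connected to.
    accepted = (seen_by_client.src, seen_by_client.sport) == (PUBLIC_IP, NAS_PORT)
    return {
        "nas_egress": iface,
        "reply_src": f"{seen_by_client.src}:{seen_by_client.sport}",
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    print("LAN2 up:  ", simulate(NAS_ROUTES_LAN2_UP))
    print("LAN2 down:", simulate(NAS_ROUTES_LAN2_DOWN))
```

On a Linux-based NAS the same decision can be checked with `ip route get 172.19.118.3`: if the chosen interface is not the one facing the router, replies bypass the NAT regardless of how the dstnat rule is written, which is exactly why the rule logged a matching SYN but the session never came up.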

akelsey, 2020-12-29
@akelsey

I could be wrong, but to-addresses=192.168.0.4 needs to be removed from the rule. On the 172.16.0.0/12 network hardly anyone knows anything about that network; they should connect to 172.16.172.5:5000.
netmap is also redundant here; I would change it to dst-nat.
PS
At first I even thought 172.19.172.5 was a typo, but further down in the text it is 19 again, or is it a typo twice?

nApoBo3, 2020-12-30
@nApoBo3

Take a traffic dump. Most likely the device either has no route to the network in question, or it blocks all requests from outside its own network with its firewall; WD NAS units behave this way by default, for example.
In the log everything looks normal at first glance: it is a SYN packet, i.e. an attempt to establish a TCP session, which fails.

Maxim Korneev, 2020-12-30
@MaxLK

Why so complicated? What do NAT and masquerading have to do with it, and why NAT the entire network? It is enough to add a route to each of the two addresses, IMHO.
