Mikrotik
karibskii_koks, 2017-06-21 07:07:08

Why doesn't port forwarding work in Mikrotik?

Hello, friends!
Local network 192.168.0.0/24.
There is a MikroTik with a public ("white") address, which it receives via PPPoE:

ip address print
 0   172.21.139.2/16    172.21.0.0      ether1
 1   192.168.0.254/24   192.168.0.0     LAN-bridge
 2   10.72.74.66/27     10.72.74.64     ether2
 3 D 89.250.146.160/32  10.92.127.254   domru-ppppoe

A second address is also configured on the ether1 interface, for the city network.
Internet from Rostelecom is configured on the ether2 interface.
Mangle is configured as follows:
/ip firewall mangle
add action=mark-connection chain=input in-interface=domru-ppppoe log-prefix=inpt_mark_domru \
    new-connection-mark=domru-conmark passthrough=yes
add action=mark-connection chain=input in-interface=ether1 new-connection-mark=domru-conmark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=domru-conmark dst-address-list=!workspace \
    log-prefix=pr_rout new-routing-mark=domru-pppoe passthrough=no src-address-list=platniy
add action=mark-routing chain=output connection-mark=domru-conmark new-routing-mark=domru-pppoe passthrough=\
    no
add action=mark-connection chain=forward connection-nat-state=dstnat dst-address=192.168.0.183 in-interface=\
    domru-ppppoe new-connection-mark=domru-connmark-f passthrough=yes
add action=mark-connection chain=forward comment="FWD traffic Mark" in-interface=domru-ppppoe log-prefix=\
    fwd_con new-connection-mark=domru-connmark-f passthrough=yes
add action=mark-connection chain=forward in-interface=ether1 new-connection-mark=domru-connmark-f \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=domru-connmark-f dst-address-list=!workspace \
    log-prefix=rt_mark new-routing-mark=domru-pppoe passthrough=no src-address-list=platniy
add action=mark-routing chain=prerouting dst-address-list=!workspace new-routing-mark=rtk passthrough=no \
    src-address-list=rtk

NAT is configured as follows:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=89.250.146.160 dst-port=80 in-interface=domru-ppppoe log-prefix=\
    dst_natlog protocol=tcp to-addresses=192.168.0.183
add action=masquerade chain=srcnat out-interface=domru-ppppoe
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

When I try to access the external address, I notice that the packet counter increases.
However, the web page does not work.
I noticed something else:
there are 2 addresses on the local network, 192.168.0.183 and 192.168.0.188, and both are in the "platniy" address list. However, when I try to trace from the address 89.250.146.160, I get the following:
tool traceroute src-address=89.250.146.160 address=192.168.0.183 max-hops=10
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1                                  100%    2 timeout
 2                                  100%    2 timeout
 3                                  100%    2 timeout
 4                                  100%    2 timeout
 5                                  100%    2 timeout
 6                                  100%    2 timeout
 7                                  100%    2 timeout
 8                                  100%    2 timeout
 9                                  100%    2 timeout
10                                  100%    1 timeout

tool traceroute src-address=89.250.146.160 address=192.168.0.188 max-hops=10
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 192.168.0.188                      0%    4   0.5ms       1     0.5     2.4     0.8

As you can see, when tracing to 192.168.0.183 the path goes into some incomprehensible loop.
At the same time, tracing to 192.168.0.188 goes directly and immediately.
Firewalls are off.
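Added example, not part of the original question or answer: the conventional RouterOS pattern for sending replies to a dst-nat'ed service back out through the WAN they arrived on, written with the names from this page (domru-ppppoe, domru-pppoe, LAN-bridge, 192.168.0.183) and with the PPPoE peer 10.92.127.254 from the address listing assumed to be the gateway. It is not a confirmed fix for the posted configuration; it shows the structure a reviewer would compare the posted mangle rules against (one connection mark in prerouting instead of separate input/forward rules, routing marks applied only to non-local destinations, an explicit default route in the marked table) plus the print commands used to check it. One thing to verify in the posted rules is whether the "workspace" list behind dst-address-list=!workspace actually contains 192.168.0.0/24: a packet addressed to a LAN host that still receives routing mark domru-pppoe is looked up in a table holding only a default route and leaves via the PPPoE link instead of the bridge, which would match the timeouts in the trace to .183.

```routeros
# Added example (not the asker's or answerer's config). Assumed names:
#   domru-ppppoe  = PPPoE WAN interface,  domru-pppoe = routing table / mark,
#   LAN-bridge    = LAN interface,        10.92.127.254 = PPPoE peer used as gateway,
#   192.168.0.183 = published web server.

# 1. Mark the CONNECTION once, on its first inbound packet, in prerouting.
#    Prerouting sees both router-destined and forwarded traffic, so no
#    separate input and forward mark-connection rules are needed.
/ip firewall mangle
add chain=prerouting in-interface=domru-ppppoe connection-state=new \
    action=mark-connection new-connection-mark=domru-conn passthrough=yes

# 2. Mark ROUTING only for reply packets leaving the LAN whose connection
#    carries the mark, and only when the destination is NOT local. The marked
#    table has just a default route, so a LAN-bound packet that gets the mark
#    would be sent out the WAN.
add chain=prerouting in-interface=LAN-bridge connection-mark=domru-conn \
    dst-address=!192.168.0.0/24 \
    action=mark-routing new-routing-mark=domru-pppoe passthrough=no

# 3. Same rule for traffic the router itself generates in reply
#    (e.g. management on the public address).
add chain=output connection-mark=domru-conn dst-address=!192.168.0.0/24 \
    action=mark-routing new-routing-mark=domru-pppoe passthrough=no

# 4. The marked table needs a usable default route (RouterOS 6 syntax).
/ip route
add dst-address=0.0.0.0/0 gateway=10.92.127.254 routing-mark=domru-pppoe

# 5. The forward itself. Matching on in-interface plus dst-address-type=local
#    instead of the literal public IP keeps the rule valid when the dynamic
#    PPPoE address changes.
/ip firewall nat
add chain=dstnat in-interface=domru-ppppoe dst-address-type=local \
    protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.183 to-ports=80
add chain=srcnat out-interface=domru-ppppoe action=masquerade

# 6. Even with the filter "off", limit what a dst-nat'ed connection may reach:
#    accept only the one published service, drop every other dstnat hit.
/ip firewall filter
add chain=forward connection-nat-state=dstnat in-interface=domru-ppppoe \
    protocol=tcp dst-address=192.168.0.183 dst-port=80 action=accept
add chain=forward connection-nat-state=dstnat action=drop

# Checks:
#   - is the dst-nat actually being applied to inbound connections?
/ip firewall connection print where dst-address~"192.168.0.183"
#   - does the marked table have a gateway, and nothing else that
#     would swallow LAN-bound packets?
/ip route print where routing-mark=domru-pppoe
#   - which mangle rules are the packets hitting?
/ip firewall mangle print stats
```

The connection print shows whether inbound packets to port 80 are translated to 192.168.0.183 at all; the route print confirms that the marked table contains a gateway; and the mangle statistics show which rule the reply packets match, which is the quickest way to see whether a LAN-bound packet is picking up the routing mark.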

1 answer(s)
Ziptar, 2017-06-21

Could you explain the mangle rules? In my opinion, there is some kind of chaos there.
