
I have a MikroTik router with v7.1beta2 firmware installed

Its WAN (eth1) has an IP address of 192.168.7.122

There are two devices connected to its LAN

  • Device #1 is a webserver, communicating on port 80 TCP 192.168.88.254
  • Device #2 is a PLC that communicates on port 9999 UDP 192.168.88.250

I've successfully set up a dst-nat that exposes Device #1's webserver on port 8080 from the WAN.

I cannot, however, get the PLC to communicate through the NAT. I've configured the dstnat similarly to the webserver's, changing only the port, address and protocol. Here's what I have configured right now:

Chain: dstnat
Protocol: 17 (udp)
Dst. Port: 9999
Action: dst-nat
Log: x
To Addresses: 192.168.88.250
To Ports: 9999

I've disabled all drops on the Firewall.

When I use the communication utility, point it to the WAN address and configured port (192.168.7.122:9999) and search for the device, the MikroTik Rate Graph shows a spike (so the traffic is coming in), but the utility reports the device as 'Missing' (i.e. it's not getting a response).

When I connect to the LAN directly and point to 192.168.88.250:9999, the device shows up instantly as 'Available'.

To the best of my knowledge the PLC device doesn't care whether or not the src address is from the local network, as we've had the same model communicating via a NAT in the past (and I don't believe any special treatment was done). Other hardware in the field currently uses a socat of UDP 9999 through a Linux box (not NAT) and that works perfectly fine, so I'd be open to figuring out how to configure a socat-like NAT for testing.

I have also tried to configure a srcnat in case the dstnat wasn't reversing the traffic back through. Here's that:

Chain: srcnat
Src. Address: 192.168.88.250
Protocol: 17 (udp)
Dst. Port: 9999
Action: src-nat
To Addresses: 192.168.7.122
To Ports: 9999

This also doesn't work, and this srcnat does not show any traffic on the Rate Graph.

I'm new to RouterOS, and networking has never been a particularly strong suit (I'm a software engineer by trade), so I'm not familiar with ways to properly debug this situation, especially with RouterOS.

Using WireGuard on the host while directly connected to the LAN I see both traffic going out, and then the response.

Using it to monitor via the WAN it goes out but I never see a response.

Help?

CenterOrbit
  • Why do you have a NAT here at all? Can't you get rid of it? – Michael Hampton Oct 05 '20 at 21:24
  • It's the only way I know how to expose a port on a device internally through the WAN. Is there another mechanism or configuration I could try to pass the traffic directly though? – CenterOrbit Oct 05 '20 at 21:25
  • But you have an RFC1918 address on the "WAN" interface. Is that not just another part of your own network? – Michael Hampton Oct 05 '20 at 21:44
  • Yes the "WAN" is on my home network I have it setup here for testing and configuration. My laptop, which is coming in through the WAN is also on my home network. My home network is in the 192.168.7.0/24 range. And then on this routers LAN, it's 192.168.88.0/24.... could this choice of address ranges affect the UDP traffic? – CenterOrbit Oct 06 '20 at 00:37
  • Then yes, you should disable NAT and just route normally. – Michael Hampton Oct 06 '20 at 01:39
  • I can't do that. I'm just testing the configuration at home; once things are working this will be deployed as an edge device into the field. Customers will have a whole array of different networks that we'll be plugging this into, so this router will inevitably act as a VPN (WireGuard) termination point and firewall for devices behind it. I can't rely on the customer's network being within the same range, hence why I'm employing NAT instead of just trying to route directly. – CenterOrbit Oct 06 '20 at 14:28

2 Answers


I have had the same problem, but it looks like there is a solution on the MikroTik wiki: https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS#Port_forwarding_on_RouterOS

In addition to the srcnat rule, I have added

/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

before the FastTrack rule, and it looks like it did the trick.

Artiom
  • Yes! This got me in the right direction to solve the issue. I had to slightly modify the rule to also allow `new` connection states and it all fell into place. – JinnKo Aug 22 '21 at 18:41
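The complete rule set the answer and its comment describe, written out as an added example (not the answerer's or MikroTik's own configuration): the dst-nat rule for UDP 9999 to the PLC, a masquerade srcnat, and the forward-chain accept rules for dst-nat'ed connections (including `new`) placed above the FastTrack rule, followed by a drop for WAN traffic that was not port-forwarded. The interface names `ether1` (WAN, the question's eth1) and `bridge` (LAN) are assumptions.

```routeros
# Added example; assumed interface names: ether1 = WAN, bridge = LAN.
/ip firewall nat
# Translate inbound UDP 9999 on the router's WAN address to the PLC.
add chain=dstnat in-interface=ether1 dst-address=192.168.7.122 protocol=udp \
    dst-port=9999 action=dst-nat to-addresses=192.168.88.250 to-ports=9999 \
    comment="PLC UDP 9999 port forward"
# Masquerade LAN egress instead of a fixed to-addresses, so the rule still
# works when the WAN address differs at a customer site.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN masquerade"

/ip firewall filter
# The order below is the order the rules must hold in the forward chain:
# the two dstnat accepts sit above the fasttrack-connection rule.
# Accept the first packet of a port-forwarded flow, restricted to the PLC's
# address and port so the dstnat accept cannot be widened by a later NAT rule.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new protocol=udp dst-address=192.168.88.250 dst-port=9999 \
    action=accept comment="allow new PLC port-forward flows"
# Accept the rest of the port-forwarded flow (replies to the PLC).
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=established,related action=accept \
    comment="allow established port-forward traffic"
# FastTrack and the generic established/related accept follow.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
# Anything else arriving from the WAN that was not dst-nat'ed is dropped.
add chain=forward in-interface=ether1 connection-nat-state=!dstnat \
    connection-state=new action=drop comment="drop non-forwarded WAN traffic"

# Checks: the dstnat rule's counters should rise and a UDP 9999 connection
# with reply-dst-address 192.168.88.250 should appear when the utility scans.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where protocol=udp dst-address~"9999"
```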

In the end, the solution I found was to flash the router (RB750Gr3) with OpenWrt and configure it in the exact same fashion that I had in RouterOS. Everything works perfectly as expected.

While I wouldn't necessarily consider "change the OS" a viable solution to the problem, I spent several days trying to figure out what I was doing wrong with a simple NAT port forward, yet was able to accomplish the exact same thing on the same hardware in less than half a day (which includes figuring out how to flash a different OS onto the hardware).

It's a shame, because I was really starting to like RouterOS with its in-depth feature set, but OpenWrt is quite nice as well.

CenterOrbit