UDP NAT traffic but no response on MikroTik RouterOS

Question

I have a MikroTik router with v7.1beta2 firmware installed

It's WAN (eth1) has an IP address of 192.168.7.122

There are two devices connected to its LAN

• Device #1 is a webserver, communicating on port 80 TCP 192.168.88.254
• Device #2 is a PLC that communicates on port 9999 UDP 192.168.88.250

I've successfully setup a dst-nat to exposes Device #1 webserver on port 8080 from the WAN.

I cannot, however, get the PLC to communicate through the NAT. I've configured the dstnat similar to the webserver, changing only the port, address and protocol. Here's what I have configured right now:

Chain: dstnat
Protocol: 17 (udp)
Dst. Port: 9999
Action: dst-nat
Log: x
To Addressess: 192.168.88.250
To Ports: 9999

I've disabled all drops on the Firewall.

When I use the communication utility I point it to the WAN address and configured port: 192.168.7.122:9999 and search for the device, the MikroTik RateGraph shows a spike (so it's coming in) but the utility reports the device as 'Missing' (e.g. it's not getting a response).

When I connect to the LAN directly and point to 192.168.88.250:9999 directly the device shows up instantly as 'Available'.

To the best of my knowledge the PLC device doesn't care whether or not the src address is from the local network, as we've had the same model communicating via a NAT in the past (and I don't believe any special treatment was done). Other hardware in the field currently uses a socat of UDP 9999 through a Linux box (not NAT) and that works perfectly fine, so I'd be open to figuring out how to configure a socat-like NAT for testing.

I have also tried to configure a srcnat in case the dstnat wasn't reversing the traffic back through. Here's that:

Chain: srcnat
Src. Address: 192.168.88.250
Protocol: 17 (udp)
Dst. Port: 9999
Action: src-nat
To Addresses: 192.168.7.122
To Ports: 9999

Which, this also doesn't work, and this srcnat does not show any traffic on the Rate Graph.

I'm new to RouterOS, and networking has never been a particular strong suit (I'm a software engineer by trade), so I'm not familiar with ways to properly debug this situation, especially with RouterOS.

Using WireGuard on the host while directly connected to the LAN I see both traffic going out, and then the response.

Using it to monitor via the WAN it goes out but I never see a response.

Help?

Answer 1

I have had the same problem, but looks like there is a solution at Mikrotic wiki: https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS#Port_forwarding_on_RouterOS

In addition to the srcnat rule I have added

/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

before FastTrack rule and looks like it did the trick

Answer 2

In the end, the solution I found was to flash the router (RB750Gr3) with OpenWrt and configure it in the exact same fashion that I had in RouterOS. Everything works perfectly as expected.

While, I wouldn't necessarily consider "change the OS" as a viable solution to the problem, I spent several days trying to figure out what I was doing wrong with a simple NAT port forwarding, yet was able to accomplish the exact same thing on the same hardware in less than a half-day (which includes figuring out how to flash a different OS onto the hardware).

• https://openwrt.org/toh/mikrotik/mikrotik_rb750gr3
• https://openwrt.org/toh/mikrotik/common

It's a shame, because I was really starting to like RouterOS with its in-depth feature-set, but OpenWrt is quite nice as well.