Super basic port forwarding doesn't work

WhatWhereAmI · Sun Mar 31, 2013 7:44 am

I can't get a basic dstnat to work at all. Ports show up as open, but traffic doesn't seem to get forwarded to the server behind the router. Port forwarding with my last router in the same exact configuration worked perfectly. Any help greatly appreciated.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=*.*.*.* dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=*.*.*.* dst-port=8080

lambert · Sun Mar 31, 2013 8:12 am

Just to make sure, was your last router a MikroTik?

I've not tried matching all IPs with the syntax you are showing, Did you '*' out the real public IP? Or does your config really contain the '*'s?

If so, you might try this instead, untested:

/ip firewall nat
   add chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp in-interface=ether1-gateway dst-port=25565
   add chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp in-interface=ether1-gateway dst-port=8080

WhatWhereAmI · Sun Mar 31, 2013 9:56 am

Now these ports seem to just be timing out.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=8080

docmarius · Sun Mar 31, 2013 10:07 am

Is it possible that your server doesn't accept non-local connection requests (e.g. a windows machine with default firewall settings)?
In this case an additional

chain=srcnat action=masquerade out-interface=ether2-master-local

(put your internal interface there...) would do the trick.

WhatWhereAmI · Mon Apr 01, 2013 6:25 am

I upgraded to v6.0rc12 because I've been having so many problems with this router.

My previous router was a random linksys. I had no problem forwarding these ports with it. The servers I have running are definitely configured to receive any incoming connections, as again, they were working fine before I got this MikroTik router.

This is what my firewall rules look like currently:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=**.**.**.** dst-port=8080 

 3   chain=srcnat action=masquerade out-interface=ether2-master-local

I've tried a whole bunch of different configurations which should all work, but nothing ever seems to. Is there anything I could be missing?

cbrown · Mon Apr 01, 2013 6:45 am

Post your whole config just incase something else is messed up.

/export compact

WhatWhereAmI · Mon Apr 01, 2013 10:50 pm

Most of this stuff is just default. I added a couple static addresses, a public dns server, and the firewall rules. Please let me know if there's anything here I can improve.

[admin@MikroTik] > /export compact
# jan/02/1970 16:39:19 by RouterOS 6.0rc12
# software id = 2V3C-5786
#
/interface bridge
add admin-mac=D4:CA:6D:6A:CF:A3 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=\
    "MikroTik"
/interface ethernet
set 2 master-port=ether2-master-local
set 3 master-port=ether2-master-local
set 4 master-port=ether2-master-local
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
    network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.100 mac-address=00:13:D4:B9:A3:29
add address=192.168.88.200 mac-address=58:B0:35:61:EE:9D
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.2
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=**.**.**.** dst-port=8080 protocol=\
    tcp to-addresses=192.168.88.100
add action=masquerade chain=srcnat out-interface=ether2-master-local
/system leds
set 0 interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes

cbrown · Tue Apr 02, 2013 2:36 pm

Disabled the last rule (drop rule) in /ip firewall filter and see if that works.

lordkappa · Sun Apr 07, 2013 7:32 am

It would be easier to use the Netmap action to perform port forwarding.

add action=netmap chain=dstnat comment="Your Comment" disabled=no dst-port=8888 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.50

This statically maps the external port "8888" on ether-1 to the specified machine 192.168.1.50.

aghsistemas · Tue Jun 07, 2016 10:06 am

Is it possible that your server doesn't accept non-local connection requests (e.g. a windows machine with default firewall settings)?
In this case an additional
Code: Select all
chain=srcnat action=masquerade out-interface=ether2-master-local
(put your internal interface there...) would do the trick.

You did it, thanks