 
BackwardsCire
just joined
Topic Author
Posts: 21
Joined: Tue Jun 26, 2012 3:19 pm

Port Forwarding setup frustrations with Dynamic IP (Home)

Wed Jun 27, 2012 8:45 pm

Port Forwarding setup frustrations with Dynamic IP (home service) on RB450G


I'm very new to MikroTik gear and having a heck of a time trying to get simple port forwarding working on my RB450G. I'm using this as my home router after getting sick of crappy home level gear failing and crashing on me (Linksys, Netgear, etc.). I'm upgrading from a Linksys WRT120N where port forwarding was as simple as going in and telling it which IP to forward to.

I've done a fair amount of searching and reading threads here as well as familiarizing myself with the MikroTik interface. Using WinBox, I've got the router up and running, changed the internal IP and DHCP to my preferred address space, set up custom DNS, NTP, and upgraded the system to the latest 5.18 code. As this is residential service, I have a DHCP (dynamic) IP from the Internet Provider.

All of this is working great and I've seen a fair speed increase over the Linksys in Internet and LAN traffic. Plus the thing doesn't feel so hot I could cook eggs either.

I have three systems that I want to forward services to:

- Windows RDP 3389 Internal IP 172.27.27.251
- Linux web server 22, 80, and 443 Internal IP 172.27.27.252
- Synology NAS 1194 and 1723 Internal IP 172.27.27.254


The internal IP of the router is 172.27.27.1


All of the examples that I could find through searching specify a static external IP to set up the port forwarding. In this case, I have a Dynamic IP and that won't work long term.

This is a fresh config on the RB as well, so I don't even see the DST-NAT chain in the Firewall screen under NAT. Trying to set it up asks for an external IP and won't accept an interface name.

If I try to just set up a new port forward rule, I actually don't see the "to-address" field anywhere, just an "address list" field, and I'm not sure what to set for the action pull down.

My next thing will be to just try command line and paste in some modified commands from the Wiki, but I think that I'm just overlooking some obvious config steps.


I'm hoping that some of you most experienced gurus can pity a newb and spell out everything that needs to be done for port forwarding on a Dynamic IP to get this to work from a fresh config.


Thanks
 
lordkappa
Member Candidate
Posts: 133
Joined: Wed May 16, 2012 1:53 pm
Location: Vancouver, Canada

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Thu Jun 28, 2012 1:17 pm

I assume you've set up a master SRC-Nat rule to NAT all your privately addressed traffic over your outbound interface. Your issue is only that the examples used a specific external destination IP for the DST-Nat rule?

When you're setting up the specific DST-Nat rule, about halfway down the window, there's an "in-interface" match option. (See attached) If you change the highlighted options from my screenshot, you should be able to get it working for your specific setup.
 
BackwardsCire
just joined
Topic Author
Posts: 21
Joined: Tue Jun 26, 2012 3:19 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Thu Jun 28, 2012 4:51 pm

Thanks for the reply. I ended up figuring it out last night before this topic was approved. The problem is that I was making the assumption that a dstnat chain needed to be set up on the IP>Firewall>NAT tab so that I could set the port forwarding with rules on the IP>Firewall>Filter tab. In reality, the port forwarding rules go directly on the NAT tab without having to set up an overall dstnat chain. So simple, yet I overlooked it.

So in short, the problem existed between the chair and the keyboard. :?

For anyone who may be in the same boat with this, the solution is actually very easy for a dynamic IP.

Once you have your router set up at home passing packets, doing source NAT (should be in there by default, at least it was on my 450G), and handing out your preferred DHCP address, do the following:

a) Command Line

Select a terminal in Webfig or Winbox
Enter the following command with your ports and IPs:
/ip firewal nat add chain=dstnat dst-port=<PORT> action=dns-nat protocol=<tcp/udp> to-address=<INTERNAL IP> in-interface=<NAME OF EXTERNAL INTERFACE>
If you have the NAT tab open, you'll see the new rule pop up.

Now I was trying to set up port forwarding on port 80, and using the example in the manual it does NOT specify an in-interface so it will forward ALL port 80 traffic from any interface to the specified IP. Not good since it will keep any other computer from browsing the web over port 80.

Key point for dynamic IP is to specify the in-interface (the name of which can be found on the interfaces menu. By default, my external interface is "ether1-gateway")

If you wanted to use the GUI:

1) Go to IP > Firewall and select the NAT tab.
2) add a new rule
3) find the boxes to enter the info contained in the command line setup above and lordkappa's graphics above


Whew. All that to figure out the problem was me. :)

Out of curiosity, if you're in the same boat and this helped you with your dynamic IP port forwarding setup, please post a reply. Maybe I'll post this into the Wiki if I find I wasn't alone.
 
RomelSan
newbie
Posts: 37
Joined: Fri Jul 06, 2012 1:53 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Fri Jul 06, 2012 2:03 am

BackwardsCire! Thanks!
My settings work now! Trying for hours :p

And for remote administration via WinBox I used:
/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" disabled=no \
dst-port=8291 protocol=tcp

It works, but now I am wondering... How can you protect this port against brute force?
 
wirelessadweb
just joined
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Mon Jan 07, 2013 10:41 am

Hi, I am new to MikroTik too and wasted Sunday trying to get basic port 80 forwarding to an internal address running. I have tried configuring from scratch and used a default config. Even tried two different versions of the OS.

I am looking to use webfig and forward 80 to a camera on the inside. I have used the rule from the wiki and now the one here, replacing the dst-address with the in-interface as described here.

Also combinations of dst-nat or netmap on action.

I have set IP/Services/www to 81 and that is available in the default config if I disable the filters.
I cannot get to 80 whatever I try. I have even tried changing the port on the camera to take it away from 80 - but nothing.

Do I need to add a filter?
 
RomelSan
newbie
Posts: 37
Joined: Fri Jul 06, 2012 1:53 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Mon Jan 07, 2013 4:09 pm

Test it from outside your network... If you want to test this from inside too, then you must Hairpin NAT.

http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
wirelessadweb
just joined
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Mon Jan 07, 2013 4:46 pm

Thanks for the post - I am testing from the outside; this should be so simple.

I have done this with other routers. I am not that familiar with the MikroTik, but I have followed the instructions here to the letter, working from a default config on an omnitik with OS 5.20 and a RB751u-2Hnd with 5.22.

I can get to webfig on port 81 if I disable the last filter in the default config.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Mon Jan 07, 2013 7:56 pm

wirelessadweb wrote:
> Thanks for the post - I am testing from the outside; this should be so simple.
>
> I have done this with other routers. I am not that familiar with the MikroTik, but I have followed the instructions here to the letter, working from a default config on an omnitik with OS 5.20 and a RB751u-2Hnd with 5.22.
>
> I can get to webfig on port 81 if I disable the last filter in the default config.

Some ISPs block incoming connections to port 80. It's to prevent you from hosting a webserver at home.
 
wirelessadweb
just joined
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Tue Jan 08, 2013 9:33 am

I did not need the hairpin; I needed a sanity check, so I plugged in a router I know, the Ubiquity, and got the same result. That is when it clicked: check the camera, and bingo.

Thanks for all the responses. I will ensure I test the test environment before I post again.
 
illuminet
just joined
Posts: 1
Joined: Mon May 19, 2014 4:50 am

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Mon May 19, 2014 4:55 am

I have tried the config shown, but unfortunately it didn't work out. I have followed the above steps.

My situation:
I have a server, local IP address 192.168.2.3, port 9165
My public IP: 121.121.25.229

I've used dst nat and followed every step, but it still can't get through. Can anyone help me?
 
Trackboy
Member Candidate
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Wed Oct 22, 2014 7:57 pm

Hello everybody! I have got a port forwarding problem. I did not want to start a new thread. I have a server and there are 2 ports that I want to forward. The problem is that both ports do not work at the same time.

Server ip address is: 10.10.10.2

10.10.10.2: 40000 ( torrent )
10.10.10.2: 28000 ( this is another one service )

If I disable the torrent port, the second one works.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Hom

Sun Oct 26, 2014 2:52 pm

illuminet wrote:
> I have tried the config shown, but unfortunately it didn't work out. I have followed the above steps.
>
> My situation:
> I have a server, local IP address 192.168.2.3, port 9165
> My public IP: 121.121.25.229
>
> I've used dst nat and followed every step, but it still can't get through. Can anyone help me?

/ip firewall nat
add action=dst-nat chain=dstnat comment="my server" dst-address=\
    121.121.25.229 dst-port=9165 protocol=tcp to-addresses=192.168.2.3
 
fearsome
just joined
Posts: 1
Joined: Sun Apr 12, 2015 5:53 am

Re: Port Forwarding setup frusterations with Dynamic IP (Home)

Sun Apr 12, 2015 6:08 am

I have been at this for quite some time and am unable to get anything working. I am trying to make a Half-Life Source engine dedicated server. Some people say all you need is port UDP 27015 (27016 in my case).

However, after 8 hours =[ it still doesn't work, and the problem seems most likely to be on the router side of things. I have tried to add every possible port and combination of ports I can, and I just can't seem to figure it out. And I know some of them have to be right because I see traffic showing up on them.

I tried the above command line and it threw me a syntax error. I cannot make the action dns-nat; that is the one thing that I cannot seem to do. Everything else I can do, but I just don't see the server showing up in the server list.

In general the ports look like this
action dst-nat
chain dstnat
dst address my external IP
protocol tcp||udp
dst port 27016 and a slew of other ones, everything I could find on the internet
in interface ether1-gateway
to address LAN IP of server computer
to ports, the same port listed in dst port for each rule.

The most frustrating issue is I cannot seem to find any way to troubleshoot. If anyone has any ideas... I mean, I don't even have a way, outside of checking the game server list, of checking if the specific IP and port are reachable from outside, to see if the configuration of the router is right or if it's just me having the wrong ports or something.
 
Admin529
just joined
Posts: 1
Joined: Thu Mar 17, 2016 2:05 am

Re: Port Forwarding setup frusterations with Dynamic IP (Home)

Sun Aug 07, 2016 11:11 pm

Can anyone assist me with port forwarding from the outside world into my security cameras?
Here is my setup: WAN IP is static from ISP Verizon FiOS. When I use the port checker tool it says the port is closed. Now, is that because I am checking from the internal PC, or is this a PEBKAC error?


WAN ip = 100.9.62.250
PC IP = 192.168.100.15
Camera IP = 192.168.100.100
Ports needed to be open are several, but let's go with one for now
Port = 1050
I have tried for 2 days on and off now with no luck. Here are my steps:
1. IP>FIREWALL>NAT>ACTION TAB
action=dst nat
to address = 192.168.100.15
to port = 1050
General Tab
chain = dstnat
src address = blank
dst address 100.9.62.250
protocol = tcp
src port = blank
dst port = 1050
the rest of fields blank

To anyone that can assist, I would be very grateful!!!
Thank you very, very much and hope to hear from someone soon.
Rob
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Home)

Mon Aug 08, 2016 5:11 am

Assuming the static ip from Verizon is actually on the router... and not nat'd behind a fios router...
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=\
    100.9.62.250 dst-port=1050 protocol=tcp to-addresses=192.168.100.15
 
jupiter95
just joined
Posts: 8
Joined: Tue Aug 30, 2016 9:32 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Home)

Tue Aug 30, 2016 9:58 pm

Another new user who cannot configure NAT:

Below is the command I found in tons of posts:
/ip firewal nat add chain=dstnat dst-port=<PORT> action=dns-nat protocol=<tcp/udp> to-address=<INTERNAL IP> in-interface=<NAME OF EXTERNAL INTERFACE>
This concept is understood; however, I still cannot get it to work.

Can somebody explain what the correct setup is for the firewall section, both filter and NAT? Suppose I delete all entries and am willing to do it from scratch.

In my situation, LAN to Internet traffic works well.

What diagnostic steps can I take?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Port Forwarding setup frusterations with Dynamic IP (Home)

Tue Aug 30, 2016 10:31 pm

In general, two things need to happen for a firewall pinhole to work properly:
1) translation rule in the NAT table which instructs the router on what changes to write into packets' headers
2) filter rules must allow the resulting packet flow to pass through the router

#1 can get an extra wrinkle thrown into the mix if you're trying to do hairpin NAT - trying to reach the "outside IP" from a host that is in the same IP network as the "inside IP"
When you do this, the dstnat rule may need to be modified depending on what the match criteria are, and you will also require a "hairpin nat rule" which translates the SRC address of the client host to be the lan IP of the router, so that replies from the server will be sent to the router for un-translation of the replies.

#2 isn't particularly special - the only "gotcha" there is that the filter rules see the packets AFTER the dst-nat action has taken place, so they should permit connections based on the inside IP of the server, and not the public IP.
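
ZeroByte's two requirements, plus the hairpin case, written out for the web server from the first post. This is an added example, not a configuration posted by anyone in this thread; `ether1-gateway` and the 172.27.27.x addresses come from the posts above, while the /24 LAN mask and an otherwise empty forward chain are assumptions.

```routeros
# Added example, not from the thread. Assumptions: LAN is 172.27.27.0/24,
# router LAN address 172.27.27.1, WAN is ether1-gateway, and the forward
# chain has no earlier rules that already accept or drop this traffic.

/ip firewall nat
# 1) Translation. The action is spelled dst-nat and the target field is
#    to-addresses. Matching on in-interface instead of dst-address keeps
#    the rule valid when the ISP changes the public IP, and keeps it from
#    catching LAN clients' own outbound port 80 traffic.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.27.27.252 to-ports=80 \
    comment="WAN tcp/80 to web server"

# Hairpin, only needed when LAN hosts use the public address. The first
# rule matches any address the router itself holds (so it follows a dynamic
# WAN IP) except the LAN address; the second rewrites the client's source
# so the server replies via the router.
add chain=dstnat src-address=172.27.27.0/24 dst-address-type=local \
    dst-address=!172.27.27.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.27.27.252 comment="hairpin dstnat"
add chain=srcnat src-address=172.27.27.0/24 dst-address=172.27.27.252 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin srcnat"

/ip firewall filter
# 2) Filtering happens after dst-nat, so the pinhole is written against the
#    inside address 172.27.27.252, not the public one.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=172.27.27.252 dst-port=80 action=accept \
    comment="pinhole: WAN to web server tcp/80"
# Everything else arriving from the WAN is dropped, so only the forwarded
# port is exposed.
add chain=forward in-interface=ether1-gateway action=drop \
    comment="drop other WAN-originated forwards"
```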
