4011 affecting outbound services

Just set up my 4011 a few days back, and it has been fantastic so far.

Today however, I went to start streaming one of my games, and I was getting 60% network frame loss. This has not happened before. It could be the streaming service having issues, but it's more likely something on my end. The only change I have made has been swapping out the router I had for the 4011.

It actually seems like it's blocking a lot of outbound stuff? I'm reading that it doesn't have any outbound firewall, but I can't get to anything on the outside from my emby server, or my php server, or my streaming computer.

I'd like to get this sorted as soon as possible. I posted in general around 18 hours ago, and it still hasn't been approved, so I thought I'd try my luck here.

Post your config:
/export hide-sensitive file=anynameyouwish

# dec/01/2020 10:30:32 by RouterOS 6.47.8
# software id = VYLD-A8V1
#
# model = RB4011iGS+
# serial number = D4450CB79C24

/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d10m name=\
    dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:b4:2e:99:ac:10:b1 mac-address=\
    B4:2E:99:AC:10:B1 server=dhcp1
add address=192.168.1.51 mac-address=70:BC:10:26:54:95 server=dhcp1
add address=192.168.1.100 mac-address=10:BE:F5:20:7A:D4 server=dhcp1
add address=192.168.1.111 mac-address=D8:31:34:D3:58:A3 server=dhcp1
add address=192.168.1.120 client-id=1:98:b8:ba:52:80:7c mac-address=\
    98:B8:BA:52:80:7C server=dhcp1
add address=192.168.1.53 client-id=1:70:bc:10:30:1b:17 mac-address=\
    70:BC:10:30:1B:17 server=dhcp1
add address=192.168.1.122 client-id=1:98:b8:ba:5b:14:a9 mac-address=\
    98:B8:BA:5B:14:A9 server=dhcp1
add address=192.168.1.34 mac-address=D8:28:C9:0E:D5:C9 server=dhcp1
add address=192.168.1.50 client-id=1:70:bc:10:30:1a:b mac-address=\
    70:BC:10:30:1A:0B server=dhcp1
add address=192.168.1.113 client-id=1:0:7c:2d:9b:f4:39 mac-address=\
    00:7C:2D:9B:F4:39 server=dhcp1
add address=192.168.1.52 client-id=1:70:bc:10:30:1a:39 mac-address=\
    70:BC:10:30:1A:39 server=dhcp1
add address=192.168.1.121 client-id=1:64:89:f1:45:f7:8d mac-address=\
    64:89:F1:45:F7:8D server=dhcp1
add address=dhcp client-id=1:0:18:dd:7:41:2d disabled=yes mac-address=\
    00:18:DD:07:41:2D server=dhcp1
add address=192.168.1.33 client-id=1:0:18:dd:7:5f:3f mac-address=\
    00:18:DD:07:5F:3F server=dhcp1
add address=192.168.1.3 client-id=1:b4:2e:99:cd:32:9d mac-address=\
    B4:2E:99:CD:32:9D server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=accept chain=forward comment="COD TCP" connection-nat-state=dstnat \
    dst-address=192.168.1.2 dst-port=3074,27014-27050 protocol=tcp
add action=accept chain=forward comment="COD UDP" connection-nat-state=dstnat \
    dst-address=192.168.1.2 dst-port=3074,3478,4379-4380,27000-27031,27036 \
    protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
add action=accept chain=forward comment="WOW TCP" dst-address=192.168.1.2 \
    dst-port=1119,3724,6012 protocol=tcp
add action=accept chain=forward comment="WOW UDP 1119,3724,6012" dst-address=\
    192.168.1.2 dst-port=1119,3724,6012 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="COD TCP 3074" dst-port=3074 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=3074
add action=dst-nat chain=dstnat comment="COD TCP 27014-27050" dst-port=\
    27014-27050 in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 \
    to-ports=27014-27050
add action=dst-nat chain=dstnat comment="COD UDP 3074" dst-port=3074 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3074
add action=dst-nat chain=dstnat comment="COD UDP 3478" dst-port=3478 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3478
add action=dst-nat chain=dstnat comment="COD UDP 4379-4380" dst-port=\
    4379-4380 in-interface=ether1 protocol=udp to-addresses=192.168.1.2 \
    to-ports=4379-4380
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
    27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2 \
    to-ports=27000-27031
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=27036
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=1119
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=3724
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=6012
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=1119
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3724
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=6012
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-ip=192.168.1.1 interface=ether1 type=external
/system clock
set time-zone-name=America/New_York

192.168.1.3 is the system that I stream from, which was losing 60% of the frames
192.168.1.31 is the TNAS, which hosts my php server, as well as my emby server, both of which are failing.

(1) /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
The interface here should be the bridge, not ether2.
(2) Your firewall filter chain is a bloated mess and contains nothing of what you really need.
Replace it with the default settings; that IS ALL YOU NEED…

(3) Why is UPNP on, or required, if you have forwarded so many ports??? I would start by turning that off until the config is fixed, and then see if it is still needed.

(4) NAT RULES - you don't need to-ports if they are the same as the dst ports. It is clear that you have nothing forwarded to any IP other than 192.168.1.2, so it's no surprise to me that nothing happens on 192.168.1.31.

/ip firewall nat
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
    27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2

IP firewall filter approach

/ip firewall filter
[input chain - default rules in italics, admin added rules otherwise]
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input src-address-list=adminaccess [only admin should be able to fully access the router]
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=53
add action=accept chain=input in-interface-list=LAN protocol=udp dst-port=53
add action=drop chain=input comment="drop all else" (caution: put in this rule only when the admin access rules are in place!!)

[forward chain - default rules in italics, admin added rules otherwise]
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

/ip firewall address-list
add address=IP address of admindesktop list=adminaccess
add address=IP address of adminlaptop list=adminaccess
add address=IP address of adminIpad list=adminaccess
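As an added example (not code from the thread or from MikroTik), here is a small Python first-match evaluator for the rule syntax used in this thread. It replays constructed packets through the suggested forward chain, showing that the closing "drop all else" only stops unsolicited internet traffic to a non-forwarded LAN host when it is written with chain=forward (written with chain=input by mistake, it lands in the wrong chain and the forward chain falls through to accept), and through the ssh_stage1 to ssh_blacklist rules from the first config export, showing that because add-src-to-address-list is passthrough the fifth new SSH connection from one source is the first one dropped. The sample addresses, port 8080, the passthrough treatment of fasttrack-connection and the omission of address-list timeouts are assumptions of the example.

```python
"""First-match evaluator for the RouterOS-style filter rules in this thread.
Added example, not code from the thread or from MikroTik: only the matchers the
posted rules use are modelled, so a rule order can be checked against constructed
packets before it goes onto a real router."""


def R(text):
    # Parse "key=value key=value ..." (RouterOS add syntax, comments omitted).
    return dict(tok.partition("=")[::2] for tok in text.split())


def _port_match(spec, port):
    # RouterOS port syntax: "22", "27014-27050" or "3074,27014-27050".
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False


def _matches(rule, pkt, lists):
    for key, want in rule.items():
        if key in ("chain", "action", "address-list"):
            continue
        if key == "dst-port":
            ok = _port_match(want, pkt.get("dst-port", -1))
        elif key == "src-address-list":
            ok = pkt["src"] in lists.get(want, set())
        elif key == "connection-state":
            ok = pkt.get("connection-state") in want.split(",")
        else:  # protocol, connection-nat-state, in-/out-interface-list
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def evaluate(rules, chain, pkt, lists=None):
    """Return "accept" or "drop" for pkt traversing `chain`.  Modelled semantics:
    add-src-to-address-list is passthrough (the packet keeps going down the
    chain), fasttrack-connection is treated as passthrough too (approximation),
    and a chain with no terminating match accepts (RouterOS default policy)."""
    lists = {} if lists is None else lists
    for r in rules:
        if r["chain"] != chain or not _matches(r, pkt, lists):
            continue
        if r["action"] in ("accept", "drop"):
            return r["action"]
        if r["action"] == "add-src-to-address-list":
            lists.setdefault(r["address-list"], set()).add(pkt["src"])
    return "accept"


def parse_rules(block):
    return [R(line) for line in block.splitlines() if line.strip()]


# The forward chain suggested in the thread, minus its closing drop rule.
SUGGESTED_FORWARD = """
chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related,untracked
chain=forward action=drop connection-state=invalid
chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN
"""


def unsolicited_wan_to_lan(drop_chain):
    """Fate of a new, non-forwarded connection from the internet to a LAN host
    when the closing 'drop all else' rule is written with chain=<drop_chain>:
    chain=forward is intended, chain=input leaves the forward chain open."""
    rules = parse_rules(SUGGESTED_FORWARD) + [R(f"chain={drop_chain} action=drop")]
    pkt = R("in-interface-list=WAN out-interface-list=LAN protocol=tcp "
            "dst-port=8080 connection-state=new src=203.0.113.5")  # constructed
    return evaluate(rules, "forward", pkt)


# The staged SSH brute-force rules from the first config export in the thread.
STAGED_SSH = """
chain=input action=drop protocol=tcp dst-port=22 src-address-list=ssh_blacklist
chain=input action=add-src-to-address-list address-list=ssh_blacklist connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
chain=input action=add-src-to-address-list address-list=ssh_stage3 connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
chain=input action=add-src-to-address-list address-list=ssh_stage2 connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
chain=input action=add-src-to-address-list address-list=ssh_stage1 connection-state=new dst-port=22 protocol=tcp
"""


def ssh_attempts_until_drop(max_attempts=10):
    """Replay new SSH connections from one constructed source through the staged
    rules (address-list timeouts ignored); return the attempt number on which
    the source is first dropped, or None if it never is."""
    rules, lists = parse_rules(STAGED_SSH), {}
    for n in range(1, max_attempts + 1):
        pkt = R("protocol=tcp dst-port=22 connection-state=new src=198.51.100.7")
        if evaluate(rules, "input", pkt, lists) == "drop":
            return n
    return None
```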

  1. The bridge was set up by the default system. Once I plugged in the router, went to the default IP address in the browser, set my settings and hit save, it created the bridge. Ether 2 is plugged into my gaming PC. Ether 1 is inet, and ether 3 goes to my unmanaged switch. If I run the command you provided, what will that change?

  2. The firewall stuff that I have is port forwarding for 2 games, as this is a router in home use. So, the ports are opened to make sure there is less delay. The other firewall stuff is blocking the constant login attempts that seem to be happening in my router log. It blacklists them. I got that off the MikroTik forums. I'm not sure what else I could do with it. I don't know how else to stop the brute force.

  3. UPNP is on because I am not the only person using this network; my kids are also gaming on their Xboxes. I was told that UPNP was pretty necessary for gaming on a home network. Should I still turn it off?

  4. Why would what is forwarded TO the .2 address affect the outbound of the .31?

With the information I just replied with, will the provided information you gave me still be ok? I’ll give it a run if so.

From your post: " 192.168.1.3 is the system that I stream from, which was losing 60% of the frames
192.168.1.31 is the TNAS, which hosts my php server, as well as my emby server, both of which are failing."

So I would expect servers to be on 192.168.31.1 ???

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes get rid of the bloat, make the changes, full steam ahead. We want to get you up and running successfully.
After that is accomplished we can address the other issues if any crop up, in better ways.

Yes, my tnas is on 192.168.1.31, which is where the emby server and php server are running.

The streaming is coming from another pc, that is plugged into the switch that is plugged into ether 3.

Will changing the bridge affect the DHCP at all? I would like everything to stay on the 192.168.1.***, so when I run that command, will anything change in that regard?

Also, will running these commands result in my kids not being able to get responses from their game servers?

[admin@MikroTik] /ip address> add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
failure: already have such address

Here is the config file with the other changes so far.

# dec/01/2020 18:57:34 by RouterOS 6.47.8
# software id = VYLD-A8V1
#
# model = RB4011iGS+
# serial number = D4450CB79C24

/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d10m name=\
    dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:b4:2e:99:ac:10:b1 mac-address=\
    B4:2E:99:AC:10:B1 server=dhcp1
add address=192.168.1.51 mac-address=70:BC:10:26:54:95 server=dhcp1
add address=192.168.1.100 mac-address=10:BE:F5:20:7A:D4 server=dhcp1
add address=192.168.1.111 mac-address=D8:31:34:D3:58:A3 server=dhcp1
add address=192.168.1.120 client-id=1:98:b8:ba:52:80:7c mac-address=\
    98:B8:BA:52:80:7C server=dhcp1
add address=192.168.1.53 client-id=1:70:bc:10:30:1b:17 mac-address=\
    70:BC:10:30:1B:17 server=dhcp1
add address=192.168.1.122 client-id=1:98:b8:ba:5b:14:a9 mac-address=\
    98:B8:BA:5B:14:A9 server=dhcp1
add address=192.168.1.34 mac-address=D8:28:C9:0E:D5:C9 server=dhcp1
add address=192.168.1.50 client-id=1:70:bc:10:30:1a:b mac-address=\
    70:BC:10:30:1A:0B server=dhcp1
add address=192.168.1.113 client-id=1:0:7c:2d:9b:f4:39 mac-address=\
    00:7C:2D:9B:F4:39 server=dhcp1
add address=192.168.1.52 client-id=1:70:bc:10:30:1a:39 mac-address=\
    70:BC:10:30:1A:39 server=dhcp1
add address=192.168.1.121 client-id=1:64:89:f1:45:f7:8d mac-address=\
    64:89:F1:45:F7:8D server=dhcp1
add address=dhcp client-id=1:0:18:dd:7:41:2d disabled=yes mac-address=\
    00:18:DD:07:41:2D server=dhcp1
add address=192.168.1.33 client-id=1:0:18:dd:7:5f:3f mac-address=\
    00:18:DD:07:5F:3F server=dhcp1
add address=192.168.1.3 client-id=1:b4:2e:99:cd:32:9d mac-address=\
    B4:2E:99:CD:32:9D server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall address-list
add address=192.168.1.2 list=adminaccess
add address=192.168.1.3 list=adminaccess
add address=192.168.1.32 list=adminaccess
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=adminaccess
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="COD TCP 3074" dst-port=3074 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD TCP 27014-27050" dst-port=\
    27014-27050 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 3074" dst-port=3074 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 3478" dst-port=3478 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 4379-4380" dst-port=\
    4379-4380 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
    27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
    in-interface=ether1 protocol=udp to-addresses=192.168.1.2
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-ip=192.168.1.1 interface=ether1 type=external
/system clock
set time-zone-name=America/New_York

What's next? The servers are still not connecting so far.

Hi there,
The only thing I see really wrong is this one…

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

That should be bridge not ether2.

Can you confirm that you are able to reach the internet?

Also you still do not have any port forwarding to your servers, they all point to one IP, which is not your 192.168.31.1
Perhaps I should have asked more directly what the heck is on 192.168.1.2 ??

By the way I have adult gamers in this house and they play all sorts of games, no ports forwarded and no UPNP.
They do not run servers however.

Also, are you expecting yourself and your kids to access the servers within the house? If so are you simply using the LANIP of the servers??

I am able to reach the internet from all devices currently.

192.168.1.2 is the pc I use to game on. The forwarded ports are for Call of Duty, and World of Warcraft (example: https://portforward.com/call-of-duty-modern-warfare). This is why there are ports forwarded to this device.

The emby server is a media server that is accessible from all devices on the network. I also use this device for network storage as well. So, any of my computers or kids' computers use it to store pictures, videos, etc.

I did just reinstall the OS on the TNAS, as it was acting up, and it seems to have resolved that issue. It's now allowing my emby server to reach outside the network. I have NO idea what the actual cause of the issue was. It never did that on previous routers. But at least it's resolved, hopefully.

From my understanding, without the upnp, it makes for delay and even blocked connections for games that are going out to the internet. This may not be noticeable in slower paced games, but in competitive fast paced ones, it can make or break the game play. I noticed a big difference on previous routers before and after I set up the port forwarding.

I appreciate all the help so far. This one was really bugging me.

I’m going to try my stream out here in a bit and see if the frame drop is still happening. If it is, I’ll probably have some more questions on what to do for that.

I stream using a 2 pc set up. The other pc is on 192.168.1.3, and it uses OBS to stream my game to facebook. I really hope that this issue is resolved as well. We will see.

Oh, also, what should I do about this? The interface should be ‘bridge’? Or does the bridge get assigned to ether2 by default when the system bridges all LAN ports together?

Just tried some things out. My Xbox Live chat is now not working, and it's displaying as moderate and blocked. It was working fine prior to the changes made tonight.

Remember that we set this rule
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

In other words there is nothing blocking your streaming to the internet, so it should simply work.
If it doesn't work then it's something wrong on the device itself (PC or application).

Also port forwarding all those ports to your computer is most bizarre for a modern game.
Typically if you start the game you are the one initiating the connection and thus all returning related traffic should be allowed back through and there should be no need to open ports as that negotiation should be done transparently within the program.

Also be aware that since you forward all those ports to your PC, they are unavailable for any other PCs on the network.

The setting must be on the bridge; ether2 is not the DHCP server, and all the other ether ports belong to the bridge, not ether 2… it's logical lol !!

I just confirmed with my adults, that COD and WOW works fine for them and they use PCs.
I cannot vouch for Xboxes and PlayStations etc., that's a different kettle of fish…


My settings… which have no ports forwarded for games and my UPNP is off.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
    AdminAccess src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=\
    new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    NTPserver
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE HomeLAN  to WAN" \
    in-interface=Home-LAN_V11 log-prefix="ALLOWED LAN 2 WAN TRAFFIC" \
    out-interface-list=WAN
add action=accept chain=forward comment="allow VLANS  to WAN " \
    in-interface-list=VLANSwInt out-interface-list=WAN
add action=accept chain=forward comment=VlanUsers_TO_Printer \
    dst-address-list=House_Printers in-interface-list=LAN log-prefix=\
    "ALLOWED MSTUDY TRAFFIC" src-address-list=AccessToPrinters
add action=accept chain=forward comment=\
    "Allow Port Forwarding -  DSTNAT" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log-prefix="FORWARD DROP ALL"

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN - FibreOP" \
    ipsec-policy=out,none out-interface=vlanbell
add action=masquerade chain=srcnat comment="SCR_NAT for LAN - Cable" \
    ipsec-policy=out,none out-interface=Eastlink_eth7



Searching around,…
Things to try…
(1) I just tested with my son’s XboxOne, tested NAT and it said moderate, then only enabled DST NAT to the XboxOne IP for both protocols TCP and UDP destination port 3074, now NAT says Open.

(2) Is this solved? I myself got a headache with this; being a certified MK consultant with years of experience, I was starting to doubt my abilities. What solved it for me was a simple rule. The big problem with this thing is that Microsoft doesn't show the correct ports to be redirected on its support page. All it needed was port 56102 UDP, and that can be customized on the Xbox itself by going to network advanced settings.

Here is the rule that I created on my RB and it’s working. If your case isn’t solved yet I hope this comes in a good way for you.

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses='IP-XBOX' to-ports=56102 \
    protocol=udp dst-address='IP-WAN' dst-port=56102 log=no log-prefix=""

+++++++++++++++++++++++++++

(3) Another thing was that for UPNP (a service on the router) to work, you need to create an input rule for port 1900 UDP:
add chain=input action=accept in-interface-list=LAN dst-port=1900 protocol=udp

upnp settings: external interface = your WANIP, internal interface = 192.168.1.2

Thanks for the reply. I'll get on this tomorrow morning after I get up and let you know what happens. It's bedtime for me for the evening. Thank you again.

I don’t have time to go through all the thread this morning, but you seem to be fixing issues you don’t have. Opening ports doesn’t speed up anything for games - it lets you host matches on your client and it isn’t required to play (listen servers). That’s what the NAT type says. Adding any unnecessary rule actually slows the router, because rules equal CPU time and CPU time equals latency on any computer. And bad configs also cause other major headaches.

For COD, time sensitive game state packets use 3074. That’s it. All those other connections are there for other features (chat, stats, validating the client, etc.). Streaming uses another port. For security reasons, you shouldn’t open ports unless you’re hosting a server. Please note that listen servers were the worst idea in online gaming ever: They are bad for performance and security. The default settings will give you a moderate NAT type unless your ISP forces you to use a firewall on their end.

Follow anav's advice and simplify your config as much as possible. If you have specific issues with a default config, post them and someone will help you fix them.

I won't have time to really get into this until later in the afternoon (I only have a few minutes to post this), but have you ever played a game like COD on a moderate NAT type? It's horrendous. It's nothing compared to the open NAT type, which is achieved through the port forwarding. So you are saying that this is useless, yet the gaming community/industry has been recommending it for a while now. You're saying it's useless, but I, and every person I know who has played on a moderate vs open NAT type, can claim the better experience?

Activision’s own words-

If you are experiencing connectivity issues, it may have been suggested that you forward or open ports, set port forwarding, or change your NAT type. This guide explains the basics of port forwarding first party ports and information on NAT types and provides troubleshooting to help improve your connection.

What are ports, and what is port forwarding?

Ports are simply virtual pipelines that allow computers and devices to communicate and send information back and forth on the Internet. See more about ports used for Call of Duty games.

Port forwarding – or creating a port forward – is a common process in gaming that makes your gaming console or PC more accessible to other gaming consoles or PCs on the Internet. Port forwarding can improve connection speed, lobby wait times, and overall gameplay, particularly for a host.

What about NAT?

NAT (Network Address Translation) is a networking concept that allows your router to share a single IP (Internet Protocol) address across multiple devices on your network. Instead of your ISP (Internet Service Provider) assigning an IP address to every device that connects to the Internet, NAT allows your ISP to assign a single IP address to your router. The router then manages a set of IP addresses for all devices on your home network.

There are three main NAT types depending on your platform: Open, Moderate, and Strict on Microsoft or PC, and Type 1, Type 2, and Type 3 on Sony. Moderate/Type 2 and Strict/Type 3 NAT types limit the connections your gaming console or PC can make to other gaming consoles or PCs. For example, Moderate/Type 2 NATs can only connect with gaming consoles or PCs using Moderate/Type 2 or Open/Type 1 NAT, and Strict/Type 3 NATs can only connect with gaming consoles or PCs using Open/Type 1 NAT. Ultimately, an Open/Type 1 NAT will provide the best connection quality.

I appreciate you guys helping me out, but you're also telling me things that don't line up with what most competitive gamers have dealt with. It's one thing to play a game online; it's another to play a competitive fast-paced game, where every microsecond counts…

I'm not stating these things to argue with you, but because you are giving me information that is contrary to everything I have been shown so far. This doesn't mean I am saying you are wrong; it means that I need you to help me understand why what I have been shown is incorrect. I'm very willing to learn, but I have to make sure that you guys have a concept of gaming to complement your knowledge in security and other networking issues, because they don't always go hand in hand.