7.14.2 Port Forwarding

Hello all,

I used to have a hAP lite on 6.49.2 and upgraded to hAP ac^2 on 7.14.2.

The simple port forwarding from here used to work just fine → https://help.mikrotik.com/docs/display/RKB/Port+forwarding
but now I cannot make it work on the new router…

I have tried many things and still cannot find what I am missing…
Is there anything on 7.14.2 that I am missing?
I have just used the default config and nothing more so far.

Here is the Filter Rules and NAT configuration

Filter Rules

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related log=no log-prefix="" 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

 7    chain=input action=accept protocol=icmp log=no log-prefix="" 

 8    chain=input action=accept connection-state=established log=no log-prefix=""

 9    chain=input action=accept connection-state=related log=no log-prefix="" 

10    chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

NAT

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; Internal
      chain=dstnat action=dst-nat to-addresses=192.168.0.170 to-ports=9999 
      protocol=tcp in-interface-list=WAN dst-port=9999

Any idea will be appreciated!
Thanks!

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)

# 2024-04-04 22:06:39 by RouterOS 7.14.2
# software id = XXXXXXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXX
# Export of a hAP ac^2 on the default configuration plus one dst-nat rule;
# identifying values (serial number, MAC addresses) were redacted by the poster.
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=greece disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=WIFI wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=greece disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=WIFI-5Ghz \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Default wireless profile: WPA/WPA2-PSK with PMKID disabled.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
# ether2-5 and both wlans are bridge ports; ether1 is deliberately not.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Interface lists: the bridge is LAN, ether1 alone is WAN. Every firewall and
# NAT rule below keys on these two lists rather than on interface names.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): md5 is listed as an accepted OVPN auth algorithm; this export
# does not show whether the OVPN server is enabled -- confirm, and remove md5
# from the list if it is.
/interface ovpn-server server
set auth=sha1,md5
# ether1 (WAN) carries a static private address and its DHCP client is disabled
# (see /ip dhcp-client); the default route in /ip route points at 192.168.1.254,
# i.e. an upstream ISP router. That upstream device must itself deliver
# TCP/9999 to 192.168.1.1 before the dst-nat rule below can see the traffic.
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases (MACs redacted); 192.168.0.170 is the dst-nat target host.
/ip dhcp-server lease
add address=192.168.0.150 client-id=1:0:11:32:f:2e:e7 comment=Device \
    mac-address=00:00:00:00:00:00 server=defconf
add address=192.168.0.251 client-id=1:a8:99:5c:0:29:40 comment=Device \
    mac-address=00:00:00:00:00:00 server=defconf
add address=192.168.0.170 comment=Device mac-address=00:00:00:00:00:00 \
    server=defconf
add address=192.168.0.72 client-id=1:0:12:17:3e:28:49 comment=Device \
    mac-address=00:00:00:00:00:00 server=defconf
add address=192.168.0.66 client-id=1:0:12:17:ab:f0:cf comment=Device \
    mac-address=00:00:00:00:00:00 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
# allow-remote-requests=yes makes the router a resolver for its clients; it is
# not reachable from WAN only because the input chain below drops everything
# that does not arrive from the LAN list -- keep that rule if this stays on.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# Forward chain (defconf order): ipsec accepts, fasttrack, accept
# established/related/untracked, drop invalid, then drop any NEW connection
# from WAN that was not dst-nat'ed. Inbound TCP/9999 is therefore admitted
# solely because the dstnat rule further down rewrites it first.
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Input chain: ICMP, established and related are accepted; everything else not
# arriving from the LAN list is dropped, so no management service is exposed
# on ether1. Unlike the forward chain there is no "drop invalid" rule here.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
# NAT: masquerade everything leaving WAN; dst-nat TCP/9999 arriving on WAN to
# 192.168.0.170:9999. The rule matches on in-interface-list=WAN, so it only
# fires for packets that actually reach ether1 -- the thread's resolution was
# on the upstream router's DMZ mapping, not in this ruleset.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Test dst-port=9999 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.170 to-ports=\
    9999
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.254
# UPnP is enabled with ether1 as the external side: any LAN host can then
# request its own WAN-side port mappings on top of the explicit dst-nat rule
# above. Disable it if inbound exposure should be limited to that one rule.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# NOTE(review): BFD is configured with interfaces=all, which includes ether1
# (WAN) -- confirm this is intended.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
# MAC-telnet and MAC-WinBox are restricted to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Based on the fact that you have a static public IP you can use it in the NAT rules instead of in-interface-list=WAN:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Test dst-port=9999 dst-address=192.168.1.1 protocol=tcp to-addresses=192.168.0.170 to-ports=9999

But frankly I don’t see any problem with the simple dst-nat rule

I do not have a public static ip… I use DDNS.

Sorry both are kind of either wrong or confused LOL…
You have a static Private IP set on IP address for ether1 and you have IP DHCP client turned off.

I think what you mean is that you actually have a private WAN IP address provided by the upstream ISP modem/router (via its LAN subnet) and the dyndns you use gets you the public IP assigned to the upstream router and not the mikrotik.
This is fine, just stated for clarity.

The problem is that you will need to port forward the server port on the upstream modem/router to your MikroTik on the ISP LAN.
Hence forward port 9999 on the ISP router to IP address 192.168.1.1/32 (assuming the subnet address on the ISP router is 192.168.1.254/24).

try this
1.png
2.png
3.png
4.png
5.png

I get what you mean!!
I use DMZ to move all traffic to Mikrotik.

Unfortunately did not work…

I figured it out! It was my fault all along and had nothing to do with Mikrotik.

I am leaving this here maybe someone can find it helpful.
The problem was on the ISP router.
The Router is a Technicolor TG789vac v2.

While I did the exact same configuration on the new MikroTik router, keeping the IP the same on both ends, the DMZ on the Technicolor associates the device with its MAC address as well.
Unfortunately it doesn't show that, as you can see in the screenshot, but when I did a hard reset and set it up from scratch it worked just fine!

Thank you all!
Screenshot 2024-04-05 203303.png