I would like to allow facetime traffic on my Mikrotik router. I have a list of all the ports necessary for facetime connection but I still can’t figure out where I’m going wrong.
Can someone share the syntax for opening the ports kindly?
Hi Donalds.
Thanks for the reply.
The links you shared are for forwarding a port to a single IP on the network. I, however, am looking for a solution to allow all my internal users to access, say, port 5223, which is used for FaceTime connections.
Any idea on how to achieve this?
I'm really surprised you can't do this already. FaceTime calls are initiated through an Apple login, so inbound connections should effectively be either established or related and not need a specific rule setting up. In addition to this, I have never needed to add a rule for any of the routers I have set up for family or the 500+ that have used my config script through work.
Can you do a
/export hide-sensitive
And share your set up?
Hi Steveocee.
The configuration is as below. Thanks for the assistance.
[admin@Homerouter] > /export
compact --
file -- File name
hide-sensitive --
verbose --
[admin@Homerouter] > /export hide-sensitive
# may/09/2018 14:00:28 by RouterOS 6.28
# software id = XV4Z-GYE3
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.5.1.200-10.5.7.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=6h10m20s name=default
/interface bridge port
add bridge=bridge1 interface=ether2-master-local
/ip address
add address=10.5.1.1/21 comment="default configuration" interface=ether2-master-local network=10.5.0.0
add address=x.x.x.x/30 interface=ether1-gateway network=x.x.x.x
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=10.5.0.0/21 comment="default configuration" gateway=10.5.1.1 netmask=21
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.5.1.1 name=router
/ip firewall filter
add chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=invalid
add chain=input protocol=icmp
add chain=input dst-port=5223 protocol=tcp
add chain=input connection-state=established
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Port 110" dst-port=110 in-interface=ether1-gateway protocol=tcp to-addresses=10.5.1.31 to-ports=110
add action=dst-nat chain=dstnat comment="Port 25" dst-port=25 in-interface=ether1-gateway protocol=tcp to-addresses=10.5.1.31 to-ports=25
add action=dst-nat chain=dstnat comment="Webmail Mdaemon" dst-port=3000 in-interface=ether1-gateway protocol=tcp to-addresses=10.5.1.31 to-ports=3000
add action=dst-nat chain=dstnat comment="Mdeamon Remote Administration" dst-port=444 in-interface=ether1-gateway protocol=tcp to-addresses=10.5.1.31 to-ports=444
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway protocol=tcp to-addresses=10.5.1.31 to-ports=3389
add chain=srcnat
/ip route
add distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/romon port
add disabled=no
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name=Homerouter
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
[admin@Homerouter] >
Try changing your
/ip firewall filter
add chain=input dst-port=5223 protocol=tcp
Over into the forward chain.
/ip firewall filter
add chain=forward dst-port=5223 protocol=tcp
Update:
I ended up disabling the firewall.
# may/09/2018 14:00:28 by RouterOS 6.28
/ip dns
set allow-remote-requests=yes
/ip service
set www-ssl disabled=no
Please update your router to at least 6.40.8 (via System > Packages), reset the configuration and re-run Quick Set to update the DHCP pool and get a decent firewall rule set (with fasttrack).
Your router is currently vulnerable to DNS amplification attacks and www exploits, with or without the firewall enabled (your firewall configuration is missing a default drop policy).
FaceTime should work out of the box without any firewall exemptions (provided that outbound traffic in the forward chain is allowed).
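As an added example that is not code from this thread or from MikroTik's default script, here is a default-drop filter set along the lines the reply above recommends. It assumes the interface names and LAN subnet from the posted export (ether1-gateway as the WAN port, 10.5.0.0/21 as the LAN behind bridge1) and a RouterOS version that supports fasttrack.

```routeros
# Added example (not from the thread): minimal default-drop filter set for the
# posted layout. Assumes ether1-gateway is the WAN port and 10.5.0.0/21 is the
# LAN, as in the exported configuration above.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept src-address=10.5.0.0/21 \
    comment="LAN may reach router services (DNS, Winbox, www-ssl)"
# Everything else arriving on the WAN port is dropped. With this in place the
# open resolver (allow-remote-requests=yes) and www-ssl are no longer reachable
# from the Internet, which is what the DNS amplification warning is about.
add chain=input action=drop in-interface=ether1-gateway \
    comment="default drop from WAN"
# --- forward chain: traffic passing through the router ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related (covers FaceTime return traffic)"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Outbound from the LAN is allowed, so FaceTime's TCP 5223 and other client
# connections need no per-port rule; their replies match established/related.
add chain=forward action=accept src-address=10.5.0.0/21 \
    out-interface=ether1-gateway comment="LAN to Internet"
# Only connections that hit a dst-nat rule (the mail/RDP forwards) may enter
# from the WAN; everything else from the WAN is dropped.
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1-gateway comment="port-forwarded services"
add chain=forward action=drop in-interface=ether1-gateway \
    comment="default drop from WAN"
```

The posted config's `connection-state=invalid` rule has no `action=drop`, so it accepts invalid packets; the rules above give every match an explicit action and end each chain with a drop.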