basic rule blocking server port forwarding

Hey guys, my son is hosting a Minecraft server and I set up all the port forwarding, but it didn’t work. I did some testing and figured out that the following filter rule (that I was advised to have in place) was blocking the traffic:

Running 6.18 currently

add action=drop chain=forward comment="Drop everything else"

I disabled this and it seems to be working now. Do I need this rule?


/ip firewall address-list
add address=10.0.0.0/16 list=admin-access
add address=192.168.1.0/24 list=admin-access
/ip firewall connection tracking
set icmp-timeout=20s tcp-close-timeout=20s tcp-close-wait-timeout=20s tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s tcp-time-wait-timeout=20s udp-timeout=20s
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=LAN src-address=192.168.1.0/24
add chain=input comment="Allow access from local network 3" in-interface=Guest src-address=192.168.2.0/24
add action=log chain=input comment="Log everything else" log-prefix="IPv4 Drop input RR:"
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add chain=forward comment="Allow traffic from Local network to go outside" in-interface=LAN out-interface=WAN src-address=192.168.1.0/24
add chain=forward comment="Allow traffic from Local network 3 to go outside" in-interface=Guest out-interface=WAN src-address=192.168.2.0/24
add action=log chain=forward comment="Log everything else" log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else" disabled=yes
add chain=input src-address-list=admin-access
add action=drop chain=input dst-port=21,22,23,80,443 protocol=tcp
add action=drop chain=forward comment="VLAN rules" dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Night disable internet" disabled=yes in-interface=LAN out-interface=WAN time=1s-17h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=LAN2 out-interface=WAN time=2h1s-6h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=LAN3 out-interface=WAN time=2h1s-6h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=Guest out-interface=WAN time=1s-17h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Day disable internet" disabled=yes in-interface=LAN out-interface=WAN time=8h-16h30m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=LAN2 out-interface=WAN time=8h-16h30m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=LAN3 out-interface=WAN time=8h-16h30m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes in-interface=Guest out-interface=WAN time=8h-15h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Tyler PC" disabled=yes out-interface=WAN src-address=192.168.1.54 time=1s-23h59m59s,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Downstairs workshop" disabled=yes out-interface=WAN src-address=192.168.1.57 time=1h1s-5h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes out-interface=WAN src-address=192.168.1.57 time=22h1s-23h59m59s,mon,tue,wed,thu
add action=drop chain=forward disabled=yes out-interface=WAN src-address=192.168.1.57 time=1s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment=xBOX disabled=yes out-interface=WAN src-address=192.168.1.114 time=22h1s-23h59m59s,mon,tue,wed,thu
add action=drop chain=forward disabled=yes out-interface=WAN src-address=192.168.1.114 time=1h1s-5h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes out-interface=WAN src-address=192.168.1.114 time=1s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment=HTPC disabled=yes out-interface=WAN src-address=192.168.1.85 time=1s-9h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Permanent Block" out-interface=WAN src-address=192.168.1.65 time=1s-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward out-interface=WAN src-address=192.168.2.33 time=1s-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward out-interface=WAN src-address=192.168.1.89 time=1s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward out-interface=WAN src-address=192.168.1.64 time=1s-23h59m,sun,mon,tue,wed,thu,fri,sat
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT rule" out-interface=WAN time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# Note: the next two accept rules are in the NAT table, where "forward" is not a built-in chain.
# They create a user-defined chain that nothing jumps to, so they never see the game traffic.
add chain=forward dst-port=25565 protocol=tcp
add chain=forward dst-port=25565 protocol=udp
add action=dst-nat chain=dstnat comment="Minecraft Game Server" dst-address=70.81.182.172 dst-port=25565 protocol=tcp src-port="" to-addresses=192.168.1.57 to-ports=25565
add action=dst-nat chain=dstnat dst-address=70.81.182.172 dst-port=25565 protocol=udp src-port="" to-addresses=192.168.1.57 to-ports=25565

A rule that’s labeled “drop everything else” and drops all packets is usually a “default” rule for a policy that specifies what is allowed and drops the rest. (The opposite kind of policy is to allow everything except for certain things.)

The order of the rules is important.
If you have a “drop everything else” rule - that’s going to end it for the chain it’s in. Any rules that come later in the same chain will never be checked because no packet gets past “drop everything.”

In Winbox, when viewing firewall rules, there is a drop-down selector at the top-right of the firewall window. This is a view filter and it helps you to see a specific chain all by itself.

If you want to allow connections to a specific internal device on a specific port (for instance, a mail server) and you have mapped NAT rules to pass TCP ports 25, 993, and 995 through to the mail server, you would also need to make sure there is a rule that allows these ports (forward chain, in-interface=WAN, protocol=tcp, dst-port=25,993,995).
This rule would need to come BEFORE the drop-everything rule, or else it never gets checked.

Disabling the rule basically changes your policy from “allow only the following things” into being permissive. (allow everything unless specifically blocked)

This is usually not a good policy to have when dealing with the Internet, so you should keep the drop everything else rule, and create a rule that specifically allows the port(s) needed by the Minecraft server.
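Putting that answer into RouterOS commands, as an added example that is not part of the original thread: it adds the two accept rules in the forward chain directly ahead of the catch-all drop, re-enables the drop, and prints the counters so you can confirm the new rules are the ones matching. The interface name WAN, the server address 192.168.1.57 and port 25565 are taken from the export above; the rule comments are assumptions. Note that the forward chain sees the packet after dst-nat has already rewritten it, so the match is on the internal address, not the public one.

```routeros
# Added example, not from the original thread. Assumes interface WAN, server
# 192.168.1.57 and port 25565 as in the export; comments are illustrative.
/ip firewall filter

# The forward chain runs after dstnat, so the destination is already the
# internal host. Restricting to in-interface=WAN keeps this from also
# loosening LAN-to-LAN traffic.
add chain=forward action=accept in-interface=WAN protocol=tcp \
    dst-address=192.168.1.57 dst-port=25565 \
    comment="Allow Minecraft (TCP) to game server" \
    place-before=[find chain=forward comment="Drop everything else"]
add chain=forward action=accept in-interface=WAN protocol=udp \
    dst-address=192.168.1.57 dst-port=25565 \
    comment="Allow Minecraft (UDP) to game server" \
    place-before=[find chain=forward comment="Drop everything else"]

# With the specific allows in place above it, the default-deny can go back on.
enable [find chain=forward comment="Drop everything else"]

# Check: the two new rules should appear above the drop rule, and their
# packet counters should increase when a client connects from outside.
print stats where chain=forward
```

If the counters on the "Log everything else" rule keep climbing with the log prefix "IPv4 Drop forward RR:" for port 25565, the accept rules landed below the drop rather than above it; `move` them, or re-check the `place-before` target.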

Ok, I think I understand now. I made a new rule with your parameters and then re-enabled the drop everything else rule and it seems to be working. Thanks!

Glad you’ve got it working. I pasted your rules into a Mikrotik and looked at them in Winbox. You’ve got a lot of policy things going on. You might find it helpful to learn how to use custom-defined chains, for performance reasons and for keeping rules easier to follow/understand.

I.e., if you want a certain policy for LAN2 towards the Internet, make a rule in the forward chain matching in-interface=LAN2, out-interface=WAN, action=jump to chain lan2internet.

The beauty of this is that you can make one simple check (which interfaces) and in the new chain, all rules will only apply to LAN2 - you never need to check interfaces again, and you are confident that any rules you put here will not affect the other LANs.

It can be harder to understand at first but once you learn it, it’s quite elegant and useful.
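The custom-chain layout described above, as an added example that is not part of the original thread: one jump rule in the forward chain classifies LAN2-to-Internet traffic, and every rule inside the new chain applies only to that traffic without repeating the interface match. The interface names LAN2 and WAN and the night-time window are taken from the export; the chain name lan2internet, the address list and the comments are assumptions for illustration.

```routeros
# Added example, not from the original thread. Interfaces LAN2/WAN come from
# the export; chain name lan2internet and the rules inside it are assumptions.
/ip firewall filter

# Single classification rule in the forward chain. It must sit above the
# catch-all drop, otherwise it is never reached.
add chain=forward in-interface=LAN2 out-interface=WAN \
    action=jump jump-target=lan2internet \
    comment="LAN2 -> Internet policy" \
    place-before=[find chain=forward comment="Drop everything else"]

# Everything below only ever sees LAN2 -> WAN packets, so no interface
# matching is needed and none of it can affect the other LANs.
add chain=lan2internet action=drop \
    time=2h1s-6h,sun,mon,tue,wed,thu,fri,sat \
    comment="LAN2 night cut-off"
add chain=lan2internet action=drop src-address-list=lan2-blocked \
    comment="Hosts on LAN2 that are blocked from the Internet"
add chain=lan2internet action=accept \
    comment="Everything else on LAN2 may reach the Internet"

# Hosts to block are managed in an address list instead of one rule each.
/ip firewall address-list
add list=lan2-blocked address=192.168.3.10 comment="example host (assumed)"
```

If no rule in lan2internet matches (for instance, all of them are disabled), the packet returns to the forward chain at the rule after the jump, so the generic allow/drop rules there still decide its fate; keep the final accept in the custom chain if LAN2 is meant to be allowed out by default.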