I had port forwarding working at one point but now it’s not..
Network diagram is pretty simple.. Just have ISP Cable Modem plugged into MikroTik and a few unmanaged switches and Eero Mesh system.. Everything is on same subnet/vlan..
I have BlueIris and SabNZB that I like to connect to externally.. My BlueIris port forward is 8999.. What’s weird is https://canyouseeme.org/ shows the port is open..
Not sure what I’m doing wrong..
Thanks
# jul/20/2022 15:43:59 by RouterOS 6.49
# software id = 0D08-KEW9
#
# model = RB760iGS
# serial number = XXXX
/interface bridge
add admin-mac=XXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ISPLINK
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.200-192.168.1.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!all
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ISPLINK list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ISPLINK
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Sab dst-address=!254.255.255.255 dst-port=8085 in-interface=ISPLINK log=yes protocol=tcp to-addresses=192.168.1.132 to-ports=8085
add action=netmap chain=dstnat comment=BlueIris dst-port=8999 in-interface=ISPLINK log=yes protocol=tcp src-port="" to-addresses=192.168.1.26 to-ports=8999
add action=dst-nat chain=dstnat dst-port=8999 in-interface=ISPLINK protocol=tcp to-addresses=192.168.1.26 to-ports=81
/ip kid-control device
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.26 port=9996
/snmp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(1) If you are trying to connect FROM LAN USERS, via the external WAN IP address, be it static or dynamic, to the server on the same subnet, then you are running to hairpin nat.
If so need this
/ip firewall nat add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24
and you need to adjust your firewall rule allowing dst-nat
FROM add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=
comment=“allow port forwarding”
add action=drop chain=forward comment=“drop all else”
Now we more securely drop not only all WAN traffic not dst-natted, but we drop all other traffic not explicity allowed.
This is accomplished by adding the last DROP ALL rule.
Because we add this drop all rule, what was allowed by the default rule base that you may have not known is internet traffic, so we have to put that back in.
(2) Change this to
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
To understand better about hairpin nat and the nuances involved depending upon if you have a dynamic or static WANIP (may influence dst-nat rule structure!).
Read this please - https://forum.mikrotik.com/viewtopic.php?t=179343
Well the basic problem is the failure to either read or understand the post and link…
You didn’t make any of the suggested adjustments to the firewall rules or dst-nat rules.
Oh geez dude.. I’m sorry.. I looked at your last post and thought those were changes I needed to make.. Turns out those were my existing rules.. Here I thought I had changed them to match what you put, but they were exactly the same.. Apologies…