Can't get port forward to work.

RouterOS Beginner Basics
1

Hi there,

I think there’s something fundementally wrong with me or my router.

My setup is with My Republic Broadband (Fibre) in NZ.

The setup goes ONT (Fibre box) > LAN 1 MicroTik > LAN 2 MicroTik > My Home Switch/WLAN.

I am using the quicket mode for HomeAP.
Outbound surfing is fine and My NAS Is on the Switch and i can access it from the MicroTiks Wifi.

Trying to port forward via GUI/Command line. I’d be happy just to get one port going to be honest but can’t seem to have any joy.

ISP assigns an IP to me.
Microtik is 192.168.0.1
NAS is 192.168.0.20

Interface list is below

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  R  ether1                              ether            1500  1598       4074
 1  RS ether2-master                       ether            1500  1598       4074
 2   S ether3                              ether            1500  1598       4074
 3   S ether4                              ether            1500  1598       4074
 4   S ether5                              ether            1500  1598       4074
 5  RS wlan1                               wlan             1500  1600
 6  R  ;;; defconf
       WAN                                 bridge           1500  1598

Yes i renamed interface 6 to be WAN from whatever it was - and then tried using that in the NAT rule but that didn’t work either. I see no hits on the counter for that nat rule when I try from openportchecktool.com

Export below - it’s fairly vanilla apart from having added the rule at the bottom. I beleive ethern1 is my WAN interface?



/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1 log=yes \
    protocol=tcp to-addresses=192.168.1.20 to-ports=5001
[admin@MikroTik] /interface>

I’m sure it’s something simple I’m missing.
Many thanks
S

2 
add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1 log=yes \
    protocol=tcp to-addresses=192.168.1.20 to-ports=5001

Change the to-addresses=192.168.0.20 :laughing:

3

Your forward filter logic is kind of doing a head stand…

Allow connection-nat-state=dstnat
Then add a separate rule below that drops all packets
EDIT: drops all packets in-interface=ether1 (wan interface)

I know this sounds like a potato/potatta type of thing, but if you ever need to accept any other packets in the forward chain, your current logic won’t let you do it.

And yes, having the right internal IP in the dst-nat rule does tend to help make things work better. :wink:

Oh - and don’t bother with the connection-state=new criteria either - because by that point in the chain, new connection state is the only thing left, why make the CPU spend extra cycles checking something that’s guaranteed to be true?
(earlier rules already catch 100% of established, related, and invalid states)

4

Thanks guys - sorry after trying it many times i guess the last time i loaded the rule in and posted the config I typod the 192.168.0.20 address, but i’ve used the same config with the correct IP and it didn’t work.

I’ll double check tonight and revert.

In terms of the logic you mention it makes sense but it’s not something I specifically wrote - it was there from the built in setup when I selected “HomeAP” in the quickset menu. Maybe that’s something the devs could fix up to avoid wasting CPU cycles as you said?
Once I get this Nat business working i’ll look to sort out the headstand logic and post back to verify. I’m very new to this so I appreciate your patience.
Then the next challenge is LT2P setup, i’d rather have my Microtik doing it than using PPTP on my NAS.

5

The policy on the forward chain is a “default-allow” type of policy, where switching to the mode where you allow specific things, and then drop by default changes the tone a bit.

Do note that I made a boo-boo in my earlier advice - the “drop everything else” part needs to specify in-interface=ether1 (your WAN interface) - if you don’t put that criteria on the rule, then your Internet’s going to stop working. I hope you read this post before you follow my earlier post and break things. :laughing:

6

Is your ONT just a modem? If it is, just set the mikrotik as a router or else there will be no routing.

7

I don’t believe it’s a modem as it gives my Microtik it’s WAN IP and can host a phone line (SIP) etc (i don’t have one enabled)

8

No worries many thanks for noting that. I didn’t get a chance to work on it.. but will have a look tonight.

9

If your mikrotik WAN port has a public IP then the ONT is a modem. It is possible for the modem to have a digital voice line and still act as a modem.

10

I don’t see an option to change it to be a router in the quick set menu? I can surf the web so I’m assuming it is doing some kind of routing?

11

What is your ONT make and model? If it is indeed a router, you should do the port forwarding from there rather than the AP.

12

Still no joy - definetly checked 192.168.0.20 as end point IP.
NAS can ping the 192.168.0.1 interface on the Microtik no problems.

I unselected the “new” critera on the rule that had it and ended up wtih this. I moved all the drops down to the bottom and still no go.


add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
13

Not meaning to be flippant…I doubt thats the case as it’s provided by the telco and nobody has access to these.

Link here shows the device.
http://www.geekzone.co.nz/forums.asp?forumid=49&topicid=127540

14

So after calling my ISP they advised they did a double Nat.

I got sniff of a rat after i checked that their namesake in Singapore did double nats, and unless you had a static IP port forwarding was a duff.

Well there’s 5 hours i’ll never get back.

Thank you all!

15

As soon as I started reading this I thought hang on, don’t My Republic use CGNAT…

The ONT is just a GPON fibre interface. It doesn’t do any routing