Can't get port forwarding to work

I can’t seem to get port forwarding to work on my RB750. I’m trying to enable access to my CCTV cameras from outside. The cameras are on a local IP with port 55881 and I’ve a static IP (x.x.x.x) from my ISP.

/ip address print detail

 0   address=192.168.1.2/24 network=192.168.1.0 interface=ether1
     actual-interface=ether1

 1   address=192.168.0.1/24 network=192.168.0.0 interface=ether2
     actual-interface=ether2

 2 D address=x.x.x.x/32 network=118.96.0.1 interface=pppoe-out1
     actual-interface=pppoe-out1

/ip route print detail

 0 ADS  dst-address=0.0.0.0/0 gateway=118.96.0.1 
        gateway-status=118.96.0.1 reachable pppoe-out1 distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=118.96.0.1/32 pref-src=x.x.x.x gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10

/ip firewall export

/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
add name=Twitter regexp="^.+(twitter.com).*\$"
add name=Youtube regexp="^.+(youtube.com).*\$"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=drop chain=forward comment=Facebook disabled=no dst-port=443 \
    layer7-protocol=Facebook protocol=tcp src-address=192.168.0.0/24
add action=drop chain=forward comment=Facebook disabled=no layer7-protocol=\
    Facebook src-address=192.168.0.0/24
add action=drop chain=forward comment=Twitter disabled=no layer7-protocol=\
    Twitter src-address=192.168.0.0/24
add action=drop chain=forward comment=Youtube disabled=no layer7-protocol=Youtube \
    src-address=192.168.0.0/24
/ip firewall nat
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=\
    auth
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=\
    no src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="CCTV 1" disabled=no dst-address=\
    x.x.x.x dst-port=55881 in-interface=ether2 protocol=tcp to-addresses=\
    192.168.0.200 to-ports=55881
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

In your dst-nat rule you have in-interface ether2, which seems to be a LAN interface. You probably want to forward from outside to inside.

The RB is sitting behind an ADSL modem that’s set up as a bridge. So, the RB is dialing out with the pppoe-out interface. I’ve tried replacing the ether2 with pppoe-out; the port is still closed when I check with yougetsignal.com.

Just to be sure, you do have your external IP address in the dst-address, right? By the way, you don’t need to match by both interface and IP address; they are somewhat redundant. Try matching by just the external interface.

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV 1" dst-port=55881 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.0.200 to-ports=55881

Generally I just match the in-interface, protocol & port for port forwarding… if the router has multiple public IPs then I may exchange matching of the in-interface for the public IP.

I do have the public IP in the dst-address; I just hid it with x.x.x.x.

What do you mean by matching just the external interface?

The rule:

add action=dst-nat chain=dstnat comment="CCTV 1" disabled=no dst-address=\
    x.x.x.x dst-port=55881 in-interface=ether2 protocol=tcp to-addresses=\
    192.168.0.200 to-ports=55881

says when the destination address is x.x.x.x AND the destination port is 55881 and the in-interface is ether2 AND the protocol is tcp THEN forward the traffic to 192.168.0.200 on TCP port 55881.

That is probably more AND conditions than you need. The more specific you make matches, the more likely you are to exclude something you didn’t intend to.

You may be better off taking all traffic that comes in on ether2 on TCP port 55881 and forwarding it to the internal machine… or probably even better, taking all traffic going to your public IP on TCP 55881 regardless of the in-interface and forwarding it to the internal machine.

I hope that helps.
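To make the AND-matching described above concrete, here is a small model of how a RouterOS dstnat rule is evaluated against an incoming packet. It is an added example, not RouterOS code or anything posted in this thread; `203.0.113.10` is a constructed stand-in for the hidden public IP x.x.x.x.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the poster's public address x.x.x.x (TEST-NET-3 range).
PUBLIC_IP = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    in_interface: str   # interface the packet arrived on, e.g. "pppoe-out1"
    protocol: str       # "tcp" or "udp"
    dst_address: str
    dst_port: int

@dataclass(frozen=True)
class DstNatRule:
    comment: str
    to_address: str
    to_port: int
    # Matchers: None means "not specified", which matches any value.
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must hold at the same time (logical AND).
        checks = [(self.protocol, pkt.protocol), (self.dst_address, pkt.dst_address),
                  (self.dst_port, pkt.dst_port), (self.in_interface, pkt.in_interface)]
        return all(want is None or want == have for want, have in checks)

def apply_dstnat(rules, pkt: Packet) -> Optional[Tuple[str, str, int]]:
    """First matching rule wins, as in the dstnat chain; None means no translation."""
    for rule in rules:
        if rule.matches(pkt):
            return (rule.comment, rule.to_address, rule.to_port)
    return None

# The three variants discussed in the thread, for the CCTV host 192.168.0.200:55881.
RULE_ORIGINAL = DstNatRule("CCTV 1 (in-interface=ether2)", "192.168.0.200", 55881,
                           protocol="tcp", dst_address=PUBLIC_IP, dst_port=55881,
                           in_interface="ether2")
RULE_FIXED = DstNatRule("CCTV 1 (in-interface=pppoe-out1)", "192.168.0.200", 55881,
                        protocol="tcp", dst_address=PUBLIC_IP, dst_port=55881,
                        in_interface="pppoe-out1")
RULE_ANY_IFACE = DstNatRule("CCTV 1 (any in-interface)", "192.168.0.200", 55881,
                            protocol="tcp", dst_address=PUBLIC_IP, dst_port=55881)

# A connection from the internet arrives on the PPPoE interface, not on ether2.
FROM_INTERNET = Packet("pppoe-out1", "tcp", PUBLIC_IP, 55881)
```

Running `apply_dstnat([RULE_ORIGINAL], FROM_INTERNET)` returns None because the ether2 matcher never holds for traffic arriving via pppoe-out1, while the other two rules translate it; a packet to port 55882 or over UDP is not touched by any of them, which is why a second port needs its own rule.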

I’ve tried all kinds of combinations but it’s still not working. I took out the in-interface as you recommended, like below:

add action=dst-nat chain=dstnat comment="CCTV 1" disabled=no dst-address=\
    x.x.x.x dst-port=55881 protocol=tcp to-addresses=192.168.0.200 \
    to-ports=55881

What else am I missing? Do I need to add a rule in the Filter?

Thanks.

add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.0.0/24

Is this camera on a hotspot network? If so, you need to bypass the camera through the hotspot.

/ip hotspot ip-binding
add address=192.168.0.200 type=bypassed

Thank you! Bypassing the camera did the trick. The port is open when I checked on yougetsignal.com.
However, when I typed in the public IP and the port in the browser (i.e. x.x.x.x:55881), the browser said it couldn’t connect. What could be the issue?

I can connect fine if I’m in the network using 192.168.0.200:55881

Do you have the hotspot universal NAT disabled? If not, check “/ip hotspot host” and see if there is a translation for that IP. Ensure the “to-address” is also 192.168.0.200.

Also make sure to specify the protocol, because it cannot be inferred, meaning http:// or https:// in front of the IP.

I’m able to access the camera from the internet now, thanks. Now I’m trying to open another port, 55882, using the same settings, but oddly it doesn’t work. What’s missing?

I have the same issue & cannot figure out what is going on.
RB1100AHx2
RouterOS: 6.33.3
I have a dual WAN setup using the steps here: http://wiki.mikrotik.com/wiki/Manual:Load_balancing_multiple_same_subnet_links

I then have ether6 set as master with a DHCP server; ether7-ether10 use ether6 as master.
Everything works great except for getting port forwarding going.

# dec/16/2015 13:38:15 by RouterOS 6.33.3
# software id = BM0F-DF12
#
/ip firewall filter
add action=drop chain=input src-address=222.186.56.97
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=first src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2

I also added the port forwarding rule as recommended:
WAN1=ether1
WAN2=ether2
192.168.0.3 is a server connected to ether8 getting a DHCP IP through master port ether6.

/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=943 in-interface=WAN1 protocol=tcp to-addresses=192.168.0.3 to-ports=943

/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=943 in-interface=WAN1 protocol=udp to-addresses=192.168.0.3 to-ports=943

Nothing seems to work.

kryptonite, what is stopping the request from coming in on WAN1 and leaving on WAN2? It may not be port forwarding that is the problem.

dst-nat, aka port forwarding, is a rewriting of the destination in the packet header. All it does is say that what was once destined for the router IP is now destined for the specified internal IP. I’m not seeing an issue with your dst-nat rule. However, the reply traffic will use your routing table to decide how to return to the requester. I am not sure how the requester in your case would handle a request to one IP being returned from another IP, assuming this is happening.

I was testing port fwd from inside the network; when I tested from outside it was working. So it looks like I am all good. However, for the future, how can I test from within the network?

I tried yougetsignal from within the network and that didn’t help. I had to get out of the network and it showed the port was indeed open!