Can't open port. Firewall issue?

I have a NAS with the NAS4Free OS. It has a BitTorrent client. I've tried to enable UPnP but it doesn't want to work, so I tried to open a port, but that also doesn't want to work. The port I would like to open is 51413.
Here’s my setup:

Under NAT → a dst-nat rule for port 51413; under the Action tab → To Addresses I've entered the IP of the NAS on my LAN, and under To Ports I've entered 51413.

I've configured my firewall from a YouTube MikroTik basic setup video, so I really don't know how the process works in general.


help?

bump
help please?

You cannot have a "default drop" forward rule if you want to use UPnP. Also, you need to set the internal and external interfaces for UPnP. When an application opens ports, the forward rules will be added to the bottom of the list. If you have a "drop all" forward rule, then the UPnP rules will never apply.

Could you please write which rules I should remove and which I should add to get the same level of protection but with UPnP working?

This is a basic set of filter rules. You will need to set the LAN and WAN interfaces to match your own naming.

/ip firewall filter
add chain=input comment="Streams that have been authenticated already" \
    connection-state=established,related
add chain=input comment="Traffic from the LAN to the Router" \
    connection-state=new in-interface=lan0
add action=drop chain=input comment="default configuration" in-interface=wan0 \
    log-prefix=Dropped
add chain=forward comment="These come from the \"New\" connections" \
    connection-state=established,related
add chain=forward comment="Allow new Forwards from the LAN - but not the WAN" \
    connection-state=new in-interface=lan0

So should I delete all my rules or just the "default drop" forward rule? And then add these rules that you wrote?

Also, for my own naming: my ether1 is WAN and bridge1 is LAN (bridged ether2-5). So in general it should look like this?

/ip firewall filter
add chain=input comment="Streams that have been authenticated already" \
    connection-state=established,related
add chain=input comment="Traffic from the LAN to the Router" \
    connection-state=new in-interface=bridge1
add action=drop chain=input comment="default configuration" in-interface=ether1 \
    log-prefix=Dropped
add chain=forward comment="These come from the \"New\" connections" \
    connection-state=established,related
add chain=forward comment="Allow new Forwards from the LAN - but not the WAN" \
    connection-state=new in-interface=bridge1

OP,

Do you just need the NAS to be able to download, or do you need to make it accessible from the outside? If you don’t need to make it accessible from the outside, then you don’t need to get rid of your forward drop rule.


I have a PC that torrents from time to time, and I also run a Plex server. Here are my filter and NAT rules that allow me to do what I do anywhere I need to do it. Is it foolproof? No, but it blocks enough for me.

/ip firewall filter
add action=drop chain=input comment="Block invalid input connections" \
    connection-state=invalid
add action=drop chain=forward comment="Block invalid forward connections" \
    connection-state=invalid
add chain=forward comment="Plex Ports - TCP" dst-port=3005,8324,32469 protocol=\
    tcp
add chain=forward comment="Plex Ports - UDP" dst-port=1900,5353,32412-32414 \
    protocol=udp
add chain=forward dst-port=32400 protocol=tcp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="Allow Established and Related Input Connections" \
    connection-state=established,related
add chain=forward comment="Allow Established and Related Forward Connections" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway src-address-list=!SuntelOffice
add action=drop chain=forward comment=\
    "Disallow Forward Connections from Outside unless listed as an DST Nat." \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway



/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.169

I need it to be accessible from outside (to seed downloaded files).

And thanks for your setup!

Then use this and change the port as you need.



add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.169

How I started: first, set up your NAT rules, THEN set up your filter rules (turn them all off initially). This way you can see things working, and then if something breaks, you know what it is.

Once you do this a few times, you'll have a feeling for how you can set this up in no time.

Thank you a lot. It helped me.

add action=drop chain=forward comment=\
    "Disallow Forward Connections from Outside unless listed as an DST Nat." \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway

This part. So basically I just tweaked one part of my "Drop all other traffic" firewall rule: "connection-nat-state=!dstnat".
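Putting the thread's answers together for the original question (port 51413 forwarded to the NAS without UPnP), as an added example that is not from any poster here: the dst-nat rules for the BitTorrent port, and a forward chain whose final drop uses connection-nat-state=!dstnat so that only dst-natted connections get in from the WAN. The interface names ether1 (WAN) and bridge1 (LAN) follow the OP's description; the NAS address 192.168.88.10 is a constructed placeholder.

```routeros
# Added example, not from the thread. Assumptions: WAN is ether1, LAN is
# bridge1 (as the OP described); 192.168.88.10 is a constructed placeholder
# for the NAS - replace it with the NAS's real LAN address.

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for LAN clients" \
    out-interface=ether1
# BitTorrent clients typically listen on the same port for TCP and UDP
# (uTP/DHT), so forward both protocols.
add action=dst-nat chain=dstnat comment="BitTorrent TCP to NAS" dst-port=51413 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=51413
add action=dst-nat chain=dstnat comment="BitTorrent UDP to NAS" dst-port=51413 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.10 to-ports=51413

/ip firewall filter
# Order matters: rules are evaluated top to bottom and the first match wins.
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add chain=forward comment="Allow established/related forward" \
    connection-state=established,related
add chain=forward comment="Allow new connections from LAN" \
    connection-state=new in-interface=bridge1
# New connections arriving on the WAN are dropped unless dst-nat already
# rewrote them (connection-nat-state=dstnat), so the two 51413 rules above are
# the only way in. UPnP-created filter rules would land below this rule and
# never be reached, which is why this layout is for manual forwards, not UPnP.
add action=drop chain=forward comment="Drop new WAN connections not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
```

`/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm that inbound 51413 traffic is hitting the established/related rule rather than the final drop.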