Hi all, this is my first time posting here so I am sorry if I am leaving out any crucial information. Basically, I am trying to port forward to a device connected to my Mikrotik router on port 1433. I am having trouble telnetting from outside of Winbox as it is just timing out, so I am sure that I don’t have this set up correctly. While in Winbox I can Telnet to port 1433 of the target device just fine (192.168.1.15), so I know that the device is allowing connections on that port. I can see packets coming in on the NAT filter but don’t know enough about networking to decipher what’s actually going on. I have left my firewall configuration along with logs from the sniffer tool below. Any help would be extremely appreciated, thanks!
Firewall Config
model = RB960PGS-PB
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1433 log=yes log-prefix=PF protocol=tcp to-addresses=192.168.1.15 to-ports=1433
Log from Sniffer tool
INTERFACE TIME NUM DIR VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether1 3.787 1 ← 172.17.17.60:60588 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 3.787 2 → 172.17.17.60:60588 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
ether1 4.778 3 ← 172.17.17.60:60588 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 4.778 4 → 172.17.17.60:60588 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
ether1 5.8 5 ← 172.17.17.60:60588 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 5.8 6 → 172.17.17.60:60588 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
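An added diagnostic, not part of the thread or of RouterOS, that correlates a `/tool sniffer quick` dump like the one above: for each external client it checks whether the dst-nat rewrite to the LAN host happened and whether that host ever sent anything back, which separates a NAT-rule problem from a problem on the target host (its own firewall, default gateway, or nothing listening). The sample lines are constructed to mirror the OP's output; `ether1`, `bridge` and the 192.168.1.15 target are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OP's dump: SYN retransmits, each DNATed
# to the LAN host and never answered (Winbox arrows may be copied as ←/→).
SAMPLE = """\
ether1 3.787 1 <- 172.17.17.60:60588 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 3.787 2 -> 172.17.17.60:60588 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
ether1 4.778 3 <- 172.17.17.60:60588 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 4.778 4 -> 172.17.17.60:60588 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
"""
# Constructed healthy case for contrast: the LAN host answers the forwarded SYN.
SAMPLE_OK = """\
ether1 1.000 1 <- 203.0.113.9:50000 10.174.4.27:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 1.000 2 -> 203.0.113.9:50000 192.168.1.15:1433 (ms-sql-s) ip:tcp 78 0 no
bridge 1.001 3 <- 192.168.1.15:1433 (ms-sql-s) 203.0.113.9:50000 ip:tcp 74 0 no
"""

# Columns: INTERFACE TIME NUM DIR [VLAN] SRC:PORT DST:PORT ...; a service name
# such as "(ms-sql-s)" may follow either address.
ADDR = r"(?P<{n}>[\d.]+):(?P<{n}p>\d+)(?:\s+\([^)]*\))?"
LINE = re.compile(
    r"^(?P<iface>\S+)\s+[\d.]+\s+\d+\s+(?P<dir>←|→|<-|->)\s+(?:\d+\s+)?"
    + ADDR.format(n="src") + r"\s+" + ADDR.format(n="dst")
)

def analyze(text, wan_if="ether1", lan_if="bridge", target="192.168.1.15"):
    """Return {client: verdict} for every external client seen in the dump."""
    flows = defaultdict(lambda: {"wan_in": 0, "dnat_out": 0, "reply": 0})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or a line the regex does not recognise
        inbound = m["dir"] in ("←", "<-")
        client = f"{m['src']}:{m['srcp']}"
        if inbound and m["iface"] == wan_if:
            flows[client]["wan_in"] += 1  # SYN arriving from the WAN side
        elif not inbound and m["iface"] == lan_if and m["dst"] == target:
            flows[client]["dnat_out"] += 1  # same SYN after the dst-nat rewrite
        elif m["src"] == target:
            flows[f"{m['dst']}:{m['dstp']}"]["reply"] += 1  # LAN host answering
    verdicts = {}
    for client, c in flows.items():
        if c["dnat_out"] == 0:
            verdicts[client] = "dst-nat not matching: check dst-address / in-interface-list"
        elif c["reply"] == 0:
            verdicts[client] = (f"DNAT ok ({c['wan_in']} SYN in, {c['dnat_out']} forwarded to "
                                f"{target}) but no reply: check the host's firewall, gateway and service")
        else:
            verdicts[client] = "ok: forwarded and answered"
    return verdicts
```

Run it on a paste of the sniffer output; a "DNAT ok ... but no reply" verdict means the router did its part and the fault is on the 192.168.1.15 side or its return path.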
IF this device is connected to the internet (not an upstream router) then it's not very secure
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp should have at least added in-interface-list=LAN
Format missing…
IF dynamic WANIP
add action=dst-nat chain=dstnat dst-port=1433 log=yes log-prefix=PF in-interface-list=WAN1 protocol=tcp to-addresses=192.168.1.15 to-ports=1433
IF static fixed public IP
add action=dst-nat chain=dstnat dst-port=1433 log=yes log-prefix=PF dst-address=Static-ISP-IP protocol=tcp to-addresses=192.168.1.15 to-ports=1433
Not sure what you are doing with fancy networking stuff but let's stick to what works.
The problem is you have two conflicting networks and non-standard nomenclature.
SO NOT
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=192.168.1.150/23 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/23 comment=defconf gateway=192.168.1.150
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

REPLACE WITH
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 dns-server=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
Okay, I have made the updates that you have suggested, but I am still getting the same thing. I can see it getting through to the device if I listen on port 1433 but the telnet request just always times out. Here is the new configuration. Thanks.
# may/19/2024 15:54:48 by RouterOS 6.49.11
# software id = C0KA-FF61
# model = RB960PGS-PB
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=bridge name=defconf
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1433 in-interface-list=WAN log=yes log-prefix=PF protocol=tcp to-addresses=192.168.1.151 to-ports=1433
/ip service
set www-ssl port=1443
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/system clock
set time-zone-name=America/Toronto
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The device is running on an internal network with the Mikrotik and cannot be pinged from outside of the network. Basically I can ping from Winbox, but if I'm just on the external network I won't be able to ping the internal device.