Chateau LTE12 - Port forwarding 80 not working

RouterOS Beginner Basics
1

Hello everybody,
I’m currently using the new Chateau LTE 12 with RouterOS V7.0 on board. The Chateau LTE 12 is connected via LTE to a local operator network and the Internet connection is shared in the LAN with a switch.

Right now I have to activate the Port forwarding on my Chateau LTE 12 for using some containers on my NAS. The port I have to activate is 80.

I have tried different scripts found also in this forum, but none of them worked properly. Even if I change the port number, the port forwarding is not working.

For example, I tried to create a NAT rule with the following parameters:

I have created the NAT rule using the following fields:

  • Chain: dstnat
  • protocol: tcp
  • dst port: 80
  • action: dst-nat
  • to addresses: 192.168.10.25 (NAS IP address)
  • port: 80

Have you some suggestions for solving this problem? Thanks!

2

Did you try to change the external port ? For example use dst port: 8080 and port: 80
Is the counter on the specific rule zero or it counts packets ?
In any case, Low ports ( <1024 ) might be blocked from your ISP for security reasons… Thats why i suggested changing your external port…

3

Problems are rarely isolated to one thing.
Please post your config
/export hide-sensitive file=anynameyouwish

4

Thank you so much for your answer.

Here is my config:

# sep/01/2021 23:21:31 by RouterOS 7.0
# software id = 7HX9-QTM1
#
# model = RBD53G-5HacD2HnD
# serial number = D7B00C7*****
/interface bridge
add admin-mac=48:8F:5A:B5:E3:63 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-B5E368 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-B5E369 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=internet.wind use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=internet.wind name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip vrf
add list=all name=main
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether1 network=\
    192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=d7b00c7ed5a4.sn.mynetname.net list=MyDDNS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.10.1 \
    dst-address-list="" dst-address-type="" dst-port=80 protocol=tcp \
    to-addresses=192.168.10.27 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.10.1 \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=\
    192.168.10.27 to-ports=80
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=5m name=Duckdns-Dynamic-IP-Updater on-event=\
    "/system script run Duckdns-Dynamic-IP-Updater;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/29/2021 start-time=00:00:00
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
5

I tried even with ports like 12311 or upper numbers and it didn’t work at all.

Anyway, thanks for your suggestion.

6

First of all, Local address, is an address configured–assigned to one of the Routers interfaces…
So, if for example you are in the subnet 10.10.10.0/24, and your Router has the address 10.10.10.1/24 and a host, the address 10.10.10.254/24, only 10.10.10.1/24 is a Local address…

Also, from a quick look, i saw you have a drop all on the forward chain in your Firewall filter, last rule…

7

(1) The bridge is the interface, not ether1
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether1 network=
192.168.10.0
should be
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=
192.168.10.0

(2) The default firewall rules are fine!!!

(3) The dstnat rules need work!! First they are both disabled! and good thing because they are horribly configured, best to delete them!
Port Forwarding…

FORMAT for fixed WANIP addresses (static)
add action=dst-nat chain=dstnat dst-address=ACTUAL WANIP protocol=XXX dst-port=yy
to-addresses=LANIP of Server to-ports (not required if same as dst-port - used only when port translation is required)

FORMAT for dynamic WANIP
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=XXX dst-port=yy
to-addresses=LANIP of Server etc…

In your case it seems you want to use the public IP of the IP Cloud provided by the router as the argument/parameter for the address which is fine as well.
FORMAT
add action=dst-nat chain=dstnat dst-address-list=MyDDNS protocol=xxx dst-port=yy
to-addresses=LANIP of server etc…

8

oops, i was looking at the ipv6 firewall…

9

Hi anav,
thanks for your support. I applied your command lines and now my configuration file changed to the following:

# sep/03/2021 00:37:38 by RouterOS 7.0
# software id = 7HX9-QTM1
#
# model = RBD53G-5HacD2HnD
# serial number = D7B0*******
/interface bridge
add admin-mac=48:8F:5A:B5:E3:63 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-B5E368 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-B5E369 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=internet.wind use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=internet.wind name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip vrf
add list=all name=main
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether1 network=\
    192.168.10.0
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.10.27
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=5m name=Duckdns-Dynamic-IP-Updater on-event=\
    "/system script run Duckdns-Dynamic-IP-Updater;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/29/2021 start-time=00:00:00
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As far I can see, the port 80 is still closed.

Thanks!

10

How are you determining the port appears closed?

11

I’m checking it with the YouGetSignal-Open Ports service.

12

Its working fine LOL.

  1. Normal dst nat rule -----> from the internet port is visible but appears closed
  2. Normal dsn nat rule with added LIMITATION of source address or source address list --------> from the internet port is not even visible.

Suggest you get a friend to test your server you should see that tis working fine.

13

Normal dst nat rule -----> from the internet port is visible but appears closed

Generally speaking, if a port is in listening state you can check if it is Open through the internet or not…
So thats not really true…

Actually a closed port is a port that is reachable but no application is listening on it…

So if a ( TCP ) port is reachable and an application is listening to that port, if that port is not blocked by any firewall then it will appear as Open even through the Internet …

14

I have a docker image listening on port 80.

By typing, on web browser NAS-IP:80, I can access and use the application when I am inside my local network. From outside, it is not possible.

15

Like I said, ask a friend to access the server externally.
Then let us know the results.

On the offchance your ISP or service does something funky for port 80 try a port translation (bypass) and tell your friend to come in on 8181

add action=dst-nat chain=dstnat dst-port=8181 in-interface-list=WAN protocol=
tcp to-addresses=192.168.10.27 to-ports=80

16

Okay looking at your config again…
This is still not fixed ?? Remove the line in red!!! You have the address covered in the second line with the correct bridge setting.
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether1 network=
192.168.10.0
add address=192.168.10.1/24 comment=defconf interface=bridge network=
192.168.10.0