DDNS Port Forwarding RouterOS ver 6.48.1 not working

Hi Experts

I need help with port forwarding. I need to access the alarm system from the public internet (website/app) on port 10001. I have set up port forwarding/NAT on the MikroTik and MikroTik DDNS. Port forwarding is not working; I can't reach the DDNS name on port 10001. It works fine on the LAN.

WAN cronjehome.sn.mynetname.net:10001 = Not working
LAN 192.168.0.3:10001 = working

Network Diagram


Config

apr/29/2021 11:24:39 by RouterOS 6.48.1

software id = KQAL-TRIU

model = RB941-2nD

serial number =

/interface bridge
add admin-mac=C4:AD:34:F4:4F:1A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=
20/40mhz-XX country="south africa" disabled=no distance=indoors
frequency=auto frequency-mode=manual-txpower installation=indoor mode=
ap-bridge ssid=CronjeWireless station-roaming=enabled wireless-protocol=
802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
password= service-name=Vodacom user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=
wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret= use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
#error exporting /interface ovpn-server server
#interrupted

Firewall\natting

apr/29/2021 11:29:26 by RouterOS 6.48.1

software id = KQAL-TRIU

model = RB941-2nD

serial number =

/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10001
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10000
in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=
tcp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=
udp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=
udp to-addresses=192.168.0.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=
tcp to-addresses=192.168.0.3 to-ports=10001
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
NetworkDiagram.jpg
config.cfg.rsc (1.98 KB)
firewall.cfg.rsc (2.61 KB)

Are you really really really sure you want your alarm directly available through the Internet!?
Can you connect/test on the LAN?
What is the exact problem you are running into?

Instead of using ether1, shouldn't you be using the PPPoE interface for the forward?

Yes, I can access the alarm on the LAN, and yes, I want to access the alarm externally.

Port forwarding is not working.

Okay, good to know, because many times people try to reach the server from behind the router using the public IP (versus the LAN IP), and that's a loopback scenario that requires extra NAT rules.
However, you are clearly indicating a valid external access attempt.

(1) These rules do not belong in the forward chain, as they are NAT-type rules, so they should be removed.
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10001
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10000
in-interface=ether1 protocol=tcp

(2) This default firewall rule in the forward chain is in place, which is GOOD, because this is the only firewall rule you need to allow destination-NATted packets to get to the LAN.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

(3) Finally, change all your ether1 entries to in-interface-list=WAN (or in-interface=pppoe-out1).
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=
tcp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=
udp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=
udp to-addresses=192.168.0.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=
tcp to-addresses=192.168.0.3 to-ports=10001
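
The three points above written out as one complete set of RouterOS commands. This is an added example based on the export in this thread, not the original poster's export and not anav's text. Why the original rules never matched: the PPPoE session terminates on pppoe-out1, so packets from the internet arrive on pppoe-out1 and not on ether1; matching on in-interface-list=WAN covers pppoe-out1 (it is a member of WAN in the export) regardless of the dynamic public address. The example also adds the hairpin (loopback) rules mentioned above for LAN clients that use the DDNS name, and a source address list so the alarm ports are not open to the whole internet. The address-list name alarm-allowed, the 203.0.113.0/24 placeholder network, and the bridge gateway address 192.168.0.1 are my assumptions; the export does not include /ip address.

```routeros
# Added example for RouterOS 6.x, based on the export in this thread.
# Assumptions (not from the thread): alarm panel at 192.168.0.3, LAN bridge
# address 192.168.0.1, list name alarm-allowed, 203.0.113.0/24 as PLACEHOLDER
# for the real remote network. pppoe-out1 is already in the WAN list.

# 1) Remove the two stray forward-chain accepts. The default
#    "defconf: drop all from WAN not DSTNATed" rule plus the
#    established/related accept already let dst-natted traffic through.
/ip firewall filter
remove [find chain=forward dst-address=192.168.0.3 dst-port=10001 protocol=tcp in-interface=ether1]
remove [find chain=forward dst-address=192.168.0.3 dst-port=10000 protocol=tcp in-interface=ether1]

# 2) Drop the four ether1-bound dst-nat rules and re-add them matched on the
#    WAN interface list (which contains pppoe-out1).
/ip firewall nat
remove [find chain=dstnat in-interface=ether1]

# Optional hardening, answering the "are you really sure" question above:
# only sources in alarm-allowed get dst-natted; everything else from WAN is
# new + not dstnat and hits the default drop. Remove src-address-list=... from
# the four rules below if the alarm must be reachable from any address.
/ip firewall address-list
add list=alarm-allowed address=203.0.113.0/24 comment="PLACEHOLDER: replace with the monitoring company's / your own source network"

/ip firewall nat
add chain=dstnat in-interface-list=WAN src-address-list=alarm-allowed protocol=tcp dst-port=10000 action=dst-nat to-addresses=192.168.0.3 to-ports=10000 comment="alarm 10000/tcp"
add chain=dstnat in-interface-list=WAN src-address-list=alarm-allowed protocol=udp dst-port=10000 action=dst-nat to-addresses=192.168.0.3 to-ports=10000 comment="alarm 10000/udp"
add chain=dstnat in-interface-list=WAN src-address-list=alarm-allowed protocol=tcp dst-port=10001 action=dst-nat to-addresses=192.168.0.3 to-ports=10001 comment="alarm 10001/tcp"
add chain=dstnat in-interface-list=WAN src-address-list=alarm-allowed protocol=udp dst-port=10001 action=dst-nat to-addresses=192.168.0.3 to-ports=10001 comment="alarm 10001/udp"

# 3) Hairpin NAT for LAN hosts that use the DDNS name (the loopback case
#    anav mentions). dst-address-type=local matches any address the router
#    owns, including the dynamic PPPoE one; excluding 192.168.0.1 (assumed
#    bridge address) leaves traffic aimed at the router itself alone.
#    The srcnat masquerade makes the alarm reply via the router instead of
#    directly to the LAN client, which would otherwise reset the connection.
add chain=dstnat in-interface-list=LAN dst-address-type=local dst-address=!192.168.0.1 protocol=tcp dst-port=10001 action=dst-nat to-addresses=192.168.0.3 to-ports=10001 comment="hairpin alarm 10001/tcp"
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.3 out-interface=bridge protocol=tcp dst-port=10001 action=masquerade comment="hairpin masquerade alarm"

# 4) Verify from a host outside the LAN (mobile data works), then check that
#    the rule counters move and a connection appears in the tracking table.
/ip firewall nat print stats where comment~"alarm"
/ip firewall connection print where dst-address~":10001"
```

If the counters on the dst-nat rules stay at zero while testing from outside, the packets are not reaching pppoe-out1 at all (ISP CGNAT or the DDNS name resolving to a stale address); if they count but the alarm does not answer, check the panel's own gateway setting, since it must route replies back through 192.168.0.1.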

Thank you very much anav

It's working now. I have been watching your posts and you are really good. You should start charging a fee and do remote support, or start a YouTube channel.

Kind Regards

If he did that, he probably would not help you on this forum… :wink:

Kind words, but I am no expert!! All my knowledge has been from picking the brains of the real experts here.
They know who they are LOL.
My goal is to bridge the gap between home owners and the expert advice that assumes way too much knowledge and cannot relate to ordinary people LOL.