firewall and ports

Hello, I have been trying for days to get port 45990 open to the outside. In the process, I now cannot access port 35000 from the outside, which I had open for years. I've had this router set up for a long time and admit I do not know much of what I'm doing and have forgotten many of the changes that I made over the years and the past two days. Any help is appreciated.
John
11.24.2023.rsc (13.2 KB)

Hello,
Why does the same interface have different IPs?

/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
    interface=ether2 network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=10.10.10.1/24 interface=bridge_guest network=10.10.10.0
/ip dhcp-client

For the correct operation of the router, the firewall rules must be correctly defined, because an incorrect order of rules affects not only the correct operation of traffic, but also security.
In your case, you should modify the existing firewall configuration. Never start the firewall configuration with "fasttrack", drop, etc. The default rules are used as the basis for everything, to which you then add the entries you need. If interested, you can read this article: https://forum.mikrotik.com/viewtopic.php?t=180838
You can use this example for yourself and add the necessary ports/forwards, etc.

/ip firewall address-list
add address=192.168.88.1/24 list=Admin-Net

/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Admin-Net comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# forward chain
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# template port forwards: they stay inactive (disabled=yes) until you set disabled=no
add action=dst-nat chain=dstnat comment="My-port" disabled=yes dst-port=35000 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.207 to-ports=35000
add action=dst-nat chain=dstnat comment="My-port" disabled=yes dst-port=45990 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.50 to-ports=45990

I made the changes only now I cannot access the internet through the browser. I have remote access through Anydesk, Syncthing is working, just nothing in the browser and I cannot ping google.com.
And of course I need to stream tomorrow morning for church.
11.25.2023.rsc (14.7 KB)

I found the error. For some reason line 27 in /ip filter rules had only forward and action drop.

I asked you before: why does the same interface have different IPs?

Try to separate the rules neatly: in the "Input" chain, put those rules that refer to the input section.
"Input" section - all incoming traffic.
"Forward" section - traffic passing through the router.
If you need to open a specific port on, for example, a server, then you need to create a rule for that in the NAT section (it can be seen in my example).
In the Forward section, you do not need to specify this port any more. The penultimate rule in my example is responsible for this:
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (port forwarding)" connection-nat-state=dstnat
You have too many entries in the firewall section.
fw.jpg

I have no reason for, nor anything related to, 192.168.88.1/24, nor do I know how it got there (though I'm the only one with access to the router). Since it shows disabled, I can delete it, correct?
I am very paranoid in deleting things as you can see in my filter mess, for fear of knocking out the internet as I did twice already.
Those two ports are still not open but I will clean up and remove the specified filter ports. I was also starting to look over the link you sent me which is very informative.
Question, with the Filter and Nat rules that you sent me, could I delete all of those rules and add what you sent or would that lock me out from accessing the router in between deleting and adding?
Or, should I just go through and disable anything that wasn’t on your list to be sure first. Working on the router remotely does have its advantages until I click/change the wrong thing and lock myself out. Then it’s a 10 minute ride to undo what I did.
Thank you for your help.

If you work remotely then you should be very careful, because you can accidentally disconnect the connection and everything else. I would recommend that you first put together everything you need, for example in Notepad, so that it is correct: start the firewall with Input, etc. (as was described in the link or in my example, which is essentially the same).
If we look at your firewall config, we see that you have 2 UDP ports specified in the "Input" section.
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=input dst-port=1234 protocol=udp
Then we do not add anything else in the input section and copy these 2 udp rules above INPUT=Drop All

Next, in the Forward section, if you don’t need anything specific, you can use the rules that are in my example.
In the "NAT" section, we indicate what needs to be opened to the outside.

If you have specified the interface LAN…Wan correctly, then everything should work.
For example, I use the following for myself: ether1=Wan etc…
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.88.0/24 list=Admin-Net

The following information may be useful for port forward : https://www.youtube.com/watch?v=U6hJ8HoDhLs

I usually try to do such configurations locally and not remotely, because it seems safer to me, everything can be checked nicely, etc. Of course, you can also configure it remotely through "teamviewer" or some other program by connecting to a computer located in that network, but in any case, you have to watch carefully so as not to be left without connections.