Firewall ports are open but replication won't work. Please help

Hi guys! Hope everybody is well.

So I've taken over for a guy that built up a rather complex (complex for me anyway) network with a client, and I am struggling to actually figure the issue out here.

Company A requires certain traffic to go through 2 ports on the Mik coming from their application that users on the network run.
Now, suddenly, out of the blue, replication stopped, and the ISP is insisting that the issue is not on their side.

I can see the ports are open on the firewall; however, they are only getting traffic through port 3050 and not port 65198, yet the rules are exactly the same.

I'm very new to MikroTik firewalls, and there is quite a bit of routing happening on this device.

If somebody could help me out, I'd be greatly in your debt.

My firewall looks like this:

add action=accept chain=input comment="Allow acces to the router from Lan  Using an address list" src-address-list=Lan-List
add action=add-src-to-address-list address-list=port:2111 address-list-timeout=1m chain=input comment="1st Port knock" dst-port=2111 protocol=tcp
add action=add-src-to-address-list address-list="Secure Winbox" address-list-timeout=1m chain=input comment="2nd Port Knock" dst-port=1112 protocol=tcp src-address-list=port:2111
add action=accept chain=input comment="WINBOX Remote | With knocking and secure list" dst-port=8291 protocol=tcp src-address-list="Secure Winbox"
add action=accept chain=input comment="WINBOX Remote" disabled=yes dst-port=8291 in-interface-list=internet protocol=tcp
add action=accept chain=input comment="WINBOX from Local Network" dst-port=8291 in-interface=bridge1 protocol=tcp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp
add action=accept chain=forward comment="CompanyA" dst-port=65198,3050 in-interface-list=internet protocol=tcp
add action=accept chain=forward comment="CompanyA" disabled=yes dst-port=65198,3050 in-interface=bridge1 protocol=tcp
add action=accept chain=forward comment="CompanyA" dst-port=80 in-interface-list=internet protocol=tcp
add action=accept chain=forward comment="CompanyA" dst-port=443 in-interface-list=internet protocol=tcp
add action=accept chain=input disabled=yes in-interface-list=internet protocol=ipsec-esp
add action=accept chain=input comment=Ping protocol=icmp
add action=accept chain=forward comment="Allow connections from LAN" connection-state=new in-interface=bridge1
add action=accept chain=forward comment="Allow established Connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow estblished and related connections to the router" connection-state=established,related
add action=accept chain=forward disabled=yes dst-address=192.168.13.145 in-interface=*11 out-interface=bridge1
add action=drop chain=forward comment="Drop all other traffic through the router"
add action=drop chain=forward comment="Drop all invaild connections" connection-state=invalid
add action=drop chain=input comment="Drop all other traffic to the router"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=8.8.4.4 out-interface=sfp1
add action=masquerade chain=srcnat dst-address=192.168.68.0/24 out-interface=l2tp-DLSHOME
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.1 out-interface=l2tp-CapeTown
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.0/24 out-interface=ether5
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.0/24 out-interface=l2tp-CapeTown
add action=masquerade chain=srcnat dst-address=192.168.69.40 out-interface=l2tp-ims
add action=masquerade chain=srcnat dst-address-list=VPN-Lan out-interface=l2tp-ims
add action=masquerade chain=srcnat dst-address=192.168.12.0/24 out-interface=ether4
add action=masquerade chain=srcnat out-interface=sfp1
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=65198 protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment="CompanyA" disabled=yes dst-port=65198 in-interface=bridge1 protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=80 in-interface-list=internet protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment=Zycoo dst-port=8888 in-interface-list=internet protocol=tcp to-addresses=192.168.13.200 to-ports=8888
add action=dst-nat chain=dstnat comment=Zycoo dst-port=8888 protocol=tcp to-addresses=192.168.13.200 to-ports=8888
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=443 in-interface-list=internet protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=3050 in-interface-list=internet protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment="CompanyA" disabled=yes dst-port=3050 in-interface=bridge1 protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment=NVR dst-port=8080 in-interface-list=internet protocol=tcp to-addresses=192.168.13.159 to-ports=80
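Before comparing rules, it helps to establish where TCP/65198 is actually going missing: whether it reaches the router at all, whether the dstnat rule translates it, and whether the forward rule then passes it. The following is an added example, not part of the original post: RouterOS commands that answer those questions using the rule comments, addresses and interface names from the posted config. It assumes that sfp1 is the uplink the Company A traffic arrives on (the posted srcnat rules masquerade on both sfp1 and ether1, so check which one carries the public address) and that the "CompanyA" rule comments are unchanged.

```routeros
# Added example, not from the original post. Run on the MikroTik while the
# Company A application retries; sfp1 as the WAN uplink is an assumption.

# 1. Zero the counters on the CompanyA rules, then read them back after a test.
#    Compare the dstnat counter for dst-port=65198 with the one for 3050.
/ip firewall nat reset-counters [find comment="CompanyA"]
/ip firewall filter reset-counters [find comment="CompanyA"]
/ip firewall nat print stats where comment="CompanyA"
/ip firewall filter print stats where comment="CompanyA"

# 2. Capture only TCP/65198 on the uplink so you can see whether any SYN
#    arrives from outside at all (Ctrl-C to stop).
/tool sniffer quick interface=sfp1 ip-protocol=tcp port=65198

# 3. Temporary log rule at the very top of the forward chain: every new
#    connection to 65198 is logged with its in/out interface, which shows
#    whether it is coming from the internet list or from bridge1.
/ip firewall filter add chain=forward protocol=tcp dst-port=65198 \
    connection-state=new action=log log-prefix="CompanyA-65198" \
    place-before=0 comment="TEMP log 65198"
/log print where message~"CompanyA-65198"

# 4. Check connection tracking: an entry whose original destination is
#    port 65198 means dst-nat happened; reply-src-address then shows whether
#    192.168.13.144 ever answered.
/ip firewall connection print where dst-address~":65198"

# 5. Remove the temporary log rule once done.
/ip firewall filter remove [find comment="TEMP log 65198"]
```

Reading the counters: if the dstnat counter for 65198 stays at zero while the one for 3050 increments during the same test, the packets are not arriving at the router and the question goes back to the ISP or to whoever controls the public address; if dstnat increments but the forward accept does not, look at what sits between the two; if both increment but nothing answers, the problem is on 192.168.13.144 itself.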

Hmmm. :confused:

This:
add action=accept chain=forward disabled=yes dst-address=192.168.13.145 in-interface=*11 out-interface=bridge1

while it might not be related to the issue at hand (it is disabled, so not actually running), is a sign that the router config has been changed/edited. The *11 (more generally, anything made of an asterisk plus two hex digits) is a sort of placeholder RouterOS puts there as a reference to something that no longer exists, so one of the interfaces (or its name) must have been changed or deleted.

More generally, the snippet you posted is confusing: it seems that there are multiple firewall filter or NAT settings seemingly doing the same thing, some disabled, some enabled, without a clear "pattern".

Let’s take these two as an example (these are both enabled/running):
add action=dst-nat chain=dstnat comment=Zycoo dst-port=8888 in-interface-list=internet protocol=tcp to-addresses=192.168.13.200 to-ports=8888
add action=dst-nat chain=dstnat comment=Zycoo dst-port=8888 protocol=tcp to-addresses=192.168.13.200 to-ports=8888
The first one says:
"dst-nat all traffic to port 8888 to 192.168.13.200 IF it comes from interface-list=internet"
The second one says:
"dst-nat all traffic to port 8888 to 192.168.13.200 NO MATTER where it comes from"
so the second encompasses the first.

Same for these two in firewall NAT (disabled, so not really relevant):
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.1 out-interface=l2tp-CapeTown
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.0/24 out-interface=l2tp-CapeTown
The first masquerades anything with dst address 192.168.1.1; the second masquerades anything with dst address 192.168.1.1-192.168.1.254.

The dst-nat active rules are not exactly the same between 3050 and 65198 (the two disabled ones for bridge1 are identical):
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=3050 in-interface-list=internet protocol=tcp to-addresses=192.168.13.144
add action=dst-nat chain=dstnat comment="CompanyA" dst-port=65198 protocol=tcp to-addresses=192.168.13.144

It should not be an issue, as the one for port 65198 should catch all traffic whilst the 3050 one only catches that coming from in-interface-list=internet; still, if port 3050 works and port 65198 doesn't, the difference might be relevant because of some other setting in the rest of the configuration.

Try posting your full configuration (anonymizing/masking the sensitive parts); maybe the problem is somewhere else in it and can be spotted by a more experienced forum member.
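As an added example (not the poster's config and not a fix the reply above proposes), this is what the overlapping port-forwards look like once they are written with the same scope as the working 3050 rule. The reason scoping matters is that a dstnat rule carrying only protocol and dst-port matches every transit packet to that port, so a LAN client connecting to some external host on 65198 would also be rewritten to 192.168.13.144; dst-address-type=local limits the rule to connections aimed at one of the router's own addresses, and in-interface-list=internet limits it to the WAN side, which is what the 3050 rule already does. Both matchers are standard RouterOS firewall options; the addresses and comments are taken from the posted config.

```routeros
# Added example, not the poster's configuration. Addresses, ports and the
# "internet" interface list come from the posted config; nothing else is assumed.

# Broad form currently enabled for 65198 and for the second Zycoo 8888 rule:
# matches any packet passing through the router to that port, whatever its
# source or destination address.
#   add action=dst-nat chain=dstnat dst-port=65198 protocol=tcp to-addresses=192.168.13.144
#   add action=dst-nat chain=dstnat dst-port=8888 protocol=tcp to-addresses=192.168.13.200 to-ports=8888

# Scoped form: one rule per port, WAN side only, and only for connections
# addressed to the router's own public address. Rule order is first match,
# so disable or remove the broad rules above after adding these, otherwise
# whichever comes first in the list still decides.
/ip firewall nat
add chain=dstnat comment="CompanyA" in-interface-list=internet dst-address-type=local \
    protocol=tcp dst-port=65198 action=dst-nat to-addresses=192.168.13.144
add chain=dstnat comment="CompanyA" in-interface-list=internet dst-address-type=local \
    protocol=tcp dst-port=3050 action=dst-nat to-addresses=192.168.13.144
add chain=dstnat comment="Zycoo" in-interface-list=internet dst-address-type=local \
    protocol=tcp dst-port=8888 action=dst-nat to-addresses=192.168.13.200 to-ports=8888

# Verify that exactly one enabled dstnat rule now exists per port.
/ip firewall nat print where chain=dstnat disabled=no
```

With the rules written identically for 3050 and 65198, the counters from a test run become directly comparable, and any remaining difference between the two ports can no longer come from the NAT table itself.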