Forward rule does not work

I am trying to do a port forward for plex.tv on port 32400. I see that the rule I made is being hit, but plex.tv is unable to connect to my home server. My setup: I have Bell Fibe. My MikroTik router is plugged into one of the LAN ports on the Bell router. I made a PPPoE connection on the MikroTik to have a dedicated public IP.

I then set up a NAT rule for port 32400 that redirects the traffic to my server. I added a rule to log the traffic:

dstnat dstnat: in:Bell Fibe out:(none), proto TCP (SYN), 54.176.67.158:17792->public bell ip:32400, len 60

Do I have to add another rule to make this work?

Are you accepting the port in forward chain too?

No, I don't.

How can I do that?

Hi, I have added this rule in mangle:

See attached file.

Is it OK like this?

Do I have to add a rule in the filter rules with the output chain too?

Thank you

If you want to allow all NAT port forwards, then you can put just one rule in the forward chain of the filter table:
action=accept connection-nat-state=dstnat

This way, if you add more port forwards to your NAT, then you won’t need to remember to go allow them in the filter rules.

I don’t know what revision of ROS added this matcher, but it sure is nice.

I have WebFig 5.9. What do you mean by ROS revision?

I have tried to add this command in a terminal, but I did not have the option to add connection-nat-state=dst-nat??

Here is the command I did: firewall filter add chain=forward connection → the only options here are connection-limit, connection-rate and connection-type…

Sorry, but I am very new with this router…

Thank you

I have RouterOS version 5.9

Is there any particular reason that you're running such an old version of ROS (RouterOS)?

The connection nat state matcher didn’t exist in 5.9

You should probably upgrade to something current - the only thing I can remember that makes upgrading 5>6 troublesome is the simple queues, because they made some big changes in how simple queues work when they released ROS v6 (which was back in 2012, by the way).

I didn't know my version was outdated. I updated it to 6.35 now. But the rules are not working, although I see traffic hitting the rules.

In Filter Rules, here is what I did:

chain=forward action=accept connection-nat-state=dstnat log=yes log-prefix="filter"

In NAT:

chain=dstnat action=dst-nat to-addresses=192.68.88.252 to-ports=32400 protocol=tcp \
    in-interface="Bell Fibe" dst-port=32400 log=yes log-prefix="nat"

In mangle:

chain=dstnat action=dst-nat to-addresses=192.68.88.252 to-ports=32400 protocol=tcp \
    in-interface="Bell Fibe" dst-port=32400 log=yes log-prefix="nat"

IP addresses:

ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24     192.168.88.0    ether2-master-local
 1 D 192.168.2.51/24     192.168.2.0     ether1-gateway
 2 D 69.156.166.241/32   10.11.16.217    Bell Fibe

Route print from the MikroTik:

MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY               DISTANCE
 0 ADS  0.0.0.0/0                           10.11.16.217                 0
 1  DS  0.0.0.0/0                           192.168.2.1                  1
 2 ADC  10.11.16.217/32    69.156.166.241   Bell Fibe                    0
 3 ADC  192.168.2.0/24     192.168.2.51     ether1-gateway               0
 4 ADC  192.168.88.0/24    192.168.88.1     ether2-master-l...           0

My Bell Fibe interface is a PPPoE connection to the Bell Fibe service. I got a public IP directly attached to my MikroTik router.

My hardware setup is: the MikroTik router is connected to a LAN port on the Sagemcom router, and I established a dedicated PPPoE from the MikroTik router to get a public IP. My Plex server is directly connected to the MikroTik LAN port.

Tracert to plex.tv from my Plex server:

tracert plex.tv

Détermination de l’itinéraire vers plex.tv [184.72.53.6]
avec un maximum de 30 sauts :

  1    <1 ms    <1 ms    <1 ms  192.168.88.1   --> MikroTik router
  2     3 ms     2 ms     2 ms  10.11.16.217   --> PPPoE connection
  3     *        4 ms     4 ms  10.178.206.152

Can anyone help me figure out what's going on?? I have activated logging on my rules, but the only traffic I see is SYN.

Any other rules higher up in the filter section that would block it?

Do an “/ip firewall export” and post it.

Here:

[admin@MikroTik] > ip firewall export
# jan/23/2016 15:00:33 by RouterOS 6.33.5
# software id = YCLB-7B9P
#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=forward connection-nat-state=dstnat log=yes log-prefix=filter
add chain=input comment="default configuration" connection-state=related
add chain=input dst-port=32400 log=yes log-prefix=filter protocol=tcp
add action=log chain=output disabled=yes src-address=192.168.88.252
add chain=output disabled=yes dst-port=32400 protocol=tcp src-address=192.168.88.252
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall mangle
add chain=forward dst-port=32400 in-interface="Bell Fibe" log=yes log-prefix=mangle \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" log-prefix=nat-masq \
    src-address=192.168.88.0/24 to-addresses=0.0.0.0
add action=log chain=dstnat disabled=yes dst-port=32400 log-prefix=dstnat protocol=tcp
add action=dst-nat chain=dstnat dst-port=32400 in-interface="Bell Fibe" log=yes \
    log-prefix=nat protocol=tcp to-addresses=192.68.88.252 to-ports=32400

You might want to check your to-addresses=192.68.88.252.

It is working! Thank you

Let me guess - changing the chain to FORWARD fixed the problem? :wink:

Future reference:
INPUT - packets only go in the INPUT chain if they’re for the Mikrotik itself
OUTPUT - packets from the Mikrotik itself go through this chain on their way to the internet or LAN or wherever they’re going
FORWARD - packets going through the Mikrotik (including dstnat)
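The two things this thread ends up checking by hand, that the dst-nat target address is a real LAN host and that the filter rule for the forwarded port lives in FORWARD rather than INPUT, can be checked mechanically against an export. The following is an added example, not code from the thread or from MikroTik: it parses `/ip firewall export`-style text with a small key=value tokenizer and reports port-forward rules whose to-addresses falls outside any configured LAN network, rules that lack an accept in FORWARD when that chain also drops, and INPUT rules that target a forwarded port. The sample export is constructed to mirror the one posted above (including the 192.68.88.252 typo) and adds an `/ip address` section the way a full `/export` carries one; the backslash line continuation is the one RouterOS itself writes.

```python
"""Lint a RouterOS export for common port-forward mistakes (added example)."""
import ipaddress
import re
import shlex

# Constructed sample, modelled on the export posted in the thread; not a capture.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.88.1/24 interface=ether2-master-local network=192.168.88.0
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input dst-port=32400 log=yes log-prefix=filter protocol=tcp
add action=drop chain=input comment="default configuration" \\
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \\
    src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=32400 in-interface="Bell Fibe" log=yes \\
    log-prefix=nat protocol=tcp to-addresses=192.68.88.252 to-ports=32400
"""


def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line.

    RouterOS wraps long lines with a trailing backslash; those are joined first.
    Quoted values such as in-interface="Bell Fibe" are handled by shlex.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    rules, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {}
            for tok in shlex.split(line[4:]):
                key, _, val = tok.partition("=")
                kv[key] = val
            rules.append((section, kv))
    return rules


def lan_networks(rules):
    """Networks configured under /ip address (where forwarded hosts must live)."""
    return [ipaddress.ip_interface(kv["address"]).network
            for sec, kv in rules if sec == "/ip address" and "address" in kv]


def lint_port_forwards(text):
    """Return a list of findings (strings); an empty list means nothing found."""
    rules = parse_export(text)
    nets = lan_networks(rules)
    filt = [kv for sec, kv in rules if sec == "/ip firewall filter"]
    forward = [kv for kv in filt if kv.get("chain") == "forward"]
    # RouterOS accepts packets that match no rule, so a missing accept only
    # bites once the FORWARD chain contains a drop or reject.
    forward_has_drop = any(kv.get("action") in ("drop", "reject") for kv in forward)
    findings = []
    for sec, kv in rules:
        if sec != "/ip firewall nat" or kv.get("action") != "dst-nat":
            continue
        proto, port, target = kv.get("protocol", "any"), kv.get("dst-port", ""), kv.get("to-addresses", "")
        label = f"dst-nat {proto}/{port} -> {target}"
        # Check 1: the translated destination must be on a configured LAN network.
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            findings.append(f"{label}: to-addresses is not a valid IP address")
            continue
        if not any(addr in net for net in nets):
            findings.append(f"{label}: to-addresses not in any LAN network "
                            f"({', '.join(map(str, nets))}); likely a typo")
        # Check 2: FORWARD must accept the translated connection, either via the
        # connection-nat-state=dstnat matcher or an explicit port/protocol match.
        accepted = any(
            f.get("action", "accept") == "accept" and (
                "dstnat" in f.get("connection-nat-state", "")
                or (f.get("dst-port") == kv.get("to-ports", port)
                    and f.get("protocol") == kv.get("protocol")))
            for f in forward)
        if forward_has_drop and not accepted:
            findings.append(f"{label}: no accept rule in the filter FORWARD chain")
        # Check 3: an INPUT rule for the same port never sees forwarded traffic;
        # INPUT only handles packets addressed to the router itself.
        for f in filt:
            if (f.get("chain") == "input" and f.get("dst-port") == port
                    and f.get("action", "accept") == "accept"):
                findings.append(f"{label}: filter rule for port {port} is in INPUT; "
                                "forwarded traffic traverses FORWARD")
    return findings


if __name__ == "__main__":
    for finding in lint_port_forwards(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports the 192.68.88.252 target as outside 192.168.88.0/24 and the port-32400 rule as sitting in INPUT; fixing both in the text (192.168.88.252 and chain=forward) yields an empty list.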