Hi Mikrotik Forum,
I’m relatively new to Mikrotik and RouterOS, so forgive me if this is something really obvious, but since I have my new RB4011 and fibre connection I’ve been having internet issues.
I discovered that a port forward range is the issue. I’m running an FTP server and was using ports 50000-51000 as passive ports. This was working fine on my old DD-WRT firmware TP Link router, but now every time I turn on my PC, I have to wait about 15 minutes before I have a proper internet connection. Some websites work, most don’t. I can ping 1.1.1.1 or any other site for that matter, but can’t visit the website. When I changed the ports from 50000-51000 to 60000-61000 my issue was solved, or so I thought. Now, after about 2-3 hours of computer time, same issue: websites stop working.
The way my firewall/NAT is configured is as follows:
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter add action=accept chain=input comment="ACCEPT Established/Related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="ACCEPT LAN connections" in-interface=LAN
/ip firewall filter add action=accept chain=input comment="ACCEPT ICMP requests" protocol=icmp
/ip firewall filter add action=drop chain=input comment="IMPLICIT DENY"
/ip firewall filter add action=fasttrack-connection chain=forward comment=FASTTRACK connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="ACCEPT Established/Related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="DENY invalid packets" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=forward comment="DENY Non Public Destinations" dst-address-list=not_in_internet in-interface=LAN log=yes log-prefix=!public_from_LAN out-interface=!LAN
/ip firewall filter add action=drop chain=forward comment="DENY incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
/ip firewall filter add action=drop chain=forward comment="DENY incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="DENY packets from LAN that do not have LAN IP" in-interface=LAN log=yes log-prefix=LAN_!LAN src-address=!10.255.64.0/20
/ip firewall nat add action=masquerade chain=srcnat src-address=10.255.64.0/20
/ip firewall nat add action=dst-nat chain=dstnat comment="FTP voor Server" port=7179 protocol=tcp to-addresses=10.255.70.10 to-ports=7179
/ip firewall nat add action=dst-nat chain=dstnat comment="FTP Passive Ports" disabled=yes log-prefix=ftp port=60000-61000 protocol=tcp to-addresses=10.255.70.10 to-ports=60000-61000
/ip firewall nat add action=dst-nat chain=dstnat comment=Minecraft port=25565 protocol=tcp to-addresses=10.255.70.10 to-ports=25565
/ip firewall nat add action=dst-nat chain=dstnat comment=PLEX port=32400 protocol=tcp to-addresses=10.255.70.10 to-ports=32400
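
An added example, not part of the original post: a small audit of exported dst-nat rules that checks which of them would also rewrite a connection opened from the LAN. It relies on two RouterOS behaviours: `port=` matches when either the source or the destination port is in the list, and a dst-nat rule with no `in-interface` or `dst-address` matcher applies to traffic from every interface. The third sample rule and the port numbers tested are constructed for contrast.

```python
import shlex

# Constructed sample: two dst-nat lines taken from the export in the post, plus
# a hypothetical scoped variant (dst-port= and in-interface=ether1) for contrast.
SAMPLE = '''\
/ip firewall nat add action=dst-nat chain=dstnat comment="FTP Passive Ports" disabled=yes log-prefix=ftp port=60000-61000 protocol=tcp to-addresses=10.255.70.10 to-ports=60000-61000
/ip firewall nat add action=dst-nat chain=dstnat comment=PLEX port=32400 protocol=tcp to-addresses=10.255.70.10 to-ports=32400
/ip firewall nat add action=dst-nat chain=dstnat comment=scoped dst-port=60000-61000 in-interface=ether1 protocol=tcp to-addresses=10.255.70.10
'''

# Matchers that tie a dst-nat rule to traffic arriving on or addressed to the WAN side.
SCOPE_KEYS = ("in-interface", "in-interface-list", "dst-address", "dst-address-list")


def parse_rules(export_text):
    """Turn '/ip firewall nat add k=v ...' lines into dicts, keeping dst-nat rules."""
    rules = []
    for line in export_text.splitlines():
        rule = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if rule.get("action") == "dst-nat":
            rules.append(rule)
    return rules


def in_ranges(port, spec):
    """True if port falls in a RouterOS port list such as '80,60000-61000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def catches_lan_flow(rule, src_port, dst_port):
    """Would an outbound LAN TCP flow with these ports be rewritten by this rule?"""
    if any(k in rule for k in SCOPE_KEYS):
        return False  # assumption: the scoping matcher excludes LAN-originated traffic
    if "port" in rule:  # port= matches if EITHER the source or destination port is listed
        return in_ranges(src_port, rule["port"]) or in_ranges(dst_port, rule["port"])
    return "dst-port" in rule and in_ranges(dst_port, rule["dst-port"])


def audit(export_text, src_port, dst_port=443):
    """Comments of the dst-nat rules that would capture the given LAN flow.
    The protocol= and disabled= fields are ignored in this simplified check."""
    return [r.get("comment", "") for r in parse_rules(export_text)
            if catches_lan_flow(r, src_port, dst_port)]


if __name__ == "__main__":
    print(audit(SAMPLE, src_port=60123))  # ephemeral source port inside the range
    print(audit(SAMPLE, src_port=52000))  # ephemeral source port outside the range
```

Both ranges tried in the post, 50000-51000 and 60000-61000, sit inside the IANA dynamic port range 49152-65535 from which many client stacks pick source ports, whereas ICMP has no ports and is never matched by these rules.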