Main problem is … forwarding ports don't work.
The packets count when I try, for example, entering http://wanip:2016
Port forwarding in the firewall is 100% set up correctly (on my private MikroTik I use the same technique and it works for all 10 servers)
The machine on port 3 also has SSH (on 22)
I forward 226 to 22 on 192.168.220.6 (this device has a static IP)
But no response
What could be wrong / what extra setup is needed.. routes / IP address / IPsec subnets, maybe something somehow transfers or blocks the forwarding - I don't know
MikroTik 5 ports / 1 WAN / 2 camera recorders / 5 goes to a switch with 1 extra VLAN
The main goal … will be to set up on ethernet 3 an extra IP from the pool (business ISP)
Because to eth3 will be connected customers who can make some changes in their shop, like air conditioning etc.
So (in my opinion) they will be 100% isolated from the main network, VLANs, and the device itself.
Are you testing from outside of the network?
Does the MikroTik have a public IP address?
What is the Fortigate doing exactly?
Can you make a network diagram?
Hello
Yes, I'm testing also from outside of the network = at the moment I'm at home = so for sure it's the best test.
MikroTik has a public
IP 83.1.221.xxx
subnet 255.255.255.252
gateway 83.1.221.xx
But in the description they also add
IPv4 LAN 217.xx.xxx.128 - 217.xx.xxx.131 = I don't understand .. what that is for
Fortigate is our MAIN firewall/router; all 40 devices and 10 countries connect to it (all the others are Fortigates via IPsec); only this situation is a MikroTik, and it exchanges data with servers, AD etc.
So.. I did that IPsec between that MikroTik and the main Fortigate, so I can access MikroTik -> PoE switch = cameras, the switch itself etc. (the switch doesn't have SSH etc.. but anyway I need access to the cameras etc.)
For me IPsec is like CAPsMAN, a waste of time unless you have a very special case.
Use WireGuard instead. It's fast, secure, works, and even a moron like me with assistance can set it up.
WireGuard? I haven't heard about that before, I think.
Keep in mind that I need access to subnet 192.168.220.0/24 from my place to others .. and devices in 220.0.
We have a powerful MikroTik in our server room (locally) if we will need it..
ok .. I see WireGuard… but I don't see that MikroTik supports it..
And for sure, in my opinion, it will not “talk” with Fortigate
So.. I will need to configure our local powerful MikroTik for such a task.. (at the moment it works like a “secondary” VPN connection); the primary is via Fortigate VPN
OR…
In my opinion… easier and better..
Will be to leave that as it is.. with just the tunnel… MikroTik<->Fortigate
And in AD add users.. set policy and groups in AD and Fortigate .. so “users” (in that MikroTik zone / shops) can just VPN to Fortigate.. and it's easy to give access.. create new users.. etc..
What do you think?
I have no experience with IPsec so I cannot comment. WireGuard between MT devices and from iPhone to MT device, or MT device to a third-party VPN, works great. [Linux can run servers or clients, and I've seen Windows used as a client.]
Caveat: One has to use version 7.4.1 firmware to access WG on MikroTik.
Fortigate … ???
Easy workaround is to stick any MikroTik device behind the Fortinet.
It's what I do right now: hEX (with 7.4.1) behind my CCR1009 (still on v6 firmware), and simply port-forward my chosen WireGuard listening port to the hEX IP.
Works great.
WireGuard sounds quite good from your words.
The problem with it.. will be..
A lot of users from many countries (Fortigate tunnels) will want to get access to the cameras (for example) of that zone
going that way… every “zone” will start to have a different VPN etc..
They will kill me
and I as an admin .. will lose a lot of time all the time.. configuring that VPN for them.. etc.
That's why IPsec tunnels work great
We have around 18 (~50 if I include the second admin .. his Dude map) IPsec tunnels.
All work perfectly.. Can't change the “schematic” of all that…
Or.. maybe.. MikroTik can somehow VPN to Fortigate…
But Fortigate uses their own software, FortiClient VPN
Never saw .. or don't know if it's even possible to make a connection MikroTik -> VPN -> Fortigate
That will be great too.
if.. the port forwarding .. will work
After a couple of answers and questions.. I found the main problem of that situation
Why does MikroTik not forward ports?
- websites or Zenmap that check that also.. don't see any of my ports open
Where should I look for the problem?
Firewall (in forwarding) is set correctly
226->22
2016->443
6626->6626
11740->11740
2455->2455
All set to 192.168.220.6 (the device that hosts the service/website) (with open SSH on 22)
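An added example, not configuration from this thread, of what such a forward looks like in RouterOS and where to check when the NAT counters grow but nothing answers. It assumes ether1 is the WAN interface and uses the 192.168.220.6 host and port pairs from the thread.

```routeros
# Added example (not the thread's own config). Assumes ether1 is the WAN
# interface; 192.168.220.6 and the port pairs are taken from the thread.

# 1. dst-nat rules, one per forwarded port (two shown; the remaining
#    pairs have the same shape with their own dst-port / to-ports).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=226 action=dst-nat to-addresses=192.168.220.6 to-ports=22 comment="SSH -> .6"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2016 action=dst-nat to-addresses=192.168.220.6 to-ports=443 comment="HTTPS -> .6"
# Replies from 192.168.220.6 have to leave through this router, so the
# usual masquerade is needed as well (skip if it already exists).
add chain=srcnat out-interface=ether1 action=masquerade

# 2. A dst-nat rule alone is not enough: the forward chain must accept the
#    translated connection before any "drop new from WAN" rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1 comment="allow port-forwarded connections"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="drop everything else coming in from WAN"

# 3. Checks, in order, while an outside client opens http://<wanip>:2016
#    a) did the dst-nat rule match? (its packets/bytes counters grow)
/ip firewall nat print stats where chain=dstnat
#    b) was the translated packet accepted or dropped in forward?
/ip firewall filter print stats where chain=forward
#    c) does conntrack show the flow towards .6, and does .6 answer?
#       An entry stuck in tcp-state=syn-sent means the router sent the
#       SYN on but got no SYN-ACK back: look at the host (service bound,
#       host firewall) and at its default gateway, not at the NAT rule.
/ip firewall connection print where reply-src-address~"192.168.220.6"
```

If the host's default gateway is not this MikroTik (for example it points at the Fortigate side), the SYN-ACK leaves by another path and the check in step 3c shows exactly that symptom.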