General port question

Hey fellow mikrotik enthusiasts!

I recently discovered this device: RB2011UiAS-2HnD-IN.
It solved a lot of problems in my home network, but I can't seem to fix 1 thing…


… forward a specific port, 64738. This port is used by Mumble to connect, but it just won't open on my MikroTik :frowning:

I have tried several YouTube videos, posts on the forum and internet tutorials; none seem to work.

I have tried to give all information asked in other topics, posted below:

And thanks for helping me out! :slight_smile:
###########################################################

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-26 13:52 UTC
Nmap scan report for 39-162-ftth.onsbrabantnet.nl (88.159.162.39)
Host is up (0.00034s latency).
PORT STATE SERVICE
64738/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds

print of firewall nat
###########################################################
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN
ipsec-policy=out,none

1 chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=22
protocol=tcp in-interface=ether1 dst-port=22 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.1.73 protocol=tcp
dst-address=88.159.162.39 in-interface=ether1 dst-port=22 log=no
log-prefix=""

3 chain=dstnat action=dst-nat to-addresses=192.168.1.73 protocol=tcp
dst-address=88.159.162.39 in-interface=ether1 dst-port=64738 log=no
log-prefix=""

4 chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=64738
protocol=tcp in-interface=ether1 dst-port=64738 log=no log-prefix=""

5 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
###########################################################
Print of firewall filter:
###########################################################
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=forward action=accept
connection-state=established,related,untracked log=no log-prefix=""

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

4 ;;; defconf: drop all not coming from LAN
chain=input action=accept in-interface-list=!LAN log=no log-prefix=""

5 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

6 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

8 ;;; defconf: accept established,related, untracked
chain=forward action=accept
connection-state=established,related,untracked log=no log-prefix=""

9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=accept connection-state=established,related,new
connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

11 chain=forward action=accept connection-state=established,related,new log=n>
log-prefix=""

12 chain=forward action=accept protocol=icmp log=no log-prefix=""

13 chain=forward action=accept connection-state=established log=no
log-prefix=""

14 chain=forward action=accept connection-state=related log=no log-prefix=""

15 chain=forward action=accept in-interface=ether1 log=no log-prefix=""

From your router, can you telnet to 192.168.1.73 on port 64738?

/system telnet address=192.168.1.73 port=64738

If not, it is either a firewall on the endpoint or the port is not used by Mumble.

system telnet address=192.168.1.73 port=64738
Trying 192.168.1.73...
Connected to 192.168.1.73.
Escape character is '^]'.
^CConnection closed by foreign host.

So that works, then it should be working already!
Hmm..

Your NAT rule doesn’t have any hits at all?
Your FW/filter rules are a bit messy. In a way they should be allowing all forward traffic as it seems.

Number 10 is not default - that action should be DROP.
This is the default forward drop:
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

11 - 15 are all testing rules? They accept a lot.
The default behavior of filter rules is also accept, so these shouldn’t even be needed. Only your 10 should be changed to action=DROP.

Try to add this rule on top, so we can exclude the filter rules. There might be something off in your interface lists which we can't see from your export.
/ip firewall filter add action=accept chain=forward dst-port=64738 in-interface-list=WAN log=yes protocol=tcp

You also need both UDP & TCP for port 64738 for Mumble to work.

https://wiki.mumble.info/wiki/FAQ/English#What_is_the_default_server_port_for_Murmur.3F
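
An added example, not part of the original thread: a small Python audit of the filter print above that flags rules whose comment says "drop" while the action is accept (rules 4 and 10) and shows which rule decides a new WAN connection before and after rule 10 is changed to drop. The function names and the packet dictionary layout are assumptions of this example, and only the four matchers listed in `MATCHERS` are evaluated.

```python
import re

# Added illustration; function names and the packet dict layout are assumptions.
# Constructed sample: rules 4, 9 and 10 from the filter print in this thread,
# with straight quotes restored.
SAMPLE = '''\
 4 ;;; defconf: drop all not coming from LAN
 chain=input action=accept in-interface-list=!LAN log=no log-prefix=""
 9 ;;; defconf: drop invalid
 chain=forward action=drop connection-state=invalid log=no log-prefix=""
10 ;;; defconf: drop all from WAN not DSTNATed
 chain=forward action=accept connection-state=established,related,new
 connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
'''

RULE_START = re.compile(r"^\s*(\d+)\s+(?:[XID]\s+)*(?:;;;\s*(.*)|(\S+=.*))$")
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
MATCHERS = ("chain", "connection-state", "connection-nat-state", "in-interface-list")

def parse_rules(text):
    """Turn `ip firewall filter print` output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:  # a new rule starts: number, optional flags, comment or properties
            rules.append({"id": int(m.group(1)), "comment": m.group(2) or "", "props": {}})
            line = m.group(3) or ""
        if rules:  # continuation lines add properties to the current rule
            rules[-1]["props"].update((k, v.strip('"')) for k, v in PROP.findall(line))
    return rules

def misleading_accepts(rules):
    """IDs of rules whose comment promises a drop but whose action is accept."""
    return [r["id"] for r in rules
            if "drop" in r["comment"].lower() and r["props"].get("action") == "accept"]

def matches(rule, pkt):
    """Compare supported matchers; '!' negates, commas separate alternatives."""
    for key in MATCHERS:
        want = rule["props"].get(key)
        if want and (pkt.get(key) in want.lstrip("!").split(",")) == want.startswith("!"):
            return False
    return True

def verdict(rules, pkt):
    """First matching accept/drop rule wins; an unmatched packet is accepted."""
    for r in rules:
        if r["props"].get("action") in ("accept", "drop") and matches(r, pkt):
            return r["props"]["action"], r["id"]
    return "accept", None
```

With rule 10 left at accept, a new connection from WAN that was never dst-natted is accepted by rule 10; after the change to drop, the same packet is dropped while a dst-natted one still falls through to the default accept.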

Thank you for the reply. I have disabled rules 11-15 and changed rule 10 to drop. After that I added the filter rule.

I have not done this, I will apply the forward right now. And thank you for noticing!

Hey guys,

update:
udp port now reacts open | filtered.

 Host is up (0.00039s latency).
PORT      STATE         SERVICE
64738/udp open|filtered murmur

tcp port now reacts filtered.

Host is up (0.00031s latency).
PORT      STATE    SERVICE
64738/tcp filtered unknown

firewall nat dump:

  X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no 
      log-prefix="" ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=22 
      protocol=tcp dst-address=88.159.162.39 in-interface-list=WAN dst-port=22 
      log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=64738 
      protocol=tcp dst-address=88.159.162.39 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=64738 
      protocol=udp dst-address=88.159.162.39 log=no log-prefix="" 

 4    chain=srcnat action=src-nat to-addresses=88.159.162.39 
      src-address=192.168.1.73 log=no log-prefix="" 
[admin@MikroTik] >

all help is appreciated!

Is that a Windows PC? Try setting network to home if it's not.

No, it's a Raspberry Pi.

Well, both your port forwards are exactly the same, so both should work.
2 chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=64738
protocol=tcp dst-address=88.159.162.39 log=no log-prefix=""

3 chain=dstnat action=dst-nat to-addresses=192.168.1.73 to-ports=64738
protocol=udp dst-address=88.159.162.39 log=no log-prefix=""

So if UDP works but TCP does not, it is something on the Pi/Mumble service.
But is Mumble not working now? Maybe TCP is only used when someone is connected or something.