hAP ax3 Port forwarding not working

Hey guys, I've recently switched to a hAP ax3 from some TP-Link; all is great apart from port forwarding. I have a server which serves a couple of sites + services such as SSH. I was following a couple of guides for port forwarding, but after checking with an open port checker tool or directly trying the sites I'm getting CONNECTION TIMED OUT.
The router is directly connected to a Ubi fiber-to-ethernet box with the IP 192.168.1.1
The hAP ax3 uses WAN to connect to the Ubi box with the IP 192.168.1.10
Internal LAN uses 192.168.2.0/24
Server uses .202
I suspect the firewall, but that's about it.
Config:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=*6
add bridge=bridge comment=defconf interface=*7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=192.168.2.0
add address=192.168.1.10/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.202 client-id=\
    MAC mac-address=\
    MAC server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=185.152.196.29,185.152.196.28
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface-list=WAN \
    log=yes protocol=tcp to-addresses=192.168.2.202 to-ports=0
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=\
    WAN log=yes protocol=tcp to-addresses=192.168.2.202 to-ports=0
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name="hAP ax3"
/system leds
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

There's an error in your DST NAT rules: to-ports=0 … either remove the property entirely (if you're using the GUI, click the up-arrow on the side of the property value so that it folds closed) or set correct port numbers. If the property is not set (at all), then the NAT rule won't change the port number. If it is set (and setting it to 0 is setting it nonetheless), then NAT will replace the port number with the configured value.

Thanks for the fast reply; removed those zeros, even tried using the correct ports, but unfortunately it's still not working.

OK, next question: how are you testing the NAT?

  • If you're using a device from outside your network, is the upstream device (Ubi) configured for DST NAT towards your hAP ax3?
  • If you're testing it from within your LAN by trying to connect to the WAN IP, then you may have to implement Hairpin NAT … it may be a bit trickier in your case than it is in the manual, since it seems you're behind double NAT (one NAT instance is your hAP ax3, another instance is either the Ubi or your ISP).
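A corrected version of the two DST NAT rules from the export, together with the hairpin rules the second bullet refers to, written as an added example for this thread (it is not mkx's code and not taken from the MikroTik manual). It assumes the addresses from the opening post: 192.168.1.10 on ether1 as the WAN address, 192.168.2.0/24 on the bridge, and the server at 192.168.2.202.

```routeros
# Added example: replacement for the two dst-nat rules in the export.
# to-ports is left out entirely, so the destination port is kept as-is;
# to-ports=0 would rewrite it to port 0 and the server never answers.
/ip firewall nat
add chain=dstnat comment=http action=dst-nat dst-address=192.168.1.10 \
    protocol=tcp dst-port=80 to-addresses=192.168.2.202
add chain=dstnat comment=https action=dst-nat dst-address=192.168.1.10 \
    protocol=tcp dst-port=443 to-addresses=192.168.2.202
# Matching on dst-address (the router's own WAN address) instead of
# in-interface-list=WAN makes the same rules fire for LAN clients that
# connect to 192.168.1.10; a WAN-only match never sees those packets.
#
# Hairpin: when client and server are both in 192.168.2.0/24 the server
# would reply straight to the client, which then gets an answer from
# 192.168.2.202 for a connection it opened to 192.168.1.10 and drops it.
# Masquerading only that flow forces the reply back through the router.
add chain=srcnat comment="hairpin nat" action=masquerade \
    src-address=192.168.2.0/24 dst-address=192.168.2.202 \
    protocol=tcp dst-port=80,443
# The defconf masquerade rule matches out-interface-list=WAN only, so the
# two srcnat rules do not overlap and their order does not matter.
```

These rules only cover LAN clients that use 192.168.1.10. With the public address held upstream by the ONT, a LAN client that connects to the public IP depends on the ONT hairpinning, which this router cannot influence; for that case a `/ip dns static` entry pointing the site's hostname at 192.168.2.202 is simpler, since the export already has LAN clients resolving through the router (192.168.2.1) and that path avoids NAT altogether.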

I'm using https://www.yougetsignal.com/tools/open-ports/ to see if the port is actually open. The Ubi device is configured by my ISP; I have no access to it.

Well … when you use the internet port checker, do any of the NAT counters increase?

Alas: the upstream device has to forward ports to your router. Does it have the same WAN IP address as its predecessor?

Nothing increases; yes, I have the same WAN IP as before - 1.10

EDIT: Is it possible that I have to route or port forward between my internal LAN and WAN networks?

If your LAN devices can use the internet, then routing is very likely fine. And the config on the hAP ax3 (apart from the detail I pointed out earlier) seems fine to me as well. But then there's some ISP device that does another layer of NAT. Whether it's the Ubi device you actually see or some other device in the ISP's backbone is not clear, as you cannot access the Ubi device to check. So it's anybody's guess.

Now you could do some debugging using the sniffer tool: set a filter on the DST port you want to use and run the tool without filtering on address or interface. If everything is working fine, you should see the same packet twice: once ingressing through the WAN interface, its dst-address set to the WAN IP of your router, and a second time egressing through the LAN interface (likely bridge), dst-address set to the IP address of the LAN server. If you only see the first one, then the firewall rules on the router are to blame (either the DST NAT rule or a firewall filter rule); if you see it twice, then the packet is passing through. If you don't see it at all, then the problem is upstream.
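The two checks mkx describes (NAT counters in the earlier reply, the sniffer in this one), as an added example of how to run them from the router terminal; this is not code from the thread. It assumes the forwarded port is TCP/80, the WAN interface is ether1 and the server is 192.168.2.202, as in the export.

```routeros
# Added example. Step 1: NAT counters. Zero them, run the external port
# checker, then see whether the dst-nat rules counted anything at all.
/ip firewall nat reset-counters-all
# ... trigger the external port check now ...
/ip firewall nat print stats where chain=dstnat
# packets=0 on the http/https rules after the test means nothing with
# dst-port 80/443 ever arrived on ether1: the problem is upstream.

# Step 2: packet sniffer, filtered on the port only (no interface and no
# address filter), so the same packet shows up on ether1 with
# dst 192.168.1.10 (before NAT) and again on bridge with dst 192.168.2.202
# (after NAT). Capture for 30 seconds, then list what was seen.
/tool sniffer set filter-ip-protocol=tcp filter-port=80
/tool sniffer start
:delay 30s
/tool sniffer stop
/tool sniffer packet print
# Entries on ether1 only: a dst-nat or filter rule on this router drops it.
# Entries on ether1 and bridge in both directions: the router forwards it;
# look at the server or at the upstream device instead.

# Step 3: connection tracking shows the translated flow on one line,
# original destination (192.168.1.10:80) next to the reply source
# (192.168.2.202:80).
/ip firewall connection print detail where protocol=tcp dst-address~":80"
```

If step 1 already shows the counters at zero, steps 2 and 3 will show nothing either; the useful order is counters first, sniffer second.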

I've set the Dst. port to 80; I'm seeing them all, one is the WAN gateway IP of my router, one is the IP of my webserver.

Are the addresses the way you expect them to be?

Do you see reply packets? You should see them if you set src-port to 80.

Well, to be honest, I'm kinda lost; it looks like normal HTTP traffic, starts with RX to the webserver, TX to the WAN gateway.
https://ibb.co/khKXXSX

I think one key question from mkx has been left unanswered.

Is the Ubi acting as pure modem or not?
In other words, which interface is receiving the public IP? The WAN of the Ubi or the WAN of the MikroTik?

I suppose the WAN of the Ubi; it's a Ubiquiti U Fiber LOCO, GPON Optical Network Unit, which only displays the LAN IP - 192.168.1.1; it's acting like a gateway to my whole network. I'm starting to think that my ISP did something wrong, because while I was changing my router the Ubi had to be replaced as well since it died. They redid the port forwards on the Ubi device, but now it looks like they did something wrong.

A couple of thoughts.

You could be behind a double NAT (the ONT has the public IP and then your hAP WAN interface has a private IP), or your provider may even be using CGNAT.
In both cases you are dependent on your provider, either to set up the ONT as a bridge (and then pass the public IP to the WAN interface of the HEX), and in the case of CGNAT you will not be able to do port forwarding at all.
In case you cannot sort out the point with your provider, you could consider a service like Cloudflare Tunnel or similar.

Read…https://forum.mikrotik.com/viewtopic.php?t=179343

If double NAT, you will need to port forward the applicable ports on the upstream device to the WAN IP of the MT (its LAN IP on the upstream device's subnet).

I feel like this is already done; the IP of the Ubi upstream device is 192.168.1.1, the WAN IP of the MT is 192.168.1.10. I feel like I'm behind a double NAT, Ubi and MT. And I'm totally lost.

So the Ubiquiti provides a LAN subnet of 192.168.1.0/24 and its address is 192.168.1.1; this is all good and normal.
However, the Ubiquiti itself must get a public IP address on the WAN side.

What you need to do is simply use a "what's my IP" site in a browser to figure out the public IP the Ubiquiti is currently getting; we are doing this to confirm the Ubiquiti is accessible over the internet via a public IP.
You MUST ALSO BE ABLE to access the Ubiquiti menus to enable any useful functionality on the MikroTik router, be it port forwarding or connecting remotely via VPN.

You will also find an IP Cloud entry in the MikroTik router WinBox menu. You can enable this, and if you put the associated mynetname address in your browser it should also resolve to the public IP address the Ubiquiti is getting.

Confirm the above, before progressing.
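The IP Cloud check from the last post, done from the router's own terminal so the comparison with the WAN address is made on the box rather than by eye. This is an added example, not code from the thread; it assumes ether1 is the WAN interface as in the export, and that the `public-address` field of `/ip cloud` is populated once DDNS is enabled and the router has internet access.

```routeros
# Added example: does ether1 hold the public address, or is there another
# NAT in front of this router?
/ip cloud set ddns-enabled=yes
/ip cloud force-update
:delay 10s
# Address the MikroTik cloud service saw this router's update come from.
:local pub [:tostr [/ip cloud get public-address]]
# Address configured on ether1, e.g. "192.168.1.10/24", with the prefix length stripped.
:local wanCidr [/ip address get [find interface=ether1] address]
:local wan [:pick $wanCidr 0 [:find $wanCidr "/"]]
:put ("public address seen from outside: " . $pub)
:put ("address configured on ether1:    " . $wan)
:if ($wan = $pub) do={
    :put "ether1 holds the public address: the ONT is bridging, dst-nat on this router is all that is needed"
} else={
    :put "ether1 address differs from the public address: another NAT (ONT or ISP/CGNAT) sits in front of this router"
    :put ("ports must be forwarded on that upstream device to " . $wan . " before any rule here can match")
}
```

In the situation described in the thread, ether1 carries 192.168.1.10, a private address, so the script ends in the second branch; whether the forwarding then belongs on the Ubi or is impossible (CGNAT) is something only the ISP can answer, exactly as the earlier replies say.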