HLDS Counter Strike client can't connect to my server

Hi, I have public internet IP over NAT.

Provider forwarded IP to wireless radio (Mikrotik) device on roof (IP internal 192.168.100.197) and then to my router HAP ac2 (192.168.88.1).
I forwarded external IP to my computer (192.168.88.100)

There is no problem when I stream games over public IP with Nvidia GameStream. I can connect and play games on device outside my network.
I can’t connect to my HLDS server from computer outside network.
Open Protocol Test site says that port 27015 is closed, but when I set this port in an app like qBittorrent then the port is open.
What am I doing wrong?

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    ;;; WANtoLAN
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 dst-address=XXX.XXX.XXX.XXX log=no log-prefix="" 

 2    ;;; LANtoWAN
      chain=srcnat action=src-nat to-addresses=XXX.XXX.XXX.XXX src-address=192.168.88.100 log=no log-prefix="" 

 3    ;;; Transmission
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=51413 protocol=tcp dst-port=51413 log=no log-prefix="" 

 4    ;;; Transmission
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=51413 protocol=udp src-port="" dst-port=51413 log=no 
      log-prefix="" 

 5    ;;; HLDS:27015
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=27015 protocol=udp dst-port=27015 log=no log-prefix="" 

 6    ;;; HLDS:27015
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=27015 protocol=tcp dst-port=27015 log=no log-prefix="" 

 7  D ;;; upnp 192.168.88.100: Moonlight - DESKTOP-J9LQUO9
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=47984 protocol=tcp dst-address=192.168.100.197 
      in-interface=ether1 dst-port=47984 

 8  D ;;; upnp 192.168.88.100: Moonlight - DESKTOP-J9LQUO9
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=47989 protocol=tcp dst-address=192.168.100.197 
      in-interface=ether1 dst-port=47989 

 9  D ;;; upnp 192.168.88.100: Moonlight - DESKTOP-J9LQUO9
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=48010 protocol=tcp dst-address=192.168.100.197 
      in-interface=ether1 dst-port=48010
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

12    ;;; OpenVPN port
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""

Please post complete config…
Not sure why people think that a poor explanation and no diagram can be solved by snippets of the config.
Maybe I am just picky…

/export hide-sensitive file=anyfilename

Sorry, here is exported file:

# mar/23/2020 12:17:56 by RouterOS 6.46.4
# software id = JDS9-ZLIT
#
# model = RBD52G-5HacD2HnD
# serial number = A6470AF99EB9
/interface bridge
add admin-mac=74:4D:28:85:45:D3 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    country=poland disabled=no distance=indoors frequency=2452 installation=\
    indoor mode=ap-bridge ssid=MikroTik-2.4GHz wds-default-bridge=bridge \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=poland disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-5GHz \
    wds-default-bridge=bridge wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=openvpn ranges=10.0.0.2-10.0.0.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=karnas
/ppp profile
add dns-server=192.168.88.1 local-address=10.0.0.1 name=openvpn \
    remote-address=openvpn use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Sever-Cert cipher=aes256 default-profile=openvpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=1:d0:50:99:2e:3c:c1 mac-address=\
    D0:50:99:2E:3C:C1 server=karnas
add address=192.168.88.102 client-id=1:14:c9:13:71:6c:95 mac-address=\
    14:C9:13:71:6C:95 server=karnas
add address=192.168.88.104 client-id=1:e0:94:67:91:bb:7b mac-address=\
    E0:94:67:91:BB:7B server=karnas
add address=192.168.88.103 client-id=1:50:7b:9d:8e:90:f5 mac-address=\
    50:7B:9D:8E:90:F5 server=karnas
add address=192.168.88.2 mac-address=10:FE:ED:E5:AE:4F server=karnas
add address=192.168.88.10 client-id=1:dc:a6:32:60:97:86 mac-address=\
    DC:A6:32:60:97:86 server=karnas
add address=192.168.88.110 client-id=1:8c:16:45:52:92:33 mac-address=\
    8C:16:45:52:92:33 server=karnas
add address=192.168.88.108 client-id=1:d4:6d:6d:38:53:1f mac-address=\
    D4:6D:6D:38:53:1F server=karnas
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="OpenVPN port" dst-port=1194 protocol=\
    tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=WANtoLAN dst-address=xxx.xxx.xxx.xxx \
    to-addresses=192.168.88.100
add action=src-nat chain=srcnat comment=LANtoWAN src-address=192.168.88.100 \
    to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 protocol=\
    tcp to-addresses=192.168.88.10 to-ports=51413
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 protocol=\
    udp src-port="" to-addresses=192.168.88.10 to-ports=51413
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 protocol=\
    udp to-addresses=192.168.88.100 to-ports=27015
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 protocol=\
    tcp to-addresses=192.168.88.100 to-ports=27015
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ppp secret
add name=user profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system script
add dont-require-permissions=yes name=WOL_DESKTOP-KARNAS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=bridge mac=D0:50:99:2E:3C:C1"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


There you have to open the ports and link them to your PC's IP address, which should be a static one so that your PC doesn't get another IP on the next restart.

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
(if you only have one WAN, this could be out-interface=WAN)

The rest of your rules are weird!!
Why do you have another source nat rule??
The format of the dst-nat rules is incorrect.

The basic format for dst-nat rules is
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=?? dst-port=xxx to-addresses=SERVER_IP to-ports=(only needed if different from the dest port, i.e. when doing port translation).

add action=dst-nat chain=dstnat comment=WANtoLAN dst-address=xxx.xxx.xxx.xxx to-addresses=192.168.88.100
add action=src-nat chain=srcnat comment=LANtoWAN src-address=192.168.88.100 to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 protocol=tcp to-addresses=192.168.88.10 to-ports=51413
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 protocol=udp src-port="" to-addresses=192.168.88.10 to-ports=51413
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 protocol=udp to-addresses=192.168.88.100 to-ports=27015
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 protocol=tcp to-addresses=192.168.88.100 to-ports=27015
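
An added example, not part of the original posts: a small Python check that reads the `/ip firewall nat` section of a RouterOS export and flags dst-nat rules that do not follow the basic format given in the reply above (an in-interface matcher plus protocol and dst-port). The function names and the sample text are constructed for illustration; the sample mirrors the shape of the rules in the first export, with the public address left as the thread's placeholder.

```python
import re
import shlex

# Constructed sample in the shape of the first export in this thread.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=WANtoLAN dst-address=xxx.xxx.xxx.xxx \
    to-addresses=192.168.88.100
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 protocol=\
    udp to-addresses=192.168.88.100 to-ports=27015
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.88.100
'''


def parse_nat_rules(export_text):
    """Return the NAT rules of an export as a list of {property: value} dicts."""
    # An export wraps long lines with a trailing backslash, sometimes in the
    # middle of a token ("protocol=\" / "    udp"), so join those first.
    text = re.sub(r"\\\n\s*", "", export_text)
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def lint_dstnat(rules):
    """Flag enabled dst-nat rules that lack the matchers from the basic format."""
    findings = []
    for rule in rules:
        if rule.get("action") != "dst-nat" or rule.get("disabled") == "yes":
            continue
        name = rule.get("comment", "(no comment)")
        if not {"in-interface", "in-interface-list"} & rule.keys():
            findings.append((name, "no in-interface/in-interface-list matcher"))
        if "protocol" not in rule or "dst-port" not in rule:
            findings.append((name, "no protocol/dst-port: every port is forwarded"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_dstnat(parse_nat_rules(SAMPLE_EXPORT)):
        print(f"{name}: {problem}")
```

On the sample, the WANtoLAN rule is reported twice: it has no interface matcher and, with no protocol or dst-port, it forwards every port on the public address to 192.168.88.100.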

I’ve made changes. But still can’t connect to my server outside network. (can connect to my Moonlight streaming).

# mar/23/2020 18:06:57 by RouterOS 6.46.4
# software id = JDS9-ZLIT
#
# model = RBD52G-5HacD2HnD
# serial number = A6470AF99EB9
/interface bridge
add admin-mac=74:4D:28:85:45:D3 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    country=poland disabled=no distance=indoors frequency=2452 installation=\
    indoor mode=ap-bridge ssid=MikroTik-2.4GHz wds-default-bridge=bridge \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=poland disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-5GHz \
    wds-default-bridge=bridge wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=openvpn ranges=10.0.0.2-10.0.0.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=karnas
/ppp profile
add dns-server=192.168.88.1 local-address=10.0.0.1 name=openvpn \
    remote-address=openvpn use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Sever-Cert cipher=aes256 default-profile=openvpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=1:d0:50:99:2e:3c:c1 mac-address=\
    D0:50:99:2E:3C:C1 server=karnas
add address=192.168.88.102 client-id=1:14:c9:13:71:6c:95 mac-address=\
    14:C9:13:71:6C:95 server=karnas
add address=192.168.88.104 client-id=1:e0:94:67:91:bb:7b mac-address=\
    E0:94:67:91:BB:7B server=karnas
add address=192.168.88.103 client-id=1:50:7b:9d:8e:90:f5 mac-address=\
    50:7B:9D:8E:90:F5 server=karnas
add address=192.168.88.2 mac-address=10:FE:ED:E5:AE:4F server=karnas
add address=192.168.88.10 client-id=1:dc:a6:32:60:97:86 mac-address=\
    DC:A6:32:60:97:86 server=karnas
add address=192.168.88.110 client-id=1:8c:16:45:52:92:33 mac-address=\
    8C:16:45:52:92:33 server=karnas
add address=192.168.88.108 client-id=1:d4:6d:6d:38:53:1f mac-address=\
    D4:6D:6D:38:53:1F server=karnas
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="OpenVPN port" dst-port=1194 protocol=\
    tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 \
    in-interface-list=WAN protocol=udp src-port="" to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat comment=HLDS:27015 dst-port=27015 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.100
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ppp secret
add name=user profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system script
add dont-require-permissions=yes name=WOL_DESKTOP-KARNAS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=bridge mac=D0:50:99:2E:3C:C1"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) But still can’t connect to my server outside network
Hmm are you trying to connect to your server but from within LAN via the WANIP?
Are you trying to connect to a server on the internet from the lan??
Are you trying to connect to a server from the lan using the LANIP of the server??

See how a vaguely worded statement begs more questions. :wink:


(2) /ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1

Try using WAN vice ether1.

(3) add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 in-interface-list=WAN protocol=udp src-port="" to-addresses=192.168.88.10

What are you doing there? Get rid of source port!

  1. I have Dedicated Server (attachment) set to internet on my PC (I want to share that server with my public IP, PC has local IP 192.168.88.100), on my notebook I'm connected to mobile internet (different network, different provider). In Counter-Strike after "connect public_ip" the server is not responding.
  2. ether1 is my WAN (input does not match any value of interface when set WAN instead of ether1)
  3. misclick in WinBox

I tried port TCP 27015 in TightVNC and it also works perfect, I can connect to my PC without problem from my mobile phone (not connected to local WLAN).
Maybe HLDS needs some additional configuration.


If you can create a diagram to explain what you are saying in (1), I may be able to help
I have never heard of a dedicated server on my PC "set to internet". What does "set to internet" mean?

It sounds like
I have a server on my PC, that I want others to be able to connect to over the internet??
I have a separate PC, a notebook where you connect to mobile internet??

So I am confused: do you have a router, and what is the router connected to?

Are you trying to connect to your PC server via the router by using the notebook connecting to a different provider?