I can't port forward my hexS MikroTik router. Help

So I have been working on a server, which is working fine when doing tests over LAN. When I tried to port forward my server, I failed. I tried following a lot of tutorials on the internet, but nothing helps. Is it because I am using this site? https://www.yougetsignal.com/tools/open-ports/ It says my port is not forwarded.
Here is what I did so far:
s.png
b.png
I swear I followed every tutorial on the internet, it didn’t help.

I am new to this router, please help. Thanks in advance

Lots of garbage tutorials on the net.
Best bet is to post your config to have a look at. Many config items are interrelated so hunt and peck wastes everybody’s time.

/export hide-sensitive file=anyname.

In winbox go to the windows terminal menu choice and type the above
In winbox go to the files menu choice find the file and right click download to PC
On PC use Notepad++ to open the file, copy and paste it in here.
Use the code brackets (above black square with white square brackets)
Before submitting ensure you replace your actual WAN IP with x.x.x.x

Here is my setup:
(Sorry if I did something wrong)

# mar/24/2020 12:32:42 by RouterOS 6.46.2
# software id = 43JG-2Y1F
#
# model = RB760iGS
# serial number = A36A0AC106FF
/interface bridge
add admin-mac=74:4D:28:AF:9F:1E auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=bridgeLocal list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=54000 \
    protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat out-interface-list=WAN

Thanks for trying to help me, I appreciate it a lot :slight_smile:

/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

Assign the Address on your Bridge interface and not in the Slave ether 2 Interface…

Also your Mikrotik Router is Behind NAT… Your Public IP Address is at your ISP’s Router…
You have to either use DMZ on the ISP’s router or port forward the port to your Mikrotik as well…

So basically my ISP’s IP address is my router’s IP address? So my ISP is like a big router for other routers in my area? I guess using DMZ on the ISP’s router and portforwarding my Mikrotik both involve contacting my ISP, right? Correct me if I understood something wrong. One more question: which tab should I use to find out the Address on my Bridge interface? Thanks in advance

This is not the complete config… need all rules.

(1) As noted…
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

/ip address
add address=192.168.88.1/24 interface=bridgeLocal network=192.168.88.0

(2)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN (OKAY)
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=54000 \ (NOT OKAY)
protocol=tcp to-addresses=192.168.88.254

Format
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=54000 \
    to-addresses=192.168.88.254

(2)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN (OKAY)
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=54000 \ (NOT OKAY)
protocol=tcp to-addresses=192.168.88.254

Format
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=54000 \
    to-addresses=192.168.88.254

So I have to change
a.png
this

And type this:
b.png
in the terminal?

This is not the complete config… need all rules.

I followed your instructions, is the config file not complete because I used the hide sensitive info flag? Anyway, I tried what you suggested and checked if it helped on this site: https://www.yougetsignal.com/tools/open-ports/. It didn’t help. Is it even safe to use this for checking?

I am sure that port checker is fine, I use grc.com and Shields UP function for my testing.
https://www.grc.com/x/ne.dll?bh0bkyd2

For example there were no firewall filter rules in the previous config.
For example in your config they should show up BEFORE the firewall NAT rules.

Try this again…
/export hide-sensitive file=anyname.

In winbox go to the windows terminal menu choice and type the above
In winbox go to the files menu choice find the file and right click download to PC
On PC use Notepad++ to open the file, copy and paste it in here.
Use the code brackets (above black square with white square brackets)
Before submitting ensure you replace your actual WAN IP with x.x.x.x

Unless you use PPPoE on your Mikrotik or you have statically assigned a public IP address on your Mikrotik device, e.g. on ether1, then the public IP address is on your ISP’s router, not on the Mikrotik…
So if for example the public IP is x.y.z.w and the port you use for the port forward rule is 54000, if you hit x.y.z.w:54000 from outside your LAN, this will go directly to your ISP’s router, which does not know anything about it or what it should do with it. So simply it will not work… if you check that with a port scanner it will appear as closed or filtered…
If you use DMZ on your ISP’s router then everything is port forwarded to your Mikrotik.
Or you should port forward manually like this:
If your Mikrotik has the IP 192.168.1.2/24 through DHCP or statically on ether1, then from your ISP’s router you should port forward the port 54000 to 192.168.1.2, meaning your Mikrotik.
Then on your Mikrotik you port forward again the port 54000 to the actual device inside your LAN, let’s say 192.168.2.20…
ISP → Mikrotik → Lan Device

OK, I see. Here is the one WITH the firewall rules:

# mar/24/2020 19:54:29 by RouterOS 6.46.2
# software id = 43JG-2Y1F
#
# model = RB760iGS
# serial number = A36A0AC106FF
/interface bridge
add admin-mac=74:4D:28:AF:9F:1E auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface detect-internet
set wan-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=bridgeLocal list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.88.1/24 interface=bridgeLocal network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=54000 in-interface=bridgeLocal \
    protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat out-interface-list=WAN

Please delete this line

add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

And take a look at my previous post… it is really easy…

I think you are assuming that I have another router, that was brought to me by the ISP, and my MikroTik is connected to it, but actually, the external internet cable is plugged into my MikroTik and then I have my computer, which is connected to my MikroTik, directly. So I don’t have an ISP router, I replaced it with my MikroTik. Or are you talking about something else? I really don’t know, I might be wrong

It is my second router, which is connected to my MikroTik, which gives my portable devices to connect to the internet via Wi-Fi. Just tried removing that address, my WI-FI stopped working but I fixed that (added that address again)

ok i see…
So, the IP address assigned to you at ether1, is it a Public IP address or a private one ?
Since you might not know how to recognise that, if you are using the default firewall, ICMP (ping) is allowed, check if you can ping your ether1 IP address through another device outside your LAN, let’s say from your phone using 3G/4G…
If not then you are assigned a private IP address and I guess you should contact your ISP… your Mikrotik will not be reachable through the Internet…

It is my second router, which is connected to my MikroTik, which gives my portable devices to connect to the internet via Wi-Fi. Just tried removing that address, my WI-FI stopped working but I fixed that (added that address again)

Understood, but this is wrong… i will not explain why but that proves you obviously have wrong configuration on your second router too…

If the config you posted a few posts up is really complete, then your router is currently highly vulnerable as it has nothing in IP → firewall → filter . If that’s really so, I highly recommend you to perform reset to factory defaults.

A question related to your discussion with @zacharias: if you go to IP > Addresses, what kind of address does it show at ether1? Kindly type it here, the first two dotted numbers will suffice (e.g. 46.81.x.y).
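The three configuration problems raised in the replies above (no firewall filter rules, the LAN address assigned to a bridge port instead of the bridge, and a dst-nat rule that does not match traffic arriving on WAN) can be checked mechanically against an export. This is an added example, not part of the original thread and not a MikroTik tool; the sample export is constructed from the shape of the one posted, and the finding names are made up for illustration.

```python
import re

# Constructed sample, trimmed from the shape of the export posted in the thread.
SAMPLE = """\
/interface bridge port
add bridge=bridgeLocal disabled=yes interface=ether1
add bridge=bridgeLocal interface=ether2
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=54000 in-interface=bridgeLocal \\
    protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse_export(text):
    """Map each section path to a list of key/value dicts, one per 'add' line."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join '\' continuation lines
    sections, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif path and line.startswith("add "):
            # Simplification: values containing spaces or quotes are not handled.
            sections[path].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(text):
    """Return findings (hypothetical names) for the problems raised in the thread."""
    s, out = parse_export(text), []
    if not s.get("/ip firewall filter"):
        out.append("no-firewall-filter-rules")
    ports = {p.get("interface") for p in s.get("/interface bridge port", [])
             if p.get("disabled") != "yes"}
    out += [f"address-on-bridge-port:{a.get('interface')}"
            for a in s.get("/ip address", []) if a.get("interface") in ports]
    wan = {m.get("interface") for m in s.get("/interface list member", [])
           if m.get("list") == "WAN"}
    for r in s.get("/ip firewall nat", []):
        bound = r.get("in-interface-list") == "WAN" or r.get("in-interface") in wan
        if r.get("action") == "dst-nat" and not bound:
            out.append(f"dstnat-not-matching-wan:{r.get('dst-port')}")
    return out
```

A rule that selects WAN traffic only by `dst-address` is also reported by the third check, because the form suggested in the thread uses `in-interface-list=WAN`.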

I think my MikroTik is already factory reset, at least I did it three or four months ago.
f.png
I mean, it’s definitely not a private IP address, as far as I can tell, but the address shown on ether1 doesn’t match the IP address that https://whatismyipaddress.com/ is showing. Why?
b.png
I am so sorry I don’t understand everything, but I am trying. Thanks for trying to help me out, guys

The IP address on your ether1 is a private IP address, meaning not Public… not reachable through the Internet…
The second address, from the photo, is a public one and is the address of your ISP’s equipment wherever that is…
And of course, I haven’t checked, if you do not use any firewall as @mkx stated, fix it as soon as possible…

As @zacharias noted: your ISP is definitely performing NAT and you can’t get any port forwarded from internet to your LAN without talking to your ISP.

Re firewall: doesn’t matter if you did factory reset a few weeks ago, currently you don’t have any firewall … and IMHO there should be one, hence my recommendation. And don’t remove it, default firewall rules automatically take NAT rules into account hence default firewall filter rules are not reason for port forwarding to not work.
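The comparison the replies above walk through (the address on ether1 versus the address a what-is-my-IP site reports) as an added example that is not part of the original thread. The sample addresses are constructed; the 100.64.0.0/10 range (RFC 6598 shared address space) is checked separately because it is not one of the familiar 10.x / 172.16.x / 192.168.x private ranges and is easy to mistake for a public address.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify_wan(wan_ip):
    """Classify the address the router holds on its WAN interface."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public" if ip.is_global else "special"

def inbound_reachable(wan_ip, seen_public_ip):
    """Return (ok, reason): can a dst-nat rule on this router ever see the traffic?"""
    kind = classify_wan(wan_ip)
    if kind != "public":
        return False, (f"WAN address is {kind}: the ISP translates it, "
                       "so the forward has to exist on the ISP side as well")
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(seen_public_ip):
        return False, ("WAN address differs from the address the internet sees: "
                       "something upstream is doing NAT")
    return True, "WAN address is the public address: a dst-nat rule here can work"

if __name__ == "__main__":
    # Constructed sample pairs: (address on ether1, address a what-is-my-IP site shows).
    samples = [
        ("192.168.1.2", "46.81.10.20"),
        ("100.64.12.7", "46.81.10.20"),
        ("46.81.10.20", "46.81.10.20"),
    ]
    for wan, seen in samples:
        ok, reason = inbound_reachable(wan, seen)
        print(f"{wan:>14} vs {seen:<14} -> {'OK' if ok else 'NO'}: {reason}")
```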

So, basically I have to contact my ISP for them to forward a port to my router?