I have a MikroTik hAP lite and has a PPPOE connection. I then have a non-Mikrotik secondary router which I use as an extender. I connect my secondary router via LAN. When I attempt to port forward I come across a problem, I am not sure what to select as my interface? I have options such as PPPoE-out1, bridge1, ether2(which is connected to the second router) and ether1(which is the ethernet/WAN port), and I have tried all of them and none of them work. I am quite new to MikroTik so any help would be appreciated.
If your Mikrotik is configured properly and according to default configuration policy, you should select in-interface-list=WAN as criterion in NAT configuration.
You can verify if the interface list selection is right for you if you check (existing) NAT rule for outgoing traffic … default is chain=srcnat action=masquerade out-interface-list=WAN … your port-forwarding rule should then be something like chain=dstnat action=dst-nat in-interface-list=WAN (and the rest of relevant settings, such as protocol= dst-port=<port you’re exposing to public> to-addresses= to-ports=) …
If you don’t succeed in making port forwarding work, post config of your RB (execute /export hide-sensitive and copy-paste output) so we can see what’s missing.
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=steynvaardh61
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=profile1
supplicant-identity=“”
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=
profile1 ssid=“61 Home WI-FI” wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 disabled=yes interface=ether1
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=192.168.0.1/8 interface=ether2 network=192.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.0.0.0/8 gateway=192.168.0.1 netmask=8
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip dns
set servers=8.8.4.4
/ip firewall filter
add action=accept chain=forward connection-state=established,related
disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=60209 protocol=udp to-addresses=
192.168.0.101 to-ports=60209
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=steynvaardh61
The only option for In Interface List is “all”.
I have no idea what this accomplishes.
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=192.168.0.1/8 interface=ether2 network=192.0.0.0
I feel like a pretzel trying to wrap my brain around it.
But in any case your are half and half in two camps. what is in charge here the bridge or ether 2 LOL.
ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
add address=192.168.0.1/24 interface**=ether2 n**etwork=192.168.0.0
But the biggest issue for me is a complete lack of firewall rules.
Pull this router off internet immediately… you have no protection.
You have removed all the default firewall rules that will help your connectivity issues and provide security!!!
I live in an estate and everyone’s routers are managed by the estate and these are the setting they left on it when they installed it. So should I disable bridge1 and try to use wlan1 when setting up my NAT rules?
As @anav noticed … if shown config is full config, then your router is vulnerable like hell. If that’s so, take device off the net and netinstall it. Even if it’s not, reset unit to factory default settings and configure it from defaults. Only change and/or add minimum what’s needed and be sure it’s done. This one is not:
add address=192.168.0.1/8 interface=ether2 network=192.0.0.0
There are legitimate WAN IP addresses in this IP range which you’re shadowing for your clients. The private address range is 192.168.0.0/16 …
If you can’t change configuration or you don’t want to, you still have to fix NAT rules. First one is too generic and you can disable/remove it. Second one takes care of you connecting to internet and should be just fine. The third one is, I presume, your try to do port forwarding. And should actually work. You can add log=yes and check, if it gets triggered at all when somebody (you or your friends) tries to connect to forwarded port. Check logs for that. And, of course, be sure you actually use UDP (and not TCP) … Personally, I would add in-interface=pppoe-out1, as it is now it also affect outgoing connections to that same port (no selection is done on DST IP address).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=60209 protocol=udp to-addresses=192.168.0.101 to-ports=60209 log=yes
Thanks, but I don’t think I am allowed to really reset the router completely as it is owned by the estate and I have only gotten admin access due to special request.
NO - this would make the router inaccessible for you, wlan1 is a member port of the bridge, so by disabling the bridge you’d lock yourself out from the device.
As you consider port forwarding, I guess you are getting a public address to WAN (PPPoE via ether1), is that true? If so,
Step 1: remove the address with mask /8 attached to the bridge
Step 2: make the owner of the estate fire the IT guy for the mess in this and, more important, in the firewall settings. Effectively, there is no firewall at all - there may be one at some other router between your apartment’s one and the internet, but looking at the configuration you’ve exported, I guess there is not; even if it was, it wouldn’t be sufficient because your neigbours may run infected devices. This is understandable to happen with home users, but unacceptable for a professional.
Step 3: (as you’ve stated, not possible for you but really necessary to have some security): netinstall the device with the current long-term RouterOS release, because without the firewall, it is well possible that some malware has already squatted there, then use QuickSet to define the “home AP” with “PPPoE Internet”. Once done, don’t use QuickSet any more, and come back for further advice regarding the port forwarding setup.
Just out of curiosity, what RouterOS version is currently running on the device?
Thank you, I’ll let you know if I get it working.
Im running v6.38.3 and I have my PPPoE via ether1 yes.
Hmm… that’s WAY outdated, many vulnerabilities have been discovered and patched since then. The IT guy really takes it easy there.
OK, if your own router is secured enough, you may think you are safe yourself (against some types of attacks, other types come through e-mails and visited web pages and the firewall cannot address these), but an infected device (like the Mikrotik in question) can be an active zombie in a botnet so your public IP may get blacklisted somewhere.
If @mkx’s advice eventually seems not to work, chances are that there is some firewall between the Mikrotik and the internet after all, and it is blocking incoming connections to the port you try to forward. Which would kind of indicate that the IT guy did think about security at least a bit, but it would also make your goal harder to reach.
The port forwarding hasn’t worked and I am aware that there is a different Mikrotik “server” or “router” that all of the resident’s router’s pass through and it might first have to be forwarded on the IT guys side before mine can work which is a real bummer. The IT guys Mikrotik is on v3.35.? which is even more outdated.
BTW, since you’ve now got the PPPoE username and password, you should be able to connect your own router instead of the estate’s Mikrotik.
Which doesn’t help much if the central router is filtering incoming connections.
There are two drawbacks of a centralized firewall:
- if done properly, it prevents tenants from communicating to each other (you cannot distinguish “good” from “evil” traffic among tenants, so you have to block the good one along with the evil one)
- all the CPU load is on the central router while the tenants’ ones relax
The plus is that if you ban all traffic among tenants, you can deem the tenants’ routers reasonably safe from attacks and only care about security on the central device.
Unfortunately, it still does not work, I know there is a MikroTik router that everyone on the estate router’s has to pass through so I assume it has to be port forwarded on there before the forwarding will work on mine, I appreciate the help though.
I have actually tried this but my second router has a terrible interface and it is very simplified in the settings. But I have followed tutorials exactly and it does not work, so I believe it might be the estates Mikrotik which is not allowing my forwarding.
What you can do to be really sure is to open a command line window on the 'Tik, make it as wide as your screen allows, run /tool sniffer quick interface=pppoe-out1 port=60209 in it and try to access the port from outside. If you can see incoming traffic, there is an issue with the settings at your end; if you can see nothing, the access to the port is blocked before your 'Tik. Just to make sure, your WAN address on the 'Tik is definitely a public one? No 10.x.x.x, no 172.16-31.x.x, no 192.168.x.x, no 100.64-127.x.x?
Other than that, what kind of service you want to port-forward as you forward a UDP port?
Where do I find my WAN address? Is it the “IP Address” located in the QuickSet? Because the one located there is 10.0.xxx.xx. I’m trying to get Teredo to work.
I think I’m receiving incoming traffic, the arrow indicates it I assume?
/ip address print where interface=pppoe-out1. If it returns a 10.0.x.x, there may be a 1:1 NAT from the public IP to the private one.
The arrow and the source and destination MAC and IP addresses. I don’t know what you can see there so I cannot be more specific.
It has returned with 10.0.x.x, what does it mean for it to have a 1:1 NAT, anything I can do?
Yes, the port is receiving incoming traffic.