Issue with port-forwarding

I am trying to set up port forwarding for Killing Floor.
I followed this guide to set up ports, but when I attempt to check them using http://ping.eu/port-chk/, it says port closed for either of them.

The rule for one of the port ranges looks like this:

Ping checker returns closed regardless of whether I put my public DHCP IP address into the destination field or not. What am I doing wrong?

In dst address you must put 192.168.88.1
In to address you cannot put the router IP 192.168.88.1, but the IP of the PC.

What do you mean? How do I find the IP of the PC? On my previous router, it allowed me to set the number for each PC, for example PC with #10 would have internal IP 192.168.0.10 and so on. But this MikroTik, I can’t figure out how to set to do the same. And the “IP” I have for my PC right now is 192.168.88.1/21 which is not something I can enter, it says “Expected IP address”.

Edit:
Ok I went into neighbours setting and the only LAN one was with the number 254 at the end, I assumed that was the PC I have connected to the router on which I am trying to host Killing Floor, so I put that into forward address and 192.168.88.1 into the Dst. Address like you said, and it still reports as being closed.

Another edit:
Also what I noticed is while all ports report closed, those configured under TCP protocol do receive the packet. The service still reports them as closed, but the Bytes and Packet counters go up every check. The UDP don’t even seem to receive the packets, although it might be because of the actual port checking service.

Try this:

/ip firewall nat add chain=dstnat protocol=udp dst-port=7707-7717 in-interface=(interface of internet) action=dst-nat to-addresses=(IP address of server) to-ports=7707-7717

Then check the log to see if the firewall is not dropping the traffic.

You are telling me to do the exact same thing through the terminal that I just spent the whole day doing via GUI and which didn’t work, which is why I made this thread.
As far as log goes, no there is nothing about NAT in there, it does not even log when it receives a packet, like what happens on TCP ports.

You can check what IP the router has given to your PC by going to DHCP Server → Leases
And then adjust the rule accordingly:

to-addresses=(IP address of server)

This should be the IP of the PC, for example 192.168.88.254, and not 192.168.88.1.

To make sure that the DHCP server will always give the same IP to that PC you can click on the lease and press “Make Static”, that way the IP will be reserved for this PC.

Yes I did just that. My PC address is 254 and I made it static so it doesn’t change at some point. Still doesn’t work. The port checkers report the ports as closed.
My settings for NAT look like this:

And the forward address is now for my PC: 192.168.88.254. I tried putting the LAN IP (192.168.88.1) into the Dst. Address like rextended advised, but if I did that even the TCP packet counts stopped going up so switched it back to the public IP. Oh and: no, my Windows Firewall is turned off, and Avast does not block any ports.

Put that port checker…

UDP does not establish a connection between two devices.
You cannot see any port open, only using UDP.

You must use one CLIENT of the game to see a packet reply.

The software replies only to packets containing “game” data, the others are discarded.

/ip firewall nat
add chain=dstnat protocol=udp dst-address=91.156.57.138 dst-port=7707-7717 action=dst-nat to-addresses=192.168.88.254 to-ports=7707-7717

Now I see other ports on your rules.

Are you sure that the online port scanner you are using can check UDP ports?

I just wrote that, only expected traffic gets a “reply”.
There can’t exist one generic UDP port scanner…

Fair enough, I suspected that it was something to do with the UDP and the port checkers, but the problem is still there, I can not get ANY port checkers to show that the ports are open for any of those rules I have tried
http://www.portcheckers.com/
http://ping.eu/port-chk/
http://www.canyouseeme.org/

Neither of them show any ports are open, both UDP AND TCP.
The settings are exactly like rextended posted. dst-nat on my public IP, forwarded to my PC. I checked all Avast Firewall logs, and it doesn’t block anything.

BTW the last one, if I check port 8075 which is TCP it will say “Connection refused” for some reason.

Edit:
I went to the UDP port scanner and checked 7707-7717 range there and it told me that the host at my public IP (I assume this is the router?) is down. WTF…

Edit (again, just trying to help understand what’s happening):
I added a log rule to one of the ports (8075, just copied the forwarding rule and changed action to log), and it posted this in log:

Nothing else logged about this. Dunno if it will help, but there you go. It’s from the http://www.canyouseeme.org/ port checker. The one that says “Connection refused”.

So um no one knows what’s wrong? I still have no idea how to forward with this router…

In your very first post you had it right.

Just make the 192.168.88.1 to 192.168.88.254 (you said that’s the IP of the server hosting Killing Floor)

But that is local network IP, how could I create rule by that if whatever services I am trying to forward for don’t even see this address?

DNAT will do that for you. The dst-address is the address to which you want to forward incoming traffic.

Disable all DROP rules under the firewall “Filter Rules” and test again. Don’t forget to re-enable afterwards.

Well I did that and it doesn’t work again. Also I tried entering my local PC IP with this port in the browser and it said Connection refused. That with Windows Firewall off and Avast Firewall not logging any blocked traffic. What might be going on?

I’d say that at some point you had it correct, at least part of it.

For example, one of the rules:

Chain: dstnat
Dst. Address: 91.156.57.138
Protocol: tcp
Dst. Port: 8075
Action: dst-nat
To Addresses: 192.168.88.254
To Ports: 8075 (or nothing, you can leave it out if you just want to keep Dst.Port)

The packet counter for this rule should increase, when you try the port testers. It still doesn’t mean that it must work, because the packets can be stopped later by some filter rule (check Filter Rules tab). Make sure that you accept packets matching the following:

Dst. Address: 192.168.88.254
Protocol: tcp
Dst. Port: 8075

Use of logging rules is always a good idea if you want to be sure what’s going on. And of course you must have the server software running, if you want the port to show as open.
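Added example, not part of any post in this thread: a small TCP probe that separates "refused" (a reset came back, so the packet reached a host where nothing accepts that port) from "filtered" (no answer at all), which the online checkers lump together as "closed". `probe_tcp` and `diagnose` are hypothetical helper names; run the probe once on the LAN against the server (192.168.88.254 in this thread) and once from outside against the public address, then combine the two results.

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # handshake completed: something is listening
    except ConnectionRefusedError:
        return "refused"        # RST came back: reachable, but nothing accepts the port
    except OSError:
        return "filtered"       # timeout or unreachable: dropped on the way

def diagnose(lan, wan):
    """Combine the LAN-side result with the outside result (hypothetical helper).

    lan: probe_tcp() run from another LAN machine against the server's LAN IP
    wan: probe_tcp() run from outside the network against the public IP
    """
    if lan == "refused":
        return "server: nothing is listening on this TCP port, no NAT rule can fix that"
    if lan == "filtered":
        return "server: host unreachable or a host firewall is dropping the connection"
    if wan == "open":
        return "ok: the port forward works"
    if wan == "refused":
        return ("router: a reset was sent before the packet reached the server "
                "(dst-nat rule not matching, or a reject rule)")
    return "router/ISP: the packet was dropped before it reached the server"
```

A "refused" result on the LAN side means the forwarding rules are not the first thing to fix: the server program is not accepting TCP connections on that port at all.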

The connection is definitely getting rejected somewhere, I have these settings set correctly as I understand now, it just gets refused for some reason anyway. And no logs say anything. I haven’t changed any filter rules or anything like that. I had the default configuration and went to forward ports straight away. Avast Firewall also doesn’t show anything blocked. It does say that Windows Firewall “Domain Profile” is on, despite the firewall being off. I have no idea what this Domain profile is and how to turn it off, could it be blocking the connection?

Also could it have anything to do with the fact that I am using DHCP instead of a static IP? The IP is not changing for now, so I assumed it should not make a difference, but maybe there’s something else there. I don’t know much about network configuration, I am oblivious to many of the places where the packet could be refused. But the NAT is configured correctly, KF is running when I am checking and Windows Firewall is off, with Avast being configured to let the packets on those ports through.

You must go step by step and make sure that something is correct, before moving on to next thing. I’d start at the router.

As a minimal config, you have outgoing NAT:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Internet

Then you need port forwarding rule. This one will work even with WAN IP from DHCP (assuming it’s public and not filtered by ISP in any way). Server’s LAN IP (192.168.88.254) should be either set in router’s DHCP server as static lease or it can be set static on server.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8075 protocol=tcp to-addresses=192.168.88.254

If there are no other rules (especially filter ones), this will forward the port. To help with debugging, add following rules:
/ip firewall filter
add action=log chain=forward connection-state=new dst-port=8075 log-prefix="step2, forwarding" protocol=tcp
/ip firewall mangle
add action=log chain=prerouting connection-state=new dst-port=8075 log-prefix="step1, incoming" protocol=tcp
add action=log chain=postrouting connection-state=new dst-port=8075 log-prefix="step3, forwarded" protocol=tcp

If you connect from outside to :8075, you must see all three steps logged. If you do, connection was successfully forwarded and your problem is not on the router.
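
Added example, not part of the post above: a script that reads exported router log lines and reports, per outside client, the furthest of the three logging steps its connection reached. The three prefixes come from the rules above; the sample lines are constructed and their layout is an assumption modelled on RouterOS firewall log entries, and the verdict texts assume the forward log rule sits ahead of any rule that drops the packet.

```python
import re
from collections import defaultdict

# Log prefixes set by the three debugging rules, in packet-flow order.
STEPS = ("step1, incoming", "step2, forwarding", "step3, forwarded")
SRC = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)->")  # client ip:port before "->"

VERDICT = {
    1: "seen in prerouting only: not forwarded (dst-nat did not match) "
       "or dropped before the forward log rule",
    2: "logged in forward but not in postrouting: dropped by a later filter rule",
    3: "forwarded to the server: the router is not the problem",
}

def furthest_step(lines):
    """Map each client ip:port to the highest step (1-3) its connection reached."""
    reached = defaultdict(int)
    for line in lines:
        m = SRC.search(line)
        if not m:
            continue
        for n, prefix in enumerate(STEPS, start=1):
            if prefix in line:
                reached[m.group(1)] = max(reached[m.group(1)], n)
    return dict(reached)

def report(lines):
    """Return a verdict string for every client seen in the log lines."""
    return {src: VERDICT[n] for src, n in furthest_step(lines).items()}

# Constructed sample lines (client addresses are documentation ranges).
SAMPLE = [
    "firewall,info step1, incoming prerouting: in:Internet out:(none), "
    "proto TCP (SYN), 198.51.100.7:51234->91.156.57.138:8075, len 52",
    "firewall,info step2, forwarding forward: in:Internet out:bridge, "
    "proto TCP (SYN), 198.51.100.7:51234->192.168.88.254:8075, len 52",
    "firewall,info step3, forwarded postrouting: in:(none) out:bridge, "
    "proto TCP (SYN), 198.51.100.7:51234->192.168.88.254:8075, len 52",
    "firewall,info step1, incoming prerouting: in:Internet out:(none), "
    "proto TCP (SYN), 203.0.113.9:40000->91.156.57.138:8075, len 52",
]

if __name__ == "__main__":
    for src, verdict in report(SAMPLE).items():
        print(src, "->", verdict)
```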