Local Port definition and Port Forwarding

Hi there,

I recently purchased an RB2011UiAS-2HnD-IN, updated it to the current firmware release v6.46.6, added all fixed leases and configured the ports, but as far as I can see it is not working nearly as well as my old Cisco Linksys with DD-WRT on it.

With the MikroTik, RDP connections are slower: it takes about 3-5 s longer until the connection is established.
I can’t use local ports transparently, etc…

If I put the Cisco Linksys router back, everything flies again without any latency or port-related issues.
(Note: Used the same settings scheme from my old Linksys to config MikroTik)

I admit that it’s my first time in the MikroTik world, but boy, is it really so hard to set it up?! :frowning:

Any suggestions would be highly appreciated,

Kind regards,
Viktor

Post the output of “/export hide-sensitive” between code tags, i.e.


/export hide-sensitive file=anynameyouwish

Sorry for the delayed reply; I forgot to subscribe to my own post and did not get notified.

And thank you for your support!

# jun/04/2020 21:17:38 by RouterOS 6.46.6
# software id = JE5F-K09Z
#
# model = 2011UiAS-2HnD
# serial number = B9070A937FC8
# Default-config bridge. Every LAN-side port below (ether2..ether10, sfp1,
# wlan1) is a member of it, so "bridge" is the interface the LAN-side
# configuration (DHCP server, LAN interface list, LAN IP address) is expected
# to hang off.
/interface bridge
add admin-mac=74:4D:28:86:91:2B auto-mac=no comment=defconf name=bridge
# ether3..ether10 and sfp1 are administratively disabled here but stay bridge
# members further down; in practice only ether2 and wlan1 carry LAN traffic,
# and ether1 (not disabled, not bridged) is the WAN uplink.
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
# 2.4 GHz AP "Cassini". country=no_country_set with frequency-mode=manual-txpower
# means no regulatory profile is selected -- NOTE(review): set the real country
# so channel/power limits apply.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=Cassini \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# WPA2-PSK on the default profile. No pre-shared key appears in this export --
# either masked by hide-sensitive or unset; verify it is set.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
# Dynamic pool .1-.250 covers every static lease address listed below (the
# router itself sits at .251, outside the pool). The server is expected not to
# hand a statically leased address to another client, but a dynamic range that
# does not overlap the static assignments is easier to reason about.
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.0.250
# DHCP is served on "bridge", i.e. to all LAN ports and wlan1.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Built-in "full" group keeps its complete policy set (including password,
# sensitive, ftp, telnet). Fine for the admin group; do not reuse it for
# service accounts.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
# Neighbor discovery (MNDP/CDP/LLDP) only towards the LAN list, not the WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Interface lists used by the firewall: ether1 = WAN, bridge = LAN. Note that
# only "bridge" is in LAN, not the individual bridge ports.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): the LAN address is bound to ether2, yet ether2 is just one port
# of "bridge", and the DHCP server, the LAN list and neighbor discovery all
# refer to "bridge". Hosts behind the other bridge ports or wlan1 may therefore
# not reach the gateway as expected; the thread below recommends
# interface=bridge (this is the first fix suggested in the replies).
/ip address
add address=192.168.0.251/24 comment=defconf interface=ether2 network=\
    192.168.0.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# Static leases (MAC -> fixed address). "BEIC-LP LAN" overrides the lease time
# to 10m for that host only; the two client-id entries pin by DHCP client-id
# as well as by MAC.
/ip dhcp-server lease
add address=192.168.0.7 address-lists="" comment="BEIC-LP LAN" lease-time=10m \
    mac-address=1C:83:41:09:F3:11 server=defconf
add address=192.168.0.2 client-id=1:90:2b:34:3f:6f:76 comment=AGI-PC \
    mac-address=90:2B:34:3F:6F:76 server=defconf
add address=192.168.0.3 comment=ALEX-PC mac-address=90:2B:34:A2:07:8A server=\
    defconf
add address=192.168.0.1 comment=BEIC-PC mac-address=90:2B:34:74:FE:CE server=\
    defconf
add address=192.168.0.5 comment="BEIC-LP WAN" mac-address=18:3D:A2:2A:86:18 \
    server=defconf
add address=192.168.0.6 comment=PETRA-PC mac-address=90:2B:34:B6:14:01 \
    server=defconf
add address=192.168.0.120 comment=ORANGE-PI-ONE mac-address=5E:21:83:A6:95:7A \
    server=defconf
add address=192.168.0.132 comment=BEIC-SERVER mac-address=B4:2E:99:28:D9:71 \
    server=defconf
add address=192.168.0.112 comment=IOT-EXAMPLER mac-address=A0:20:A6:04:09:10 \
    server=defconf
add address=192.168.0.177 comment=INT-DPC-001 mac-address=DE:AD:BE:EF:FE:ED \
    server=defconf
add address=192.168.0.178 comment=ARDUINO-31 mac-address=74:69:69:2D:30:31 \
    server=defconf
add address=192.168.0.179 comment=ARDUINO-32 mac-address=74:69:69:2D:30:32 \
    server=defconf
add address=192.168.0.243 comment=WD-TV-LIVE mac-address=00:90:A9:93:4B:B0 \
    server=defconf
add address=192.168.0.244 comment=WD-TV-LIVE-2 mac-address=00:90:A9:92:8F:68 \
    server=defconf
add address=192.168.0.150 comment=beicNET-Systems-D01 mac-address=\
    5C:CF:7F:AC:FB:8B server=defconf
add address=192.168.0.242 comment=AnyCast-773BCA mac-address=\
    00:F0:00:40:00:04 server=defconf
add address=192.168.0.245 comment=HPLJ1320NW mac-address=00:11:85:D2:2C:93 \
    server=defconf
add address=192.168.0.131 comment=BEIC-NAS mac-address=00:11:32:9D:64:51 \
    server=defconf
add address=192.168.0.247 comment=VivaxTV mac-address=7C:82:74:37:16:34 \
    server=defconf
add address=192.168.0.81 comment=BEIC-NAS-2 mac-address=30:46:9A:B2:B8:6A \
    server=defconf
add address=192.168.0.246 comment=LGwebOSTV mac-address=14:C9:13:3F:CB:D6 \
    server=defconf
add address=192.168.0.4 client-id=1:ac:d5:64:10:46:eb comment=AGI-LP \
    mac-address=AC:D5:64:10:46:EB server=defconf
# Clients are handed 8.8.8.8/8.8.4.4 directly, so they never query this
# router; the static "router.lan" entry further down is therefore not
# resolvable for LAN hosts. Point dns-server at 192.168.0.251 if that name is
# meant to be usable (this also matters for any name-resolution delay the
# thread discusses).
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.0.251 netmask=24
# The router answers DNS queries from other hosts. It is not an open resolver
# towards the Internet only because the input chain drops everything not
# arriving from the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.251 name=router.lan
# "WAN IP" holds the DDNS hostname (redacted as XXXXXX); RouterOS resolves it
# periodically, and the dst-nat rules below match against the resolved address.
# If the resolved entry lags behind a WAN address change, the port forwards
# stop matching until it catches up.
/ip firewall address-list
add address=XXXXXX comment="DDNS Resolver" list="WAN IP"
# Rule order is significant (first match wins).
# input: accept established/related/untracked, DNS from LAN, ICMP from
#   anywhere, drop invalid, then drop everything not from the LAN list. There is
#   no catch-all drop, so any LAN host may reach any router service; the two
#   "Accept DNS" rules are therefore redundant (and port=53 matches either
#   src or dst port). Management from the WAN side is blocked by the last
#   input rule.
# forward: the defconf fasttrack/accept rules handle established traffic; WAN-
#   originated new connections are admitted only when DST-NATed, so the NAT
#   section below is the complete list of what is exposed to the Internet.
#   The two "DNS Fasttrack" rules carry no connection-state and add nothing the
#   defconf fasttrack rule does not already do; the thread below suggests
#   removing them.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept DNS - TCP" in-interface-list=\
    LAN port=53 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" in-interface-list=\
    LAN port=53 protocol=udp
add action=fasttrack-connection chain=forward comment="DNS Fasttrack - TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="DNS Fasttrack - UDP" \
    dst-port=53 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# srcnat: "HAIRPIN NAT" lets LAN clients reach LAN servers through the WAN
#   address; the dst-address and out-interface-list qualifiers are extra
#   (the thread below suggests dropping them). "defconf: masquerade" is the
#   normal Internet NAT.
# dstnat: exposure inventory published to the Internet via the "WAN IP" list:
#   3260 iSCSI (.81), 4001 Synology GUI and 4006 WebDAV (.131), 8008 HTTP,
#   21 FTP, 3307 MariaDB and 5555 RDP (.132), 21000 and 80 (.150).
#   NOTE(review): FTP carries credentials in cleartext, and a database port,
#   RDP and iSCSI directly reachable from the Internet are high-value
#   brute-force targets. Reaching these over a VPN, or at least limiting
#   src-address and logging the rules, is the usual mitigation.
#   to-ports equal to dst-port is redundant; the last (uncommented) rule for
#   port 80 already omits it.
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    192.168.0.0/24 out-interface-list=LAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" dst-address-list=\
    "WAN IP" dst-port=3260 protocol=tcp to-addresses=192.168.0.81 to-ports=\
    3260
add action=dst-nat chain=dstnat comment="Synology GUI" dst-address-list=\
    "WAN IP" dst-port=4001 protocol=tcp to-addresses=192.168.0.131 to-ports=\
    4001
add action=dst-nat chain=dstnat comment="Synology WebDAV" dst-address-list=\
    "WAN IP" dst-port=4006 protocol=tcp to-addresses=192.168.0.131 to-ports=\
    4006
add action=dst-nat chain=dstnat comment="HTTP Server" dst-address-list=\
    "WAN IP" dst-port=8008 protocol=tcp to-addresses=192.168.0.132 to-ports=\
    8008
add action=dst-nat chain=dstnat comment="FTP Server" dst-address-list=\
    "WAN IP" dst-port=21 protocol=tcp to-addresses=192.168.0.132 to-ports=21
add action=dst-nat chain=dstnat comment="MariaDB Server" dst-address-list=\
    "WAN IP" dst-port=3307 protocol=tcp to-addresses=192.168.0.132 to-ports=\
    3307
add action=dst-nat chain=dstnat comment="RDP Server" dst-address-list=\
    "WAN IP" dst-port=5555 protocol=tcp to-addresses=192.168.0.132 to-ports=\
    5555
add action=dst-nat chain=dstnat comment="Beicnet Systems D1" \
    dst-address-list="WAN IP" dst-port=21000 protocol=tcp to-addresses=\
    192.168.0.150 to-ports=21000
add action=dst-nat chain=dstnat dst-address-list="WAN IP" dst-port=80 \
    protocol=tcp to-addresses=192.168.0.150
# Only non-default service settings are exported: telnet, ftp, api and api-ssl
# are off, and ssh is off as well (its port was moved to 222 but the service is
# disabled). Services not listed here (www, winbox, ...) keep their defaults
# and are reachable from LAN only, courtesy of the input chain above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes port=222
set api disabled=yes
set api-ssl disabled=yes
# SMB share served by the router itself (share "external" on /disk1, guests
# off, one read/write user "service" whose password is not shown -- masked by
# hide-sensitive or unset; verify). LAN-only because of the input chain, but
# it is extra attack surface on the router; disable it if the USB share is
# not in use.
/ip smb
set allow-guests=no domain=BEAG enabled=yes
/ip smb shares
add comment="USB Drive External" directory=/disk1 max-sessions=25 name=\
    external
/ip smb users
add name=service read-only=no
# allow-none-crypto=yes permits SSH sessions that negotiate the "none"
# cipher (no encryption); forwarding-enabled=remote allows remote port
# forwarding. Both are moot while the ssh service is disabled above, but
# revert them before re-enabling ssh.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# Hide the unused ports from the front-panel LCD.
/lcd interface
set sfp1 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name=Prometheus
# Runs the "Dynamic DNS" script every 10 minutes, starting at boot. Its policy
# (read,write,test) matches the script's policy below, as it must.
/system scheduler
add interval=10m name="Refresh DDNS" on-event="Dynamic DNS" policy=\
    read,write,test start-time=startup
# No-IP DDNS updater. Flow: if the WAN interface is running, read its address,
# strip the prefix length, resolve the DDNS host, and call the No-IP update URL
# only when the two differ. Review points:
#  1. The update goes over plain http (url and mode=http) with user=/password=
#     on the fetch command, so the No-IP credentials cross the Internet
#     unencrypted -- use https if the provider supports it.
#  2. dst-path is built from $host, which is never declared; the declared
#     variable is $noiphost. The resulting file name presumably lacks the
#     host part -- TODO confirm and rename.
#  3. Credentials live in cleartext in the script body; the XXXXXX values
#     appear to have been redacted by hand before posting.
#  4. "\3F" is RouterOS' hex escape for "?" inside a string literal (the
#     export doubles the backslash); it is not a typo.
/system script
add dont-require-permissions=no name="Dynamic DNS" owner=admin policy=\
    read,write,test source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup -----\
    -------------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"XXXXXX\"\r\
    \n:local noippass \"XXXXXX\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotat\
    ions below with your host names.\r\
    \n# To specify multiple hosts, separate them with commas.\r\
    \n:local noiphost \"XXXXXX\"\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"ether1\"\r\
    \n\r\
    \n#-----------------------------------------------------------------------\
    -------------\r\
    \n# No more changes need\r\
    \n\r\
    \n#:global previousIP;\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
    \_disabled=no] address];\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={\r\
    \n           :set currentIP [:pick \$currentIP 0 \$i];\r\
    \n       }\r\
    \n   }\r\
    \n\r\
    \n   :local previousIP [:resolve \"\$noiphost\"];\r\
    \n\r\
    \n   :log info \"DNS IP: \$previousIP, interface IP: \$currentIP\";\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n      :log info \"No-IP: Current IP \$currentIP is not equal to previous\
    \_IP \$previousIP, update needed\";\r\
    \n     # :set previousIP \$currentIP;\r\
    \n      :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curre\
    ntIP\";\r\
    \n      :log info \"No-IP: Sending update for \$noiphost\";\r\
    \n      /tool fetch url=(\$url . \"&hostname=\$noiphost\") user=\$noipuser\
    \_password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
    . \".txt\")\r\
    \n      :log info \"No-IP: Host \$noiphost updated on No-IP with IP \$curr\
    entIP\";\r\
    \n      \r\
    \n   } else={\r\
    \n   :log info \"No-IP: Previous IP \$previousIP is equal to current IP, n\
    o update needed\";\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so there\
    fore will not update.\";\r\
    \n}"
# MAC-telnet and MAC-WinBox only from the LAN list, never from the WAN port.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/ip address
add address=192.168.0.251/24 comment=defconf interface=ether2 network=
192.168.0.0

should be
/ip address
add address=192.168.0.251/24 comment=defconf interface=bridge network=
192.168.0.0

I don't think you need these at all (remove):
add action=fasttrack-connection chain=forward comment="DNS Fasttrack - TCP"
dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="DNS Fasttrack - UDP"
dst-port=53 protocol=udp

A bit of extra stuff in your hairpin nat rule… to remove
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=
192.168.0.0/24 out-interface-list=LAN src-address=192.168.0.0/24

Fix above, and answer questions below…

Now, for hairpin NAT to work,
one needs to know whether your WAN IP is static or dynamic,
and one also needs to know which SERVER(s) you specifically want to reach with this functionality.

This will determine the structure of your rules.
If you have a cloud DDNS name from MT, that could also be helpful, or if you have one from a different provider AND you can set a CNAME to point at the MT cloud DDNS name.

Fixed - Merged


Removed - (on some YouTube tutorial it stated that the connections would be highly faster)


Removed LAN - out-interface


I have a dynamic WAN IP address; it gets resolved fine using the script and the address list (I’m using the NO-IP service) rather than MT’s (if that’s not an issue).




p.s. After changes made and reboot, all issues stayed the same…

Hi Beic, nice work!
You have two options for a DYNAMIC WANIP and dstnat rules when working with hairpin NAT; otherwise the following rule would be used.
{no hairpin nat - standard dstnat rule for dynamic wanip}
add chain=dstnat action=dst-nat in-interface-list=WAN
protocol=tcp dst-port=9000 to-address=192.168.88.50

With hairpin nat one has to add the sourcenat rule for both dynamic and static wanips (already done) and special dstnat rules for dynamic wanips.

  1. Use the cloud DDNS service and have more regular looking dstnat rules
  2. Use modified dstnat rules.

To compare here is the format for a fixed WANIP which requires no special changes (they work with or without hairpin nat just fine).
add chain=dstnat action=dst-nat dst-address=FIXED WANIP
protocol=tcp dst-port=9000 to-address=192.168.88.50

However we have to deal with dynamic WANIP.

Method 1:
Use the MT cloud service*** and very slightly alter dstnat rules (works for internal and external users as well).
add action=dst-nat chain=dstnat dst-address-list=cloudDNS
protocol=tcp dst-port=9000 to-addresses=192.168.88.50

Note: To use method 1 -
a. Turn on mikrotik cloud service
b. Go to IP -> Firewall -> Address Lists, create an entry with whatever name you wish, e.g. “cloudDDNS”, and in the address field type the cloud DDNS name of your MikroTik…
This will automatically resolve the name to your Public IP address…

Method 2:
Modify Existing DST nat rules for a dynamic WANIP.
add chain=dstnat action=dst-nat dst-address=**!**192.168.88.1
dst-address-type=local protocol=tcp dst-port=9000 to-address=192.168.88.50

Note: where 192.168.88.1 is the lanip of the subnet, your server AND users are located on..

So, in my case would be?:

192.168.88.1 = 192.168.0.251
192.168.88.50 = External/Public IP Address (WAN IP - Resolved by DDNS?)
Also, what does port 9000 represent?

Thank you for your support!

No, LOL, those were just examples, the numbers not to be taken literally.
192.168.88.50 is the IP address of the server on the LAN in the example (not a legitimate public IP number anyway)
The 9000 port is the port that your server provides to access the server…

Take one of your rules. It's wrong for any setup regardless, with a dst-address list (or at least I have never seen it set up like that).
add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" dst-address-list=
"WAN IP" dst-port=3260 protocol=tcp to-addresses=192.168.0.81 to-ports=
3260

In any case, port 9000 is equivalent to your port 3260; note that to-ports is NOT required if it is the same as dst-port!
Also the ..88.50 is equivalent to your server IP 192.168.0.81

You meant to be like this?!


add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" dst-port=3260 \
    protocol=tcp to-addresses=192.168.0.81 to-ports=3260

This can be reachable from the outside too? (that would be my main goal).

Yes; since you don’t specify an in-interface or dst-address or some other specifier, it should work from outside networks as well.

Thanks, but it still has not solved my big connection latency issue.
e.g. waiting on local network to connect over RDP for like 3-5sec, also can’t use OTA programming for IoT devices anymore, etc…

If you rdp with the local address rather than the domain name do you experience latency?

Yes, I’m talking about local address direct connection (between two computers on a same network range).

So the latency is in the INITIAL RDP setup, right? Not a CONTINUOUS slow/delayed operation during a session?
Smells like something with name resolving causing some initial delay? It would be interesting to look at a packet capture to see the interaction between RDP client and RDP server.

Disagree with my esteemed colleague…
The below is not correct.

add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" dst-port=3260
protocol=tcp to-addresses=192.168.0.81 to-ports=3260


ASSUMING NO HAIRPIN NAT - (hairpin nat only required if you have users on the same lan as the server that need access the server and you want them to use the WANIP address of the router to get them there instead of the direct LANIP)

Correct NORMAL dstnat rules…

DYNAMIC WANIP
add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" in-interface-list=WAN dst-port=3260
protocol=tcp to-addresses=192.168.0.81

FIXED WANIP (static)
add action=dst-nat chain=dstnat comment="BEIC-NAS2 - iSCSI" dst-address=fixedwanip dst-port=3260
protocol=tcp to-addresses=192.168.0.81

If you try to reach the RDP server by local IP and still experience latency, it is not something related to the above configuration. Since the client and server PC are on the same /24 broadcast domain, their IPs are directly connected and the router is not involved in the communication. I notice that you have disabled all ethernet interfaces except ether2 for LAN. Are the computers connected to another switch behind ether2? Are you trying to access it from the wireless interface?

Yes, there are like 4-5 Gigabit Unmanaged Switches, I’m using wired connection.

Apart from the initial DHCP negotiation, the router is not involved in the internal communication of hosts that are directly connected to each other if you use the local IP address. If you use a domain name that is translated to some IP address, public or local, then the delay may be related to name resolving, or to NAT if the name resolves to the public IP rather than the local IP.

OK, then explain this: if I put back the old Linksys WRT54GL router, everything flies like a rocket (I used the same settings to configure this MikroTik device).