LTE E3372 Static IP + Mikrotik Hap Ac2 (Need help, cannot open nat)

THE PROBLEM IS SOLVED! SEE THIS ANSWER -LTE E3372 Static IP + Mikrotik Hap Ac2 (Need help, cannot open nat) - Beginner Basics - MikroTik community forum

Hello!
I have an E3372h LTE modem with a static (fixed) IPv4 address: 31.173.xx.xxx

E3372h settings:

  • DHCP off
  • DMZ on 192.168.8.100
  • Firmware: Hilink

When I connect the modem directly to the PC, then all the ports are open for me. And so in the game I get OPEN NAT.
Windows connection settings when directly connected to the E3372:
IPv4: 192.168.8.100
Gateway: 192.168.8.1

BUT! I cannot get Open Nat when connected PC -> Mikrotik -> LTE MODEM

My mikrotik settings:
my PC ip: 10.0.0.200 (leases from dhcp mikrotik server)
Mikrotik settings:

# aug/24/2020 15:51:14 by RouterOS 7.1beta2
# software id = L3R8-8803
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXX

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface lte
set [ find ] name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ip vrf
add list=all name=main
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=192.168.8.100/24 interface=lte1 network=192.168.8.0
/ip dhcp-server lease
add address=10.0.0.200 client-id=1:9a:da:8e:a2:fa:2e mac-address=\
    9A:DA:8E:A2:FA:2E server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=192.168.8.1
/ip firewall mangle
add action=log chain=prerouting dst-port=3478,4379,4380 protocol=udp
add action=log chain=postrouting dst-port=3478,4379,4380 protocol=udp
add action=log chain=postrouting dst-port=3074 protocol=udp
add action=log chain=prerouting dst-port=3074 protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3074 protocol=tcp src-port="" \
    to-addresses=10.0.0.200 to-ports=3074
add action=netmap chain=dstnat dst-port=27014-27050 protocol=tcp \
    to-addresses=10.0.0.200 to-ports=27014-27050
add action=dst-nat chain=dstnat dst-port=3074 protocol=udp to-addresses=\
    10.0.0.200 to-ports=3074
add action=netmap chain=dstnat dst-port=3478 protocol=udp to-addresses=\
    10.0.0.200 to-ports=3478
add action=netmap chain=dstnat dst-port=4379-4380 protocol=udp to-addresses=\
    10.0.0.200 to-ports=4379-4380
add action=netmap chain=dstnat dst-port=27000-27031 protocol=udp \
    to-addresses=10.0.0.200 to-ports=27000-27031
add action=netmap chain=dstnat dst-port=27036 protocol=udp to-addresses=\
    10.0.0.200 to-ports=27036
add action=masquerade chain=srcnat out-interface=lte1
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" scope=30 \
    target-scope=10 type=unicast
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set cpu-frequency=auto


Results:
The game cannot connect to servers :(
And, for example, I got ERR_CONNECTION_TIMED_OUT when trying to open http://portquiz.net:3074/ or http://portquiz.net:27014/

Game Ports:
TCP -> 3074, 27014-27050
UDP -> 3074, 3478, 4379-4380, 27000-27031, 27036

P.S.
Why do I use DMZ on the E3372? I want to control my port forwarding only on the Mikrotik, without double NAT.

You have double NAT now, if RB’s lte1 interface has 192.168.8.100 and not 31.173.xx.xxx. But it’s not necessarily a big problem if the modem forwards everything to 192.168.8.100.

The problem is your dstnat rules. Take the first one for example:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3074 protocol=tcp src-port="" \
to-addresses=10.0.0.200 to-ports=3074

It tells the router to forward connections that are going to TCP port 3074 to 10.0.0.200:3074. It doesn’t say anything about the original destination, so it will take all, incoming, outgoing, everything. The easiest way to fix it is to add dst-address-type=local.



I did it like this, it seems to work. Is this the right decision?

/ip firewall nat
add action=dst-nat chain=dstnat comment=COD dst-port=3074 in-interface=\
    lte1 protocol=tcp to-addresses=10.0.0.200 to-ports=3074

It’s ok, as long as you don’t need to connect to your own public address (and forwarded ports) from LAN.
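
An added illustration, not part of the thread and not RouterOS code: a small Python model of the three dstnat matchers discussed above (the original rule, dst-address-type=local, in-interface=lte1), showing which packets each one rewrites. It assumes the modem's DMZ delivers inbound traffic addressed to 192.168.8.100, uses the router's own lte1 address to stand in for the forwarded address in the LAN case, and the packet samples and 203.0.113.10 are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses assigned to the router itself, from the posted /ip address export.
ROUTER_LOCAL = {"10.0.0.1", "192.168.8.100"}

@dataclass(frozen=True)
class Packet:
    in_interface: str  # interface the packet arrived on
    dst_address: str
    dst_port: int
    protocol: str

@dataclass(frozen=True)
class DstNatRule:
    protocol: str
    dst_port: int
    to_address: str
    in_interface: Optional[str] = None      # models in-interface=
    dst_address_type: Optional[str] = None  # models dst-address-type= (only "local")

    def matches(self, p: Packet) -> bool:
        return ((p.protocol, p.dst_port) == (self.protocol, self.dst_port)
                and self.in_interface in (None, p.in_interface)
                and (self.dst_address_type != "local" or p.dst_address in ROUTER_LOCAL))

def final_destination(rule: DstNatRule, p: Packet) -> str:
    """Destination address after the dstnat chain (unchanged if no match)."""
    return rule.to_address if rule.matches(p) else p.dst_address

RULES = {
    "original": DstNatRule("tcp", 3074, "10.0.0.200"),
    "dst-address-type=local": DstNatRule("tcp", 3074, "10.0.0.200", dst_address_type="local"),
    "in-interface=lte1": DstNatRule("tcp", 3074, "10.0.0.200", in_interface="lte1"),
}

# Constructed sample packets; 203.0.113.10 stands in for an Internet host.
PACKETS = {
    "inbound via modem DMZ": Packet("lte1", "192.168.8.100", 3074, "tcp"),
    "LAN PC to Internet host": Packet("bridge1", "203.0.113.10", 3074, "tcp"),
    "LAN PC to router lte1 address": Packet("bridge1", "192.168.8.100", 3074, "tcp"),
}

def table() -> dict:
    return {(r, n): final_destination(rule, p)
            for r, rule in RULES.items() for n, p in PACKETS.items()}

if __name__ == "__main__":
    for (r, n), dst in table().items():
        print(f"{r:24} {n:30} -> {dst}")
```

The "original" row for the LAN-to-Internet packet shows outgoing connections to port 3074 being redirected back to 10.0.0.200, which is the behaviour the answer describes; the last packet shows the difference between the two fixes for connections from the LAN.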

My LTE just says down up down up down up

Hi, I had the same problem before :) Updating the firmware to 7.1beta2 solved the problem, BUT if this does not help, you will need additional power to the modem.

https://mikrotik.com/product/5VUSB

Ah ok thank you, beta needed. People are saying beta fixed the loop that’s good.

Boo I guess I need that special cable. I am using this:

https://www.amazon.co.uk/gp/product/B07M83762Y