aitow3r
January 31, 2013, 10:29am
1
Hi all:
I have a serious problem with my MikroTik RB750. When I create a new firewall filter, I test the port via web and the port is closed. I can't open a port for the MikroTik.
The rules:
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp
Work fine, and the port test result is open ports, but if I add:
add chain=input dst-port=8292 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1724 in-interface=pppoe-out1 protocol=tcp
don't work and the test result is closed ports.
Can anyone help me?
Thanks in advance,
Aitor.
The RB responds on 8291 and 1723 because services run on those ports (8291 = Winbox, 1723 = PPTP).
Ports 8292 and 1724 are closed because the RB doesn't run any services there.
aitow3r
January 31, 2013, 10:42am
3
Thanks TomasKir,
If I add a service on 8292 and 1724, will the RB respond on those ports?
Thanks in advance.
You can change the ports for basic management services in winbox in IP > Services.
But services like PPTP server or L2TP server or IPSec etc, all have fixed ports, because that is how the standards define those services.
(You will need to use NAT if you want to switch those to non-default ports)
aitow3r
January 31, 2013, 11:32am
5
It's OK for me, works fine.
But, if I need to open SIP ports, do I have to change the SIP service ports and then create a NAT rule for 5060-5061?
The input chain is only for traffic that terminates on the router itself.
If you NAT the connection to some device inside of your LAN, you need to use the forward chain in firewall to block/allow it.
The SIP ports are forwarded to a device in my LAN. I added this:
add action=dst-nat chain=dstnat disabled=no dst-port=5060-5061 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.250 to-ports=5060-5061
But it does not work; testing the ports from the internet does not work.
This same rule with port 21 works fine.
Any idea?
Thanks!
Post your "/ip firewall export compact"
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.97 to-ports=21
add action=dst-nat chain=dstnat dst-port=5060-5061 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.250 to-ports=5060-5061
/ip firewall service-port
set ftp ports=221
set sip disabled=yes ports=55060,55061
cupis
January 31, 2013, 10:00pm
10
aitow3r:
The SIP ports are forwarded to a device in my LAN. I added this:
add action=dst-nat chain=dstnat disabled=no dst-port=5060-5061 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.250 to-ports=5060-5061
But it does not work; testing the ports from the internet does not work.
This same rule with port 21 works fine.
Is your SIP server listening on TCP? Can you connect to 192.168.1.250:5060 via TCP locally? Maybe you need UDP to be forwarded?
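Two points in this thread are easy to check mechanically against the posted export: dst-nat'd traffic never enters the input chain (it is decided by the forward chain, which here has no rules and so accepts by default), and the 5060-5061 dst-nat only matches TCP, so a SIP client that signals over UDP 5060 hits the input-chain drop instead. The script below is an added example, not code from the thread or from MikroTik: it parses "/ip firewall export compact" output (the sample is the export posted above, trimmed to the filter and NAT sections) and traces what happens to the first packet of a new connection on each port. The range-to-range port translation is assumed to be 1:1; the parser only understands the matchers that appear in this export.

```python
import re

# Constructed sample: the "/ip firewall export compact" posted in this thread, trimmed to
# the filter and NAT sections (the dst-nat for 5060-5061 is TCP-only, as in the post).
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.97 to-ports=21
add action=dst-nat chain=dstnat dst-port=5060-5061 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.250 to-ports=5060-5061
"""

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Turn export output into {section: [rule dict, ...]}, keeping rule order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('/'):
            current = line
            sections.setdefault(current, [])
        elif line.startswith('add ') and current is not None:
            sections[current].append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return sections


def expand_ports(spec):
    """'21', '23,80' or '5060-5061' -> set of ints."""
    ports = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def matches(rule, port, proto, iface):
    """Would this rule match the FIRST packet of a new connection to port/proto on iface?"""
    if rule.get('disabled') == 'yes':
        return False
    if rule.get('in-interface', iface) != iface:
        return False
    if rule.get('protocol', proto) != proto:
        return False
    if 'dst-port' in rule and port not in expand_ports(rule['dst-port']):
        return False
    # established/related rules never match the opening packet of a new connection
    if rule.get('connection-state') in ('established', 'related'):
        return False
    return True


def translate_port(rule, port):
    """Destination port after dst-nat (assumed 1:1 mapping for equal-sized ranges)."""
    if 'to-ports' not in rule:
        return port
    src, dst = sorted(expand_ports(rule['dst-port'])), sorted(expand_ports(rule['to-ports']))
    return dst[src.index(port)] if len(src) == len(dst) else dst[0]


def trace(sections, port, proto, iface='pppoe-out1'):
    """Describe what the firewall does with a new connection to port/proto arriving on iface."""
    for rule in sections.get('/ip firewall nat', []):
        if rule.get('chain') == 'dstnat' and rule.get('action') == 'dst-nat' and matches(rule, port, proto, iface):
            new_port = translate_port(rule, port)
            # dst-nat'd traffic is routed onward and never enters the input chain;
            # the forward chain (which sees the translated port) decides its fate
            for fw in sections.get('/ip firewall filter', []):
                if fw.get('chain') == 'forward' and matches(fw, new_port, proto, iface):
                    return f"forward-{fw.get('action', 'accept')} -> {rule['to-addresses']}:{new_port}"
            return f"forward-default-accept -> {rule['to-addresses']}:{new_port}"
    for rule in sections.get('/ip firewall filter', []):
        if rule.get('chain') == 'input' and matches(rule, port, proto, iface):
            return f"input-{rule.get('action', 'accept')}"
    return 'input-default-accept'


def sip_ports_missing_udp(sections):
    """SIP signalling ports that are dst-nat'd for TCP only (SIP commonly runs over UDP 5060)."""
    protos = {}
    for rule in sections.get('/ip firewall nat', []):
        if rule.get('action') == 'dst-nat' and rule.get('disabled') != 'yes' and 'dst-port' in rule:
            for p in expand_ports(rule['dst-port']):
                protos.setdefault(p, set()).add(rule.get('protocol', 'any'))
    return sorted(p for p in (5060, 5061) if p in protos and not protos[p] & {'udp', 'any'})


if __name__ == '__main__':
    cfg = parse_export(SAMPLE_EXPORT)
    for port, proto in [(8291, 'tcp'), (8292, 'tcp'), (21, 'tcp'), (5060, 'tcp'), (5060, 'udp')]:
        print(f"{port}/{proto}: {trace(cfg, port, proto)}")
    print('SIP ports forwarded without UDP:', sip_ports_missing_udp(cfg))
```

Run against the sample, 8291/tcp and 8292/tcp both reach the input chain (the first is accepted, the second hits the final drop), 21/tcp and 5060/tcp are dst-nat'd and pass the empty forward chain, while 5060/udp has no NAT rule and is dropped in input; that last case is what a UDP-only SIP test from the internet would see. The trace says nothing about whether a service actually answers on the target, which is why an accepted 8292 still tests as closed.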