Minecraft server not accessible from WAN

RouterOS Beginner Basics
1

Good day.

I am trying to port forward port 25565 to my internal IP address in order to be able to host a minecraft server for my friends via WAN. I have set up the nat rule /ip firewall nat add chain=dstnat protocol=tcp dst-address= dst-port=25565 action=dst-nat to-address= to-ports=25565.

The server works locally but not via WAN. Interestingly the error message my friends receive is “Connection refused: no further information” as opposed to “Connection timed out”.

When checking ports online via https://www.yougetsignal.com/tools/open-ports/, port 25565 displays as closed. But after reading some of the other forum posts pertaining to port forwarding for minecraft, some users suggested that dst-nat rules will show their ports as closed. In any case, so far I have been unsuccessful in solving this problem myself.

Any help would be appreciated!

Edit: Added my config file
mikrotikconfig.rsc (4.5 KB)

2

FIRST ISSUE… where are your firewall rules
Your router is not safe connected to the internet.
Please install these…

ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input in-interface-list=lan
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked”
connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“Allow internet traffic outbound” in-interface-list=lan out-interface-list=WAN
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat
connection-state=new in-interface-list=WAN
add action=drop chain=forward


(1) From current interface list members to…
/interface list member
add interface=PrivateBR list=lan
add interface=ether1 list=WAN
add interface=PPPOE-InternetConnection list=WAN

(2) This is garbage remove!!
add action=accept chain=forward dst-address=1xx.1xx.xx.1xx dst-port=25565
protocol=tcp

(3) Get rid of all RAW RULES, not required.
or at least DISABLE until we get the config working…

(4) DISABLE IP Service telnet its not a safe protocol to use to access the router (plain text).

(5) Source nat rule incomplete modify to.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(6) Required Destination NAT rule (which is now supported by the new firewall rules)
add action=dst-nat chain=dstnat dst-port=25565 protocol=tcp in-interface-list=WAN
to-addresses=192.168.1.150

I note that you have put in what look like public IPs on your config which you should not if indeed public!! (the bad forward rule in (2) and your dstnat rule ??)

Is the WANIP you get actually fixed static, or dynamic (will change)??
If dynamic then you can use the rule I have above, if its static your dst nat rule is okay (just put in fake numbers if they are not already).

3

Hi, thanks for the quick response!

I’ve taken your suggested actions, the WANIP is not static.

After doing so, however my friends still cannot join, same error.

4

What is the logging saying?
If necessary, add logging to find out if your friend hits the firewall rule.

Have you tested if the port is open?
Are you 100% sure that there is something listening on port 25565?
Have you checked if the port is open from the Internet (with an online tool)?

5

Using a port checking tool shows the port still remains closed.

As far as listening on port 25565 goes, I assume the minecraft server fulfills that criterion?

I wouldn’t know the first step towards logging the firewall rule.

6

No worries, this may take several iterations please post your latest export.

/export hide-sensitive file=anynameyouwish

7

Thanks so much, here is the latest config.
latestcfg.rsc (5.64 KB)

8

That public address of yours, does the router itself have exactly this address, or is it just what some online “show me my address” service showed you?

9

The latter, it’s what shows up when I google “my ip”.

10

And did ISP in any way indicate that you should have public address? Because if they didn’t, it’s very possible that you don’t have any. And if you don’t, there won’t be any incoming connections for you. There will always be some public address involved, but if it’s somewhere on their remote router, with no ports forwarded to you, you can’t do anything with it.

If the router doesn’t have it, it can still be NAT 1:1. If you look at your dstnat rule, does packet counter show anything? If yes, there are some incoming connections. If it’s zero, you’re probably out of luck. One more chance would be if the public address in on some modem you’re connected to. Either you may have access to it, of ISP could enable NAT 1:1 if you ask for it.

11

There are packets showing, albeit only 5.

12

Besides Sobs befuddlement let me add my own.

Very confusing from my vantage point.
I dont understand what PPTP is doing either and why had configured it as the destination address for the minecraft server originally??
What is the purpose of PPTP here??

Why is this still an entry its meaningless
/interface list member
add list=WAN

Assuming ether1 is your wan connection through which the pppoe client comes in on.
what is the purpose of this …
add exclude=dynamic name=list1
add interface=ether1 list=list1

13

I’ve just arrived at my parent’s place after graduating, so I have no idea how this thing was set up.

14

No worries, best bet is to contact the service provider technical support and get them to walk you throught how their internet works and how their internet MODEM device interacts with the Mikrotik etc… They wont know the MT specifics but will know what information they have to give you to put on the mikrotik.

15

If the current dstnat rule (with in-interface-list=WAN) sees any packets, it’s good sign. The counter should increase every time you use the online port tester. You can also enable logging for the rule to see more details. If this is ok, then check target server, make sure its firewall doesn’t block it, i.e. that it allows connections to the port from anywhere, not just from LAN.

@anav: Thank you for expanding my vocabulary, but I’m not sure if I’m entirely happy. :wink:

16

One small correction, if it’s actually PPTP used to access internet, then pptp-out1 would need to be in WAN interface list too. Or you can replace in-interface-list=WAN in dstnat rule with dst-address-type=local.

17

Ahh well thats interesting in which case the proper thing to do would be too simply add
add interface=pptp-out1 list=WAN

It did not occur to that an ISP would require one to be both a PPPOE client and a PPTP client at the same time.

18

My ISP technically isn’t supposed to have given me the password for the router, but I knew the guy who came out to check (small town) and he gave it to me. All I knew was that the ISP couldn’t figure out how to accomplish anything when I logged tickets, so I thought I could sort it out. But I’m not too savvy with mikrotik devices, I’m way out of my depth. I tried
add interface=pptp-out1 list=WAN
But it doesn’t seem to have changed the server or the port tester.

It seems as if the packets for the dst-nat rule do increase when I test the ports.

19

Add this and test it again:

/ip firewall mangle
add chain=forward dst-address=192.168.1.150 protocol=tcp dst-port=25565 action=log log-prefix="to-server"
add chain=forward src-address=192.168.1.150 protocol=tcp src-port=25565 action=log log-prefix="from-server"

If you see packets with prefix to-server logged, it means that dstnat works. Then you should see responses with from-server prefix going back to client’s address.

20

How do I see where the packets are from?