my port forwarding not working

kyled27 · July 13, 2022, 1:06pm

Good day Mikrotik Community,

Hope you are all doing well,

I am trying to move over from a RB951 to a RB3011, I have replicated the settings manually on the new RB3011 and is an exact match to the RB951.

However the Port forwarding is not working on the RB3011 on RouterOS v7.3.1 but it is working on the RB951 on RouterOS 6.47.1

I feel like there is a crucial change between the RouterOS versions that I am missing.

What is strange is this NAT Rule works on both routers:

add action=dst-nat chain=dstnat dst-address=a.b.c.206 in-interface=ether1 protocol=tcp to-addresses=10.0.0.2 to-ports=55756

But this rule only works on RouterOS version 6

add action=dst-nat chain=dstnat dst-address=a.b.c.206 dst-port=3005 in-interface=ether1 protocol=tcp to-addresses=10.0.0.170 to-ports=80

Please see /export configs of the 2 routers below,

# jan/01/2002 05:47:39 by RouterOS 6.47.1
# software id = L0MN-HDQ6
#
# model = 951G-2HnD
# serial number = <CENSORED>
/interface bridge
add admin-mac=E4:8D:8C:8C:43:C8 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.0.0.20-10.0.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=a.b.c.206/29 interface=ether1 network=a.b.c.200
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=a.b.c.206 dst-port=3005 in-interface=ether1 protocol=tcp to-addresses=10.0.0.170 to-ports=80
/ip route
add distance=1 gateway=a.b.c.201
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# jul/13/2022 14:45:33 by RouterOS 7.3.1
# software id = KCSW-U7CS
#
# model = RouterBOARD 3011UiAS
# serial number = <CENSORED>
/interface bridge
add admin-mac=6C:3B:6B:EC:B2:C0 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.20-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=a.b.c.206/29 interface=ether1 network=a.b.c.200
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state= established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=a.b.c.206 in-interface=ether1 protocol=tcp to-addresses=10.0.0.2 to-ports=55756
add action=dst-nat chain=dstnat dst-address=a.b.c.206 dst-port=3005 in-interface=ether1 protocol=tcp to-addresses=10.0.0.170 to-ports=80
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=a.b.c.201
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

BR

Sob · July 13, 2022, 3:06pm

There was no change in port forwarding between v6 and v7. Double check for typos, in v6 config you have dstnat rule for public address starting with 160, but in v7 config it’s 161. Otherwise you have 161 everywhere else. So whether it’s just mistake while masking real addresses or anything else, make sure you have correct numbers.

Btw, your working rule is weird, how is forwarding :<any port> to 10.0.0.170:80 useful?

anav · July 13, 2022, 4:55pm

Furthermore, assuming you have a fixed public IP address (if its a private IP (behind some other device) dont care) you should not publish the actual numbers here so hoping they are made up!

The correct syntax means you should not have any mention of ether1
Fixed/static public IP standard
add action=dst-nat chain=dstnat dst-address=fixed public IP dst-port=xxxx
protocol=tcp to-addresses=local_server-ip to-ports=yy { to ports only required if different from dst-ports }

By the way are you asking users on the LAN to access the server via the WANIP or the direct LANIP?

rextended · July 13, 2022, 5:47pm

@Sob, you are rigth, the user use a fake IP changing only one number (literally…) but forget to change all inside the exports, now I censore that…

rextended · July 13, 2022, 5:56pm

@kyled27 you do not notice that the rules are different???
On the “old” “working” RouterBOARD the useless rule is not present.

# model = 951G-2HnD
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=a.b.c.206 dst-port=3005 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.170 to-ports=80

# model = RouterBOARD 3011UiAS
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=a.b.c.206 in-interface=ether1 protocol=tcp to-addresses=10.0.0.2 to-ports=55756
add action=dst-nat chain=dstnat dst-address=a.b.c.206 dst-port=3005 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.170 to-ports=80

The extra rule redirect all TCP traffic coming from ether1, destinated to a.b.c.206, regardless the port, to 10.0.0.2 port 55756
Is logic that the subsequent rule do not work…

Sob · July 13, 2022, 6:06pm

Ooops, I got distracted by the nonsense rule and missed that it’s before the other one and blocks it.

anav · July 13, 2022, 6:56pm

Well he drinks better wine that you or I, so its bound to pay off sooner or later.

rextended · July 13, 2022, 7:23pm

Yes, but I love also rum&syrup…

anav · July 13, 2022, 7:25pm

Rum and maple syrup? Odd concoction LOL.
Maybe I will have to try it. With bacon of course!!

kyled27 · July 15, 2022, 6:40am

Thank you all for the assistance,

Specifying the dst port for the first rule fixed the issue for me,

You are all legends, Have a great weekend,

Best Regards