Need help for port forward

Hi, I need help with my port forwarding configuration.

I have a router (RB750Gr3) with these connections:
Ethernet 1: INTERNET from an external antenna LHG LTE18 with sim card (public ip).
Ethernet 2: Desktop PC (static IP)
Ethernet 3: Alarm Hub

LHG LTE = eth1 192.168.188.1/24

Router = bridge lan—>192.168.13.1/24

I want to open ports for Ethernet 2 (desktop PC) for gaming.
ports.jpg
and i tried these settings for lte
ports lte.jpg
and these are the firewall rules for lte
firewall rules lte.jpg
thanks :slight_smile:

Just to make sure I am clear on the concept, you have two routers involved. First is your microwave radio LHG and then that is feeding the RB750. That means the forwarded traffic needs to be NATted in both routers. Instead of screen captures (which only give partial information), please export your configuration for BOTH routers.

To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

# LHG LTE18 (upstream router), first export as posted.
# NOTE(review): this is essentially the default configuration with the LAN
# subnet moved to 192.168.188.0/24 and dst-nat rules added.  The "#" lines
# are reviewer annotations, not part of the original export.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# Both profiles carry the same name=Providername; presumably redacted before
# posting -- two profiles cannot share a name on a live device.
add apn=internet ip-type=ipv4 name=Providername
add apn=vpn-internet ip-type=ipv4 name=Providername
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=Providername band=\
    "" network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# Only dhcp_pool3 is referenced by a DHCP server below; default-dhcp and the
# two identical 192.168.0.x pools are unused leftovers.
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool3 ranges=192.168.188.2-192.168.188.254
/ip dhcp-server
# Hands out 192.168.188.x on ether1, i.e. to whatever is plugged into it
# (the HEX's WAN port, per the thread).  The dst-nat rules below target a
# fixed 192.168.188.250, which lies inside this pool, so that lease should be
# pinned (static lease) or the forwards break when the client renews with a
# different address.
add address-pool=dhcp_pool3 interface=ether1 name=dhcp1
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# ether1 (towards the HEX) is the only LAN-list member; lte1 is WAN.  The
# firewall filter below keys on these two lists.
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.188.1/24 interface=ether1 network=192.168.188.0
/ip dhcp-server network
# The 192.168.0.0/24 entry has no matching address or active pool on this
# router -- leftover.
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 \
    gateway=192.168.188.1
/ip dns
# The router answers DNS queries for other hosts.  The input-chain rule
# "drop all not coming from LAN" below is what keeps this resolver from being
# reachable via lte1; if that rule is ever removed, this setting needs revisiting.
set allow-remote-requests=yes
/ip dns static
add address=192.168.188.1 comment=defconf name=router.lan
/ip firewall filter
# Default input chain: from non-LAN interfaces only established/related/
# untracked traffic, ICMP and loopback are accepted; everything else arriving
# on lte1 is dropped by the last input rule.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack is disabled=yes here, so every forwarded packet takes the full
# filter/NAT path (a throughput consideration, not a security one).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections arriving on WAN are forwarded only if a dst-nat rule matched
# them first -- this is what lets the port forwards below through while
# keeping everything else out.  Keep this rule if the filter is ever edited.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# Not a default rule: rewrites the TTL of all non-ICMP packets leaving lte1 to
# 64.  The thread does not say why it is there.
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1 \
    passthrough=yes protocol=!icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards from lte1 to 192.168.188.250 (presumably the HEX's WAN-side
# address, see the DHCP note above).  All of these are TCP 27014-27050 and
# 3074, plus UDP 3478, 27036, 4379-4380 and 27000-27031; there is no UDP 3074
# rule here, although the HEX's later export forwards it.
add action=dst-nat chain=dstnat dst-port=27014-27050 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.188.250 to-ports=27014-27050
add action=dst-nat chain=dstnat dst-port=3074 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.188.250 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3478 in-interface=lte1 protocol=udp \
    to-addresses=192.168.188.250 to-ports=3478
add action=dst-nat chain=dstnat dst-port=27036 in-interface=lte1 protocol=udp \
    to-addresses=192.168.188.250 to-ports=27036
add action=dst-nat chain=dstnat dst-port=4379-4380 in-interface=lte1 \
    protocol=udp to-addresses=192.168.188.250 to-ports=4379-4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=lte1 \
    protocol=udp to-addresses=192.168.188.250 to-ports=27000-27031
/ipv6 firewall address-list
# Default (defconf) list of IPv6 prefixes that should never appear as a source
# or destination on the wire; consumed by the forward-chain drops below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 filter, all rules carry the defconf comment.  Nothing in this
# export assigns an IPv6 address to lte1, so these are only relevant if the
# provider hands one out.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-winbox are limited to the LAN list (ether1 only here).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



# RB750Gr3 "HEX" (downstream router), first export as posted.
# NOTE(review): no /ip firewall filter section appears in this export.  If
# that reflects the device rather than the paste, this router's own services
# and the LAN behind it are protected only by the LHG's filter in front of it;
# once the public IP is moved onto this router (passthrough, discussed later in
# the thread) nothing here filters inbound traffic.  The "#" lines are
# reviewer annotations, not part of the original export.
/interface bridge
add name="bridge lan"
/interface ethernet
set [ find default-name=ether1 ] name="1 - WAN/ISP"
set [ find default-name=ether2 ] name="2 - LAN 1"
set [ find default-name=ether3 ] name="3 - LAN 2"
set [ find default-name=ether4 ] name="4 - LAN 3"
set [ find default-name=ether5 ] name="5 - LAN 4"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only dhcp_pool6 is referenced (see /ip dhcp-server); the other six pools are
# leftovers and can be removed.
add name=dhcp ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool1 ranges=192.168.188.2-192.168.188.254
add name=dhcp_pool2 ranges=192.168.188.2-192.168.188.254
add name=dhcp_pool3 ranges=192.168.188.2-192.168.188.254
add name=dhcp_pool4 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool5 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool6 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface="bridge lan" name=dhcp1
/interface bridge port
# ether2..ether5 are bridged; the WAN port is deliberately not a bridge member.
add bridge="bridge lan" interface="2 - LAN 1"
add bridge="bridge lan" interface="3 - LAN 2"
add bridge="bridge lan" interface="4 - LAN 3"
add bridge="bridge lan" interface="5 - LAN 4"
/interface list member
add interface="1 - WAN/ISP" list=WAN
add interface="bridge lan" list=LAN
/ip address
add address=192.168.13.1/24 interface="bridge lan" network=192.168.13.0
/ip dhcp-client
# WAN address is leased from the LHG.  The LHG's dst-nat rules point at a
# fixed 192.168.188.250, so this lease has to stay stable (static lease on the
# LHG) for the double-NAT forwards to keep working.
add disabled=no interface="1 - WAN/ISP"
/ip dhcp-server network
# The 192.168.0.0/24 and 192.168.188.0/24 entries have no server or pool on
# this router (192.168.188.0/24 is the upstream LHG subnet) -- leftovers.
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.13.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.13.1
add address=192.168.188.0/24 gateway=192.168.188.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
# masquerade with no out-interface(-list) matches every routed connection,
# not only those leaving via WAN; the WAN list defined above is unused here.
# `out-interface-list=WAN` would scope it the way the LHG's rule is scoped.
add action=masquerade chain=srcnat
# Forwards from the WAN port to the desktop at 192.168.13.243.  That address
# lies inside the dhcp_pool6 range (192.168.13.2-254); since the PC is
# described as static, exclude it from the pool or add a static lease so no
# other client is ever handed it.
add action=dst-nat chain=dstnat dst-port=3074 in-interface="1 - WAN/ISP" \
    protocol=tcp to-addresses=192.168.13.243 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27014-27050 in-interface=\
    "1 - WAN/ISP" protocol=tcp to-addresses=192.168.13.243 to-ports=\
    27014-27050
add action=dst-nat chain=dstnat dst-port=3478 in-interface="1 - WAN/ISP" \
    protocol=udp to-addresses=192.168.13.243 to-ports=3478
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=\
    "1 - WAN/ISP" protocol=udp to-addresses=192.168.13.243 to-ports=\
    27000-27031
add action=dst-nat chain=dstnat dst-port=4379-4380 in-interface="1 - WAN/ISP" \
    protocol=udp to-addresses=192.168.13.243 to-ports=4379-4380
add action=dst-nat chain=dstnat dst-port=27036 in-interface="1 - WAN/ISP" \
    protocol=udp to-addresses=192.168.13.243 to-ports=27036
/ip upnp
# UPnP lets any LAN device open its own port forwards on this router.  No
# /ip upnp interfaces entries appear in this export, so which interfaces it
# would act on cannot be told from here; once the public IP terminates on this
# router, leave it disabled unless it is actually needed.
set enabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=Mikrotik

I hope i did it right!!!

Hi

If your mobile provider gives you a public IP and is not using CGNAT, then instead of setting up your system to have a private IP between the LHG and the HEX, you can consider using passthrough, so that the LHG is used only as a modem and the public IP is assigned directly to the WAN interface of the HEX.
In this way you avoid double NAT.

https://help.mikrotik.com/docs/display/ROS/LTE#LTE-PassthroughExample

Otherwise you have to make sure that the firewall on the LHG allows the traffic to be forwarded on to the HEX.

As a reference, here is the passthrough config of my SXT. I removed my data, but you need to replace apn= with the FQDN of your APN.
In my case I’m using a vlan to do passthrough to keep eth1 for management but this is not mandatory and you can use RoMON to connect to LHG.
I prefer a VLAN because this way the SXT can use my HEX-S for internet access, which simplifies upgrading RouterOS instead of having to copy the file manually (I know I’m lazy :slight_smile:).

# Passthrough example from a reply (SXT, not the OP's LHG).  It rewrites the
# default APN profile so the address obtained from the provider is handed to
# the named VLAN interface instead of being terminated on the LTE device.
# apn=apn.com is a placeholder -- per the post, replace it with the provider's
# APN.  The VLAN name is the poster's own; use whichever interface faces the
# downstream router.
/interface lte apn
set [ find default=yes ] apn=apn.com default-route-distance=1 name=\
    myapn passthrough-interface=vlan254-lte-passthrough passthrough-mac=\
    auto use-network-apn=no

If you use passthrough, then you will also have the advantage that the LHG becomes a “dumb” device and you don’t need to manage the firewall on it.
http://forum.mikrotik.com/t/firewall-considerations-with-lte-passthrough-interface/159691/1

Great idea. I don’t use Mikrotik RF devices at all, so did not know they could do that. Learn something new every day.

Yeah, the real concern is whether the OP actually gets a public IP. If so, as stated, forwarding the port from the LTE to the hex WAN IP (the hex’s LAN-side address on the LTE subnet) and then forwarding from the hex to the device will work just fine, but I concur, the sweeter solution is using the hex to terminate the public IP.

First of all, thanks for your help.
Because I want to manage the LHG, could you help me, as I’m a beginner, with how to set up the firewall on the LHG to allow traffic to the HEX?
Thanks!

True, but this is what the OP said in the opening post,

LHG LTE18 with sim card (public ip).

so I’m assuming he knows what he subscribed to… of course, in the case of CGNAT it is different.

But it is always good to challenge :slight_smile:, so geolab87, can you confirm you really have a real public IP assigned to the WAN interface of the LHG?
https://datatracker.ietf.org/doc/html/rfc1918#section-3

And without sarcasm, what is the expected value of managing the LHG as a stand-alone device?
I see your current config is the out-of-the-box one, except that you changed the IP of the default subnet from 192.168.88.0/24 to 192.168.188.0/24 and added the dst-nat rules.

If you really want to keep it as your gateway, then you could consider removing the masquerade on the HEX and keeping the NAT to your provider’s IP only on the LHG.

Or do you have specific reason to leave the double NAT in place?

But is always good to challenge > :slight_smile: > , so geolab87 can you confirm you reall have a real public IP assigned to the WAN interface of the LHG?
https://datatracker.ietf.org/doc/html/rfc1918#section-3

Thanks for your answer,
I made a request to my provider, to activate this apn profile for me.

And withouth sarcarsm, what is the expected value of managing the LHG as stand alone?

Because I’m sharing the antenna with my friend in another apartment and the antenna is on the top of the building. Sometimes, because the provider’s antenna is at a central point, during peak hours I change bands so we can achieve better speeds, so it would be better for me to have access the easy way.

I understand, but I think I confused you, my bad.
When I said that with passthrough you get a “dumb device”, I meant that you don’t have to worry about the firewall and routing, as these are delegated to your main router, but the device remains accessible and you can still manually manage and modify any parameter of the LTE interface.

Just make sure to enable romon or setup a vlan for management before enabling the passthrough.

Thanks Darrio for your help,

First I tried to enable RoMON and then set up a VLAN for management. I enabled passthrough, but I have a problem with the ports. I can’t open them :frowning: When I test the ports on CanYouSeeMe, although it says closed, I do see packets in Winbox, but only on the TCP ports, not on UDP.
And in cmd, I get this result for only one port:
C:\WINDOWS\system32>netstat -an | find “3074”
TCP 192.168.13.243:50404 xxx.xx.xxx.xx:3074 ESTABLISHED
UDP 0.0.0.0:3074 :
It’s the port for Call of Duty, and it opens when I run the game.

Settings for LTE

# LHG, second export (after enabling passthrough and RoMON).
# NOTE(review): unlike the first export there is no /ip firewall filter
# section.  With passthrough the public IP is handed to the HEX, but this
# router's own input chain (Winbox, the DNS resolver enabled below, etc.) is
# now unfiltered on whatever interfaces it has an address on.  If the default
# rules were deleted rather than left out of the paste, re-adding at least
# the input-chain defaults from the first export is cheap insurance.
# The "#" lines are reviewer annotations, not part of the original export.
/interface vlan
# VLAN 2 carries management.  VLAN 3 ("network") is defined here but not
# referenced anywhere else in this export: passthrough below is bound to
# untagged ether1, while the HEX side puts its dhcp-client on its own VLAN 3.
# Confirm which of the two the public IP is meant to ride on.
add interface=ether1 name=management vlan-id=2
add interface=ether1 name=network vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# `name=provider name-Passthrough` is not a single valid value (an unquoted
# space); presumably mangled while redacting.  passthrough-mac=auto leaves
# the device to pick the MAC that receives the public IP -- NOTE(review):
# verify on the device that it is the HEX's WAN-port MAC, not the management
# VLAN or something else seen first on ether1.
add apn=internet name=provider name-Passthrough passthrough-interface=ether1 \
    passthrough-mac=auto
/interface lte
# apn-profiles=passthrough-vpn does not match any profile name in this
# export; presumably a redaction mismatch.  band=1,3,7 is the manual band
# selection the OP mentions changing during peak hours.
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=passthrough-vpn \
    band=1,3,7 network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
# Disabled: in passthrough mode the LHG no longer hands out addresses on ether1.
add address-pool=default-dhcp disabled=yes interface=ether1 lease-time=10m \
    name=defconf
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# ether1 and the management VLAN are in LAN; lte1 is WAN.  Without a filter
# section these lists are only used by neighbor discovery and mac-server.
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=management list=LAN
/ip address
# The old 192.168.188.1/24 address is kept but disabled.
add address=192.168.188.1/24 comment=defconf disabled=yes interface=ether1 \
    network=192.168.188.0
/ip dhcp-client
# Management address is leased over VLAN 2; the HEX bridges that VLAN into
# its LAN, so this router becomes reachable from the HEX's 192.168.13.0/24.
add interface=management
/ip dhcp-server network
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 \
    gateway=192.168.188.1
/ip dns
# Resolver is still enabled for remote requests, now with no input filter in
# front of it; with the LHG acting as a modem only, allow-remote-requests=no
# is the safer default unless something still needs it.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=MikroTik-LTE
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
# RoMON enabled for out-of-band management via the HEX.  No secret or
# per-port restriction appears in this export; NOTE(review): check
# /tool romon port so it is not offered on lte1 and consider setting a secret.
set enabled=yes

Settings for HEX

# HEX, second export (passthrough in use).  This is a partial paste: it
# references "bridge lan" and dhcp_pool6 without the sections that define them
# (they are in the first HEX export).
# NOTE(review): with passthrough the public IP now lands on this router via the
# dhcp-client on VLAN 3 below, and again no /ip firewall filter section is
# shown.  If none exists on the device, every service this router runs and
# every host on 192.168.13.0/24 is reachable from the internet, not just the
# dst-nat'd ports.  At minimum the defconf input/forward rules (including
# "drop all from WAN not DSTNATed", with `network` in the WAN list) should be
# present.  The "#" lines are reviewer annotations, not part of the export.
/interface vlan
# VLAN 2 (management) is bridged into the LAN below; VLAN 3 (network) is the
# WAN-side interface that receives the passed-through public IP.
add interface="1 - WAN/ISP" name=management vlan-id=2
add interface="1 - WAN/ISP" name=network vlan-id=3
/interface list
add name=WAN
add name=LAN
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface="bridge lan" name=dhcp1
/interface bridge port
# Makes the LHG's management VLAN part of the LAN, so the LHG gets a
# 192.168.13.x lease and is manageable from the desktop.
add bridge="bridge lan" interface=management
/interface list member
# Both the raw WAN port and the VLAN 3 sub-interface are in the WAN list.
add interface="1 - WAN/ISP" list=WAN
add interface="bridge lan" list=LAN
add interface=network list=WAN
/ip address
add address=192.168.13.1/24 interface="bridge lan" network=192.168.13.0
/ip dhcp-client
# Obtains the provider's (public) address through the LHG passthrough.
add disabled=no interface=network
/ip dhcp-server network
# 192.168.0.0/24 and 192.168.188.0/24 have no server or pool here -- leftovers.
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.13.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.13.1
add address=192.168.188.0/24 gateway=192.168.188.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
# Still unscoped: matches every routed connection, not only those leaving via
# the WAN list.  `out-interface-list=WAN` would limit it.
add action=masquerade chain=srcnat
# Forwards from VLAN 3 to the desktop at 192.168.13.243; same port set as
# before plus UDP 3074.  The netstat output earlier in the thread shows the
# desktop listening on UDP 3074, so the missing piece for UDP is presumably
# the test, not the rule: web "can you see me" checkers generally probe TCP
# only, which would match "packets only on tcp ports" -- confirm with a UDP
# test or by watching the rule's packet counter while the game runs.
add action=dst-nat chain=dstnat dst-port=3074 in-interface=network protocol=\
    tcp to-addresses=192.168.13.243 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=network protocol=\
    udp to-addresses=192.168.13.243 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3478 in-interface=network protocol=\
    udp to-addresses=192.168.13.243 to-ports=3478
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=network \
    protocol=udp to-addresses=192.168.13.243 to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=4379-4380 in-interface=network \
    protocol=udp to-addresses=192.168.13.243 to-ports=4379-4380
add action=dst-nat chain=dstnat dst-port=27014-27050 in-interface=network \
    protocol=tcp to-addresses=192.168.13.243 to-ports=27014-27050
add action=dst-nat chain=dstnat dst-port=27036 in-interface=network protocol=\
    udp to-addresses=192.168.13.243 to-ports=27036