Need help forwarding port 25

We have a filtering service our Exchange server connects to over port 25.

I’m brand new to Mikrotik. I plugged in a new RB3011 and accepted the default configuration on the touch screen and then changed the router’s IP to the same as our previous router (192.168.1.1). I went into Winbox and setting up DNS, DHCP for the LAN was straightforward. I created a NAT entry for port 25 as follows:

General Tab -
Chain: dstnat
Protocol: 6(tcp)
Dst. Port: 25
In. Interface List: WAN (default name for ether1 that’s connected to our cable modem)

Action Tab -
Action: dst-nat
To Addresses: 192.168.1.2
To Ports: 25

Our filtering service has a test to see if it can connect - it’s failing.

There is a page full of Filter Rules I don’t fully understand yet. I saw a post that indicated I might need a rule before the others that allows port 25.

Thanks in advance for any advice on how to get this port open. In our previous Juniper I had a policy allowing traffic on the port and a NAT from the internet to the LAN.

The default configuration forward rules are:
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

When you add a new rule it is placed after any existing rules, so your rule will not be reached as the traffic will hit the “drop all from WAN not DSTNATed” rule first. Just move your rule to be immediately before this - you can drag rules up and down the list in Winbox.

Edit: I wasn’t thinking straight, your /ip firewall nat rule should have already marked the traffic as dstnat so should pass the default /ip firewall filter rule, so nothing obvious. The output of /export hide-sensitive from a terminal window might show up anything you may have changed unintentionally.

MT is a bit different in that the NAT rules for each specific port are not handled in the IP firewall filter rules.
In IP filter rules, one only uses one rule in the forward chain to allow the traffic defined in IP NAT rules to go through the firewall.

As was noted above in the default rule set.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

I personally don’t like the use of ! when I can avoid it, and the fact that the default rule is trying to accomplish two functions, blocking WAN input and allowing dstnat, so my rule is different.

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN

Followed by a last rule in the forward chain:
add action=drop chain=forward comment="drop all else"

Thanks for the responses - I’m still so new to this I’m not sure how to use the advice

Maybe this will help - here’s my config:

I don’t have a static IP - if it changes I have to go into the filtering service and change the trusted host - only happens perhaps once a year.

[admin@MikroTik] > export
# nov/01/2020 12:18:48 by RouterOS 6.46.1
# software id = xxxx-xxxx
# model = RB3011UiAS
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding"
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat connection-type="" dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=443
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN

(1) It’s good etiquette and more professional to list the firewall rules in their chain order, so well done, except for that first rule that you claim is a port forwarding rule…

WHY!!!
What do you think add action=accept chain=forward does, especially when it’s the first rule??

You basically are telling the router that ANY input from ANY source across the router is allowed. So every port on your router is now wide open to anyone on the internet. If this was live, then I suggest you are probably infected somewhere.

/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding"
remove the rule and combine with the comment in (2)
+++++++++++++++++++++++++++++++++++++++++++++++++++

(2) A bit nitpicky, but you have added the drop rule in the forward chain, which is generally a good move, but two things.
You have to now add access to the internet for your subnets if you wish to allow that.
Such as allow subnets access to WAN…
Also, as I discussed, you do not need the tortured default rule that tries to do two things:

add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \

It just needs to be:
add action=accept chain=forward comment="Allow Port Forwarding" in-interface-list=WAN connection-nat-state=dstnat connection-state=new
add action=drop chain=forward

Hi, I had add action=accept chain=forward as the first rule to see if it would let my Port 25 NAT rule work

I’m really lost. I can setup a PIX from the terminal interface and the SSG 5 - it took me years to learn all the commands.

I’ve got time to work on this - I’ve researched online and see lots of good blog posts for point solutions but haven’t found a webpage that gives me an overview.

I’m finding out it’s apparently not so easy to import a configuration like I would with the PIX.

Thanks

Here’s the script (I reset the router - the only change so far is I changed the 2nd port address (LAN) to 192.168.1.1).

#| RouterMode:
#|  * WAN port is protected by firewall and enabled DHCP client
#|  * Ethernet interfaces (except WAN port/s) are part of LAN bridge
#| LAN Configuration:
#|     IP address 192.168.88.1/24 is set on bridge (LAN port)
#|     DHCP Server: enabled;
#|     DNS: enabled;
#| WAN (gateway) Configuration:
#|     gateway: ether1 ;
#|     ip4 firewall: enabled;
#|     NAT: enabled;
#|     DHCP Client: enabled;

:global defconfMode;
:log info "Starting defconf script";
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
  # wait for interfaces
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count +1);
  };
  /interface list add name=WAN comment="defconf"
  /interface list add name=LAN comment="defconf"
  /interface bridge
    add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
  :local bMACIsSet 0;
  :foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge")] do={
    :local tmpPortName [/interface get $k name];
    :if ($bMACIsSet = 0) do={
      :if ([/interface get $k type] = "ether") do={
        /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
        :set bMACIsSet 1;
      }
    }
    /interface bridge port
      add bridge=bridge interface=$tmpPortName comment=defconf;
  }
  /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
  /ip dhcp-server
    add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
  /ip dhcp-server network
    add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
  /ip dns {
    set allow-remote-requests=yes
    static add name=router.lan address=192.168.88.1 comment=defconf
  }

  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /interface list member add list=LAN interface=bridge comment="defconf"
  /interface list member add list=WAN interface=ether1 comment="defconf"
  /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  /ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
  }
  /ip neighbor discovery-settings set discover-interface-list=LAN
  /tool mac-server set allowed-interface-list=LAN
  /tool mac-server mac-winbox set allowed-interface-list=LAN
}
#-------------------------------------------------------------------------------
# Revert configuration.
# these commands are executed if user requests to remove default configuration
#-------------------------------------------------------------------------------
:if ($action = "revert") do={
  /user set admin password=""
  /system routerboard mode-button set enabled=no
  /system routerboard mode-button set on-event=""
  /system script remove [find comment~"defconf"]
  /ip firewall filter remove [find comment~"defconf"]
  /ip firewall nat remove [find comment~"defconf"]
  /interface list member remove [find comment~"defconf"]
  /interface detect-internet set detect-interface-list=none
  /interface detect-internet set lan-interface-list=none
  /interface detect-internet set wan-interface-list=none
  /interface detect-internet set internet-interface-list=none
  /interface list remove [find comment~"defconf"]
  /tool mac-server set allowed-interface-list=all
  /tool mac-server mac-winbox set allowed-interface-list=all
  /ip neighbor discovery-settings set discover-interface-list=!dynamic
  :local o [/ip dhcp-server network find comment="defconf"]
  :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
  :local o [/ip dhcp-server find name="defconf" !disabled]
  :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
  /ip pool {
    :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
    :if ([:len $o] != 0) do={ remove $o }
  }
  :local o [/ip dhcp-client find comment="defconf"]
  :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
  /ip dns {
    set allow-remote-requests=no
    :local o [static find comment="defconf"]
    :if ([:len $o] != 0) do={ static remove $o }
  }
  /ip address {
    :local o [find comment="defconf"]
    :if ([:len $o] != 0) do={ remove $o }
  }
  :foreach iface in=[/interface ethernet find] do={
    /interface ethernet set $iface name=[get $iface default-name]
  }
  /interface bridge port remove [find comment="defconf"]
  /interface bridge remove [find comment="defconf"]
  /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
  /caps-man manager set enabled=no
  /caps-man manager interface remove [find comment="defconf"]
  /caps-man manager interface set [ find default=yes ] forbid=no
  /caps-man provisioning remove [find comment="defconf"]
  /caps-man configuration remove [find comment="defconf"]
}
:log info Defconf_script_finished;
:set defconfMode;

I have no idea what you’re trying to do with that script, but return to the beginning and just fix the dstnat rule, it shouldn’t have connection-type="". It should be like your rule for port 443, only with a different number.

Then, optionally, you can follow @anav’s incomplete advice, i.e. that:

/ip firewall filter
...
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

can be changed to:

/ip firewall filter
...
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow access from LAN to internet"
add chain=forward action=accept connection-nat-state=dstnat comment="allow forwarded ports"
add chain=forward action=drop comment="block everything else"

The difference is that default config by default allows access from anywhere except from WAN, and the other one by default doesn’t allow access from anywhere, only what you explicitly allow. So for example if you connect some VPN, default config will allow access from other side to everywhere, but the other one won’t. In short, it’s not so easy to allow something by mistake. You can judge yourself what you want.

And @anav should know better that default config does not block forwarded ports, so that’s clearly not where the problem is. Suggesting improvements is fine, but in this case it’s only confusing.
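An added example (my own, not code from Sob, anav or the OP) that models how RouterOS walks a filter chain in order, first match wins with an implicit accept when no rule matches, and runs four constructed packets through the defconf forward rules, the OP's posted chain with the unconditional accept on top, and the explicit allow-list above. The rule sets and packets are assumptions rebuilt from the rules quoted in the thread (fasttrack and ipsec rules omitted), not a capture from a real router.

```python
# Added example (not from the thread): a minimal model of how RouterOS walks a
# /ip firewall filter chain: first match wins, implicit accept if no rule matches.
# Only the matchers used by the rules quoted above are modelled; rule sets and
# packets are constructed for illustration (fasttrack/ipsec rules omitted).
def matches(rule, pkt):
    """True if every matcher on the rule agrees with the packet ('!' negates, commas list alternatives)."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        negated = want.startswith("!")
        alternatives = want.lstrip("!").split(",")
        if (pkt.get(key) in alternatives) == negated:
            return False
    return True

def verdict(chain, pkt):
    """Action of the first matching rule, or 'accept' when the chain runs out."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

DEFCONF = [
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "comment": "defconf: drop all from WAN not DSTNATed",
     "connection-nat-state": "!dstnat", "connection-state": "new",
     "in-interface-list": "WAN"},
]
# What the OP exported: an unconditional accept on top, defconf, then drop all.
OP_POSTED = [{"action": "accept", "comment": "Allow Port Forwarding"}] + DEFCONF + [{"action": "drop"}]
# Sob's explicit allow-list: LAN->WAN and dst-nat'd connections, then drop all.
EXPLICIT = DEFCONF[:2] + [
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "drop", "comment": "block everything else"},
]
CHAINS = {"defconf": DEFCONF, "op_posted": OP_POSTED, "explicit": EXPLICIT}

# Constructed packets; the *-interface-list fields give the list the interface is
# in ("none" for e.g. a VPN tunnel interface that belongs to neither list).
def pkt(state, nat, in_list, out_list):
    return {"connection-state": state, "connection-nat-state": nat,
            "in-interface-list": in_list, "out-interface-list": out_list}
PACKETS = {
    "smtp_to_exchange": pkt("new", "dstnat", "WAN", "LAN"),   # dst-nat'd port 25
    "unsolicited_from_wan": pkt("new", "none", "WAN", "LAN"),
    "lan_to_internet": pkt("new", "none", "LAN", "WAN"),
    "vpn_peer_to_lan": pkt("new", "none", "none", "LAN"),
}

def compare(packet_name):
    """Verdict of every chain for one named packet, e.g. {'defconf': 'drop', ...}."""
    return {name: verdict(chain, PACKETS[packet_name]) for name, chain in CHAINS.items()}
```

Running compare() over all four packets shows the thread's three points in one table: defconf already accepts the dst-nat'd SMTP connection, the OP's leading accept also lets unsolicited WAN traffic through, and only the explicit list drops the VPN-side packet.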

Hi Sob,

Thanks, I guess I just had that misconfiguration - your advice that I make sure my Port 25 rule was setup like the Port 443 rule solved my issue.

I’m reading my way through wiki.mikrotik.com

No confusion Sob,
(1) I don’t ASSume that subnet users are allowed to the internet ;-PP
(2) I figured the OP was a bright chap and could figure out what he needed to add if applicable.

But correct in that I didn’t give my usual concept approach:
a. default rules
b. user defined rules (input chain-access to router by admin, and forward chain access to internet for lan users).
c. last rule block all

Happy? :slight_smile:

Oh yes confusion, and on both sides, OP got you too, you didn’t even notice your favourite, address on bridge port. :-p

Very astute, and I wondered how did I miss that… but now I know.
I often skim read… which means fast, in this case too fast.
I saw the interface as the bridge on the first line and moved on…
I didn’t realize the glaring error in the second line!!! (or the second line at all, or the wrong subnet in the first line).
Egads, I need refresher training (bottle of rye whiskey and everything you needed to know about ROS and were afraid to ask)

FROM
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

TO
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
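An added example (my own, not code from anyone in this thread) that parses the text of a RouterOS /export and flags the three problems the replies above pointed out in the OP's config: an accept rule with no match conditions, the port 25 dst-nat rule carrying connection-type="" unlike the working 443 rule, and an IP address set on ether2 while ether2 is a bridge member. SAMPLE is a constructed excerpt built from the quoted config, and the finding texts are my own wording.

```python
import shlex
# Added example (not from the thread): parse a RouterOS "/export" text and flag
# the three problems raised above. SAMPLE is constructed from the quoted config.
def parse_export(text):
    """Return [(menu, {key: value}), ...] for each add/set line; handles '\\'
    continuation, quoted values and '#' comments."""
    menu, buf, entries = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            menu = line
            continue
        words = shlex.split(line)
        if words and words[0] in ("add", "set"):
            entries.append((menu, dict(w.split("=", 1) for w in words[1:] if "=" in w)))
    return entries

NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
def audit(text):
    """Findings as strings: unconditional accept, odd dst-nat, address on a bridge port."""
    entries = parse_export(text)
    bridge_ports = {kv.get("interface") for m, kv in entries if m == "/interface bridge port"}
    findings = []
    for menu, kv in entries:
        if menu == "/ip firewall filter" and kv.get("action") == "accept" and not (set(kv) - NON_MATCHERS):
            findings.append(f"unconditional accept in chain={kv.get('chain')} ({kv.get('comment', '')!r})")
        if menu == "/ip firewall nat" and kv.get("connection-type") == "":
            findings.append(f"dst-nat dst-port={kv.get('dst-port')} carries connection-type=\"\"; compare the working rule")
        if menu == "/ip address" and kv.get("interface") in bridge_ports:
            findings.append(f"address {kv['address']} on bridge member {kv['interface']} instead of the bridge")
    return findings

SAMPLE = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding"
add action=accept chain=forward comment="defconf: accept established,related, untracked" \\
    connection-state=established,related,untracked
add action=drop chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat connection-type="" dst-port=25 in-interface-list=WAN \\
    protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=443
"""
```

Feed it the output of /export hide-sensitive (as suggested earlier in the thread) and audit() returns one line per finding; an empty list means none of the three patterns is present.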