Hi Guys
Can anybody help me open ports? My mail server is behind an RB450 and it's under NAT, and I need to open port 25.
I also need to open ports or something for security.ubuntu.com so I can update my mail server, which is using Ubuntu.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping
Assuming your outside (WAN) interface is called ‘WAN’ and the inside mail server IP address is 192.168.0.2, you’d use the following:
/ip firewall nat add chain=dstnat protocol=25 dst-port=25 in-interface=WAN action=dst-nat to-address=192.168.0.2
There is no need to open ports for security.ubuntu.com. That’s a repository on the Internet that the inside server will initiate a connection to. The repository NEVER needs to initiate the connection to you.
Well, I can't even get to the mail server to update; it just sits there saying connecting…
I also get this:
[admin@MikroTik] > /ip firewall nat add chain=dstnat protocol=25 dst-port=25 in-
interface=port action=dst-nat to-address=10.10.10.6
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] > /ip firewall nat add chain=dstnat protocol=25 dst-port=25 in-
interface=port3 action=dst-nat to-address=10.10.10.6
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] >
Whoops, typo, sorry.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=25 in-interface=WAN action=dst-nat to-address=192.168.0.2
Also, post the output of “/ip firewall export” to troubleshoot the security.ubuntu.com issue. Again, there is no need to open ports for that to work.
where do I go to do “/ip firewall export”?
Open up a command line terminal.
While you’re at it, include “/ip route print” and “/ip address print”.

This is what I get when I'm on the routerboard

same thing
Here's what you also wanted:
0 ADS 0.0.0.0/0 r 206.51.163.1 0 et..
1 ADC 10.10.10.0/24 10.10.10.1 0 po..
2 ADC 192.168.88.0/24 192.168.88.1 0 et..
3 ADC 206.51.163.0/24 206.51.163.27
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether2-local-master
1 10.10.10.1/24 10.10.10.0 10.10.10.255 port3
2 D 206.51.163.27/24 206.51.163.0 206.51.163.255 ether1-gateway
The most important one was the “/ip firewall export” one.
here you go:
[admin@MikroTik] > /ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=
206.51.163.238 to-addresses=10.10.10.5
add action=src-nat chain=srcnat comment="" disabled=no src-address=10.10.10.5
to-addresses=206.51.163.237
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=
206.51.163.237 to-addresses=10.10.10.6
add action=src-nat chain=srcnat comment="" disabled=no src-address=10.10.10.6
to-addresses=206.51.163.238
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=25
in-interface=port3 protocol=tcp to-addresses=10.10.10.6
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=110
in-interface=port3 protocol=tcp to-addresses=10.10.10.6
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no
out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
In the source and destination NAT rules you made for 10.10.0.5 and .6 you have to make them match per server. One server gets to be .237, the other gets to be .238. You also need to add those public IP addresses to the ether1-gateway interface.
I'm doing NATting on that, which is the reason why it's like that.
Yes, and you are doing it wrong.
A) the IP addresses you are NATting those two servers to must be put on the ether1-gateway interface in order to function
B) you should source NAT and destination NAT each server to the same IP. Right now you’re source NATing server A to the address you are destination NATing server B to, and vice versa
C) at that point you will not need to port forward tcp/25 anymore, the public IP address you’re NATing to that server will include that traffic
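The mismatch described in point B can be checked mechanically on an exported NAT table. The following is an added example, not part of the original posts: a Python sketch that pairs each internal host's dst-nat and src-nat rules and reports hosts that are reachable on one public address but send from another. The function names are hypothetical, and the sample is the thread's export with wrapped lines joined and empty fields dropped.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT section of the export posted in the thread,
# with wrapped lines joined and empty comment/disabled=no fields dropped.
EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=206.51.163.238 to-addresses=10.10.10.5
add action=src-nat chain=srcnat src-address=10.10.10.5 to-addresses=206.51.163.237
add action=dst-nat chain=dstnat dst-address=206.51.163.237 to-addresses=10.10.10.6
add action=src-nat chain=srcnat src-address=10.10.10.6 to-addresses=206.51.163.238
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=port3 protocol=tcp to-addresses=10.10.10.6
add action=masquerade chain=srcnat out-interface=ether1-gateway
"""

def parse_rules(export):
    """Return each 'add' line as a dict of key=value properties."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return rules

def crossed_one_to_one(rules):
    """Find hosts whose inbound and outbound public addresses differ."""
    inbound, outbound = defaultdict(set), {}
    for r in rules:
        if r.get("disabled") == "yes" or "to-addresses" not in r:
            continue
        # Only whole-address mappings count; port forwards are not 1:1 NAT.
        if r.get("action") == "dst-nat" and "dst-address" in r and "dst-port" not in r:
            inbound[r["to-addresses"]].add(r["dst-address"])
        elif r.get("action") == "src-nat" and "src-address" in r:
            outbound[r["src-address"]] = r["to-addresses"]
    findings = []
    for host, public_out in sorted(outbound.items()):
        public_in = inbound.get(host, set())
        if public_in and public_out not in public_in:
            findings.append((host, sorted(public_in), public_out))
    return findings

if __name__ == "__main__":
    for host, pub_in, pub_out in crossed_one_to_one(parse_rules(EXPORT)):
        print(f"{host}: reachable on {pub_in} but sends as {pub_out}")
```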
I have 2 different servers with 2 different machines so it can't be on the same IP, and I have 2 static IP addresses. So what's the correct code to do this correctly?
/ip firewall nat
# remove old configuration
remove [find]
# add new config
add action=dst-nat chain=dstnat dst-address=206.51.163.237 to-addresses=10.10.10.5
add action=src-nat chain=srcnat src-address=10.10.10.5 to-addresses=206.51.163.237
add action=dst-nat chain=dstnat dst-address=206.51.163.238 to-addresses=10.10.10.6
add action=src-nat chain=srcnat src-address=10.10.10.6 to-addresses=206.51.163.238
add action=masquerade chain=srcnat out-interface=ether1-gateway
# add IP addresses
/ip address
add address=206.51.163.238/24 interface=ether1-gateway
add address=206.51.163.237/24 interface=ether1-gateway
At that point 206.51.163.238 will be available as a mail server and will also be able to reach security.ubuntu.com
You probably also want to set up firewall filters. You don’t have any yet.
Thank you so much, fewi, for your help. It finally works.