Hi everybody,

First off I have been trying to use this equipment for almost two years but sadly I am pretty bad in networking. Hope some gurus can help me out here. Originally I wanted this to serve as a wireless access bridge (gave up on that) but now I am trying to do the most simple plain vanilla of setups. That is the CRS125 is to act as a Wireless Router similar to those off the shelf Netgear types.

Currently I have the ISP ----> ISP provided modem ----> Mikrotik which serves as the DHCP server & has two wlans (one for internal and the other for guests, but currently unused)

I have followed this guide mainly:- http://www.icafemenu.com/how-to-port-forward-in-mikrotik-router.htm
I have also looked thru the forums and other links.

The main problems I have is that within the network I cannot ping or access the other devices (but I understand this is prob a hairpin NAT issue) but even when I am on another network (I have two fixed IPs and internet subscriptions) I am unable to SSH into the server attached to the Mikrotik even with Port Forwarding.

My guess is that perhaps because the modem has the Public IP and whereas the Mikrotik does not have the Public IP.
So where my Public IP is say 138.199.181.222
My ether1-gateway is 138.199.180.1
This is because I set the Address Acquisiton under QuickSet as automatic. Should I be using Static or PPOE?

Within the network all my devices are 192.168.88.X and I have set them to static IPs to prevent them from changing.

Appreciate any insights on how to troubleshoot this.

Thanks!

You can do port forwarding only with public address, because that’s what you can connect to from internet. If it’s on your modem and not on router, you need to do something with modem first. Either switch modem to some transparent (bridge) mode that would allow your router to get public address. If it’s not possible, then you need to configure modem to forward ports to your router, either just selected ones, or everything (usually called DMZ). And then you can forward what you need further in LAN.

Hi appreciate the help.

Checked with my ISP and they say my Fiber modem does not have an interface, it does not have any DHCP server as well and there is no way to set it into bridge mode. Everything should be controlled by the router.

If this is the case, what is the best way to troubleshoot the port forwarding? I believe the IP is on the router but perhaps not the right interface/port?

Don’t believe, be sure. If you check some online service like whatismyip.com, is the same IP address on your router? If so, it should work (only the linked guide is not compatible with hairpin NAT, but you can solve it later).

Add your dstnat rule, ask Google for “online port scan”, choose some you like and use it to test your rule (enter your public address and used port). Ideally it should tell you that the port is open. But even if it doesn’t, check packet counter of your rule if it increases when you do the test, at least that should happen (it could mean that either packets are not passing through router, or the internal device doesn’t accept them).

In that case you should not have any issue. Export config from yout router, post it here. We will help.

Is there any private details I need to hide after I export details from the router? Thanks!

Make an
export hide-sensitive

apr/09/2018 19:09:17 by RouterOS 6.41.3

software id = BL3I-YX6P

model = CRS125-24G-1S-2HnD

serial number = 523B051454A9

/interface bridge
add admin-mac=E4:8D:8C:42:C3:4C auto-mac=no fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wirelesswifi wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-slave-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10-slave-local
set [ find default-name=ether11 ] name=ether11-slave-local
set [ find default-name=ether12 ] name=ether12-slave-local
set [ find default-name=ether13 ] name=ether13-slave-local
set [ find default-name=ether14 ] name=ether14-slave-local
set [ find default-name=ether15 ] name=ether15-slave-local
set [ find default-name=ether16 ] name=ether16-slave-local
set [ find default-name=ether17 ] name=ether17-slave-local
set [ find default-name=ether18 ] name=ether18-slave-local
set [ find default-name=ether19 ] name=ether19-slave-local
set [ find default-name=ether20 ] name=ether20-slave-local
set [ find default-name=ether21 ] name=ether21-slave-local
set [ find default-name=ether22 ] name=ether22-slave-local
set [ find default-name=ether23 ] name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-slave-local
set [ find default-name=sfp1 ] name=sfp1-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:42:C3:64 master-interface=wlan1 name=wlan2 security-profile=profile ssid=wirelesswifi_Guests
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local hw=no interface=wlan1
add bridge=bridge-local hw=no interface=wlan2
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local
add bridge=bridge-local interface=ether21-slave-local
add bridge=bridge-local interface=ether22-slave-local
add bridge=bridge-local interface=ether23-slave-local
add bridge=bridge-local interface=ether24-slave-local
add bridge=bridge-local interface=sfp1-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-slave-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=ether11-slave-local list=discover
add interface=ether12-slave-local list=discover
add interface=ether13-slave-local list=discover
add interface=ether14-slave-local list=discover
add interface=ether15-slave-local list=discover
add interface=ether16-slave-local list=discover
add interface=ether17-slave-local list=discover
add interface=ether18-slave-local list=discover
add interface=ether19-slave-local list=discover
add interface=ether20-slave-local list=discover
add interface=ether21-slave-local list=discover
add interface=ether22-slave-local list=discover
add interface=ether23-slave-local list=discover
add interface=ether24-slave-local list=discover
add interface=sfp1-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=wlan2 list=discover
add interface=ether2-master-local list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=wlan2 list=mac-winbox
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
/ip arp
add address=192.168.88.89 comment="Computer Wireless" interface=bridge-local mac-address=00:28:F8:4E:03:81
add address=192.168.88.88 comment="Computer Ethernet" interface=bridge-local mac-address=1C:1B:0D:9B:19:B7
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=5809
add action=dst-nat chain=dstnat dst-port=1157 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.88 dst-port=23 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.88 to-ports=23
/system clock
set time-zone-name=[Hidden]
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Hi,
just rearrange rules:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=5809
add action=dst-nat chain=dstnat dst-port=1157 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.88 dst-port=23 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

so your masquerade is below NAT rules.

Do I do the rearrangement in the Terminal or is there a GUI method?

In Webfig, used in proper browser (not something on some hemeroid gadget), it is possible to drag&drop rules.

Hmm,

I have moved the masquerade below and it still doesn’t work.

I have tried using http://www.t1shopper.com/tools/port-scan/#

To test for the port and there is no response.

Any other ideas?

First off, I dont think the rules order matters, my srcnat rule is before my dstnat rules… Hopefully someone can confirm.
The only question is what is the purpose of the FW rule below??

/ip firewall filter
add action=accept chain=input comment=“default configuration” protocol=icmp
add action=accept chain=input comment=“default configuration” connection-state=established,related
add action=drop chain=input comment=“default configuration” in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment=“default configuration” connection-state=established,related
add action=accept chain=forward comment=“default configuration” connection-state=established,related
add action=drop chain=forward comment=“default configuration” connection-state=invalid
add action=drop chain=forward comment=“default configuration” connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway

@anav, it is the default drop rule in input chain, i.e. The last rule for packets that dit not match previous rules ends there and get dropped

@anav: Order matters within same chain. But when you see multiple chains in same window (dstnat and srcnat in NAT, input and forward in Filter, etc..) you can have one before the other, other way around, interleaved, anything. Only same chain matters.

And regarding the current problem, I’d like to direct attention to my previous message. In all modesty, I think there were some good suggestions. So step one, check the IP address. Step two, test it from outside and check counters on dstnat rules.

I figured as much but it doesnt look like what is standard…
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

(got it, order in chain matters)

I don’t think the bold above is standard but can be wrong, for me personally though, my default drop rule drops all, irrelevant if from WAN, LAN, VPN, etc as with security, majority of incidents is from inside

Haha okay, point well taken, not sure where I got that, now that I think about it.
But do please, if you are brave enough, to show us your … input drop rule!!