New L009UiGS-2HaxD - Need help port forwarding past default config

Hey all

I’m the proud new owner of a L009UiGS-2HaxD. I’ve gotten my bearings in RouterOS… I think. I’m running the default config with a few small alterations, but I can’t seem to get the ports forwarded. I tried adding a NAT rule that forwards port 42069, but that doesn’t seem to be enough:

add action=dst-nat chain=dstnat dst-port=42069 in-interface="ether1[WAN]" \
    log=yes log-prefix=Firewall::Accept::SSH protocol=tcp to-addresses=\
    192.168.88.3 to-ports=42069

I thought the firewall rule below might be causing it to drop, but I don’t see it log when I try to test the port forwarding. It must be something else?

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=Firewall::Drop::WAN

I also tried adding a rule in the firewall early on that would just accept traffic on that port but that didn’t seem to help. Any ideas?

Full Configuration:

# 2023-11-10 20:44:17 by RouterOS 7.11.2
# software id = Q6JG-Q80C
#
# model = L009UiGS-2HaxD
# serial number = HF3095E6YNJ
/interface bridge
add admin-mac=78:9A:18:60:1C:5A auto-mac=no comment=defconf name=\
    "bridge[LAN]"
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country="United States" .mode=ap \
    .ssid="FBI Stakeout" disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface="bridge[LAN]" lease-time=8h name=\
    defconf
/port
set 0 name=serial0
/interface bridge port
add bridge="bridge[LAN]" comment=defconf interface=ether2
add bridge="bridge[LAN]" comment=defconf interface=ether3
add bridge="bridge[LAN]" comment=defconf interface=ether4
add bridge="bridge[LAN]" comment=defconf interface=ether5
add bridge="bridge[LAN]" comment=defconf interface=ether6
add bridge="bridge[LAN]" comment=defconf interface=ether7
add bridge="bridge[LAN]" comment=defconf interface=ether8
add bridge="bridge[LAN]" comment=defconf interface=sfp1
add bridge="bridge[LAN]" comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface="bridge[LAN]" list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface="bridge[LAN]" network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]"
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:7c:10:c9:3c:b7:c6 mac-address=\
    7C:10:C9:3C:B7:C6
add address=192.168.88.3 client-id=1:7c:10:c9:45:a2:7f mac-address=\
    7C:10:C9:45:A2:7F
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=Firewall::Drop::WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=42069 in-interface="ether1[WAN]" \
    log=yes log-prefix=Firewall::Accept::SSH protocol=tcp to-addresses=\
    192.168.88.3 to-ports=42069
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Once you want to get past the default config, it's best to change the forward chain concept from "allow everything except WAN traffic that was not DST-NATed" to "block everything unless it is allowed".

So take this rule and remove it, and replace it with three rules:

add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

If you are trying to reach your servers locally from users on the same subnet as the server via the DynDNS address (not the direct LAN IP), then you will run into loopback or hairpin NAT.
https://forum.mikrotik.com/viewtopic.php?t=179343
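The replacement described in the reply above, written out as a complete cut-and-paste sequence for the RouterOS terminal. This is an added example and not part of the reply; it assumes the stock defconf rule comments and the LAN/WAN interface lists from the posted export. The `connection-state=new` matchers and the log prefix on the final drop are my additions, not something the reply specified.

```routeros
# Switch the forward chain from "allow everything except unsolicited WAN"
# to an explicit allow-list. Assumes the defconf rule comments and the
# LAN/WAN interface lists from the posted export.
/ip firewall filter

# 1. Remove the defconf catch-all. The earlier defconf forward rules
#    (ipsec accepts, fasttrack, accept established/related/untracked,
#    drop invalid) stay in place and still run before anything below.
remove [find chain=forward comment="defconf: drop all from WAN not DSTNATed"]

# 2. LAN clients may open new connections towards the internet.
#    connection-state=new is an extra tightening: return traffic is already
#    accepted by the defconf established/related rule.
add chain=forward action=accept comment="internet traffic" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN

# 3. Anything whose connection matched a dstnat rule (a port forward) is
#    allowed, no matter which interface it arrived on. This also covers
#    hairpin traffic from LAN hosts to the public address.
add chain=forward action=accept comment="port forwarding" \
    connection-state=new connection-nat-state=dstnat

# 4. Default deny for everything else that is routed through the box.
#    Logging it makes a missing allow rule visible in /log instead of
#    silently timing out. Prefix is invented for this example.
add chain=forward action=drop comment="drop all else" \
    log=yes log-prefix="Firewall::Drop::Forward"

# Check the resulting order and watch the counters while testing.
/ip firewall filter print stats where chain=forward
```

The three new rules must end up after the defconf "accept established,related,untracked" and "drop invalid" rules, otherwise return traffic for LAN-initiated connections lands on the final drop. Because the defconf catch-all was the last forward rule in the export, plain `add` appends them in the right place; if other forward rules have been added since, use `place-before=` to position them explicitly.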

Thanks for your reply :)

You are correct. I was trying to test the dst-nat rule from within the same network by trying to connect via SSH to my public IP. This did let me figure out that the dst-nat port-forwarding rule does work from outside the network, however. Thanks for that.

I have added the below srcnat masquerade rule:

add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24

This doesn’t fix doing the below from within network:

ssh myPublicIP -p 42069

Is that something I should even want to do really?

As for your other suggestions:

I agree those do sound like sound changes I would want to make in the future; I will make small, reversible changes, testing along the way.
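For the hairpin case from this post (SSH to the public IP from inside the LAN), the missing piece is on the dst-nat side rather than the masquerade: the posted dstnat rule matches only `in-interface="ether1[WAN]"`, so a connection that arrives on the bridge never has its destination rewritten and the new masquerade rule has nothing to act on. Below is an added example (not from the thread) of the two NAT rules that together make hairpin work. It assumes the addresses from the posted export (192.168.88.0/24, gateway .1, SSH server .3) and a dynamic WAN address, which is why it matches `dst-address-type=local` instead of a fixed public IP; the comments, log prefix and the LAN gateway exclusion are my choices.

```routeros
# Hairpin (loopback) NAT for the port 42069 forward. Assumes the LAN is
# 192.168.88.0/24 with the router at .1 and the SSH server at .3, and
# that the public address on ether1[WAN] is dynamic (DHCP client).
/ip firewall nat

# Replace the WAN-only dst-nat. dst-address-type=local matches every
# address the router itself holds, including the current WAN address, so
# it works from both sides. The LAN gateway address is excluded so that a
# deliberate connection to 192.168.88.1:42069 is not silently redirected.
remove [find chain=dstnat dst-port=42069 protocol=tcp]
add chain=dstnat action=dst-nat comment="forward SSH to .3" \
    dst-address-type=local dst-address=!192.168.88.1 \
    protocol=tcp dst-port=42069 \
    to-addresses=192.168.88.3 to-ports=42069 \
    log=yes log-prefix="Firewall::DstNat::SSH"

# When client and server are both on the LAN, the server would otherwise
# answer the client directly over the bridge with its own address as
# source, which the client rejects because it is talking to the public
# IP. Masquerading the source forces the reply back through the router.
# This replaces the LAN-to-LAN masquerade added in the post above; keep
# only one of them.
remove [find chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24]
add chain=srcnat action=masquerade comment="hairpin NAT" \
    src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    out-interface-list=LAN

# Watch both rules' counters while running "ssh -p 42069 <public IP>"
# from a LAN host; both should increment for a hairpinned connection.
/ip firewall nat print stats
```

Two things to keep in mind. The defconf "masquerade" rule is still needed for normal internet traffic; the hairpin rule only touches LAN-to-LAN connections that were dst-natted. And because the hairpin rule rewrites the source, the SSH server will log every LAN-originated hairpin session as coming from 192.168.88.1, so client addresses disappear from its auth logs; for local access it is cleaner to connect to 192.168.88.3 directly (or via a split-horizon DNS entry) and keep the public address for outside use.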

My advice is a package deal; no cherry-picking allowed, as design always takes place in the context of the whole. Any other approach will lead to unhappiness configuring the MT router.