I seem to have trouble opening ports for outside access. I need to open up port xxxx to access a webgui and port yyyy to access another webui.
Internally everything is working; externally both ports xxxx and yyyy are closed.
This is my setup, directly from mikrotik wiki:
IP, Firewall, NAT,
Chain: DSTNAT
Protocol: TCP
DST port: xxxx
Action: DST-NAT
To address: Internal IP of server
To ports: xxxx
Second one is the same but with yyyy instead. The funny thing is that this did work until I upgraded to firmware 3.30. I saw that the other day it was removed and 3.24 was the latest again, so I downgraded and it is still not working…
You list rules configured as dst-port=xxxx / to-ports=xxxx (external / internal port numbers)
Are the servers themselves listening on port xxxx or just on port 80 if you’re behind the firewall?
If just regular old port 80, then change “to-ports” from xxxx and yyyy to be 80 instead.
Related means a connection which is related to another existing connection - examples would be the data transfer connection that FTP uses, or the audio stream (RTP) of a VoIP call set up using SIP - ICMP responses from remote sites would also count - for instance sending a DNS query to a host that isn’t running a nameserver would result in the remote host sending an ICMP port unreachable message - this is strictly a new connection from a tracking point of view, but it’s related to the previous UDP packet. In any case, you generally want to allow established and related connections from the WAN.
And the last rule is actually two rules. The first allows packets which are being forwarded as the result of a dst-nat mapping (which is what you started this thread about) and the second is the default catch-all drop rule. If no other rule has applied (i.e. if I haven’t explicitly permitted it yet) then discard the packet. This is security 101 - specifically allow what’s wanted/needed, and discard everything else.
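The rule set described in the reply above, written out as a RouterOS CLI example added here (it is not the original poster's configuration or the helper's); it assumes ether1 is the WAN interface, as in the masquerade rule later in the thread, and reuses the 51413 / 192.168.1.11 mapping from this thread.

```routeros
# WAN interface is ether1 (assumed from the srcnat masquerade rule's out-interface)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
# Port forward: match in-interface so only packets arriving from the WAN are rewritten.
# to-ports must be the port the service actually listens on (51413 here, 80 if it is a plain web server).
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=51413 \
    action=dst-nat to-addresses=192.168.1.11 to-ports=51413

/ip firewall filter
# Replies to connections opened from the LAN, plus related ones (FTP data, ICMP errors)
add chain=forward connection-state=established,related action=accept
# Forwarded packets that a dstnat rule rewrote: the only new inbound connections allowed.
# connection-nat-state needs RouterOS v6; on older releases match the server instead:
#   add chain=forward protocol=tcp dst-address=192.168.1.11 dst-port=51413 action=accept
add chain=forward connection-nat-state=dstnat action=accept \
    comment="allow port-forwarded traffic"
# Catch-all: anything not explicitly permitted above is discarded
add chain=forward action=drop

# Checks: the counters of the dstnat and "allow port-forwarded" rules rise while an
# outside client connects; if only the drop counter rises, a rule above it is missing.
/ip firewall nat print stats
/ip firewall filter print stats
/ip firewall connection print
```

Test from outside the LAN (for example a phone on mobile data): a connection from inside to the public IP is not rewritten by this dstnat rule, because it does not arrive on ether1, so an internal test will report the port closed even when the forward is correct.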
In NAT I have the following:
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.11 to-ports=51413
This still does not work…
Btw thank you for your help, it is really appreciated
Yeah, I am having problems too, confusing what actions to use, as some say it is this, and others say it is that.
If you check youtube videos they help, but from what I can tell some of them are doing things the wrong way. Anyway, what works for me but not to 100% is that the action should be “netmap”.
The strange thing is that sometimes (at least on 5.26, which I was using a few days ago) it would say the ports are not open. I wonder if the problems are gone with 6.34.4, or am I using the wrong action?