Open ports RTP 10000-20000

Good afternoon,

I'm having trouble getting the rule right to open ports 10000-20000 for an internal phone system on 192.168.0.0/24. An external open-port test reports the port as closed; other ports work perfectly. I've already spoken to the ISP and it isn't port blocking. The connection is fiber with a FIXED IP at the edge, and the ports are open. I tested with an ordinary Wi-Fi router and it works, so it's something in the rules. If you can give me a hand I'll be grateful and more active on the forums.

my rules:

/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 comment=defconf hw=no interface=ether2
add bridge=bridge1 comment=defconf hw=no interface=ether3
add bridge=bridge1 comment=defconf hw=no interface=ether4
add bridge=bridge1 comment=defconf hw=no interface=ether5
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set enabled=yes
/ip address
add address=177.69.47.201/29 interface=ether1 network=177.69.47.200
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge1
/ip dhcp-server lease
add address=192.168.0.203 comment="IMPRESSORA COLOR" mac-address=\
    00:26:73:98:2C:7E
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input src-address=200.152.33.10
add action=accept chain=input comment="ENTRADAS MEU INSS" src-address=\
    200.152.35.221
add action=accept chain=input comment="ENTRADAS MEU INSS II" src-address=\
    200.152.35.222
add action=accept chain=output dst-address=200.152.33.10
add action=accept chain=output comment="ACEITA SAIDAS MEUINSS" dst-address=\
    200.152.35.221
add action=accept chain=output comment="ACEITA SAIDAS MEUINSS II" \
    dst-address=200.152.35.222
add action=accept chain=forward dst-address=200.152.33.10
add action=accept chain=forward src-address=200.152.33.10
add action=accept chain=forward comment="ACEITA MEUINSS" src-address=\
    200.152.35.221
add action=accept chain=forward comment="ACEITA MEUINSS II" src-address=\
    200.152.35.222
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="ACEITA VPN POR IPSEC" protocol=\
    ipsec-ah
add action=accept chain=input comment="PORTAS VPN 1701 UPP L2TP" port=\
    1701,500,4500 protocol=udp
add action=drop chain=input comment=\
    "pptp brute force drop 1/4 - complete comunication DROP" \
    src-address-list=pptp_blacklist_DROP
add action=add-dst-to-address-list address-list=pptp_blacklist_DROP \
    address-list-timeout=10m chain=output comment="pptp brute force drop 2/4" \
    content="bad username or password" dst-address-list=\
    pptp_blacklist_stage_2 protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_2 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 3/4" \
    content="bad username or password" dst-address-list=\
    pptp_blacklist_stage_1 protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_1 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 4/4" \
    content="bad username or password" protocol=gre
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=Liberados dst-address=!192.168.1.0/24 \
    dst-port=3389,3390,3388 protocol=tcp src-address=!192.168.1.0/24 \
    src-address-list=!rdp_whitelist
add action=drop chain=forward comment="drop rdp brute forcers" dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage4 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3387,3388,3389,8085 protocol=tcp src-address=\
    !172.16.0.0/24
add action=drop chain=input comment="Drop ssh brute forcers" dst-address=\
    !172.16.0.0/24 dst-port=22,23,53,5060,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop ssh brute forcers" dst-address=\
    !172.16.0.0/24 dst-port=10000-20000 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=22,23,53,5060,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=22,23,53,5060,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=\
    10000-20000 protocol=udp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=22,23,53,5060,8085 protocol=tcp src-address=\
    !172.16.0.0/24 src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-address=\
    !192.168.1.0/24 dst-port=10000-20000 protocol=udp src-address=\
    !192.168.1.0/24 src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=22,23,53,5060,8085 protocol=tcp src-address=\
    !172.16.0.0/24
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=\
    10000-20000 protocol=udp
add action=drop chain=forward comment="drop rdp brute forcers" dst-port=\
    3390,3391,3387 protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3389 protocol=tcp src-address=!172.16.0.0/24 \
    src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3389 protocol=tcp src-address=!172.16.0.0/24 \
    src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3389 protocol=tcp src-address=!172.16.0.0/24 \
    src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-address=\
    !172.16.0.0/24 dst-port=3389 protocol=tcp src-address=!172.16.0.0/24
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new dst-port=\
    3390,3391,3387 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=\
    3390,3391,3387 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=\
    3390,3391,3387 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=\
    3390,3391,3387 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "###### Port scanners to list #########" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="IP DA NORUEGA" src-address=\
    185.132.134.27
add action=drop chain=forward comment="TENTATIVA DE INVASAO" src-address=\
    121.122.59.9
add action=drop chain=input comment="TENTATIVA DE INVASAO" src-address=\
    58.69.160.95
add action=drop chain=input comment="TENTATIVA DE INVASAO" src-address=\
    203.177.24.203
add action=drop chain=input comment="TENTATIVA DE INVASAO" src-address=\
    122.55.219.107
add action=drop chain=input comment="TENTATIVA DE INVASAO" src-address=\
    203.82.32.82
add action=drop chain=output comment="TENTATIVA DE INVASAO" src-address=\
    121.122.59.9
add action=drop chain=input comment="TENTATIVA DE INVASAO" src-address=\
    121.122.59.9
add action=drop chain=forward comment="ESTADOS UNIDOS COLEGE PARK" \
    src-address=192.221.253.121
add action=drop chain=forward comment="VERIZON COMUNICATION" src-address=\
    192.16.48.200
add action=drop chain=forward comment="VERIZON COMUNICATION" src-address=\
    192.229.210.142
add action=drop chain=forward comment="RODRIGO DA SILVA LUZ DE OLIVEIRA" \
    src-address=45.226.212.16
add action=drop chain=forward comment="VERIZON COMUNICATION" dst-address=\
    192.229.210.142 protocol=tcp
add action=drop chain=forward comment="NOVO IP DA NORUEGA" dst-address=\
    194.61.26.30 protocol=tcp
add action=drop chain=forward comment="FACEBOOK IRLANDA" dst-address=\
    31.13.67.52 protocol=tcp
add action=drop chain=forward comment="VERIZON COMUNICATION" dst-address=\
    192.229.210.142 protocol=tcp
add action=drop chain=forward comment=spotify protocol=tcp src-address=\
    78.31.8.0/21
add action=drop chain=forward comment="BLOQUEIO 12-04-2022" protocol=tcp \
    src-address=178.79.188.46
add action=drop chain=forward comment=spotify dst-address=78.31.8.0/21 \
    src-address=0.0.0.0
add action=drop chain=forward comment=spotify src-address=193.182.8.0/21
add action=drop chain=forward comment=spotify dst-address=193.182.8.0/21 \
    src-address=0.0.0.0
add action=drop chain=forward comment="RANGE SPOTIFY" src-address=\
    193.235.206.0/24
add action=drop chain=forward comment="RANGE SPOTIFY" dst-address=\
    193.235.206.0/24 src-address=0.0.0.0
add action=drop chain=forward comment=spotify src-address=194.68.28.0/22
add action=drop chain=forward comment=spotify dst-address=194.68.28.0/22 \
    src-address=0.0.0.0
add action=drop chain=forward comment="PORTA SPOTIFY" dst-port=4070-4080 \
    protocol=tcp
add action=drop chain=input comment="PORTA SPOTIFY" dst-port=4070-4080 \
    protocol=tcp
add action=drop chain=forward layer7-protocol=*6 src-address=192.168.254.0/24 \
    src-address-list=!Access-Youtube
add action=drop chain=forward layer7-protocol=*2 src-address=192.168.254.0/24 \
    src-address-list=!Access-Facebook
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 log=yes \
    log-prefix=VOIP10000A20000 protocol=udp to-addresses=192.168.0.103 \
    to-ports=10000-20000
add action=dst-nat chain=dstnat comment="SISTEMA TURIS" dst-port=3308 \
    log-prefix=VOIP1 protocol=tcp to-addresses=192.168.0.250 to-ports=3306
add action=dst-nat chain=dstnat comment=VOIP dst-port=38881 log=yes \
    log-prefix="VOIP 38881" protocol=tcp to-addresses=192.168.0.101 to-ports=\
    38881
add action=dst-nat chain=dstnat comment=VOIP dst-port=1028 log-prefix=VOIP1 \
    protocol=tcp to-addresses=192.168.0.101 to-ports=1028
add action=dst-nat chain=dstnat comment=VOIP dst-port=38880 log-prefix=VOIP1 \
    protocol=udp to-addresses=192.168.0.101 to-ports=38880
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8392
set api-ssl disabled=yes

(1) FROM: add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
TO:
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0

As for the rest I would conclude with BLOATED DISORGANIZED DISASTER.

a. REMOVE ALL FIREWALL RULES.
b. INSTALL DEFAULT FIREWALL RULES.
c. ADD RULES for IPSEC if using IPSEC
d. ADD RULES FOR INTERNAL USERS
e. ADD RULES FOR PORT FORWARDING.
f. RE-ASSESS and ask for guidance on connecting to the router from external…

Notes: keep the input chain together and keep the forward chain together.
At the end of the forward chain put a last rule which is block all else.
Before you do, above this put in allowed traffic, from LAN to WAN for example.

At the end of the input chain put a last rule which is block all else.
Before you do, above this, put in allowed traffic from the admin to the Router.

Thank you, I'll do the review and come back with the results.

NEW RULES BELOW. THE QUESTION IS, WHAT DO I DO FIRST?? GIVEN THAT I NEED TO OPEN AND FORWARD PORTS 10000-20000 to IP 192.168.0.103.

# may/31/2022 17:08:43 by RouterOS 6.49.6
# software id = WSBR-CIQ7
# model = RouterBOARD 3011UiAS

/interface bridge
add admin-mac=6C:3B:6B:53:0D:31 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3308 log=yes log-prefix=BD_TURIS \
    protocol=tcp to-addresses=192.168.0.250 to-ports=3306
add action=dst-nat chain=dstnat dst-port=38881 log=yes log-prefix=\
    "VOIP 38881" protocol=tcp to-addresses=192.168.0.101 to-ports=38881
add action=dst-nat chain=dstnat dst-port=1028 log=yes log-prefix="VOIP 1028" \
    protocol=tcp to-addresses=192.168.0.101 to-ports=1028
add action=dst-nat chain=dstnat dst-port=38880 log=yes log-prefix=\
    "VOIP 38880" protocol=tcp to-addresses=192.168.0.101 to-ports=38880
/system clock
set time-zone-name=America/Sao_Paulo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Excellent start… very clear and understandable!!
Let's modify the forward chain to be more efficient so we can add rules as necessary.

FROM:
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN { to ensure we keep internet access enabled }
add action=accept chain=forward connection-nat-state=dstnat { to ensure we allow port forwarding }
add action=drop chain=forward { stops cold any other WAN to LAN, LAN to LAN, LAN to WAN traffic }

So you can see it's secure and clear, and if we need to add a traffic flow we make additional accept rules prior to the drop rule. Everything else is dropped automatically.

Let us look at the port forwarding rules…
add action=dst-nat chain=dstnat dst-port=3308 log=yes log-prefix=BD_TURIS \
    protocol=tcp to-addresses=192.168.0.250 to-ports=3306
add action=dst-nat chain=dstnat dst-port=38881 log=yes log-prefix=\
    "VOIP 38881" protocol=tcp to-addresses=192.168.0.101 to-ports=38881
add action=dst-nat chain=dstnat dst-port=1028 log=yes log-prefix="VOIP 1028" \
    protocol=tcp to-addresses=192.168.0.101 to-ports=1028
add action=dst-nat chain=dstnat dst-port=38880 log=yes log-prefix=\
    "VOIP 38880" protocol=tcp to-addresses=192.168.0.101 to-ports=38880

What is missing is one of two choices…
either
in-interface-list=WAN {for dynamic WANIPs}
or
dst-address=WANIP {for fixed/static WANIPs}

Next questions.
Are all the users of the servers EXTERNAL? or do you require the INTERNAL users to access the servers?
If yes, how are they doing this, by direct LANIP, or by using a dyndns name for example or direct WANIP?

The external accesses don't have a FIXED address, only dynamic ones, because they are constantly on the move: travel, home office, etc.
Internal access is direct: AD, file server, system server, LAN TO LAN for everyone.

P.S.: THIS FORCES ME TO DISABLE RULE NUMBER 5, defconf: drop all not coming from LAN

I mean the WANIP from your ISP provider: is it a static/fixed WANIP or dynamic (it changes from time to time)?
To confirm, the internal users access your LAN servers directly via LANIP.

If the WANIP of your router is dynamic the correct format is:
add action=dst-nat chain=dstnat dst-port=3308 protocol=tcp in-interface-list=WAN \
    log=yes log-prefix=BD_TURIS to-addresses=192.168.0.250 to-ports=3306

If static the correct format is:
add action=dst-nat chain=dstnat dst-address=YOURWANIP dst-port=3308 protocol=tcp \
    log=yes log-prefix=BD_TURIS to-addresses=192.168.0.250 to-ports=3306

Understood.
The address is STATIC (FIXED IP, and I've already adjusted it to the correct format you mentioned).

And now what do I do with ports 10000-20000 for address 192.168.0.103?

add action=dst-nat chain=dstnat dst-address=YOURWANIP dst-port=10000-20000 protocol=tcp \
    to-addresses=192.168.0.103

Although it's weird you want to open up so many ports to your router…

You might want to restrict the access to all the open ports all but for the telecom provider by adding the source address range using their server ip addresses.

I did exactly as suggested but I can't get the NAT for 10000-20000 UDP to work; by the external tests, it doesn't work.

I am not sure what you mean. If you want UDP protocol change it on the rule (from tcp to udp).
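The three points made above (an accept for connection-nat-state=dstnat before the final forward drop, a dst-nat rule that matches in-interface-list=WAN or the static WAN IP, and protocol=udp for RTP) can be checked mechanically against an export. The audit script below is an added example, not code from this thread or from MikroTik; its sample export, the 203.0.113.10 WAN address and the UDP_MEDIA_PORTS set are constructed for illustration.

```python
import re
import shlex

# Port ranges that carry RTP media, which is UDP; a TCP-only dst-nat never matches it.
# Constructed for this example; the thread's RTP range is the only entry.
UDP_MEDIA_PORTS = {"10000-20000"}


def parse_export(text):
    """Return (section, command, {key: value}) for every add/set line.

    Backslash continuation lines are joined first; shlex strips the quotes
    around values such as comment="VOIP 38881".
    """
    joined = re.sub(r"\\\n\s*", "", text)
    section, rules = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        parts = shlex.split(line)
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        rules.append((section, parts[0], kv))
    return rules


def is_catch_all(kv):
    """True for a rule whose only matcher is the chain, e.g. a final drop."""
    return not (set(kv) - {"action", "chain", "comment"})


def audit(text):
    """Return human-readable findings for the pitfalls discussed in the thread."""
    findings = []
    rules = parse_export(text)
    forward = [kv for sec, _, kv in rules
               if sec == "/ip firewall filter" and kv.get("chain") == "forward"]
    for sec, _, kv in rules:
        if sec != "/ip firewall nat" or kv.get("chain") != "dstnat":
            continue
        ports = kv.get("dst-port", "?")
        # Without a WAN-side match the rule also rewrites LAN-originated packets.
        if "in-interface-list" not in kv and "dst-address" not in kv:
            findings.append(f"dstnat {ports}: add in-interface-list=WAN "
                            "(dynamic WAN IP) or dst-address=<WAN IP> (static)")
        if ports in UDP_MEDIA_PORTS and kv.get("protocol") != "udp":
            findings.append(f"dstnat {ports}: RTP is UDP but the rule has "
                            f"protocol={kv.get('protocol', 'any')}")
    # A catch-all forward drop needs an accept for dst-natted flows above it.
    drop_idx = next((i for i, kv in enumerate(forward)
                     if kv.get("action") == "drop" and is_catch_all(kv)), None)
    if drop_idx is not None and not any(
            kv.get("action") == "accept" and kv.get("connection-nat-state") == "dstnat"
            for kv in forward[:drop_idx]):
        findings.append("forward: no 'accept connection-nat-state=dstnat' before "
                        "the final drop, so forwarded connections are dropped")
    return findings


# Constructed export that mirrors the shape of the rules discussed above.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 \
    protocol=tcp to-addresses=192.168.0.103 to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=3308 \
    protocol=tcp to-addresses=192.168.0.250 to-ports=3306
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Paste the real `/export` output into SAMPLE_EXPORT to run it against a live config; the script only reads the text and changes nothing on the router.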

About that I understand well; what I'm saying is that I can't get the NAT for this port range to the internal IP 192.168.0.103 to work. I've tried several ways but it doesn't work; the other rules are working perfectly.

I need to open RTP ports 10000-20000 to IP 192.168.0.103

English please.

About this I understand well, I say that I can’t do the NAT for this port range on the internal ip 192.168.0.103. I’ve tried in several ways but it doesn’t work, the other rules are working perfectly.

I need to release RTP port 10000-20000 to IP 192.168.0.103

Then it's not a problem with the config but with the device at 192.168.0.13 or the firewall on the PC hosting the device etc…



  1. there is a difference between opening ports and forwarding ports.
  2. the fact that you set up a dst-nat rule for port forwarding (dst-nat) for a given port on the public address does not automatically make that port reserved for connections initiated from the LAN side. So if, theoretically, something else than your Asterisk at 192.168.0.3 would send a packet from port 10000 to some remote address and port, and then the Asterisk would send a packet from port 10000 to the same remote address and port, the packet sent by Asterisk would get another port at the public address. In real life this is unlikely to happen, but if you wanted to be 100% safe, you'd have to place a rule
    chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=!192.168.0.103 src-port=10000-20000 protocol=udp action=masquerade to-ports=20002-65535
    before the existing action=masquerade one.
  3. most important, elaborating what @anav wrote to match your particular case - did you inform your Asterisk that it is connected to the internet via NAT and what is the public IP of the NAT? If not, it sends its real (private) IP in the SDP, so the remote phones send the RTP to this private address, so these packets never reach your Mikrotik.