Opening ports

Hello.

I have recently set up our new RB4011 in place of our old Cisco router, with the same settings as the old one.

This network has 12 UniFi access points. They are online and working, but I can no longer see them in the UniFi controller.

I also can't connect any more with Google (Chrome) Remote Desktop.

So I looked up which ports UniFi and Chrome Remote Desktop use and tried to open them, without success.

Is there something I must add to the default firewall rules?

I added dst-nat rules for those ports in /ip firewall nat, with the local gateway IP as the target address.

I checked several guides and did the same as they describe.

Post your config and draw a network diagram

/export hide-sensitive file=anynameyouwish (hide-sensitive redacts passwords and keys, not the serial number and software ID in the export header — strip those by hand before posting)

# mar/01/2021 22:52:00 by RouterOS 6.47.9

# software id = V50M-CHT9

# model = RB4011iGS+

# serial number = D4480DA9DB22

/interface bridge
# Single flat LAN bridge from the default config. auto-mac=no pins the bridge
# MAC to admin-mac so it does not change with port membership.
add admin-mac=08:55:31:6D:1B:27 auto-mac=no comment=defconf name=bridge
/interface ethernet
# Autonegotiation advertisements only; nothing security-relevant here.
# NOTE(review): the export's "\" line continuations were lost in the paste —
# each "set ... advertise=" line and the value line under it are one statement.
set [ find default-name=ether1 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether2 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether3 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether4 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether5 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether6 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether7 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether8 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether9 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether10 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
# The SFP+ uplink (WAN) is fixed at 10G full.
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface ethernet switch port
# default-vlan-id=0 on every switch port: no VLAN separation is done in
# hardware, so APs, clients and (presumably) the controller and the server
# PC all share one L2 domain behind the bridge.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN/LAN lists that the firewall and MAC-server rules key on. Membership is
# assigned under "/interface list member" further down; the input-chain drop
# rule trusts everything in LAN, so what lands in LAN matters.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default wireless profile as exported; no wireless interfaces appear in this
# export, so this is not in use.
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 43 is how the UniFi APs learn the controller address.
# NOTE(review): the value must be 0x0104 followed by the controller's IPv4
# address as 8 hex digits. "iphex" is either a redaction by the poster or a
# literal that makes the option invalid — confirm on the device.
add code=43 name=unifi value=0x0104iphex
/ip pool
# Pool spans both halves of the /23; the router (192.168.1.254) sits outside it.
add name=dhcp ranges=192.168.0.1-192.168.1.239
/ip dhcp-server
# DHCP server bound to the bridge (correct), even though the LAN address is
# bound to ether1 rather than the bridge.
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
# NOTE(review): the WAN port (sfp-sfpplus1, member of the WAN list and running
# the DHCP client) is also a bridge port. It is disabled here, but enabling it
# would make upstream traffic arrive via the bridge, i.e. from the LAN list,
# and the input chain's "drop all not coming from LAN" would no longer protect
# the router's services. Remove it from the bridge instead of leaving it disabled.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
# ether1 was added without the defconf marker, yet the LAN address is bound to
# ether1 directly (see /ip address) instead of to the bridge it is a port of.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
# NOTE(review): "all" includes the WAN interface, so the router announces
# itself (MNDP/LLDP/CDP: identity, MAC, RouterOS version) to the upstream
# network. Restrict it to the LAN list:
#   set discover-interface-list=LAN
set discover-interface-list=all
/interface list member
# Only the bridge is LAN; the SFP+ uplink is WAN. ether1 is in neither list
# directly (it is a bridge port), yet it carries the LAN IP address.
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether1, a bridge port, rather than
# to the bridge interface the DHCP server runs on. The /23 covers
# 192.168.0.0-192.168.1.255.
add address=192.168.1.254/23 comment=defconf interface=ether1 network=
192.168.0.0
# WAN address redacted by the poster ("wanip"). A DHCP client is also
# configured on this port (see /ip dhcp-client); one of the two is redundant.
add address=wanip interface=sfp-sfpplus1 network=wanip
/ip cloud
set update-time=no
/ip dhcp-client
# DHCP client on the WAN port, in addition to the static "wanip" address above.
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
# Clients receive the router and 8.8.8.8 as resolvers plus the "unifi" option 43.
add address=192.168.0.0/23 comment=defconf dhcp-option=unifi dns-server=
192.168.1.254,8.8.8.8 gateway=192.168.1.254 netmask=23
/ip dns
# allow-remote-requests=yes makes the router a DNS forwarder for anyone who
# can reach port 53 on it. It is not an open resolver only because the input
# chain drops everything not coming from the LAN list — keep the two settings
# in mind together.
set allow-remote-requests=yes servers=wandns,wandns
/ip dns static
add address=192.168.1.254 comment=defconf name=router.lan
/ip firewall address-list
# NOTE(review): neither list is referenced by any filter or NAT rule in this
# export. "admin" (the WAN address) looks like the leftover of a management
# access restriction that was never wired up; "internet" holds the last
# address of the DHCP pool. Dead config — remove it or use it in a rule.
add address=wan list=admin
add address=192.168.1.239 list=internet
/ip firewall filter
# ---- input: traffic addressed to the router itself ----
# NOTE(review): "drop invalid" is disabled here; the default config enables it.
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid disabled=yes
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# NOTE(review): the default config's
#   add action=accept chain=input connection-state=established,related,untracked
# is missing. Without it, replies to connections the router itself opens
# towards the WAN (e.g. the DNS forwarder's queries to the /ip dns servers)
# arrive on sfp-sfpplus1, which is not in LAN, and hit the drop below — unless
# something not visible here handles them. Add it above this drop.
# This drop is also the only thing keeping the dst-nat rules that point at the
# router's own LAN address (22, 80, 443, 8291, ...) from exposing SSH, WWW and
# Winbox on the WAN; it relies on sfp-sfpplus1 never becoming part of LAN.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
# ---- forward: traffic through the router (unchanged defaults) ----
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# New connections from the WAN are only allowed through if a dst-nat rule matched.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
# Standard outbound masquerade towards the WAN list.
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): every dst-nat below targets 192.168.1.254, which is the
# router's own LAN address (/ip address), not the UniFi controller or the
# remote-desktop host. Nothing here forwards anything to the controller. If
# the controller sits on this LAN with the APs, adoption needs no dst-nat at
# all; dst-nat only matters for connections arriving from the WAN.
# Forwarding 22, 80, 443 and 8291 to the router itself would publish SSH, WWW
# and Winbox on the WAN address — today only the input chain's "!LAN" drop
# prevents that. Remove these rules and forward only the ports a specific LAN
# host needs, with that host as to-addresses.
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3478
protocol=udp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5514
protocol=udp to-addresses=192.168.1.254 to-ports=5514
# connection-type="" is a no-op.
add action=dst-nat chain=dstnat connection-type=“” dst-address=wanip
dst-port=8080 protocol=tcp to-addresses=192.168.1.254 to-ports=8080
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8443
protocol=tcp to-addresses=192.168.1.254 to-ports=8443
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8880
protocol=tcp to-addresses=192.168.1.254 to-ports=8880
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8843
protocol=tcp to-addresses=192.168.1.254 to-ports=8843
add action=dst-nat chain=dstnat dst-address=wanip dst-port=6789
protocol=tcp to-addresses=192.168.1.254 to-ports=6789
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5656-5699
protocol=udp to-addresses=192.168.1.254 to-ports=5656-5699
add action=dst-nat chain=dstnat dst-address=wanip dst-port=27117
protocol=tcp to-addresses=192.168.1.254 to-ports=27117
add action=dst-nat chain=dstnat dst-address=wanip dst-port=1001
protocol=udp to-addresses=192.168.1.254 to-ports=1001
add action=dst-nat chain=dstnat dst-address=wanip dst-port=1900
protocol=udp to-addresses=192.168.1.254 to-ports=1900
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443
protocol=tcp to-addresses=192.168.1.254 to-ports=443
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5222
protocol=tcp to-addresses=192.168.1.254 to-ports=5222
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5223
protocol=tcp to-addresses=192.168.1.254 to-ports=5223
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5269
protocol=tcp to-addresses=192.168.1.254 to-ports=5269
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5280
protocol=tcp to-addresses=192.168.1.254 to-ports=5280
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5281
protocol=tcp to-addresses=192.168.1.254 to-ports=5281
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5298
protocol=tcp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5298
protocol=udp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3478
protocol=tcp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat dst-address=wanip dst-port=19302
protocol=udp to-addresses=192.168.1.254 to-ports=19302
add action=dst-nat chain=dstnat dst-address=wanip dst-port=19305
protocol=udp to-addresses=192.168.1.254 to-ports=19305
add action=dst-nat chain=dstnat dst-address=wanip dst-port=10001
protocol=udp to-addresses=192.168.1.254 to-ports=10001
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80
protocol=tcp to-addresses=192.168.1.254 to-ports=80
# SSH and HTTP are TCP; the UDP/80 and UDP/22 rules match nothing useful.
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80
protocol=udp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=22
protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=wanip dst-port=22
protocol=udp to-addresses=192.168.1.254 to-ports=22
# NOTE(review): the next seven rules take LAN traffic addressed to the router's
# own LAN address and bounce it to the WAN address. They forward nothing
# inbound and should be deleted.
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=3478
protocol=udp to-addresses=wanip to-ports=3478
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=5514
protocol=udp to-addresses=wanip to-ports=5514
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8080
protocol=tcp to-addresses=wanip to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8443
protocol=tcp to-addresses=wanip to-ports=8443
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8880
protocol=tcp to-addresses=wanip to-ports=8880
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8843
protocol=tcp to-addresses=wanip to-ports=8843
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=6789
protocol=tcp to-addresses=wanip to-ports=6789
# NOTE(review): no dst-address — every new TCP/8291 (Winbox) connection passing
# through the router, from the LAN as well as from the WAN, is redirected to
# the router. From the WAN it is then dropped by the input chain; from the LAN
# it hijacks Winbox sessions meant for any other device.
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=
192.168.1.254 to-ports=8291
# NOTE(review): likewise unscoped — all UDP/10001 (UniFi discovery) through
# the router is sent to the WAN address instead of to the controller.
add action=dst-nat chain=dstnat dst-port=10001 protocol=udp to-addresses=
wanip to-ports=10001
/ip route
# Static default route via the (redacted) WAN gateway; with a DHCP client on
# the same port this may duplicate the DHCP-supplied default route.
add distance=1 gateway=wanip
/ip service
# Only the change from the defaults is exported: HTTPS management enabled
# with the certificate named "root-cert". Presumably telnet, ftp, www, ssh,
# api and winbox are still at their defaults (enabled, no address=
# restriction), so the router is manageable from every LAN host and, from the
# WAN, is protected solely by the input chain. Disable what is unused and set
# address= on the rest.
set www-ssl certificate=root-cert disabled=no
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN list (default) — good.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Another issue: I used to use Google Remote Desktop to access the server PC from home. With the MikroTik router it still connects, but it is very slow and laggy.

I would say your config is non-standard, or you don't know what you are doing.

(1) Is there any reason why your DHCP-client (WAN) interface, sfp-sfpplus1, is a bridge port?
(2) This is compounded because sfp-sfpplus1 is now both a member of the LAN (via the bridge) and of the WAN interface list. The bridge port is disabled, but that is one click away from WAN traffic entering as LAN traffic and bypassing the "drop all not coming from LAN" input rule.
(3) Why would you put all the ethernet ports in the bridge and correctly assign the bridge as the interface for the DHCP server, AND THEN
put the subnet's IP address on ether1 instead of on the bridge???
(4) These rules make no sense to me and I would get rid of them.
The central problem is dst-address=192.168.1.254 with to-addresses=wanip: they take traffic addressed to the router's own LAN IP and bounce it to the WAN address.

add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=3478 \
protocol=udp to-addresses=wanip to-ports=3478
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=5514 \
protocol=udp to-addresses=wanip to-ports=5514
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8080 \
protocol=tcp to-addresses=wanip to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8443 \
protocol=tcp to-addresses=wanip to-ports=8443
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8880 \
protocol=tcp to-addresses=wanip to-ports=8880
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8843 \
protocol=tcp to-addresses=wanip to-ports=8843
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=6789 \
protocol=tcp to-addresses=wanip to-ports=6789
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=\ (NO DST-ADDRESS?? — matches TCP/8291 to any destination, LAN traffic included)
192.168.1.254 to-ports=8291
add action=dst-nat chain=dstnat dst-port=10001 protocol=udp to-addresses=\ (NO DST-ADDRESS?? — redirects all UDP/10001 to the WAN address)
wanip to-ports=10001

(5) The dst-nat rules before those can be simplified into one rule per protocol. Note that to-addresses=192.168.1.254 is the router's own LAN address; point these at the host that actually runs the controller (and only if you really need it reachable from the WAN).

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,1001,1900,3478,5298,5514,5656-5699,10001,19302,19305
protocol=udp to-addresses=192.168.1.254

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,443,3478,5222,5223,5269,5280,5281,5298,6789,8080,8443,8843,8880,27117
protocol=tcp to-addresses=192.168.1.254

Hello. Those were defaults on this unit, but they were not enabled; I removed them anyway.

Finally!

The DHCP-client (WAN) port was a disabled bridge port, but after I removed it from the bridge everything works fine! Thank you very much.

Glad it's working, but nothing about your setup was default, so you must have got the router from someone else or made many changes.