Please help with port forwarding!

Recently bought a Mikrotik Router and now I have some questions related to port forwarding.
I am using LMT 4g router Huawei E3272 with this router https://www.router.lv/product/172/lv/

I have set up 4G as per instructions I found on the internet (DHCP client on the LTE interface and masquerade).

Now I am trying to forward incoming ports but with no success.
Please look at my configuration and help to resolve the issue:
(attachments: 1.JPG, 2.JPG, 3.JPG, interfaces.JPG, firewall.JPG)

There is no point in looking into your config without knowing what your intention was.
So, the question is: what would you like to do?

Forward what (ip:port) where (ip:port)…

regards

Sorry, forgot to state that.
My goal is to forward port 80 from LTE interface to 192.168.88.254 in local network.
The LTE modem has a dynamic IP address that is changed each time it is restarted.

It's not clear what you have in the forward chain.
Add an accept rule for connection-nat-state=dstnat, or write a rule with the right address and ports.

Stop posting images as they don’t show all the detail and take up masses of screen space.
Open a terminal and issue the commands “/ip firewall nat export” and “/ip firewall filter export” and report the output.

Thank You for the hint, sid5632! I was going to ask whether there is an easy way to export and share the configuration.
Here is what I have configured:

[admin@MikroTik] > /ip firewall nat export
# apr/13/2017 14:01:52 by RouterOS 6.34.4
# software id = 3FPY-TT1R
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=dst-nat chain=dstnat dst-port=80 in-interface=lte1 log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=lte1 log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=22
[admin@MikroTik] >
[admin@MikroTik] > /ip firewall filter export
# apr/13/2017 14:12:35 by RouterOS 6.34.4
# software id = 3FPY-TT1R
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge-lan)
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related,new
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge-lan)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add chain=forward connection-nat-state=dstnat log=yes

Thank You for the advice, sash7. I added the rule but it did not help. Please see my configuration one post above!

How are you testing the port forward?
Are you sure 192.168.88.254 isn't your router, but the server running both SSH and web?
What do you see when you browse to http://192.168.88.254?

Yes, http://192.168.88.254 is a local server running SSH and web.
In the local network, when I enter http://192.168.88.254 the root web page is displayed. I can also access SSH from the local network.

When testing from 'outside', i.e. the Internet, I am using no-ip.com to handle the dynamic IP change. The router is sending updates to no-ip.com to keep the IP associated with the domain updated. To test, I go to my no-ip domain and try to reach it via web browser or SSH. I have done this kind of scenario with another router (basic TP-Link) and the setup is working on that, thus I think this is only a matter of correct configuration to get it working on the Mikrotik router.

Please help to resolve!

There's a little mess in the forward chain. Try temporarily disabling all rules in forward and test again (use safe mode). The NAT rules are OK.

Thank You for the suggestion, sash7!
I tried it but unfortunately it did not help.
I am getting ERR_CONNECTION_TIMED_OUT when connecting from the outside internet.

I wonder how I can debug this further? Maybe there are some issues with the interface configuration?

Please help to resolve this issue! At least point me in the right direction to look at.
Thx in advance!

Stupid question, do you have public IP address? When you resolve your no-ip hostname, do you see the same IP address in router’s IP->Addresses?

Has this worked with other routers? ISPs in my region block inbound ports 80 and 22 to protect their residential customers from being hacked. Only way to get these ports unblocked by our ISPs is to subscribe to a business internet plan for an extra 20% per month.

Run Tools > Torch
It’ll show if the packets are even making it to your router.

Thank You for the question Sob!
IP->Addresses shows the IP that is assigned to the router by the LTE modem (there is a DHCP client on the lte interface). It is always set to 192.168.1.100. This IP is not equal to the public IP.

Yes, this configuration works with a TP-Link router.

Thank You for the hint regarding the Torch tool. Actually, I do not see incoming connections on the lte interface on ports 22 or 80. Does that mean that nothing reaches the router?

If the public address is on the modem, you must find a way to tell it to forward ports to the router. Without that, all connections end up on the modem and have no chance of reaching the router.

Thank You for the advice, Sob! I am also reading other topics and it seems to be the problem indeed. Unfortunately the configuration interface for this router is very limited and does not offer such an option.
The interesting thing is that this works out of the box with a TP-Link router and its default software (which is shit in every other aspect).

In your dst-nat rules, remove the in-interface=lte1 match.
Go to IP>Cloud and enable it, allow it to update and copy the host name.
Go to IP>Firewall>Address-Lists and create a new address list called dynamic-IP and enter the host name into the address field; recent rOS will resolve the host name dynamically and create an entry with a "D" before it.
Go to your dst-nat rule, click into "advanced", use the "destination address list" drop-down and set it to the "dynamic-IP" address list you have created.

It sounds as though the IP is not public-facing (a lot of mobile carriers do carrier-level NAT); however, this may work for you.
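The procedure above as a terminal session, put together here as an added example (not a poster's own configuration). It reuses the values from the thread (server 192.168.88.254, ports 80/22, interface lte1, list name dynamic-IP) and also folds in sash7's forward-chain accept rule and Sob's public-IP check; `<your-sn>.sn.mynetname.net` is a placeholder for whatever host name IP>Cloud assigns.

```routeros
# Added example, not from the thread. Placeholder: <your-sn>.sn.mynetname.net
# stands for the host name shown by IP>Cloud after it updates.

# 1. Enable IP>Cloud DDNS and read back the assigned host name (dns-name).
/ip cloud set ddns-enabled=yes
/ip cloud print

# 2. Address-list entry by host name. The post says a recent RouterOS is
#    needed for this; the export above shows 6.34.4, so check the version and
#    upgrade first if no dynamic ("D") entry with the resolved address appears.
/system package print
/ip firewall address-list add list=dynamic-IP address=<your-sn>.sn.mynetname.net
/ip firewall address-list print

# 3. dst-nat rules matching the resolved public address instead of
#    in-interface=lte1. Disable or remove the original in-interface rules
#    first so the two sets do not overlap.
/ip firewall nat
add chain=dstnat dst-address-list=dynamic-IP protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.254 to-ports=80 comment="web to server"
add chain=dstnat dst-address-list=dynamic-IP protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.254 to-ports=22 comment="ssh to server"

# 4. Forward chain (sash7's hint): accept only NEW connections from lte1 that
#    were dst-nat'ed, drop every other new inbound connection from lte1. The
#    exported defconf rules reference ether1 here, not the real WAN (lte1).
#    Move these above any wider "accept new" rule in the forward chain.
/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=lte1 action=accept comment="allow port-forwarded"
add chain=forward connection-state=new in-interface=lte1 action=drop \
    comment="drop other new from WAN"

# 5. Sob's check: if lte1 holds a private address (thread: 192.168.1.100)
#    while the name resolves to a different, public one, the public IP sits
#    on the modem or the carrier's NAT, and no rule on the router can help.
/ip address print where interface=lte1
:put [:resolve <your-sn>.sn.mynetname.net]
# Torch confirms whether inbound port-80 packets reach lte1 at all.
/tool torch interface=lte1 protocol=tcp port=80
```

If step 5 shows the mismatch, the modem itself (or the carrier) is the place to fix, exactly as Sob said; the rules in steps 3 and 4 only come into play once packets actually arrive on lte1.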