Hello everyone,
I have a problem, when i forward the port 8080 to a Unifi controller i host, the Mikrotik router becomes unstable i loose connectivity to the router and i miss a lot of connection from the devices to the controller.
I tried in the RB3011 and the CCR1036 same results the router becomes unusable.
Anyone can help ? I pay if necessary.
Best regards,
Venancio
Either post full config of your Mikrotik (output of /export hide-sensitive) … or look for a consultant, there’s official list at https://mikrotik.com/consultants
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 6.46 (c) 1999-2019 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > /export hide-sensitive
/interface bridge
add admin-mac=74:4D:28:C2:E2:E6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.251 client-id=1:52:54:0:ce:f4:e9 mac-address=
52:54:00:CE:F4:E9 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500 protocol=
udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=accept chain=input comment=“allow pptp” dst-port=1723 protocol=tcp
add action=accept chain=input comment=“allow sstp” dst-port=443 protocol=tcp
add action=accept chain=input comment=“WinBox Wan Administration” dst-port=8291
protocol=tcp
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=forward dst-address=192.168.88.251 src-address-list=“”
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=8080 in-interface-list=WAN protocol=
tcp to-addresses=192.168.88.251 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8443 in-interface-list=WAN protocol=
tcp to-addresses=192.168.88.251 to-ports=8443
add action=dst-nat chain=dstnat dst-port=3478 in-interface-list=WAN protocol=
udp to-addresses=192.168.88.251 to-ports=3478
add action=dst-nat chain=dstnat dst-port=8880 in-interface-list=WAN protocol=
tcp to-addresses=192.168.88.251 to-ports=8880
add action=dst-nat chain=dstnat dst-port=8843 in-interface-list=WAN protocol=
tcp to-addresses=192.168.88.251 to-ports=8843
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn
/system clock
set time-zone-name=Atlantic/Azores
/system script
add dont-require-permissions=yes name=no-ip_ddns_update owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“# N
o-IP User account info\r
\n:local noipuser "cio@venaa.com"\r
\n:local noippass "”\r
\n\r
\n# Set the hostname or label of network to be updated.\r
\n# Hostnames with spaces are unsupported. Replace the value in the quotatio
ns below with your host names.\r
\n# To specify multiple hosts, separate them with commas.\r
\n:local noiphost "inf.vc-neks.com"\r
\n\r
\n# Change to the name of interface that gets the dynamic IP address\r
\n:local inetinterface "ether1"\r
\n\r
\n#-------------------------------------------------------------------------
-----------\r
\n# No more changes need\r
\n\r
\n:global previousIP\r
\n\r
\n:if ([/interface get $inetinterface value-name=running]) do={\r
\n# Get the current IP on the interface\r
\n :local currentIP [/ip address get [find interface="$inetinterface" d
isabled=no] address]\r
\n\r
\n# Strip the net mask off the IP address\r
\n :for i from=( [:len $currentIP] - 1) to=0 do={\r
\n :if ( [:pick $currentIP $i] = "/") do={ \r
\n :set currentIP [:pick $currentIP 0 $i]\r
\n } \r
\n }\r
\n\r
\n :if ($currentIP != $previousIP) do={\r
\n :log info "No-IP: Current IP $currentIP is not equal to previous
IP, update needed"\r
\n :set previousIP $currentIP\r
\n\r
\n# The update URL. Note the "\3F" is hex for question mark (?). Require
d since ? is a special character in commands.\r
\n :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$curren
tIP"\r
\n :local noiphostarray\r
\n :set noiphostarray [:toarray $noiphost]\r
\n :foreach host in=$noiphostarray do={\r
\n :log info "No-IP: Sending update for $host"\r
\n /tool fetch url=($url . "&hostname=$host") user=$noipuser
password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . "
.txt")\r
\n :log info "inform.vc-networks.com"\r
\n }\r
\n } else={\r
\n :log info "No-IP: Previous IP $previousIP is equal to current IP,
_no update needed"\r
\n }\r
\n} else={\r
\n :log info "No-IP: $inetinterface is not currently running, so therefo
re will not update."\r
\n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniff filter-ip-protocol=tcp filter-port=http-alt
[admin@MikroTik] >
Two things:
add action=accept chain=forward dst-address=192.168.88.251 src-address-list=""
You don’t need any special FW rule for port forwarding, NAT settings should be enough.
2. move LAN IP address from interface ether2 zo bridge (where it belongs)
Could be something else still …
Nop same result
Any more ideas please…
(1) The first obvious error is assigning your address to ether2 vice the bridge!
/ip address
add address=192.168.88.1/24 comment=defconf interface**=ether2** network=
192.168.88.0
Should be
/ip address
add address=192.168.88.1/24 comment=defconf interface**=bridge** network=
192.168.88.0
(2) Your input rules need work…
a. add action=accept chain=input comment=“WinBox Wan Administration” dst-port=8291
protocol=tcp
First I would put it it differently and modify the above line as follows: (Assuming your admin staff (you) need access to the router for various uses…, plus create a firewall source address list of the appropriate IPs = adminstaff
add action=accept chain=input in-interface-list=LAN comment=“WinBox Wan Administration” source-address-list=adminstaff
In this way you don’t need to tell the world in input rules what your winbox port number is…
Note1: Change your port from default to something else!!!
Note2: You can use winbox services to also minimize access
Note3: You can also use Users selection to minimize access to router.
b. I don’t see any way for users to access the router for DNS services. I think this may need to be included but hopefully better DNS experts than I can chime in.
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol =tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol =ucp
c. Stop any further traffic to router by last input rule.
add action=drop chain=input comment=“All other traffic dropped”
(that way you can also get rid of this rule as its no longer required… add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN )
Much prefer breaking this out into two rules…
add action=accept chain=forward comment=
“Allow Port Forwarding - DSTNAT” connection-state=new connection-nat-state=dstnat
AND a LAST RULE
add action=drop chain=forward comment=“All other traffic dropped”
What this does is effectively stop all traffic you haven’t explicitly approved of, thus you may also need to add any lan to wan traffic, if permitted…
and place it before the last rule of course…
add action=accept chain=forward comment=“ENABLE LAN to WAN” in-interface=
Bridge out-interface=WAN
add action=dst-nat chain=dstnat comment=PURPOSE/SERVER dst-port=xxxx
in-interface=WAN log=yes protocol=tcp to address=appropriate LANIP\
note1: If doing port translation, then the to port will also be required otherwise only destination port is required.
note2: If you have dual WAN then the in-interface-list=WAN probably applies
note3: Best is if you have a finite known list of external WANIP requiring access and if so then need to add
src-address-list=listofapprovedIPs
note4: adding a source address list to the NAT rule also makes the port in question not visible on scans (vice visible and closed otherwise).
Thanks a lot, i will give it a try tomorrow.
Well, above code actually didn’t helped me. Any alternatives? Same will be wholeheartedly appreciated
Hello,
You have the same problem as me ?