Port forwarding not working

Hi, I have created a NAT rule to reach port 8090 from the internet to an internal server.

I have tested port 8090 inside my network and it is working fine, but from outside it is not. I have a dynamic public IP.

The firewall configuration I have is:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Http" dst-port=80 protocol=tcp
add action=accept chain=input comment="Allow Soundtouch API" dst-port=8090 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Soundtouch Port Fordward" dst-port=8090 protocol=tcp to-addresses=192.168.88.245 to-ports=8090

I have tried to solve this issue for some days, but I am not able to do it.

Please help.

Remove this firewall filter:

add action=accept chain=input comment="Allow Soundtouch API" dst-port=8090 protocol=tcp

Firstly, it's using the wrong chain (chain=input is for traffic targeting the router itself; traffic forwarded to another destination is handled by chain=forward), and secondly, NAT rules in the default config (yours seems to be default) are all allowed implicitly: there's an implicit "action=accept" rule at the end of the chain, and none of the filter rules explicitly drop the traffic you're trying to port-forward.

There are two considerations:

  • is your ISP connection truly transparent? Some ISPs filter ingress connections to non-standard ports (i.e. they provide a firewall service for their clients), so it might happen that connection attempts never reach your RB
  • are you testing connectivity using a client which is actually remote, or are you testing using a client in the LAN but with your WAN IP address? In the latter case you'll have to implement hairpin NAT

Did you mean to open your router's web interface to internet access? That is what this rule will do.

Port forwarding rules are done in destination NAT.
Only one firewall rule is needed to ensure all port forwardings declared in dstnat are permitted through.

You have this covered by this rule:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(By the way, I hate this rule because it is more complex, unintuitive and thus confusing than it needs to be, but since it comes by default most people use it.)

Concur with the post above.
WHY THE EFF did you put in these rules...
add action=accept chain=input comment="Allow Http" dst-port=80 protocol=tcp
add action=accept chain=input comment="Allow Soundtouch API" dst-port=8090 protocol=tcp ???

This clearly shows you have not yet grasped how and why to make firewall rules on MT devices. This is not meant to be a slam but a comment, as MT devices are tricky beasts that take a long time to understand and master. Hence sticking with the defaults is a good idea, and then venturing out slowly...

I don't see too much wrong with this rule...
add action=dst-nat chain=dstnat comment="Soundtouch Port Fordward" dst-port=8090 protocol=tcp to-addresses=192.168.88.245 to-ports=8090

  • where is the source of the info coming in... in-interface...
  • you don't need the to-ports if it is the same as the destination port.
  • if you know the external permitted addresses, then add them as a source address list.
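The replies above make four separate points: drop the chain=input accepts, match the ingress interface in the dstnat rule, restrict the permitted sources with an address list, and add hairpin NAT if a LAN client tests against the WAN address. The following RouterOS configuration is an added example that puts them together; it is not the original poster's config or text from any reply. It assumes the default WAN and LAN interface lists of the default config, the 192.168.88.0/24 LAN and the 192.168.88.245 server from the post, and a placeholder remote network 203.0.113.0/24 (a documentation range) standing in for whatever client addresses are really permitted.

```routeros
# Added example, not the original poster's configuration. Assumes the
# default WAN/LAN interface lists and the 192.168.88.0/24 LAN from the thread.

# 1. The two chain=input accepts do nothing for port forwarding (input only
#    sees traffic addressed to the router itself) and the port-80 one exposes
#    the router's own web interface, so remove both.
/ip firewall filter
remove [find comment="Allow Http"]
remove [find comment="Allow Soundtouch API"]

# 2. Remote networks allowed to reach the SoundTouch. 203.0.113.0/24 is a
#    placeholder (documentation range); replace it with the real client
#    networks, or drop the src-address-list match below if the service
#    really has to be reachable from anywhere.
/ip firewall address-list
add list=soundtouch-clients address=203.0.113.0/24 comment="example remote network (placeholder)"

/ip firewall nat
# 3. Forward from the internet only. The public IP is dynamic, so match on the
#    ingress interface list instead of dst-address. to-ports is omitted because
#    it equals dst-port. The default "drop all from WAN not DSTNATed" forward
#    rule lets this connection through because it now carries the dstnat state.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=8090 \
    src-address-list=soundtouch-clients to-addresses=192.168.88.245 \
    comment="SoundTouch port forward from WAN"

# 4. Hairpin NAT, only needed when a LAN client connects to the WAN address.
#    dst-address-type=local matches any address the router itself holds
#    (including 192.168.88.1), which is the usual trade-off with a dynamic IP.
add chain=dstnat action=dst-nat in-interface-list=LAN dst-address-type=local \
    protocol=tcp dst-port=8090 to-addresses=192.168.88.245 \
    comment="SoundTouch hairpin dstnat"

#    Without this srcnat the server would answer the LAN client directly, and
#    the client would drop a reply from 192.168.88.245 for a connection it
#    opened to the WAN address. The default masquerade does not cover this
#    case because its out-interface-list=WAN does not match LAN-to-LAN traffic.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.245 protocol=tcp dst-port=8090 \
    comment="SoundTouch hairpin srcnat"
```

To separate a NAT problem from the ISP filtering mentioned in the first reply, have a genuinely remote client connect and then look at `/ip firewall nat print stats`: if the packet counter on the "SoundTouch port forward from WAN" rule stays at zero during the attempt, the SYNs are not reaching the router at all, and no amount of firewall editing will fix that.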