Port forward setup?

cdeastesllo · June 7, 2014, 6:12am

Hi,
I try to open port forward. I did some research and tried. It still said the port is closed.

/ip firewall nat add chain=dstnat protocol=tcp
dst-port=X action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=X

X = the port I want to forward
xxx.xxx.xxx.xxx = my local computer ip

I use port forwarding check website. It said the port still closed. Any suggestion?

CTrain · June 7, 2014, 6:21am

You need to configure your firewall filter rules to accept the packet as well

cdeastesllo · June 7, 2014, 6:41am

/ip filter rule add chain=input protocol=tcp dst-port=X
action=accept

Still not working

rextended · June 7, 2014, 6:59am

/ip firewall nat add chain=dstnat dst-address=your.ip.vs.internet protocol=tcp dst-port=X action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=X

If not work, remember to disable all antivirus and firewall on the target device.

CTrain · June 7, 2014, 7:17am

Also the firewall rule should be the forward chain because the packet is not finishing at the router and the in interface or public ip of the network should be specified.

cdeastesllo · June 7, 2014, 7:21am

my current setting are…

/ip firewall nat add chain=dstnat src-address=my.real.ip protocol=tcp
dst-port=X action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=X

/ip filter rule add chain=forward protocol=tcp dst-port=X
action=accept

I tried disable firewall and anti-virus. It still not working. Any suggestion on it x.x?

Rudios · June 7, 2014, 10:33am

You have to put your real public ip on the dst-address, not the src-address.

rextended · June 7, 2014, 10:57am

…

cdeastesllo · June 7, 2014, 4:26pm

Rudios:

cdeastesllo:

CTrain:

Also the firewall rule should be the forward chain because the packet is not finishing at the router and the in interface or public ip of the network should be specified.

rextended:

/ip firewall nat add chain=dstnat src-address=your.ip.vs.internet protocol=tcp dst-port=X action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=X

If not work, remember to disable all antivirus and firewall on the target device.

my current setting are…

/ip firewall nat add chain=dstnat src-address=my.real.ip protocol=tcp
dst-port=X action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=X

/ip filter rule add chain=forward protocol=tcp dst-port=X
action=accept

I tried disable firewall and anti-virus. It still not working. Any suggestion on it x.x?

You have to put your real public ip on the dst-address, not the src-address.

Still don’t working. What else I can do?

rextended · June 7, 2014, 10:22pm

put full “/export compact” on the forum.

cdeastesllo · June 8, 2014, 3:54am

Do you mean everything from “/export compact”?
Here is what showed on firewall filter and nat. I re-edit a bit.

/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=
ether1-gateway
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add chain=forward dst-port=16261 protocol=tcp
add action=drop chain=forward comment=“default configuration”
connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=my.real.ip dst-port=port.want.to.open
protocol=tcp to-addresses=my.local.ip to-ports=port.want.to.open

rextended · June 8, 2014, 10:14am

you must remove this:
add action=drop chain=input comment=“default configuration” in-interface=
ether1-gateway

or permit on INPUT interface the port 16261 because the real ip is on inpuit chain, not on forward, because dst-nat happen after matching connection already estabilished (forward)

add one other rule on src-nat: dst-address=internal.ip.of.local.device action=src-nat to-addres=the.gateway.address.on.local.device.config.

both rule moust be the first on NAT, and the firewall rule allowing port 16261 must be first on input chain.

If none happen, check the device you want reach, or substitute it temporarly with another device for see if the rule is really working.

Rudios · June 8, 2014, 1:56pm

You are wrong.
The dst-nat chain is carried out in the prerouting chain, which in either case comes before input or forward chain.
So the correct way of letting traffic in is creating a dst-nat rule to forward from public ip towards internal private ip.
And in forwarding chain the access to the internal ip must be allowed in the forward chain.

colto92 · June 8, 2014, 10:17pm

Im having a issue similar to this. When I have applied my port forward rules they are fine and accessible on the outside, however in the LAN it is not accessible. I have tried applying the Hairpin Nat the past couple of days without success. Does anyone have any pointers?

cdeastesllo · June 10, 2014, 3:49am

It still don’t work. I am plan to do a reset. I will update once I reset the router.

deanabiepepler · June 15, 2014, 10:47am

does anyone Know how to access the Mikrotik bypassing Admin login

MY ISP wont let me login with Admin rights.

they SO STUPID and annoying. especially the current technical staff.

my internal Router IP (for wireless) : 192.168.0.1

my internal Desktop IP: 192.168.1.250 Monster advanced CAT6+e 10 Gb/s

i want to setup my own Dedicated Game Server @ home

please can someone HELP

i want to open Port 27035 for Left 4 Dead 2 {SRCDS.exe} command line interface Desktop shortcut

my External IP: 41.78.167.133
my private WAN IP: 41.78.165.111

http://gametracker.com/clan/left4dead2southafrica

when i run the SRCDS.exe shortcut and input my IP to gametracker it Says “server NOT Detected”

PLEASE HELP ME.

i disabled my internal router as the dhcp server.

so now how do i access my interal router without having to be re-directed to my Mikrotik Login page.

PLEASE HELP im such a Noob @ this ;'{

rextended · June 16, 2014, 11:28am

does anyone Know how to access the Mikrotik bypassing Admin login
there is no way

MY ISP wont let me login with Admin rights.
obviously

they SO STUPID and annoying. especially the current .

i want to setup my own Dedicated Game Server @ home
please can someone HELP
ask your ISP technical staff, is the only able to do that

i want to open Port 27035 for Left 4 Dead 2 {SRCDS.exe} command line interface Desktop shortcut
use UPNP if UPNP are active on your router

when i run the SRCDS.exe shortcut and input my IP to gametracker it Says “server NOT Detected”
also check if some you set is wrong…

i disabled my internal router as the dhcp server.
so now how do i access my interal router without having to be re-directed to my Mikrotik Login page.
???

im such a Noob @ this ;'{
For this reason the user do not have CPE access.
Understand now?

deanabiepepler · June 16, 2014, 12:27pm

rextended:

does anyone Know how to access the Mikrotik bypassing Admin login
there is no way

MY ISP wont let me login with Admin rights.
obviously

they SO STUPID and annoying. especially the current .

i want to setup my own Dedicated Game Server @ home
please can someone HELP
ask your ISP technical staff, is the only able to do that

i want to open Port 27035 for Left 4 Dead 2 {SRCDS.exe} command line interface Desktop shortcut
use UPNP if UPNP are active on your router

when i run the SRCDS.exe shortcut and input my IP to gametracker it Says “server NOT Detected”
also check if some you set is wrong…

i disabled my internal router as the dhcp server.
so now how do i access my interal router without having to be re-directed to my Mikrotik Login page.
???

im such a Noob @ this ;'{
For this reason the user do not have CPE access.
Understand now?

actually i disabled my internal router as DHCP Server and i can access my router as 192.168.1.248

although since when do ISP’s have the right to refuse port forwarding for me

rextended · June 16, 2014, 12:42pm

although since when do ISP’s have the right to refuse port forwarding for me

You have the right to change ISP.

If you buy the CPE, you have the right to access it BUT, you do not have the right to know wifi password etc.
There is no way to give “half” access to CPE.

If the CPE still property of WISP, you do not have any right on that.

The WISP usually*** refuse port forwarding because do not want follow continuosly user on that way…

If you need port forwarding, public ip address, etc. buy you own router and ask the price for one public IP address then you configure all on your router.

*** some not-improvvisated WISP (like most start from 0 ask in this forum help for startup),
or better, serious WISP use MikroTik and provide metarouter to end user >>>BUT<<< the WISP do not want give continuosly free lessons for the end user…

deanabiepepler · June 17, 2014, 2:33pm

rextended:

although since when do ISP’s have the right to refuse port forwarding for me

You have the right to change ISP.

If you buy the CPE, you have the right to access it BUT, you do not have the right to know wifi password etc.
There is no way to give “half” access to CPE.

If the CPE still property of WISP, you do not have any right on that.

The WISP usually*** refuse port forwarding because do not want follow continuosly user on that way…

If you need port forwarding, public ip address, etc. buy you own router and ask the price for one public IP address then you configure all on your router.

*** some not-improvvisated WISP (like most start from 0 ask in this forum help for startup),
or better, serious WISP use MikroTik and provide metarouter to end user >>>BUT<<< the WISP do not want give continuosly free lessons for the end user…

agh man … you wont believe it. i can use my internal router DHCP disabled.

internal desktop IP: 192.168.1.250 plugged directly to the Mikrotik Satelite

the installation guy of the WISP was left in charge on the weekend

so he wasnt so skilled @ this.