Port forward

senchibald · September 6, 2020, 11:10am

I am a beginner when it comes to Mikrotik and router configuration. I have a problem with port forwarding. On my android mobile I use the FTP application that assigned me port 2211 and I used the command in the terminal /ip firewall nat add chain=dstnat dst-port=2211 action=dst-nat protocol=tcp to-address=IPonMobile to-port=2211 and after that my port is not open, and i cant access my cell phone. Need help.

All settings on the router are initial except that I added static IP addresses to the devices.

k6ccc · September 6, 2020, 4:37pm

Make sure that you have either a firewall rule that allows that port in the forward chain or a rule that allows anything DSTNAT forwarded to be accepted in the forward chain.
Creating a port forward does NOT automatically allow that through the firewall (unless you have a allow anything DSTNAT rule).

anav · September 6, 2020, 5:41pm

Without seeing your config we can only guess, k6 likes to guess when its for free LOL
Please export

/export hide-sensitive file=anynameyouwish

senchibald · September 6, 2020, 6:28pm

sep/06/2020 20:27:02 by RouterOS 6.47.2

software id = C6LW-3CIF

model = RB941-2nD

serial number = D1190B7D20D1

/interface bridge
add admin-mac=C4:AD:34:BB:97:AE auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
country=no_country_set disabled=no distance=indoors frequency=auto
installation=indoor mode=ap-bridge ssid=Senchibald tx-power-mode=
all-rates-fixed wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=C6:AD:34:BB:97:B2 master-interface=wlan1 name=
wlan2 security-profile=profile ssid=SenaD
/ip pool
add name=dhcp ranges=192.168.2.150-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/queue simple
add max-limit=35M/60M name=“Racunar Senad” target=192.168.2.100/32
add max-limit=2M/10M name=PlayStation4 target=192.168.2.150/32
add max-limit=20M/20M name=“ZENIT - Server 6” target=192.168.2.102/32
add max-limit=25M/60M name=“Router ZENIT” target=192.168.2.110/32
add max-limit=10M/30M name=“Lamija mobitel” target=192.168.2.152/32
add max-limit=10M/30M name=“Lamija Laptop” target=192.168.2.151/32
add max-limit=20M/60M name=“Router ADIS” target=192.168.2.111/32
/queue type
add kind=pcq name=dl-client pcq-classifier=dst-address pcq-dst-address6-mask=
64 pcq-rate=20k pcq-src-address6-mask=64
add kind=pcq name=ul-client pcq-classifier=src-address pcq-dst-address6-mask=
64 pcq-rate=100k pcq-src-address6-mask=64
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=wlan2
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless access-list
add ap-tx-limit=15000000 interface=wlan2
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=
192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.2.151 comment=“Lamija Laptop” mac-address=
50:65:F3:B8:25:4E
add address=192.168.2.20 comment=“Zenit AP - UBNT” mac-address=
00:27:22:B8:00:90
add address=192.168.2.100 comment=“Racunar - Senad\t” mac-address=
AC:9E:17:B6:12:01
add address=192.168.2.102 comment=“ZENIT - Server 6” mac-address=
00:23:24:3D:84:CA
add address=192.168.2.110 comment=“Router ZENIT\t” mac-address=
64:70:02:E0:B2:07
add address=192.168.2.21 comment=“Zenit Client - UBNT” mac-address=
04:18:D6:88:46:87
add address=192.168.2.22 comment=“Adis AP - UBNT” mac-address=
DC:9F:DB:46:0C:0D
add address=192.168.2.23 comment=“Adis Client - UBNT” mac-address=
DC:9F:DB:44:FC:4C
add address=192.168.2.99 comment=“Senad Huawei P30” mac-address=
A4:9B:4F:94:F6:F0
add address=192.168.2.152 comment=“Lamija mobitel” mac-address=
7C:03:AB:2E:0A:67
add address=192.168.2.111 comment=“Router ADIS” mac-address=D8:32:14:20:5E:78
add address=192.168.2.150 comment=PlayStation4 mac-address=E8:9E:B4:ED:0E:BF
add address=192.168.2.154 comment=Akvarij mac-address=2C:F4:32:A9:DF:2F
add address=192.168.2.153 client-id=1:d4:5e:ec:3d:6:36 comment=MiBox
mac-address=D4:5E:EC:3D:06:36
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=2211 protocol=tcp to-addresses=
192.168.2.99 to-ports=2211
/system clock
set time-zone-name=Europe/Sarajevo

anav · September 6, 2020, 8:09pm

Never seen anyone use these, it may not be wrong but its unusual.
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2

Never seen anyone use these, it may not be wrong but its unusual.
Suggest if you have firewall rules you wish to apply use the forward chain vice monkeying around with not utilized functionality.
You should state what you are trying to accomplish with those rules so its clearer.

Do you wish to stop wlan2 users from being able to reach everyone else?
Do you wish to stop wlan2 users from reaching the internet??

Now why would you go to all the trouble to put everything on the bridge and then do this???
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=
192.168.2.0

Dont worry you are not the first or the last to do so. Its as if someone copied a config from somewhere or didnt change a default setup to complete the config, very common though!!
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=
192.168.2.0

senchibald · September 7, 2020, 6:31am

I didn’t even touch the initial settings. In port 2 I put a switch and put all lan users in it and on the third port I put an ubnt antenna that sends the internet on.
The only thing I configured in the router was that I added a static IP address to the users and limited the speeds.
How do activate port forwarding on this existing configuration now?

WeWiNet · September 7, 2020, 8:17am

If your phone is connected to WLAN2 then the bridge filter prevents any “forward” traffic (port forwarding will not change that…)
Which WLAN is phone connected when it is not working?

senchibald · September 7, 2020, 9:20am

It is connected to wlan2 (SenaD). I haven’t tested it, with this router configuration, will port forwarding work on other devices that are connected via lan cable?