Port Forwarding for a Noob

Hello to the MikroTik Community!

I tried to follow some tutorials on how to do port forwarding so that a device can be reached from the Internet.
To be more specific, I want to open port 44158 TCP for a device with a static IP on the ETH 2 interface.

I am using a mAP2nD running RouterOS v7.1rc2, and a Huawei E3372h-320 as LTE backhaul; the SIM card has a public IP.
To check if it is working I am using the Port Checker from the Port Forward Network Utilities tool.

So far I did the following two steps in WebFig:

  1. The NAT
    Chain: dstnat
    Protocol: 6 (TCP)
    Dst.Port: 44158
    Action: dst-nat
    To Addresses: 192.168.88.250
    To Ports: 44158

  2. The Firewall Rule
    chain: forward
    Dst. Address: 192.168.8.106
    Protocol: 6 (TCP)
    Dst.Port: 44158
    Action: accept
    And I moved the rule below the dummy rule for the Fasttrack counters.
    All the other rules are the default firewall rules.

When I am testing the connection with the tool mentioned above, it tells me that the port is closed or not reachable.
I would be very happy if someone could direct me to a noob-friendly tutorial or tell me what my mistake is!

Best regards!
ManniaC

Could you export your firewall rules and post them here, so we can check what goes on, please?

The firewall rules:
/ip firewall filter
add action=accept chain=forward comment="Helium Routing" dst-address=192.168.8.106 dst-port=44158 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

The NAT:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 protocol=tcp to-addresses=192.168.88.250 to-ports=44158

Best regards! :slight_smile:

Get rid of the forward chain rule; it is not needed:
add action=accept chain=forward comment="Helium Routing" dst-address=192.168.8.106 dst-port=44158 protocol=tcp

Modify this rule:
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.250
(Note: to-ports is not required if it is the same as dst-port.)

I think I followed your advice correctly. But unfortunately it is still not working.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.250 to-ports=44158

I realized that ether1 was still listed in the interface list as a viable WAN. I deleted it, but it didn't change a thing.
The port forward port checker tool tells me its IP address and that I should search the logs for it.
How can I access the logs to search for that IP? It should give me a hint where the problem lies.

As usual, best regards. :slight_smile:

Not sure what you mean.
But yes, your config should be as complete and accurate as possible.

If ether1 is your WAN port, then:
/interface list members
add interface=ether1 list=WAN

If ether1 is a WAN port for PPPoE with the name pppoe1-out:
/interface list members
add interface=ether1 list=WAN
add interface=pppoe1-out list=WAN

If ether1 is a WAN port but with a VLAN named vlannamexx:
/interface list members
add interface=ether1 list=WAN
add interface=vlannamexx list=WAN

++++++++++++++++++++++++++++++++++++++

How are you reaching your web server to test?

a. From an external IP (like your smartphone via cellular) or via a friend's WAN IP?
b. From a user on the same LAN subnet using the LAN IP of the server directly?
c. From a user on the same LAN subnet but using the DynDNS name or WAN IP of the router to access the server?

My WAN port is the LTE interface. And it is working correctly.
For example, I can browse the Internet.

I am trying to reach a Helium Hotspot. This is a LoRaWAN gateway that runs on a Raspberry Pi. There is no web server running on that Pi.
I need to open port 44158 so that it can communicate with other hotspots via the libp2p protocol.
It takes quite some time to see if the port is open via libp2p.

I've done the port forwarding for these devices with routers of the brands Fritz!Box, Dovado and Speedport.
To see if a port is open or not, I am using this tool: https://portforward.com/store/pfconfig.cgi

I have this tool installed on a laptop. And I am simply connecting to the same router via WiFi and then I am using the port checker tool.
In this tool I can enter a port and a protocol. It's possible to check if a port is open to another device in the same network with the TCP protocol.
The tool uses an external server that is trying to access the open port. Maybe it tries to reach the program running on the laptop, but I am not entirely sure how it works.

Long story short:
I am using method a. to see if the port is open.
But since I don't know the exact procedure of how the port checker works, it might be possible that some local rules are in conflict with it.

I am saying two things.

a. The port will not appear open on a normal scan, visible but closed, and that's normal with MT.
b. Test the access to the server or whatever it is in the following ways:

i. Log in from another user on the LAN using the LAN IP of the server thingy.
ii. Log in from an external web user (could be you on your cell phone or a friend).

The config is correct, so our job has ended here; the issue seems to be your testing methods.

If your tool is attempting to reach the server by going out to the Internet, then it's using the WAN IP to access the server.
Being on the same subnet, this will not work, as you are running into a loopback or hairpin NAT scenario.

Easiest is to create a second subnet for your testing, 192.168.66.0/24, plug your laptop into that network and try your test; it should work.

Alternatively, stick this rule in before the default source NAT rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.250 to-ports=44158

I gave myself some time to think and to Google additionally.

The port forward port checker tool, my favorite tool, works flawlessly.
The problem was that the Huawei surf stick is also a router and not just a modem.
So I had double NAT.

I managed to solve the problem like this:
Set the DHCP range in the Huawei stick to 192.168.8.100 - 192.168.8.100,
so that the WAN interface in the MikroTik always has the same IP.
Then I put that IP into a DMZ, and now my favorite tool tells me that 44158 TCP is open, while the others stay closed.

Best regards and thank you very much for your solution! :slight_smile:

There are a number of common things that will prevent port forwarding:
Private WAN IP
Hairpin NAT
Wrong source NAT config
Wrong dst NAT config

Glad you got it going!!
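The four failure causes in the last reply (private WAN IP, hairpin NAT, wrong source NAT, wrong dst NAT) and the hairpin explanation a few posts earlier can all be checked offline against a `/ip firewall nat` export. The script below is an added example and not from the thread or from MikroTik; it parses the export text the same way RouterOS prints it, flags a WAN address that sits in an RFC 1918 or RFC 6598 (carrier-grade NAT) range, and checks the dst-nat, srcnat and hairpin rules. The sample exports are constructed copies of the rules posted above (the first is the broken mid-thread state, the second the fixed one); 203.0.113.10 is a documentation address standing in for a real public WAN IP. The function and range names are my own.

```python
"""Offline pre-flight checks for a RouterOS port forward (added example)."""
import ipaddress
import shlex

# Constructed sample: the NAT export as posted mid-thread, before any fix.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 protocol=tcp to-addresses=192.168.88.250 to-ports=44158
"""

# Constructed sample: hairpin rule added, dst-nat restricted to the WAN list.
FIXED_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.250
"""

# Ranges that can never receive unsolicited inbound traffic from the Internet.
NAT_ONLY_RANGES = {
    "RFC 1918 private": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "RFC 6598 carrier-grade NAT": [ipaddress.ip_network("100.64.0.0/10")],
}


def parse_nat_export(text):
    """Return one dict of key=value pairs per 'add ...' line under /ip firewall nat."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall nat" or not line.startswith("add "):
            continue
        rule = {}
        for tok in shlex.split(line[4:]):  # shlex keeps comment="a b" as one token
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def wan_ip_problem(addr):
    """Explain why this WAN address implies an upstream NAT, or return None."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NAT_ONLY_RANGES.items():
        if any(ip in n for n in nets):
            return f"{addr} is in a {label} range: something upstream is doing NAT too (double NAT)"
    return None


def check_port_forward(export_text, wan_addr, lan_subnet, dst_port, proto="tcp"):
    """Return a list of findings; an empty list means the forward looks sane."""
    findings = []
    rules = parse_nat_export(export_text)
    lan = ipaddress.ip_network(lan_subnet)

    problem = wan_ip_problem(wan_addr)
    if problem:
        findings.append("private-wan-ip: " + problem)

    dstnat = [r for r in rules if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
              and r.get("dst-port") == str(dst_port) and r.get("protocol") == proto]
    if not dstnat:
        findings.append(f"dst-nat: no dstnat rule for {proto}/{dst_port}")
    for r in dstnat:
        if "to-addresses" not in r:
            findings.append("dst-nat: rule has no to-addresses")
        elif ipaddress.ip_address(r["to-addresses"]) not in lan:
            findings.append(f"dst-nat: to-addresses {r['to-addresses']} is not in {lan_subnet}")
        # Without an ingress or destination match the rule also rewrites LAN-originated
        # traffic to *any* host on that port, which is both surprising and a needless exposure.
        if not ({"in-interface-list", "in-interface", "dst-address"} & r.keys()):
            findings.append("dst-nat: rule is unrestricted; add in-interface-list=WAN or dst-address=<WAN IP>")

    srcnat = [r for r in rules if r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")]
    if not any(r.get("out-interface-list") == "WAN" or "out-interface" in r for r in srcnat):
        findings.append("src-nat: no masquerade/src-nat rule leaving via WAN")

    hairpin = any(r.get("action") == "masquerade" and r.get("src-address") == lan_subnet
                  and r.get("dst-address") == lan_subnet for r in srcnat)
    if not hairpin:
        findings.append(f"hairpin: no masquerade with src-address={lan_subnet} dst-address={lan_subnet}; "
                        "testing from the LAN via the WAN IP will fail")
    return findings


if __name__ == "__main__":
    for name, export, wan in (("as posted", SAMPLE_EXPORT, "192.168.8.106"),
                              ("fixed", FIXED_EXPORT, "203.0.113.10")):
        print(f"== {name} ==")
        for f in check_port_forward(export, wan, "192.168.88.0/24", 44158) or ["ok"]:
            print(" ", f)
```

Run as-is it prints three findings for the mid-thread config (private WAN IP from the Huawei stick, unrestricted dst-nat rule, no hairpin rule) and "ok" for the fixed one. Paste your own `/export` output into `SAMPLE_EXPORT` and the WAN address from `/ip address print` to check a live box; the check only reads text, so it never touches the router.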