Hope that someone will be able to help, as I cannot find a logical explanation for the problem that I am facing. As this is the first time I am setting up a MikroTik router, I apologise if my issue seems basic. I had a setup as follows: ISP Modem/Router — TP-Link Router — Local Network. In the Local Network I have 2 DVRs with CCTV cameras connected. I use my smartphone to connect to the DVRs. I had port forwarding from the ISP Router to the TP-Link Router and port forwarding from the TP-Link Router to the DVRs. No issue at all. Everything worked. Then I decided to replace the TP-Link router with a MikroTik router. I set up in NAT the 2 port forwards as follows:
add action=dst-nat chain=dstnat comment=DVR1 dst-port=67-68 in-interface=ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-port=70-72 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=70-72
The first one, to .71, works. The second one, to .72, doesn't. I can see the packets, as the counter increments in NAT, and also using Torch on the in-interface. And then nothing; probably the connection is never established. I noticed in the Firewall > Connections tab that the connection to the in-interface ip:port is established and then nothing. As I thought that there may be a firewall rule dropping it, I have disabled all firewall rules. Now I suppose that everything must be accepted, but still no luck. Any ideas?
Since I hope that someone will eventually look into my problem I am posting the configuration of my router:
# mar/23/2021 02:01:41 by RouterOS 6.48.1
# software id = V2G1-I8S1
# model = 951Ui-2HnD
# serial number = 45880238E3C3
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3h name=dhcp1
/system logging action
add email-to=xxxxxxxxxxxx@gmail.com name=Email target=email
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=192.168.3.5/24 interface=ether2 network=192.168.3.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 ntp-server=216.239.35.0,216.239.35.4
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=forward comment="Allow port forwarding on ISP2" connection-nat-state=dstnat connection-state=established,related,new connection-type="" log=yes protocol=tcp
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=ether3 log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=accept chain=forward comment="Established & Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix="invalid DROPPED"
add action=drop chain=input comment=Invalid connection-state=invalid
add action=add-src-to-address-list address-list=Over-100-Conn address-list-timeout=1d chain=input comment="Connections over 100 for IP" connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Drop if over 100 Connections" connection-limit=3,32 protocol=tcp src-address-list=Over-100-Conn
add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=forward comment="Port Scan Hamad" log=yes log-prefix="Port Scan Fwd" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=input comment="Port Scan Hamad" log=yes log-prefix="Port Scan Input" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop Port Scan Hamad" src-address-list=Port-Scan
add action=drop chain=forward comment="Drop Port Scan Hamad" src-address-list=Port-Scan
add action=jump chain=forward comment="SYN Flood protect FORWARD" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix="Syn Flood Drop" protocol=tcp tcp-flags=syn
add action=accept chain=input comment=Ping protocol=icmp
add action=drop chain=forward comment="ISP1 Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="ISP2 Drop incoming from internet which is not public IP" in-interface=ether2 log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=input comment="LAN Traffic" src-address-list=allowed_to_router
add action=accept chain=input comment=Gmail src-address=74.125.141.108 src-address-list=""
add action=drop chain=input comment="Drop All other ISP1" in-interface=ether1
add action=drop chain=input comment="Drop All other ISP2" in-interface=ether2
add action=drop chain=forward comment="ISP1 Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="ISP2 Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether2 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" disabled=yes dst-address-list=not_in_internet in-interface=ether3 log=yes log-prefix=!public_from_LAN out-interface=!ether3
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether3 new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether3 new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=ether3 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=ether3 new-routing-mark=ether2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=ether2-mark passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat comment="DVR1 Local Access" dst-address=192.168.1.71 dst-port=67-68 out-interface=ether3 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="DVR2 Local Access" dst-address=192.168.1.72 dst-port=67-68 out-interface=ether3 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type="" dst-port=67-68 in-interface=ether2 log=yes protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type="" dst-port=54-56 log=yes protocol=tcp src-address=192.168.3.5 src-port="" to-addresses=192.168.1.72 to-ports=67-68
add action=dst-nat chain=dstnat comment=PBX1 disabled=yes dst-port=35356 in-interface=ether2 protocol=tcp to-addresses=192.168.1.29 to-ports=5060
add action=dst-nat chain=dstnat comment="DSP2 DSP" disabled=yes dst-port=16000-16511 in-interface=ether2 protocol=tcp to-addresses=192.168.1.30 to-ports=16000-16511
add action=dst-nat chain=dstnat comment=DVR1-Local disabled=yes dst-port=73-74 in-interface=ether2 protocol=tcp to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2-Local disabled=yes dst-port=75-76 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=70-71
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=ether1-mark
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=ether2-mark
add distance=1 gateway=192.168.3.1
add distance=1 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VI
/system logging
add action=Email prefix="Mikrotik Router VI" topics=critical
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.8
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=74.125.141.108 from=xxxxxxxxxx@gmail.com password=xxxxxxxxxx* port=587 start-tls=yes user=xxxxxxxxxxx@gmail.com
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.2.1]\r\n:log error \"ISP1 is down\"\r\n/ip firewall connection remove [find]" host=8.8.4.4 interval=10s timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.2.1]\r\n:log warning \"ISP1 is up\""
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.3.1]\r\n:log error \"ISP2 is down\"\r\n/ip firewall connection remove [find]" host=8.8.8.8 interval=10s timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.3.1]\r\n:log warning \"ISP2 is up\""
Still hoping that someone will help me out…
The best thing you could do is
a. reset to defaults to clean up all the bloatware you have added.
b. Figure out why your DHCP network is not for your LAN but set up for an ISP1
c. Understand that port forwarding is not going to work if your ISP gives you a private IP address.
(unless they have forwarded every port to your WANIP, their LANIP on their router) you are out of luck.
It was working with the previous router, so this point is irrelevant.
The description in the first post differs from the export in the second post.
When a dst-nat rule (or src-nat rule) doesn’t need to change a port, the to-ports parameter need not be specified at all.
When it has to change a port, and you specify a range for dst-port and for to-ports, there is no predictable mapping from the old port to the new one. E.g. if you set dst-port=100-102 and to-ports=200-202, and the first connection arrives to port 102, the new port may be 200; if the next connection comes also to port 102 but from a different address, the new port may be the 200 one again as the remote address can be used to distinguish between the two connections.
So if the mapping of ports is meaningful for the cameras, you have to use a dedicated rule for each dst-port to be mapped to a particular new one.
Do you mean that it should be something like this?
add action=dst-nat chain=dstnat comment=DVR1 dst-port=67 in-interface=ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=
add action=dst-nat chain=dstnat comment=DVR1 dst-port=68 in-interface=ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=
add action=dst-nat chain=dstnat comment=DVR2 dst-port=70 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=
add action=dst-nat chain=dstnat comment=DVR2 dst-port=71 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=
Do you mean that it should be something like this?
Yes, but not exactly.
These four rules will forward ports 67 and 68 to .71, and ports 70 and 71 to .72, without changing them. So a single rule for each target device, with a range as dst-port, would be sufficient. This way is fine if you can configure the target devices to listen at distinct ports.
But if you want to change also the destination port, not only the destination address, e.g. because all the target devices listen at the same pair of ports, you need one rule per port to be changed.
add action=dst-nat chain=dstnat comment=DVR1 dst-port=67-68 in-interface=ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-port=70-72 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=70-72
The first one, to .71 works. The second one to .72 doesn't.
It’s odd that .71 works but .72 doesn’t. I would expect both would or wouldn’t work.
Add this to your firewall rules:
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether2
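Putting the two answers together (the "no to-ports unless the port changes, one rule per translated port" point and the forward-chain accept for dst-natted connections), here is an added example that is not part of the thread and not taken from the OP's export. It is a minimal RouterOS 6.x fragment that forwards TCP to both DVRs on the ISP2 WAN: DVR1 keeps its ports (one range rule with no to-ports), DVR2 is translated port by port, the forward chain lets only the forwarded connections in from ether2, and a hairpin pair lets LAN clients reach DVR1 through the router's WAN-side address. Interface names, the 192.168.1.71/.72 and 192.168.3.5 addresses and the 67-68 / 70-71 ports follow the thread; the address-list cctv_clients and its 203.0.113.10 entry are assumptions (a placeholder for the phone's public address, not anything the OP posted).

```routeros
# Added example, not the OP's export. Assumes ether2 = ISP2 WAN, ether3 = LAN
# 192.168.1.0/24, DVR1 = 192.168.1.71 listening on TCP 67-68, and
# DVR2 = 192.168.1.72 also listening on TCP 67-68 but reached from outside on
# 70-71. "cctv_clients" / 203.0.113.10 are placeholders for the allowed client.

/ip firewall address-list
add list=cctv_clients address=203.0.113.10 comment="placeholder: phone's public address"

/ip firewall nat
# DVR1: outside port == inside port, so no to-ports at all. One rule with a
# dst-port range is enough; the destination port is passed through unchanged.
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-port=67-68 \
    src-address-list=cctv_clients to-addresses=192.168.1.71 comment="DVR1 67-68 -> .71:67-68"

# DVR2: the port has to change, so one rule per port. A range-to-range rule
# (dst-port=70-71 to-ports=67-68) gives no predictable 70->67, 71->68 mapping.
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-port=70 \
    src-address-list=cctv_clients to-addresses=192.168.1.72 to-ports=67 comment="DVR2 70 -> .72:67"
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-port=71 \
    src-address-list=cctv_clients to-addresses=192.168.1.72 to-ports=68 comment="DVR2 71 -> .72:68"

# Hairpin for LAN clients that use the router's WAN-side address (192.168.3.5 on
# ether2 in the export). The in-interface=ether2 rules above never see LAN
# traffic, so a LAN-facing dst-nat rule plus a src-nat rule are needed; the
# masquerade makes the DVR answer via the router instead of directly to the client.
add chain=dstnat action=dst-nat in-interface=ether3 dst-address=192.168.3.5 protocol=tcp \
    dst-port=67-68 to-addresses=192.168.1.71 comment="DVR1 hairpin"
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.71 \
    protocol=tcp dst-port=67-68 out-interface=ether3 comment="DVR1 hairpin return path"

/ip firewall filter
# Order matters: these must sit above any broad "drop new from WAN" rule.
# In an existing rule set use place-before=<rule number> instead of plain add.
add chain=forward action=accept connection-state=established,related comment="fwd: established/related"
add chain=forward action=drop connection-state=invalid comment="fwd: drop invalid"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=ether2 comment="fwd: allow only port-forwarded new connections from ISP2"
add chain=forward action=drop connection-state=new in-interface=ether2 \
    comment="fwd: everything else new from ISP2"
```

Two checks after pasting: `/ip firewall nat print stats` should show the DVR2 per-port rules counting as the phone connects, and `/ip firewall connection print` should list the connection with the DVR's 192.168.1.72:67 (or :68) as its reply side; if the dst-nat counter rises but no forward-chain accept counter does, the accept rule is below a drop. With the double NAT described in the first post, the ISP modem must also forward 67-68 and 70-71 to 192.168.3.5. The src-address-list match is the part a practitioner should not drop: without it the DVRs' login pages are reachable from any address on the internet. If the phone's public address is not static, a VPN into the router (RouterOS 6 ships L2TP/IPsec, SSTP and OpenVPN servers) is the safer way to reach the DVRs than an unrestricted forward.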
Thank you for your time. Working like a charm!!!