Port Forwarding issue

wookieesa · October 16, 2015, 8:35am

I’ve recently replaced my old router with an RB750, and I’m trying to replicate my previous port forwards, but seem to be having some issues. The ports had forwarded on previous routers without issue, so I know there isn’t an issue of ISP blocking, or the destination devices not listening on those ports.

I have worked on Mikrotiks before so have some competency, but wouldn’t consider myself as expert, at least not yet.

I have an ADSL modem running in bridge mode connected to Eth1 of the Routerboard and a pppoe account set on interface Eth1. Eth3 then runs into my LAN switch. The connection to the net connects fine, just the various port forwards fail.

Here are some examples from /ip firewall nat:

     chain=dstnat action=dst-nat to-addresses=192.168.6.1 protocol=tcp
     in-interface=pppoe-out1 dst-port=9091

     chain=dstnat action=dst-nat to-addresses=192.168.6.253 protocol=tcp
     in-interface=pppoe-out1 dst-port=8080

    chain=dstnat action=dst-nat to-addresses=192.168.6.1 to-ports=80
     protocol=tcp in-interface=pppoe-out1 dst-port=8081

Interesting thing is if I go into winbox and then get a friend to try connect from their internet, I do see the “bytes” and “packet” counters increment at the time they try connect. So the traffic is being processed by the Mikrotik, but the connection always times out.

I did go through the following forum post, but nothing posted there seems to have helped me: http://forum.mikrotik.com/t/port-forwarding-not-working/43010/1

jtommasi · October 16, 2015, 11:08pm

Do the hosts in your LAN have default route pointing to your MK box?

May be they send the reply packets to other box, so you never receive any response.

Rgds,

Julio

miahac · October 18, 2015, 9:09pm

I always add a to port i.e.

chain=dstnat action=dst-nat to-addresses=192.168.6.1 protocol=tcp
     in-interface=pppoe-out1 dst-port=9091 to-ports=9091

Also with a simple config, there is no need to specify the in-interface unless you think you might have a conflict from traffic arriving at the router from other interfaces.

wookieesa · October 19, 2015, 7:16am

@miahac: I’ve found usually when you have the same to-port as dst-port, only the dst-port is needed and to-port is taken as the same. but for the sake of being thorough I made changes and tested with no improvement.

I’m on a dynamic wan ip so I cant set a to-address field in the rule, and leaving out the in interface did cause some conflict with the LAN

@jtommasi: I think that might be the case, I forgot all the destination machines were on static ips. I’ve made changes to the one server and it seems to be connecting now, the other devices I cant check until I’m back home in my LAN, but I suspect it will be the same issue.

Thanks all for the assist.