Port forwarding issues

idzuwan · June 7, 2022, 11:14am

Hello,

I’m trying to set port forwarding, but seem it does not work at all I do remember it was working before on my RB750G but after I swapped it with 951G-2HnD because the old one die on me it stopped working, I used the exact same rules, so I’m not sure where when wrong here,

I’m trying to port forward port 8080/8123 to local LAN PC/server, I can access the mikrotik router on port 80 via WAN IP (hair pin nat) from local LAN but not those port 2 port, connecting to the port via WAN-IP from the internet does not work either (used the online port checker and accessing it via my phone using mobile data), the NAT counter is 0 which indicating there was no connection to it, perhaps my isp is blocking on their side?

here is my firewall export

# jun/07/2022 18:57:09 by RouterOS 6.46.5
/ip firewall address-list
add address=172.16.1.0/24 list=LAN
add address=WANHOSTNAME list=WAN
add address=XASAAAA.sn.mynetname.net list=WAN2
add address=172.16.1.136 list=PC
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=FWR
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=DROPFW
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=UniFi-Internet
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=WAN \
    new-connection-mark=HairPin_NAT passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hair Pin NAT" connection-mark=\
    HairPin_NAT
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 \
    in-interface=UniFi-Internet protocol=tcp to-addresses=172.16.1.254 \
    to-ports=8123
add action=dst-nat chain=dstnat comment=ianseo dst-address-list=WAN2 \
    dst-port=8080 in-interface=UniFi-Internet protocol=tcp to-addresses=\
    172.16.1.136 to-ports=80

Sob · June 7, 2022, 4:46pm

If you add:

/ip firewall mangle
add chain=prerouting in-interface-list=WAN connection-state=new action=log

and you try some connection from outside, does it log anything? It will tell if ISP blocks it or not.

idzuwan · June 8, 2022, 3:07am

If you add:
/ip firewall mangle
add chain=prerouting in-interface-list=WAN connection-state=new action=log
and you try some connection from outside, does it log anything? It will tell if ISP blocks it or not.

I can see only UDP connection from 1 host to port 60547 nothing more (even I try to do the port connection test on https://www.yougetsignal.com/tools/open-ports/)