Hi,
I am having issues doing port forwarding on my new mikrotik i installed. I have been watching youtube videos and browsing forums to no avail. I have tried messing around with the filter and NAT rules, reset my router a couple of times too with default config loaded and no config at all.
Device : RB2011UiAS-2HnD
OS : 6.46.5
Post your config for review.
/export hide-sensitive file=anynameyouwish
Diagrams are helpful if you have a mix of router, switches and access points.
I have been watching youtube videos and browsing forums to no avail.
So you searched everywhere but the wiki ?
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT
Hi,
Thank you for helping!
Here is the Export:
# apr/12/2020 14:33:46 by RouterOS 6.46.5
# software id = 0YM1-Y44B
#
# model = 2011UiAS-2HnD
# serial number = 727A06C59D2A
/interface bridge
add admin-mac=6C:3B:6B:F2:DB:4E auto-mac=no comment="LAN - Bridge" name=\
bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether10 ] name=ether10-PoE
set [ find default-name=sfp1 ] comment="Fiber Port" disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
comment=WiFi country="south africa" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=DK_WIFI \
wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes comment="ISP Connection" disabled=no interface=\
ether1-WAN name=pppoe-out1 use-peer-dns=yes user=\
sybrand.dekock@coolideas.co
/interface wireless nstreme
set wlan1 comment=WiFi
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="DHCP Server"
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10-PoE
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add comment=ISP interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment="DHCP Server" gateway=192.168.1.1 netmask=\
24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=Minecraft dst-port=25565 \
in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-state=new disabled=\
yes in-interface=ether1-WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.129
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=41.78.128.17
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Network Diagram :
Mikrotik → Switch → Server&Computers
→ Access Point 1 (Wifi Extension)
→ Access Point 2 (POE Wifi Extension)
(Hope that makes sense)
I am trying to port forward the server with port 25565 for a minecraft server im hosting. I have tried a port scanner online, i just cant get any ports to open at all (TCP & UDP).
Edit : I have also been browsing the wiki. Everything i tried does not work. (In gui and on terminal). Tried dstnat and netmap, with and without filters.
(1) Before reading the comments, for a long code string, please use the code blocks, found on the top line to the right of B (bold) I (Italics) etc… its the black square with white square brackets!
(2) Ports should appear closed not open…
(3) Get rid of this I dont see how it provides anything useful.???**
/interface detect-internet**
set detect-interface-list=all
(4) Main Error!
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=
192.168.1.0
(5) Not sure you want this static DNS (it looks like the default setting still there easy to miss when cleaning up the config, you may want to add some servers to the /Ip dns list 1.1.1.1, 9.9.9.9, 8.8.8.8 for example)
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
(6) /ip firewall filter
GET RID OF THIS>>>>>
add action=accept chain=forward comment=Minecraft dst-port=25565
in-interface=ether1-WAN protocol=tcp
(7)ENABLE THIS RULE>>>>>>>
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-state=new disabled=
yes in-interface=ether1-WAN
(8)Are you using ipv4 or ipv6??
Confused as to why you have the below… In any case not qualified to talk to ipv6 rules. 
/ipv6 firewall filter
(9)Not a good idea to allow mac-server access unless you have a specific purpose…
/tool mac-server
set allowed-interface-list=LAN
Hi,
Thanks once again!
Sorry im not to clued up about these forums or mikrotik. I made the changes (Hopefully did it right.)
See below :
# apr/12/2020 16:34:50 by RouterOS 6.46.5
# software id = 0YM1-Y44B
#
# model = 2011UiAS-2HnD
# serial number = 727A06C59D2A
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether10 ] name=ether10-PoE
set [ find default-name=sfp1 ] comment="Fiber Port" disabled=yes
/interface pppoe-client
add add-default-route=yes comment="ISP Connection" disabled=no \
interface=ether1-WAN name=pppoe-out1 use-peer-dns=yes user=\
sybrand.dekock@coolideas.co
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
20/40mhz-XX comment=WiFi country="south africa" disabled=no \
distance=indoors frequency=auto installation=indoor mode=ap-bridge \
ssid=DK_WIFI wireless-protocol=802.11
/interface wireless nstreme
set wlan1 comment=WiFi
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=vpn ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="DHCP Server"
/ppp profile
set *FFFFFFFE local-address=192.168.2.1 remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10-PoE
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan1
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=\
icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment=\
"defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-state=new \
in-interface=ether1-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.126
/ip upnp
set enabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=vpn
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=41.78.128.17
I will post a reply if i still cant get it working.
Still no luck
(1) Are all the interfaces identified on the config? WHERE ARE ether2-9 for example??
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether10 ] name=ether10-PoE
(2) add this… (so there are two entries for WAN)
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether1-WAN list=WAN
(3) YOU STILL DIDNT FIX THIS ARGGGG>…
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
should be
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
(4) In your IP Client you have selected use PEER DNS, which means the router uses the ISPs dns, set that to NO if you want to use the dns servers below.
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.4.4,8.8.8.8
(5) /ip firewall filter
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-state=new
in-interface=ether1-WAN
TO
in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565
in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.126
To
in-interface-list=WAN …
NOTE I think it would work if you used all in-interface=pppoe-out1 but the above is safer… more encompassing.
Hi,
Sorry im trying to change this all through the GUI xD.
Did the changes. I believe i got the ‘ether2’ one right this time. Im not sure why ether2-ether9 is not showing in the config, when i try and add it manually through the terminal it says it already exists?
Here is the code :
# apr/12/2020 17:55:12 by RouterOS 6.46.5
# software id = 0YM1-Y44B
#
# model = 2011UiAS-2HnD
# serial number = 727A06C59D2A
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether10 ] name=ether10-PoE
set [ find default-name=sfp1 ] comment="Fiber Port" disabled=yes
/interface pppoe-client
add add-default-route=yes comment="ISP Connection" disabled=no \
interface=ether1-WAN name=pppoe-out1 user=\
sybrand.dekock@coolideas.co
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
20/40mhz-XX comment=WiFi country="south africa" disabled=no \
distance=indoors frequency=auto installation=indoor mode=ap-bridge \
ssid=DK_WIFI wireless-protocol=802.11
/interface wireless nstreme
set wlan1 comment=WiFi
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=vpn ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="DHCP Server"
/ppp profile
set *FFFFFFFE local-address=192.168.2.1 remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10-PoE
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan1
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
add interface=ether1-WAN list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.4.4,8.8.8.8 \
gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=\
icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment=\
"defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.126
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=udp to-addresses=192.168.1.126
/ip upnp
set enabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=vpn
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=41.78.128.17
Tested, still not working, sorry about all the trouble 
Yeah its starting to look good from my point of view…
(1) for DNS on this setting simply use the gateway IP not the rest.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.4.4,8.8.8.8
gateway=192.168.1.1 netmask=24
(2) For this setting just use the external server IPs and NOT the gateway.
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.4.4,8.8.8.8
Can you not use winbox??
Found the culprit and is your firewall rule to allow destination nat - it is incomplete…
Fix that and you should be good to go.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-state=new
in-interface-list=WAN
Somehow part of the rule went missing including the important symbol !
Look at your rule above and the properly formatted rule below
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN
I believe we are close, i can see the ports are open now on the online port checkers using the public IP and DDNS address.
Code:
# apr/12/2020 19:27:41 by RouterOS 6.46.5
# software id = 0YM1-Y44B
#
# model = 2011UiAS-2HnD
# serial number = 727A06C59D2A
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether10 ] name=ether10-PoE
set [ find default-name=sfp1 ] comment="Fiber Port" disabled=yes
/interface pppoe-client
add add-default-route=yes comment="ISP Connection" disabled=no interface=\
ether1-WAN name=pppoe-out1 user=sybrand.dekock@coolideas.co
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
comment=WiFi country="south africa" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=DK_WIFI \
wireless-protocol=802.11
/interface wireless nstreme
set wlan1 comment=WiFi
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=vpn ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="DHCP Server"
/ppp profile
set *FFFFFFFE local-address=192.168.2.1 remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10-PoE
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=ether1-WAN list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip accounting web-access
set address=192.168.1.2/32
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=\
udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=\
tcp
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=\
icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment=\
"defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.126
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=udp to-addresses=192.168.1.126
/ip upnp
set enabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=vpn
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=41.78.128.17
I am currently using Winbox to configure everything.
Connecting to the Minecraft server now gives me connection refused instead of connection failed. Definitely not Firewalls or Anti virus blocking it. I used to run this server on my old ASUS router.
Are you trying to reach the server from within your LAN but using the WANIP of the router?? or are you trying to get a buddy to connect from the outside?
If so does it work if you use the lanip of the server directly?
If trying to connect from within the same LAN, its called hairpin nat and will need to add an extra masquerade rule and modify the two dstnat rules already there.
Hairpin nat.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add chain=dstnat action=dst-nat dst-address=**!**192.168.1.1
dst-address-type=local protocol=tcp dst-port=25565 to-address=192.168.1.126
add chain=dstnat action=dst-nat dst-address=**!**192.168.1.1
dst-address-type=local protocol=udp dst-port=25565 to-address=192.168.1.126
Perfect! Its working thank you very much!
The hairpin was all i needed to access it with the public ip within my network.
I have learned quite a bit on how everything works.
Once again thank you!
Solved!
I would suggest an improvement…
The “dst-address=!192.168.1.1” is not actually needed.
And instead of “dst-address-type=local” you can go to IP-> Firewall-> Address lists, create an entry with whatever name you wish e.g “cloudDNS” and at the address type the cloud DNS of your Mikrotik…
This will automatically resolve the name to your Public IP address…
Then you can go to firewall and convert the rule to:
add action=dst-nat chain=dstnat dst-address-list=cloudDNS dst-port=25565 \
protocol=tcp to-addresses=192.168.1.126
This is a more precise rule…
It may be, but your relying on additional config with cloud and also relying on another service outside the router not to fail ie cloud…
The question does arise though, how does the op direct people to his server?
I ve used cloud DNS a lot… It does not fail to me…
This dst-nat rule works from outside as well without changing anything…
Nice!!