Port Forwarding not working at all. No ports open on port checkers!

Hello

I have the same situation as in this topic http://forum.mikrotik.com/t/port-forwarding-not-working-at-all-no-ports-open-on-port-checkers/138439/1

I try to go through the steps but had no success :confused:

I have RB952Ui-5ac2nD r2 OS 7.1

I recently reset my router config. and setup only WiFi, Lan, DNS and NAT.
I want to host Nextcloud through port 443, I am already set up everything on my Raspberry in Docker and everything works smoothly on the internal network.
By the way, I am using Pi-Hole.

I’m not sure if firewall rules have meaning by position, so I attached a screenshot.

# dec/15/2021 23:27:42 by RouterOS 7.1
# software id = LJCS-UUPJ
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0B2B77B5
/interface bridge
add admin-mac=C4:AD:34:98:27:C6 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=lithuania disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MATRIX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=lithuania disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MATRIX \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.127.10-192.168.127.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.127.1/24 comment=defconf interface=bridge network=\
    192.168.127.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.127.0/24 comment=defconf dns-server=192.168.127.3 \
    gateway=192.168.127.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.127.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.127.0/24 src-address=\
    192.168.127.0/24
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.127.2
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.127.2
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=udp to-addresses=192.168.127.2
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Screenshot 2021-12-15 at 23.22.58.JPG

When configuring ports for port forwarding, the MT router NORMALLY shows closed, not open.
Expected behaviour!
If you add a source address or list to the dst-nat rule, it should not show any port on the scans…


As for your server etc…
I see that you want LAN users to access your server via the WAN IP (dyndns URL etc., vice the local LAN IP) and hence the hairpin NAT rule.

However, the rule set looks a bit funny…
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.127.0/24 src-address=\
    192.168.127.0/24
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.127.2
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.127.2
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=udp to-addresses=192.168.127.2

The rule in orange won't work for a dynamic IP and thus can be removed, because following that you have two rules, one for UDP and one for TCP, that will work correctly.

Sorry, I am very bad at networking.
OK, I removed:
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.127.2

# dec/16/2021 15:28:44 by RouterOS 7.1
# software id = LJCS-UUPJ
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0B2B77B5
/interface bridge
add admin-mac=C4:AD:34:98:27:C6 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=lithuania disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MATRIX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=lithuania disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MATRIX \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.127.10-192.168.127.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.127.1/24 comment=defconf interface=bridge network=\
    192.168.127.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.127.0/24 comment=defconf dns-server=192.168.127.3 \
    gateway=192.168.127.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.127.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.127.0/24 log=yes \
    src-address=192.168.127.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.127.2
add action=dst-nat chain=dstnat dst-address=!192.168.127.1 dst-address-type=\
    local dst-port=443 protocol=udp to-addresses=192.168.127.2
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Safari:
Now when I type an HTTP request I get a message in the web browser: server unexpectedly dropped connection. (So this sounds logical.)
But when I type an HTTPS request I get a message in the web browser: can't establish a secure connection to the server.
Microsoft Edge:
When I type an HTTPS request I get a message in the web browser: ERR_TIMED_OUT.
When I type an HTTP request I get a message in the web browser: ERR_EMPTY_RESPONSE. (I think this sounds logical.)

And when I try an HTTPS request from my cell phone with mobile data and the Safari browser, I get a message in the web browser: could not open the page because the server stopped responding.

What I don't get is whether the problem is in the router or the "server". Why is the "server" working just fine in the local network then?

Hmm, good question. The rules seem good to me?
Do you have a normal WAN IP / ISP setup?

When you google "what's my IP", is it the same result as you get from your IP cloud, and what's set in your IP DHCP client settings and in IP routes…
(don't need to know the numbers).

But for example if I do
what's my ip - 1x.yz.pp.240
ip cloud - 1x.yz.pp.240
ip dhcp client settings - 1x.yz.pp.240/22
ip routes (DAC gateway reachable, preferred source - 1x.yz.pp.240)

It is not the same

what is my IP: 78.xxx.xxx.140
in the cloud IP is the same: 78.xxx.xxx.140
in DHCP Client on Mikrotik I can see it is not the same IP: 10.xxx.xxx.18/19 Gateway: 10.xxx.xxx.1
added screenshot
Screenshot 2021-12-16 at 17.09.17.JPG
Screenshot 2021-12-16 at 17.12.46.JPG

I am not an expert, but it looks like the ISP modem or ISP modem-router you have been provided does have a public IP address, but your router has been given a private IP address (and not the public IP address). That is just a guess, though.

If that is the case, do you have any access to the ISP's device? Let's say it's a modem-router; normally you can put in the gateway address from the LAN of the modem-router, 10.xx.xx.1, and enter it.
Hopefully this is the case, and then you will need to port forward 443 to your WAN IP…

@anav: One suggestion, to save time and energy: every time there's a "my port forwarding doesn't work", start with four questions:

  1. Do you know what your public address is?
  2. Are you sure?
  3. Do you have a public address?
  4. Are you sure?

If you get 4 x YES, then next step is to add (as first rule):

/ip firewall mangle
add chain=prerouting in-interface=<WAN> connection-state=new action=log log-prefix=INCOMING

and try some online port tester and any port. Possible outcomes:

a) Something gets logged with every test. You can continue with debugging, check config, look for mistakes, …
b) Nothing gets logged, so the user was wrong with at least some of the YESes. You can direct them to the ISP's router/modem (if they have access), tell them to ask the ISP about a public address, …
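The first two questions above boil down to comparing the address the router's DHCP client received on the WAN interface with the address the outside world sees. The following is an added example (not from this thread or from RouterOS) that automates that comparison in Python: it flags the private-upstream situation this thread ends up diagnosing, and also the CGNAT case (100.64.0.0/10) that the thread only alludes to. All addresses used below are constructed placeholders, and the function name classify_wan is an assumption.

```python
import ipaddress

# RFC 6598 shared address space used by ISPs for carrier-grade NAT.
# Checked explicitly because Python's is_private/is_global treat it specially.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means an ISP device holds the public IP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(dhcp_client_addr: str, observed_public_ip: str) -> str:
    """Classify whether inbound port forwarding on the router can work at all.

    dhcp_client_addr   -- what /ip dhcp-client shows on the WAN interface, e.g. "10.0.0.18/19"
    observed_public_ip -- what an external "what is my IP" service or /ip cloud reports
    Returns one of: cgnat, private-upstream, non-global, mismatch, public-direct
    """
    wan = ipaddress.ip_interface(dhcp_client_addr).ip
    public = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT:
        # The ISP NATs the whole customer base; nothing the router does will open a port.
        return "cgnat"
    if any(wan in net for net in RFC1918):
        # Another device upstream holds the public address; forwarding must happen there first.
        return "private-upstream"
    if not wan.is_global:
        # Link-local, loopback, reserved or documentation space on the WAN side.
        return "non-global"
    if wan != public:
        # Public address, but not the one the outside sees (double NAT, proxy, VPN, ...).
        return "mismatch"
    # The router itself holds the public address: dst-nat rules can be tested meaningfully.
    return "public-direct"


if __name__ == "__main__":
    # Constructed values modelled on this thread: DHCP client got 10.x, outside sees 78.x.
    print(classify_wan("10.0.0.18/19", "78.0.0.140"))       # private-upstream
    print(classify_wan("100.64.1.2/22", "78.0.0.140"))      # cgnat
    print(classify_wan("78.0.0.140/22", "78.0.0.140"))      # public-direct
```

Only the "public-direct" verdict means it is worth spending time on the router's own firewall and NAT rules; the other verdicts point at the ISP or the upstream device, which is exactly what happened in this thread.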

When I try accessing IP 10.xxx.xxx.1 I get the message: connection dropped.
It is an ISP device somewhere outside; I think it is a big fiber router or something like this.
I have only the Mikrotik and a basic fiber converter on my side of the network.

Do you mean I have to port forward 443 from IP 10.xxx.xxx.1 to IP 78.xxx.xxx.140? I think this is not possible, but I will ask my ISP; maybe they can help me.

Added:

/ip firewall mangle
add chain=prerouting in-interface= connection-state=new action=log log-prefix=INCOMING

Nothing comes in when I run an online port scan test. So I will try to communicate with the ISP.

Wait I got something but I am not sure what:

INCOMING prerouting: in:ether1 out:(unknown 0), src-mac 00:xx:xx:xx:xx:67, proto UDP, 10.xxx.xxx.254:67->255.255.255.255:68, len 358

This message comes 2 or 3 min after I run port tests.

Interesting proposal Sob, I have always made the wrong assumption that although the user may know very little about MT, they do know their own internet connection…

What is not clear to me is the purpose of
/ip firewall mangle
add chain=prerouting in-interface= connection-state=new action=log log-prefix=INCOMING

Why not just
/ip firewall raw
add chain=prerouting in-interface= connection-state=new action=log log-prefix=INCOMING

Raw doesn't have connection-state (that's the point of raw, to be able to handle packets before any heavy processing like connection tracking), so you'd have to use some other filter instead, for example watch for a single port (protocol=tcp dst-port=666); otherwise you'd log every single incoming packet, not just new connections.

Sorry, it's DHCP, it doesn't count. If you use some online port tester to test port 443, you need to see it logged like this:

<some source address / testing server>:->10.xxx.xxx.18:443
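Telling the DHCP broadcast noise apart from a real port-tester hit is the whole trick of the log rule above. The following is an added example, not from this thread or from RouterOS, that parses lines in the format the firewall log rule produces (the "in:… out:…, src-mac …, proto …, src:port->dst:port, len …" shape seen in the post above) and classifies them. The sample log lines are constructed: the DHCP line mirrors the one posted above with unmasked placeholder addresses, and the TCP SYN line is what a successful test against port 443 would look like. The function names parse_line, classify and find_port_test_hits are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One regex for the RouterOS firewall log line format; ports and TCP flags / ICMP
# type info are optional so UDP, TCP and ICMP lines all parse.
LOG_RE = re.compile(
    r"(?P<prefix>\S+) prerouting: in:(?P<in_if>\S+) out:\(?(?P<out_if>[^,)]*)\)?, "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]+), )?"
    r"proto (?P<proto>[A-Za-z0-9-]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?->(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)"
)


@dataclass
class LogEntry:
    prefix: str
    in_if: str
    proto: str
    flags: Optional[str]
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    length: int


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one firewall log line; returns None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None
    return LogEntry(m["prefix"], m["in_if"], m["proto"].upper(), m["flags"],
                    m["src"], port(m["sport"]), m["dst"], port(m["dport"]),
                    int(m["length"]))


def classify(entry: LogEntry, wan_ip: str, port: int) -> str:
    """Label an entry as DHCP noise, the expected port-test hit, or anything else."""
    if entry.proto == "UDP" and entry.sport == 67 and entry.dport == 68:
        return "dhcp-noise"          # server->client DHCP broadcast, not inbound traffic
    if entry.proto == "TCP" and entry.dst == wan_ip and entry.dport == port:
        return "port-test-hit"       # a new connection reached the WAN address on the port
    return "other"


def find_port_test_hits(lines: List[str], wan_ip: str, port: int) -> List[LogEntry]:
    """Return only the entries that prove the port tester reached the router."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and classify(entry, wan_ip, port) == "port-test-hit":
            hits.append(entry)
    return hits


# Constructed sample log (placeholder addresses), modelled on the line posted in this thread.
SAMPLE_LOG = [
    "INCOMING prerouting: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:67, "
    "proto UDP, 10.0.0.254:67->255.255.255.255:68, len 358",
    "INCOMING prerouting: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:67, "
    "proto TCP (SYN), 198.51.100.7:51234->10.0.0.18:443, len 60",
    "INCOMING prerouting: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:67, "
    "proto ICMP (type 8, code 0), 198.51.100.7->10.0.0.18, len 84",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(classify(e, "10.0.0.18", 443), "<-", line)
    print(len(find_port_test_hits(SAMPLE_LOG, "10.0.0.18", 443)), "port-test hit(s)")
```

If a port test yields only "dhcp-noise" or nothing at all, the packets are not reaching the router's WAN interface, and the problem sits upstream of it, which is the conclusion this thread reaches.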

Got it, a mechanism that does the trick simply by logging the connection tracking if it occurs.
Please check the addition to my "useful" article, as I have added a bit for this scenario.
Specifically, even if the addition is perfect (which it is not), the one thing I don't grasp, which kicks my nuts every time, is the "special case" CGNAT… awaiting brilliance!!

Hello

Thank you very much for your time and for helping me find where the problem is.

I called my ISP and asked for a public IP; they made changes to the fiber converter and now everything is working fine.

I have the same IP in the cloud, I have the same IP in whatismyip and I have the same IP in the Mikrotik DHCP client: 78.xxx.xxx.xxx…

Thank you very much again, I learned a little bit more about networking now.

Happy upcoming holidays