Port Forwarding not working properly

willieneethling · October 23, 2024, 4:10am

Hi All,
I have a weird issue in regard to my port forwarding and it goes like this.
I am not able to access any of my servers including the Mikrotik webconfig from outside the network or inside using the Mikrotik Cloud DDNS including the IP from a fibre connection. Here it becomes weird, I am however to connect to these servers from a mobile LTE connection (mobile device). I am not sure if its an ISP issue or misconfiguration on the Mikrotik or browser issue.

Can someone please assist in this weird scenario I am having?

# 2024-10-23 05:51:10 by RouterOS 7.16.1
/interface bridge
add name=Bridge_Interfaces port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] name=ether5-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=Level7_ISP \
    user=<SensitiveString>
/interface list
add name=WAN
add name=LAN
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp ranges=192.168.5.10-192.168.5.50
/ip dhcp-server
add address-pool=dhcp interface=Bridge_Interfaces name=dhcp1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=Bridge_Interfaces interface=ether2-lan internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Interfaces interface=ether3-lan internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Interfaces interface=ether4-lan internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Interfaces interface=ether5-lan internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Interfaces interface=wifi1-lan internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Interfaces interface=wifi2-lan internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/interface list member
add interface=Level7_ISP list=WAN
add interface=Bridge_Interfaces list=LAN
/ip address
add address=192.168.5.1/24 interface=Bridge_Interfaces network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.29 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.5.0/24 list=LAN
add address=<SensitiveString> list=DynDNS_House
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
add action=accept chain=input comment="01._Accept ICMP (ping)" protocol=icmp
add action=drop chain=forward comment="02._Block Website L7" disabled=yes \
    dst-address-list=Block_Website
add action=reject chain=forward comment="02_B._Block website TLS Host" \
    disabled=yes dst-port=443 log=yes protocol=tcp reject-with=\
    icmp-network-unreachable tls-host=*.youporn
add action=accept chain=input comment=\
    "04._Allow public access to mikrotik router" dst-port=55111 log=yes \
    protocol=tcp
add action=accept chain=input comment="03._Accept established, related" \
    connection-state=established,related
add action=accept chain=input comment="05._Allow everything from Main Router" \
    src-address-list=LAN
add action=drop chain=input comment=\
    "06._Drop all packets which does not have unicast source IP address"
add action=drop chain=input comment=\
    "07._Drop all packets which are not destined to routes IP address"
add action=drop chain=input comment="08._Drop invalid connections" \
    connection-state=invalid
add action=accept chain=forward comment="09._Accept established, related" \
    connection-state=established,related
add action=accept chain=forward comment="10._Accept ICMP (ping)" protocol=\
    icmp
add action=accept chain=forward comment=\
    "11._Allow everything from Main Router" src-address-list=LAN
add action=accept chain=forward comment=\
    "12._Allow connect to outside internet" in-interface=Bridge_Interfaces
add action=drop chain=forward comment="13._Drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "14._defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1-wan
add action=drop chain=forward comment="15._Drop to bogon list" \
    dst-address-list=Bogons
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "(1). Allow Internal devices to access internal devices using the DDNS" \
    dst-address-list=DynDNS_House new-connection-mark=Hairpin_NAT \
    passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN
add action=dst-nat chain=dstnat comment=CCTV dst-address-list=DynDNS_House \
    dst-port=55112 in-interface-list=WAN log=yes protocol=tcp to-addresses=\
    192.168.5.36 to-ports=80
add action=dst-nat chain=dstnat comment="RDP Connection" dst-address-list=\
    DynDNS_House dst-port=55113 in-interface-list=WAN log=yes protocol=tcp \
    to-addresses=192.168.5.17 to-ports=3389
add action=dst-nat chain=dstnat comment=QBittorrentGUI dst-address-list=\
    DynDNS_House dst-port=55114 in-interface-list=WAN log=yes protocol=tcp \
    to-addresses=192.168.5.17 to-ports=8081
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=55111
set ssh disabled=yes
set www-ssl port=55111
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Mikrotik_House_HapAX3
/system note
set show-at-login=no
/system package update
set channel=long-term
/tool e-mail
set from="" tls=yes

TheCat12 · October 23, 2024, 7:26am

Looking at the config, most probably an ISP problem. Only one tip for the firewall: the fasttrack connection rule is a bit too forward for my liking, better put it somewehere after, for example, the “Accept established, related” one

willieneethling · October 23, 2024, 7:49am

Hi TheCat12,
At this very moment I am using that line as a place holder (disabled) state. Just to keep it nice. But noted on the fasttrack connection rule.

mkx · October 23, 2024, 8:46am

I’m not checking the config in details … but it does sound like you have to configure hairpin NAT.