port forwarding not working

silverd · October 2, 2018, 12:33am

New to this and mikrotik and could really use some help ...my issue is I've followed the port forwarding but it's not working. have a CCR1009-8G-1S-1S+ w/multiple subnets, across a couple of buildings on a campus.
building 1->2 connected via fiber, buildings 2->3 via cat5. have Linksys sge2000 in both building 1&2, dvr/cameras (bob subnet) are in building 2 (spf->Linksys sge2000) don't know if more info needed but happy to provide if someone knows why I can't get through

model = CCR1009-8G-1S-1S+

serial number = 4XXXXXXXXXXX

/interface bridge
add fast-forward=no name=BR-crap
add fast-forward=no name=BR-bob
add fast-forward=no name=BR-Residence
add fast-forward=no name=BR-Security
add fast-forward=no name=BR-VOIP
add fast-forward=no name=BR-WAN
/interface ethernet
set [ find default-name=ether2 ] comment="WiFi 192.168.0.4"
set [ find default-name=ether6 ] comment="security computer 192.168.3.100"
set [ find default-name=ether7 ] comment=
"to pc crap switch port 2 sge2000 192.168.0.3"
set [ find default-name=ether8 ] comment=
"Internet to centurylink modem port 1"
set [ find default-name=sfp1 ] comment="link to bob and residence"
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=
BR-WAN keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=
pppoe-out1-centutylink
/interface pptp-client
add connect-to=198.144.108.5 disabled=no name=pptp-out1
/interface vlan
add interface=ether7 name=vlan12-7-VOIP vlan-id=12
add interface=sfp1 name=vlan12-sfp1-VOIP vlan-id=12
add interface=sfp1 name=vlan13-Residence vlan-id=13
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool1-reosrt ranges=192.168.1.50-192.168.1.60
add name=pool2-residence ranges=192.168.4.20-192.168.4.40
add name=pool3-VOIP ranges=10.254.0.50-10.254.0.52
add name=pool-crap ranges=192.168.0.2-192.168.0.4
/ip dhcp-server
add address-pool=pool1-reosrt disabled=no interface=BR-bob name=
DHCPD-bob
add address-pool=pool2-residence disabled=no interface=BR-Residence name=
DHCPD-Residence
add address-pool=pool3-VOIP disabled=no interface=BR-VOIP name=DHCPD-VOIP
add address-pool=pool-crap interface=BR-crap name=DHCPD-crap
/interface bridge port
add bridge=BR-crap hw=no interface=ether7
add bridge=BR-WAN hw=no interface=ether8
add bridge=BR-bob interface=sfp1
add bridge=BR-Security interface=ether6
add bridge=BR-crap interface=ether2
add bridge=BR-Residence interface=vlan13-Residence
add bridge=BR-VOIP interface=vlan12-7-VOIP
add bridge=BR-VOIP interface=vlan12-sfp1-VOIP
add bridge=BR-crap interface=ether5
add bridge=BR-VOIP interface=*16
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1
network=192.168.88.0
add address=192.168.0.1/24 interface=BR-crap network=192.168.0.0
add address=192.168.1.1/24 interface=BR-bob network=192.168.1.0
add address=192.168.3.1/24 interface=BR-Security network=192.168.3.0
add address=192.168.4.1/24 interface=BR-Residence network=192.168.4.0
add address=10.254.0.1/24 interface=BR-VOIP network=10.254.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=BR-WAN
/ip dhcp-server lease
add address=192.168.1.51 client-id=1:0:23:63:31:1:3c mac-address=
00:23:63:31:01:3C server=DHCPD-bob
/ip dhcp-server network
add address=10.254.0.0/24 dns-server=4.2.2.2,8.8.8.8 gateway=10.254.0.1
add address=192.168.0.0/24 dns-server=192.168.0.2,8.8.8.8 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=192.168.1.1
add address=192.168.4.0/24 dns-server=4.2.2.2,8.8.8.8 gateway=192.168.4.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.2,8.8.8.8
/ip firewall address-list
add address=192.168.0.2 comment=Server list=support
add address=192.168.0.1 comment="crap router" list=router
add address=192.168.4.1 comment=Residence list=router
add address=192.168.1.1 comment="bob" list=router
add address=10.254.0.1 comment=VOIP list=router
add address=192.168.88.1 comment="Default ether1" list=router
add address=192.168.1.51 comment=DVR list=dvr
/ip firewall filter
add action=drop chain=forward dst-port=53 in-interface=BR-WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1-centutylink
add action=dst-nat chain=dstnat dst-port=9000 in-interface=BR-bob
log=yes log-prefix=dst-nat protocol=tcp to-addresses=192.168.1.51
to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 in-interface=BR-bob
protocol=udp to-addresses=192.168.1.51 to-ports=9000
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name="bob"
/system leds
set 0 interface=sfp-sfpplus1
set 1 interface=sfp-sfpplus1
set 2 interface=sfp1please forgive forum faux pas as new to this
mod.txt (4.66 KB)

Anumrak · October 2, 2018, 7:08am

Wrong interface:
add action=dst-nat chain=dstnat dst-port=9000 in-interface=BR-bob
log=yes log-prefix=dst-nat protocol=tcp to-addresses=192.168.1.51
to-ports=9000

BR-bob should be pppoe-out1-centutylink.

nescafe2002 · October 2, 2018, 7:30am

Kudos for providing correct info (situation + config) in your first post

You may also use dst-address-type=local instead of in-interface to forward connections directed to your router (either internally or externally).

silverd · October 2, 2018, 1:03pm

thanks for responses…changed interface and still can’t get to 192.168.1.51
thanks again silverd

silverd · October 2, 2018, 2:08pm

It works! thanks all…i had external ip in there where it didn’t need to be obviously(wasn’t in code) still can’t get in on “mobile” port but progress
thanks so much
silverd

Anumrak · October 2, 2018, 2:08pm

What exactly ip address do you receive from ISP? If you behind his NAT, port forwarding won’t work.