Port Forwarding not working

Hi All,
I am new to Mikrotik and was wondering if someone could assist me with getting Port Forwarding to work as it should.

I have seen a couple of videos and, with trial and error, I am still not able to get this to work.

Description:
I would like to access my servers from outside my network on specific ports from anywhere using the Mikrotik Cloud Address and not the public address.

Issues:

  • I am not able to connect from outside the network.
  • Log error captured: (dstnat: in:pppoe-out1 out:(unknown 0), connection-state:new proto TCP (SYN), 105.245.102.247:43502->102.217.111.245:55111, len 64)
  • Portable device: (Connection timed out)

Notes:

  • I have disabled the firewall on the OS level and still the same issue.

Exported Firewall Filter and NAT:
/ip firewall address-list
add address=(Hidden Info) list=PublicDNS
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
add address=192.168.5.0/24 list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark incoming connections from the WAN port" in-interface=ether1 new-connection-mark=Incoming_From_WAN passthrough=yes
add action=mark-packet chain=forward comment="Mark all incoming packets from the WAN port" connection-mark=Incoming_From_WAN new-packet-mark=Incoming_Packets_From_WAN passthrough=yes
add action=mark-connection chain=prerouting comment="Mark upload connections to WAN port" in-interface=Lan_Bridge new-connection-mark=Upload_Connections_to_WAN passthrough=yes
add action=mark-packet chain=prerouting comment="Mark upload packets to WAN port" connection-mark=Upload_Connections_to_WAN new-packet-mark=Upload_Packets_To_WAN passthrough=yes
add action=mark-packet chain=forward comment="Mark HTTP/HTTPS traffic (Download)" new-packet-mark="HTTP/HTTPS Traffic (Download)" packet-mark=Incoming_Packets_From_WAN passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment="Mark HTTP/HTTPS traffic (Upload)" new-packet-mark="HTTP/HTTPS Traffic (Upload)" packet-mark=Upload_Packets_To_WAN passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment="Mark all other download packets" new-packet-mark=All_Other_Download_Packets packet-mark=Incoming_Packets_From_WAN passthrough=no
add action=mark-packet chain=forward comment="Mark all other upload packets" new-packet-mark=All_Other_Upload_Packets packet-mark=Incoming_Packets_From_WAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAT_To_Qbittorrent dst-address-list=PublicDNS dst-port=55111 log=yes protocol=tcp to-addresses=192.168.5.39 to-ports=8080

Your help would be appreciated.

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Because you are using a pppoe connection, your in-interface above is incorrect.
Why was the connection-state added?

It will probably work when you change it to:

add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
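As an added example (not code from the thread or from MikroTik), the following Python parses firewall log entries in the format quoted above and applies the check erlinden makes: the interface the packet actually arrived on (`in:pppoe-out1`) versus the interface the filter rules match (`ether1`). The sample lines are constructed copies of the ones quoted in the thread; the log format assumed is what RouterOS writes for a rule with `log=yes`.

```python
"""Parse RouterOS firewall log lines and flag the usual port-forward pitfalls."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed samples modelled on the two entries quoted in this thread.
SAMPLE_LOGS = [
    "(dstnat: in:pppoe-out1 out:(unknown 0), connection-state:new proto TCP (SYN), "
    "105.245.102.247:43502->102.217.111.245:55111, len 64)",
    "(dstnat: in:pppoe-out1 out:(unknown 0), connection-state:new proto TCP (SYN), "
    "105.245.102.247:33167->102.217.111.245:8080, len 60)",
]

# "<prefix>: in:<if> out:<if>, connection-state:<s> proto <P> (<flags>), a:b->c:d, len N"
LOG_RE = re.compile(
    r"^(?P<prefix>[^:]+): in:(?P<in_if>\S+) out:(?P<out_if>\([^)]*\)|\S+), "
    r"connection-state:(?P<cstate>\S+) proto (?P<proto>\S+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


@dataclass
class LogEntry:
    prefix: str      # the log prefix; RouterOS uses the rule's chain/name here
    in_if: str       # interface the packet arrived on
    out_if: str      # "(unknown 0)" before routing has picked an egress interface
    cstate: str
    proto: str
    flags: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_log(line: str) -> LogEntry:
    """Parse one log line; the thread quotes them wrapped in parentheses, so strip those."""
    line = line.strip()
    if line.startswith("(") and line.endswith(")"):
        line = line[1:-1]
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    g = m.groupdict()
    return LogEntry(g["prefix"], g["in_if"], g["out_if"], g["cstate"], g["proto"],
                    g["flags"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                    int(g["len"]))


def diagnose(entry: LogEntry, filter_in_ifaces: Set[str],
             dstnat_port: int, to_port: int) -> List[str]:
    """Compare a logged packet with the interfaces and ports the rules reference.

    filter_in_ifaces: interface names the forward-chain rules match on (assumed input).
    dstnat_port / to_port: dst-port and to-ports of the dst-nat rule.
    """
    findings = []
    if entry.prefix == "dstnat":
        findings.append("dstnat rule matched: the packet reached the router on the "
                        "public address, so the public side is fine")
    if entry.in_if not in filter_in_ifaces:
        findings.append(f"packet arrived on {entry.in_if} but the filter rules match "
                        f"{sorted(filter_in_ifaces)}; use in-interface-list=WAN instead")
    if entry.dport not in (dstnat_port, to_port):
        findings.append(f"logged dst port {entry.dport} is neither the forwarded port "
                        f"{dstnat_port} nor the target port {to_port}")
    if entry.proto == "TCP" and entry.flags == "SYN" and entry.cstate == "new":
        findings.append("this is the first packet of a new TCP connection; if nothing "
                        "follows it, check the forward chain and the server itself")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        e = parse_log(raw)
        print(f"{e.src}:{e.sport} -> {e.dst}:{e.dport} via {e.in_if}")
        for f in diagnose(e, {"ether1"}, 55111, 8080):
            print("  -", f)
```

Run against the first quoted entry with the original rule set (`in-interface=ether1`), it reports the interface mismatch; with `pppoe-out1` added to the matched interfaces (the effect of `in-interface-list=WAN`) that finding disappears.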

Thanks erlinden,

I have changed the in-interface to WAN; however, it appears that the issue still exists.

Getting the following errors:

  • (dstnat: in:pppoe-out1 out:(unknown 0), connection-state:new proto TCP (SYN), 105.245.102.247:33167->102.217.111.245:8080, len 60)
  • Remote device (Connection timed out)

Is there anything else I could try?

add action=dst-nat chain=dstnat comment=NAT_To_Qbittorrent dst-address-list=PublicDNS dst-port=55111 log=yes protocol=tcp to-addresses=192.168.5.39 to-ports=8080

Is your PublicDNS indeed your public IP address?
Which rule is logging the mentioned log entry?
Is there anything responding on 192.168.5.39:8080 (if you test it locally)?

Is your PublicDNS indeed your public IP address? → Yes
Which rule is logging the mentioned log entry? → The [add action=dst-nat chain=dstnat comment=NAT_To_Qbittorrent dst-address-list=PublicDNS dst-port=55111 log=yes protocol=tcp to-addresses=192.168.5.39 to-ports=8080]
Is there anything responding on 192.168.5.39:8080 (if you test it locally)? This is working internally.

I have noticed another thing: it appears that the "Cloud DNS" inside the MikroTik is not working…

Normally it starts with "d7160d.sn.mynetname.net".

(1) You can easily check if your MYNETNAME is working or not.
In IP Cloud it should show you the resolved address:
" public address= W.X.Y.Z "

You can double check this on your firewall address list entry.

/ip firewall address-list
add address=MYNETNAME list=myWAN

When you check, in winbox, your entry it will show it as two lines, the first line is like a comment with your netname and the second line with a D for dynamic the resolved IP.

:::mynetname.net
D o myWAN ---------------------- W.X.Y.Z … DATE

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(2) Ensure your firewall forward chain rule shows the following:

/ip firewall filter (forward chain only)
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

(3) If you have USERS attempting to access a server in the SAME SUBNET you will need a source nat rule for that:
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 ( assumes server and users in 192.168.88.0/24 subnet ).

(4) In terms of your destination NAT port forwarding rule… it would appear to be okay on the surface.
It looks like it should work IF the public DNS resolved IP is the same WAN IP your router gets.
It's no use to put in the public IP of an upstream router like your ISP's.

The rule should always reference the actual WANIP assigned to the router,
For fixed/static IP (private or public ) one can use dst-address=static IP
For public and dynamic IP the IP cloud or dst-address-list=MyWAN works great.

Last comment. It's not clear why you are mangling, as your config is incomplete.
Be careful, as you may be mangling server traffic unintentionally.
If the fixes provided don't work, then I suspect the issues may be with
a. ridonkulous firewall rules
b. mangling interference
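Point (3) above (and the later question about using the DDNS name from inside the LAN) is the hairpin NAT case. The following is an added, simplified model of the address rewriting on each hop, not RouterOS code and not part of this thread; it only tracks source/destination addresses, which is enough to show why the client never gets a usable reply without the extra masquerade rule. The router LAN address and the `W.X.Y.Z` public address are constructed placeholders.

```python
"""Model of a same-subnet client reaching a dst-nat'd server via the router's public IP."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


ROUTER_LAN_IP = "192.168.88.1"   # assumed LAN address of the router
WAN_IP = "W.X.Y.Z"               # placeholder public address, as written in the thread


def hairpin_flow(client: str, server: str, wan_ip: str,
                 hairpin_masquerade: bool) -> Dict[str, object]:
    """Trace client -> wan_ip (dst-nat to server) with or without the srcnat hairpin rule.

    client and server are assumed to share one subnet, so a packet from server to
    client is delivered directly by the switch and never passes the router.
    """
    # 1. Client connects to the public address, exactly as an outside host would.
    from_client = Packet(client, wan_ip)
    # 2. dst-nat on the router rewrites the destination to the server.
    after_dstnat = Packet(client, server)
    # 3. The optional srcnat masquerade (point 3 above) also rewrites the source,
    #    so the server's reply must come back through the router.
    to_server = Packet(ROUTER_LAN_IP, server) if hairpin_masquerade else after_dstnat
    # 4. The server answers whatever source address it saw.
    reply_from_server = Packet(server, to_server.src)
    if hairpin_masquerade:
        # Reply lands on the router, which undoes both translations.
        reply_seen_by_client = Packet(wan_ip, client)
    else:
        # Same subnet: the reply goes straight to the client with the server's own IP.
        reply_seen_by_client = reply_from_server
    # A TCP stack only matches a reply to the connection it opened if the reply's
    # source is the address it connected to; anything else is dropped as unrelated.
    accepted = reply_seen_by_client.src == from_client.dst
    return {
        "to_server": to_server,
        "reply_from_server": reply_from_server,
        "reply_seen_by_client": reply_seen_by_client,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for hairpin in (False, True):
        r = hairpin_flow("192.168.88.50", "192.168.88.39", WAN_IP, hairpin)
        print(f"hairpin masquerade={hairpin}: client sees reply from "
              f"{r['reply_seen_by_client'].src}, accepted={r['accepted']}")
```

Without the hairpin rule the server replies directly to the client from its own LAN address, which does not match the public address the client connected to, so the connection times out; with it, the reply is forced back through the router and arrives looking as if it came from the public address.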

Hi, just an update.

I got the port forwarding to work from external; it seems that my server was the issue in the end.

However, the issue that I am currently facing is using the DDNS internally inside my network. Any ideas around that particular issue?

Fixed the issue as there is a YouTube video that assisted me with something small.

I am happy where I am at and this thread can be closed off.

Thanks for the assists, guys.