I only need to realize port forward from WAN to internal IP address 192.168.88.247, port 44158. I read all topics about the problem, but nothing helps me… Here is my config.
Can someone help me and say where I'm doing wrong?
Obviously you have more config than that. Please post your complete config. To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Agreed, it's clear you need help with rules in general.
Please post config
/export hide-sensitive file=anynameyouwish
Q1. Are you only providing the server for EXTERNAL USERS?
Q2. Are there users on your LAN using the server, and if so how are they connecting to it (by LANIP?)
Q3. If by WANIP are they on the same subnet as the server?
First, thanks for the help. Here is my code.
I provide this server only for external users. But when I check it on the LAN (via telnet and LAN IP) I saw the port is open.
# feb/24/2022 05:28:40 by RouterOS 7.1
# software id = 005S-1G8Z
#
# model = D53G-5HacD2HnD
# serial number = D7B10E08BA10
/interface bridge
add name=local
/interface wireless
set [ find default-name=wlan1 ] country=croatia disabled=no mode=ap-bridge \
ssid=Grlica wireless-protocol=802.11
set [ find default-name=wlan2 ] country=croatia disabled=no frequency=5200 \
mode=ap-bridge ssid="Grlica 5G" wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface lte apn
add apn=internet.ht.hr default-route-distance=1 use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=internet.ht.hr band=3 name=lte1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=wlan1
add bridge=local interface=ether1
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=wlan2
/interface list member
add interface=lte1 list=WAN
add interface=local list=LAN
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=yes
/ip dhcp-server lease
add address=192.168.88.247 client-id=1:e2:e1:a9:a:e1:73 mac-address=\
E2:E1:A9:0A:E1:73 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
new in-interface=lte1
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment=Hel dst-port=44158 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.88.247 to-ports=44158
add action=masquerade chain=srcnat out-interface=lte1 out-interface-list=WAN
/ip service
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Test_Router
/system routerboard settings
set cpu-frequency=auto
/tool bandwidth-server
set enabled=no
For this line you have duplication (you can use either) but you don't need to use both… redundant:
add action=masquerade chain=srcnat out-interface=lte1 out-interface-list=WAN
Now it is normal for any port being DST-NATTED on mikrotik to show the port as EXISTING on a scan but it should show up CLOSED. So open is weird??
Try using an external port checker; the one I use is Gibson's: https://www.grc.com/x/ne.dll?bh0bkyd2
Much better is to put a further limitation on the dst-nat rule by adding source address or source address list.
In other words, assuming you know who is using your server, they should provide you with their public IP or their dyndns type name so that you can create a source address list.
Then the port should not even show up on any scans.
First of all, thanks for your advice… I will remove the duplicate line when I come home…
Then; the server is actually some blockchain miner, which needs to communicate with all blockchain users… so I haven't got a source address; it doesn't exist…
And I was doing testing with an online port checker…
I will look to check firewall rules but first I must solve this problem…
The second one connects via a LAN cable to the first one with the local IP 192.168.1.150.
The second one is connected to a MikroTik VPN (the VPN local IP is 192.168.73.150 and the public IP is 141.x.x.x).
The second router/device is running a service on port tcp/44158.
Without the VPN connected, if I check the open port from <public_ip>:44158 (first router, which has port 44158 forwarded) it says it's open, but when the VPN is connected, if I check the MikroTik public_ip:44158 it says the port is closed, and the same for router one.
I've set the below rule for Firewall/NAT on the MikroTik:
action=dst-nat, chain=dstnat, protocol=tcp, dst port=44158, in-interface=eth1, to address=192.168.73.150, port=44158
do you have any suggestions?
Thank you
@thevayne - Yes start your own thread …
a. Firewall Rule: add chain=forward action=accept connection-nat-state=dstnat
b. Source Nat Rule:
case1: Dynamic WANIP add chain=srcnat action=masquerade out-interface-list=WAN { will also work for fixed/static WANIPs but not as technically correct }
c. Destination Nat Rule:
case1: Dynamic WANIP add chain=dstnat action=dst-nat dst-port=xxxx protocol=yyy in-interface-list=WAN to-addresses=IPofServer { to-ports not required if same as dst-port }
and get (I know maybe some are doubled… the last, but I try everything)… but nothing
Try using winbox as perhaps my syntax is not good enough/accurate for CLI
In terms of firewall rules, unplug the WAN Side ethernet cable and then delete all the firewall rules and start fresh!!!
Start with the first one and work your way down the list - https://forum.mikrotik.com/viewtopic.php?t=180838
Starting with … add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
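Pulling the pieces of anav's advice together (the single masquerade rule instead of the duplicated pair, the dst-nat rule limited by a source address list, and the "start fresh from the default rules" sequence): the following is an added example, not the original poster's export and not the content of the linked thread. The filter rules are the RouterOS default-configuration ("defconf") set as shipped in RouterOS 7, in the order the default config creates them; the interface lists WAN and LAN are assumed to exist as in the posted config (lte1 in WAN, bridge "local" in LAN); the address-list name miner-clients and its entries are constructed placeholders from the documentation ranges.

```routeros
# Added example, not the thread's own config. Assumes interface lists WAN (lte1)
# and LAN (bridge "local") exist as in the posted export.

# 1. Filter rules in RouterOS default-configuration order. Paste with the WAN
#    side unplugged after removing the old rules, as anav suggests.
/ip firewall filter
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=drop comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
# anav's rule (a): let new connections that were dst-natted through
add chain=forward action=accept comment="accept port-forwarded connections" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# 2. Known clients of the forwarded service (constructed placeholder entries,
#    documentation ranges; replace with the public IPs your users give you).
/ip firewall address-list
add list=miner-clients address=203.0.113.10 comment="example client (placeholder)"
add list=miner-clients address=198.51.100.0/24 comment="example client subnet (placeholder)"

# 3. NAT: anav's rule (b) once, and rule (c) restricted to the listed sources.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="single masquerade rule; no second out-interface=lte1 copy"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=44158 src-address-list=miner-clients to-addresses=192.168.88.247 comment="port forward; remove src-address-list= to accept any source"
```

With src-address-list set, a connection from an address that is not on the list never matches the dst-nat rule, so it hits the final "drop all from WAN not DSTNATed" rule and the port does not appear in an external scan at all; that is the behaviour anav describes. If, as the original poster says later, the peers cannot be enumerated, drop the src-address-list= parameter and the same rule forwards from any source.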
404Network… I tried what anav posted… I wrote it all… but I must remove the last drop because with it I haven't got internet…
But with all this nothing changed… the port is still closed
404Network… I did exactly what you posted… There was only one little difference…
In
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
the GUI adds that, and when I add that rule on top of all rules the GUI comments "…special dummy rule to show fasttrack counters".
And below that the GUI adds: add chain=forward action=passthrough
I would add some servers, and there is no need to add 192.168.88.1 as it's already noted in your ip dhcp network
/ip dns
from set allow-remote-requests=yes servers=192.168.88.1
to
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
Cleaned up a bit, correct order, enabled some, removed some duplicates etc…
404Network… I don't understand… how can I surf the internet without a public IP?
…
Hey, I read that…
I looked at my public IP in the browser, on a port checker. But it isn't the same as the one in the Address list… In that list is some kind of private address… something like 10.x.y.z
I can't see now because I'm not home… but I will post
404Network… I read my local forums and see that my mobile operator uses CGNAT… Now I know why this can't work… Many people on the forum called the ISP to ask for the possibility to implement port forwarding but nothing… Is there some solution via VPN?
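The check the original poster did by hand (comparing the address on the LTE interface with the address a web port checker reports) can be scripted on the router itself. This is an added example, not from the thread: a RouterOS script that flags a WAN address from the CGNAT range (100.64.0.0/10) or from the RFC 1918 private ranges and prints the address that /ip cloud sees from the Internet for comparison. It assumes the WAN interface is named lte1 as in the posted export and that /ip cloud has ddns-enabled=yes (the posted config does not enable it), otherwise the public-address field is empty.

```routeros
# Added example, not the thread's own config. Assumes the WAN interface is lte1
# and that /ip cloud ddns-enabled=yes so public-address is populated.
:local wanIf "lte1"
:local ids [/ip address find interface=$wanIf]
:if ([:len $ids] = 0) do={
    :log warning ("no IPv4 address on " . $wanIf)
} else={
    # address is stored as "a.b.c.d/len"; keep only the host part
    :local cidr [/ip address get [:pick $ids 0] address]
    :local wanIp [:toip [:pick $cidr 0 [:find $cidr "/"]]]

    # shared (CGNAT) and private ranges: an address here means the ISP is
    # translating, so an inbound dst-nat on this router cannot be reached
    :local natted false
    :foreach net in={100.64.0.0/10; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16} do={
        :if ($wanIp in $net) do={ :set natted true }
    }

    :if ($natted) do={
        :log warning ("WAN address " . $wanIp . " is a CGNAT/private address; port forwarding on this router will not work")
    } else={
        :log info ("WAN address " . $wanIp . " is a public address")
    }

    # what the Internet sees; if this differs from $wanIp, traffic is translated upstream
    :local cloudIp [/ip cloud get public-address]
    :log info ("address seen from the Internet via ip cloud: " . $cloudIp)
}
```

Paste the block into a terminal window (or save it under /system script and run it), then read the result in /log print. The 10.x.y.z address the original poster saw in the Address list would trip the second range in the list and log the warning; the ip cloud line then shows the operator's public address that the web port checker reported.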