Port Forwarding problems

Hi everyone. I have an RB760iGS, connected as main router. I’m trying to open ports for Plex Media Server or other similar services but they don’t work.
Considering that I have a FTTH ONT, connected to mikrotik by ether1, that my NAS’ IP is 192.168.1.24 and the external port should be 34375, I used the following command:

/ip firewall nat add chain=dstnat dst-port=34375 in-interface=pppoe-out1 protocol=tcp action=dst-nat to-addresses=192.168.1.24 to-ports=34375
(but I also tried to use in-interface=ether1 or nothing)

I also added a firewall rule:

/ip firewall filter add chain=input protocol=tcp action=accept dst-port=34375

Even if the command is sent and the rules are created inside MikroTik, Plex doesn’t work and, using a programme to check port status, the ports are always closed (every port I tried, the same result).

P.S: the strangest thing is that, inside my NAS, I also have a “Transmission” service (for torrents), which uses a different port. I don’t know why but this port is the only one that is open and fully working (the check programme sees the port as open). But if I decide to use this port for Plex or another service, it magically turns closed and there are no reasons to open -.-.

Could someone help me? Thanks

Make that a FORWARD rule and things will work.
Do not provide a “source-IP” for this rule or something. Just make a rule in the forward-chain pointing to IP + PORT of your server for the tcp-protocol.
I have similar setup.


For the Transmission/Torrent, you don’t have UPnP activated on the MikroTik so it can dynamically punch holes in your firewall? (PS: You should disable the UPnP stuff)

The rule in chain=input is useless, it would have to be in chain=forward (input is for the router itself, forward is for forwarded traffic). But it’s even better to use a common rule to allow all forwarded ports at once:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

Also check if the dstnat rule is getting any hits.

Another problem could be with your testing, it depends on whether you’re trying to connect from the internet or from the same LAN. In the latter case you need to read this:

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Hi guys and thanks for the fast reply.

So, I tried this advice but without any result. Everything seems to be the same as before.

I didn’t understand the “Hairpin NAT” very well but all I want to do is open a specific port, in order to make a Plex server (or an OpenVPN server) reachable from another network. When I used a commercial router it was easy to get everything working but here, it’s another world.

The “hairpin” is essential if you are testing from WITHIN your own network! E.g. you have a Plex app on your mobile connected to your home LAN and you want to test by connecting to the Plex server on your PUBLIC IP (or some DynDNS name associated with it).
By default this will not work, and with Hairpin_NAT you can fix this.

So how did you “test”? Are you really coming from the outside world trying to hit your Plex server?

On the Plex interface, is everything configured correctly for “Remote Access”? What does it say? It performs a remote-access test from their Amazon AWS systems to see if your Plex is fully reachable.

No, I’m not trying to test it using public IP. I’m just checking the port status.
In my previous router, after setting the port, Plex media server gave me access (the green status inside “Remote Access” section). Now, when I specify the port I want and I test connection, Plex remote access is green for 3-5 seconds; after that, it turns red again.

I checked the config many, many times. I think that everything is correct so I don’t really know why it doesn’t work.

p.s: UPnP is disabled. I don’t know why only the Transmission port works. When I try enabling it, Plex and the other services still don’t work.

Did you manually specify the port in Plex ?
I’ve selected that box and I’m using port 32400 for Plex.

Hmm, very difficult to troubleshoot through some forum posts.
But I’m sure the Mikrotik config should do it. I have exactly the same.
Make sure the firewall-rules in the FORWARD chain are above in the list to be hit early. If you create a new one it is added on the bottom and you might not want this.

Reset the counters on the packet-filter, enable/disable the remote access in Plex and see if the counters go up.
You really have to do this sort of troubleshooting in order to understand.

Yes, I did.
Is there a command I can use to export my MikroTik config and post it here?
I performed a counter reset and it goes up.

If the counter goes up for the dstnat rule, it means that it sees packets and forwards them to the configured destination. If they are not blocked by the firewall filter, you can see them on the LAN interface using Tools->Torch or you can add a logging rule to postrouting:

/ip firewall mangle
add chain=postrouting dst-address=192.168.1.24 protocol=tcp dst-port=34375 action=log

You can use a similar rule to see if the server is responding:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.24 protocol=tcp src-port=34375 action=log

If the first one logs something and the second one doesn’t, then the server is not responding and you need to check its configuration.

You can export config with:

/export hide-sensitive file=myconfig

and post the content of the resulting myconfig.rsc here in code tags.

They log both but the port is always seen as closed (by programme and plex) :open_mouth:

My experience with port forwarding is that if you limit access on the destination nat rule (such as my source address list), the associated port on the router will be invisible on an external scan.
If you have no such list (no limits on access to specific WANIPs) then the port is visible but appears closed. Hope that helps.

Sorry, I missed this one. If you see both the incoming request and the outgoing response, and if it’s not a connection reset, then it’s an open port. In theory, since it’s prerouting on the LAN interface, the response could be blocked later in the forward chain, but it’s extremely unlikely.
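
The reasoning in the two logging-rule posts above (request logged in postrouting, reply logged in prerouting, reset or not), written out as an added example that is not part of the original thread. The log lines are constructed and only approximate RouterOS firewall log output; the client addresses and interface names other than pppoe-out1 are assumptions.

```python
import re

# Constructed sample lines approximating what the two mangle log rules from
# the thread would record; only 192.168.1.24:34375 comes from the thread.
SAMPLE_LOG = """\
postrouting: in:pppoe-out1 out:bridge, proto TCP (SYN), 203.0.113.5:51514->192.168.1.24:34375, len 60
prerouting: in:bridge out:(unknown 0), proto TCP (SYN,ACK), 192.168.1.24:34375->203.0.113.5:51514, len 60
postrouting: in:pppoe-out1 out:bridge, proto TCP (SYN), 198.51.100.9:40022->192.168.1.24:34375, len 60
prerouting: in:bridge out:(unknown 0), proto TCP (ACK,RST), 192.168.1.24:34375->198.51.100.9:40022, len 40
postrouting: in:pppoe-out1 out:bridge, proto TCP (SYN), 192.0.2.77:33001->192.168.1.24:34375, len 60
"""

# Assumed line layout: "<chain>: in:... proto TCP (<flags>), <src>-><dst>, ..."
LINE = re.compile(
    r"(?P<chain>prerouting|postrouting): in:.*?proto TCP \((?P<flags>[A-Z,]+)\), "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)"
)

NO_REPLY = "no response from server"


def classify(log_text, server="192.168.1.24:34375"):
    """Return {client: verdict} for every SYN that was forwarded to `server`."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split(","))
        if m["chain"] == "postrouting" and m["dst"] == server:
            if flags == {"SYN"}:  # new connection attempt reached the LAN side
                verdicts.setdefault(m["src"], NO_REPLY)
        elif m["chain"] == "prerouting" and m["src"] == server:
            client = m["dst"]
            if verdicts.get(client) != NO_REPLY:
                continue  # no logged request, or handshake already decided
            if "RST" in flags:
                verdicts[client] = "closed (connection reset)"
            elif {"SYN", "ACK"} <= flags:
                verdicts[client] = "open"
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify(SAMPLE_LOG).items():
        print(f"{client:>22}  {verdict}")
```
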