Port forwarding problems

RouterOS Beginner Basics
1

Hi, I’m trying to get portforwarding working and have tried quite a few things but nothing has worked.
The setup is a little strange cause the fttc comes in and goes to a technicolor router first (using it as a “modem”, wifi disabled and one ethernet connected, to ether1 of mikrotik router) which has login details then using a mikrotik router to connect to all the devices.
I have tried:

  • adding port forwarding to technicolor router & setting it’s firewall to low meaning it wont silently drop incoming traffic
  • disabling “drop all not coming from LAN” rule
  • various versions of the dstnat rule for port forwarding

testing with https://www.yougetsignal.com/tools/open-ports/

/ip firewall filter
add action=accept chain=input comment="Management" dst-port=22 protocol=tcp src-address=[redacted]
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forwarding" dst-port=25565 in-interface=ether1 protocol=tcp to-addresses=192.168.88.176

Any ideas?
Thanks in advance
Thomas :slight_smile:

2

have to see the whole config, nothing of significance to stop port forwarding in what you have shown!
/export hide-sensitive file=anynameyouwish

Plus how does inbound traffic get from first device to mikrotik? public IP, private IP??

3

Two things:

  • Your dstnat rule, if you check its counters, are they non-zero?
  • Mainly if not, public address, do you know what it is and are you sure you have it (on the first router)?
4

Here’s the exported:

# apr/03/2022 19:28:44 by RouterOS 6.44.6
# software id = X6DX-16TW
#
# model = RBD52G-5HacD2HnD
# serial number = [redacted]
/interface bridge
add admin-mac=C4:AD:34:9C:53:93 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="adsl link"
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out3 use-peer-dns=yes \
    user=[redacted]
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=[redacted] \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=[redacted] wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add comment="v usb tethering with moto g6 to unlimited smarty plan." list=WAN
add comment="ADSL link" list=WAN
add comment="adsl ether 1" interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.102/24 comment=adsl interface=ether1 network=\
    192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Management" dst-port=22 protocol=\
    tcp src-address=[redacted]
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forwarding" dst-port=25565 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.176
/ip route
add comment="adsl the one i added" distance=1 gateway=192.168.1.1
/ip smb
set enabled=yes
/ip smb shares
add directory=/disk1 name=disk1share
/ip smb users
[redacted]
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=[redacted]
/system logging
add topics=lte
/system package update
set channel=long-term
/tool graphing interface
add interface=pppoe-out1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Mikrotik is at 192.168.88.1 as usual and that connects to technicolor at 192.168.1.1 which I believe then connects to the public ip.

currently at 5kib with 94 packets so tiny but non zero. (this is with that drop all not from lan rule enabled)

5

Your setup is confused on the wan side.
Why do you have any pppoe client if the IP is a fixed private IP from an ADSL modem?

Further its not clear how the modem pushes any traffic to the mikrotik?
Is there a port forwarding menu on the modem, or a way to set static routes?

6

That’s a good point, when I was trying to get something to work I did try quite a few things and didn’t tidy up. I’ve removed all of them except the correct one which is the ether1 one.

Hmm ok, so because the public/private ip “barrier” would be at the “modem”, I should be doing the port forwarding from there?

I’ve had a better look at the technicolor end and it seems to have its own dhcp server because the only ip it autocompletes is 192.168.1.102. It will only accept 192.168.1.X address in that field.

Looking from the mikrotik end:




The technicolor does have something for static routes but I can’t change anything on there.

7

Yes, you need to forward port from first router. If static routes and forwarding directly to .88.x address doesn’t work, then use whatever RB gets on ether1 (192.168.0.103 according to your screenshot). You must have had that before if dstnat rule on RB had non-zero counters.

8

As sob stated, the technicolor port forward has to be the same PRIVATE IP that the mikrotik is getting from the technicolour modem
Then it will all work!

If you think about it, the Technicolour modem has not awareness of the private LAN behind the mikrotik it is hidden behind NAT.
Thus the router doesnt know where to send the information.
However the technicolor knows about the mikrotik so it will send the traffic onward to the MT, for the destination port on the incoming traffic.
The MT will get the traffic and say oh okay for that destination port, I have a dst-nat rule, and the filter rule allows such traffic and it will reach the intended server.

9

If you think about it, the Technicolour modem has not awareness of the private LAN behind the mikrotik it is hidden behind NAT.
Thus the router doesnt know where to send the information.
However the technicolor knows about the mikrotik so it will send the traffic onward to the MT, for the destination port on the incoming traffic.
The MT will get the traffic and say oh okay for that destination port, I have a dst-nat rule, and the filter rule allows such traffic and it will reach the intended server.

Ah that makes a lot of sense.

Setting technicolor to .1.103 (and opening the server) fixed it. Now works flawlessly.

Thank you both :slight_smile: