Port Forwarding through the NAT rules gives me Error: gateway timeout. Couple of other questions as well.

Introduction as this my first post:

First of all, you have my and many others' great thanks, to every supporter, for all of your work on such a great service and community.

I'm a starter in this field, getting certification for the first level of routing and switching (not MikroTik at the moment) just to enter some job interviews and start in the networking field. I'm not sure I can mention the name of the other company here. However, the firewall and the hotspot concepts are great puzzles to me at this point, so I'm sorry if this sounds too n00b or I post this in the wrong section or something; this is my first post.


The problem:

1- The main problem: I get connection slowness and gateway timeout (I get a timeout pinging from my PC to the gateway as well) unless I disable the port forwarding rules that I made for using a BitTorrent application. Here are my NAT rules, which have four rules for opening (forwarding) two ports (I got this from the MikroTik documentation) on the TCP and UDP protocols.

I use version 5.26 by the way.

[screenshot attachment: 2015-10-05_20-16-22.jpg]

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.88.0/24
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=no dst-port=65529 in-interface=wan \
    protocol=tcp to-addresses=192.168.88.49 to-ports=65529
add action=dst-nat chain=dstnat disabled=no dst-port=65529 in-interface=wan \
    protocol=udp to-addresses=192.168.88.49 to-ports=65529
add action=dst-nat chain=dstnat disabled=no dst-port=65520 in-interface=wan \
    protocol=tcp to-addresses=192.168.88.49 to-ports=65520
add action=dst-nat chain=dstnat disabled=no dst-port=65520 in-interface=wan \
    protocol=udp to-addresses=192.168.88.49 to-ports=65520
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

I generated this code using this command

/ip firewall nat export file="firewall_rules.txt"

But for some reason I can't see the commands for the hotspot, so I figured I should attach the screenshot image. I should mention that I ordered the rules to put the port forwarding rules on the TOP and changed (played with) the order many times, but the problem is always there (it shows after some time of usage, not instantly) until I disable these rules:

add action=dst-nat chain=dstnat disabled=no dst-port=65529 in-interface=wan \
    protocol=tcp to-addresses=192.168.88.49 to-ports=65529
add action=dst-nat chain=dstnat disabled=no dst-port=65529 in-interface=wan \
    protocol=udp to-addresses=192.168.88.49 to-ports=65529

The BitTorrent app that uses that port doesn't have that many running connections, but not few either, and no traffic in any way (I'm 100% sure of that), just reporting some data. I tried to change the port, by the way; it was different and I changed it, and the problem remains.

2- Is there a better way, maybe one I'm not aware of, to export commands from the Winbox GUI for any part of the router, like the hotspot rules, users, firewall, etc., other than the export command? Also, why didn't the export command export the hotspot NAT rules?


Again and always, thank you, and sorry for the long detailed info, but I just wanted to provide as much as I can so as not to waste much of your time.

I should mention that with these NAT rules the port appeared to be forwarded successfully. Is there a more proper way to do this, or did I do it correctly?

Is my problem that hard? Or am I doing something wrong in reporting the necessary info to solve it? Please, any suggestion would be really very appreciated.

Dynamic rules are not exported as there is no command to create them in their section.

Too many rules can make performance problems, or you could have some bottleneck elsewhere. You need to observe the situation under high load. Use the profiler, see the rules count, maybe try to change interface queue types or reorganise the firewall... Look at it more.

Not familiar with that old a RoS, but shouldn't the masquerade have some more filters on it for out-interface? Just wondering if maybe the dst-nats are getting routed back through the masquerade rule.

I have no idea; this was the default once the system was installed. Suggest which rule I should add and I'll try it. Thank you a LOT for replying.

Instead of your current masquerade try replacing with this:

add action=masquerade chain=srcnat out-interface=wan

Only masquerades anything going out the wan interface.

OK, did it; everything is as before, working fine except when I enable the port forwarding rule. When the rule is active, I test the connectivity with three things:

1- Pinging the default gateway of the modem (not the MikroTik) gives me a timeout.
2- Pinging any public IP on the internet gives me a timeout.
3- Browsing websites is either extremely slow, ending with only small pieces of the page loaded, or does not load at all, giving the "Error: gateway timeout".


Waiting for more suggestions and again, thank you.

It seems I get too many connections on the port I’m forwarding.
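An added example, not from any poster in this thread, of how the thread's symptoms can be checked and contained on RouterOS: count the tracked connections hitting the forwarded host, scope the masquerade to the wan interface as suggested above, and cap how many concurrent connections one remote address may open to the forwarded port. The interface name `wan`, the host 192.168.88.49 and port 65529 are taken from the thread; the limit of 32 connections per source /32 and the 200-connection ceiling are assumed values to tune for your own load.

```routeros
# Measure first: how many tracked connections target the forwarded host?
# A number in the thousands points at connection-tracking exhaustion rather than at the NAT rules themselves.
/ip firewall connection print count-only where dst-address~"^192.168.88.49:"

# Masquerade only traffic leaving the wan interface (the reply above), not everything from the LAN.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan comment="scoped masquerade"
add action=dst-nat chain=dstnat in-interface=wan protocol=tcp dst-port=65529 \
    to-addresses=192.168.88.49 to-ports=65529 comment="torrent tcp"
add action=dst-nat chain=dstnat in-interface=wan protocol=udp dst-port=65529 \
    to-addresses=192.168.88.49 to-ports=65529 comment="torrent udp"

# Contain: drop new TCP connections once a single remote address holds more than 32 of them
# to the forwarded port (assumed threshold), and cap the total at 200 (assumed) by matching any source.
/ip firewall filter
add chain=forward in-interface=wan protocol=tcp dst-address=192.168.88.49 dst-port=65529 \
    connection-state=new connection-limit=32,32 action=drop comment="per-source cap on forwarded port"
add chain=forward in-interface=wan protocol=tcp dst-address=192.168.88.49 dst-port=65529 \
    connection-state=new connection-limit=200,0 action=drop comment="global cap on forwarded port"
add chain=forward in-interface=wan protocol=tcp dst-address=192.168.88.49 dst-port=65529 \
    action=accept comment="allow remaining forwarded traffic"
```

Re-run the `print count-only` line after the caps are in place; if it stays well below the old figure while the gateway stops timing out, the forwarded port was filling the connection table rather than the rules being ordered wrongly.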