I have a Mikrotik that’s been working for years, and I’m now trying to port forward 34197 UDP to an internal server.
/ip/firewall/nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 ;;; factorio
chain=dstnat action=dst-nat to-addresses=198.168.88.139 to-ports=34197 protocol=udp dst-address=xx.xx.xx.250
dst-port=34197 log=no log-prefix=""
Watching it on the web config shows that the NAT rule is incrementing each time I send a packet from outside.
I have a firewall rule:
/ip/firewall/filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 chain=forward action=accept protocol=udp dst-port=34197 log=no log-prefix=""
3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
5 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
And rule 2 increments too, but nothing is received on the server.
I’m using:
nc -ul -p 34197
on the server, and sending to it from inside the LAN works great, but from outside I get nothing. What am I missing?
optio
January 13, 2023, 7:19pm
2
xx.xx.xx.250 is your public static IP?
Try without setting dst-address if you don't care from which public IP the connection is coming.
Also make sure that your ISP is not filtering that port and your local network is not behind double nat (ISP nat).
Yeah, that’s my eternal IP. I removed it, and it stopped upping the count; I added the exact interface, it started upping the count again.
The ISP isn’t filtering (the Mikrotik sees it as the count goes up) but something else is missing. The IPv6 firewall wouldn’t be involved, right?
/ipv6/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 ;;; defconf: accept ICMPv6
chain=input action=accept protocol=icmpv6
3 ;;; defconf: accept UDP traceroute
chain=input action=accept protocol=udp port=33434-33534
4 ;;; defconf: accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
5 ;;; defconf: accept IKE
chain=input action=accept protocol=udp dst-port=500,4500
6 ;;; defconf: accept ipsec AH
chain=input action=accept protocol=ipsec-ah
7 ;;; defconf: accept ipsec ESP
chain=input action=accept protocol=ipsec-esp
8 ;;; defconf: accept all that matches ipsec policy
chain=input action=accept ipsec-policy=in,ipsec
9 chain=forward action=accept src-address=2600:......:7ed7/128 log=no log-prefix=""
10 chain=forward action=accept src-address=2600:.......:f391/128 log=no log-prefix=""
19 ;;; defconf: accept IKE
chain=forward action=accept protocol=udp dst-port=500,4500
20 ;;; defconf: accept ipsec AH
chain=forward action=accept protocol=ipsec-ah log=no log-prefix=""
21 ;;; defconf: accept ipsec ESP
chain=forward action=accept protocol=ipsec-esp
22 ;;; defconf: accept all that matches ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
23 ;;; defconf: drop everything else not coming from LAN
chain=forward action=drop in-interface-list=!LAN
optio
January 13, 2023, 8:16pm
4
Remove firewall rule 23, it's dropping dst-nat forwards from non-LAN interfaces; your public connection is from the WAN interface.
You had a good rule in your first post:
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Remove firewall rule 23, it's dropping dst-nat forwards from non-LAN interfaces; your public connection is from the WAN interface.
You had a good rule in your first post:
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Rule 23 was on IPv6, but even so, disabling that didn’t change anything
optio
January 13, 2023, 8:24pm
6
Correction: change that rule 12 to the input chain; that rule actually exists by defconf, but the chain is input.
You should have it to block connections to the router that are not dst-nat forwarded from WAN, so both rules are needed for that.
optio
January 13, 2023, 8:36pm
7
Rule 23 was on IPv6, but even so, disabling that didn’t change anything
True, I did not notice /ipv6/…; I thought that you had changed your firewall rules for IPv4. IPv6 firewall rules will not apply to IPv4 connections.
Rule 2 is catching it, as I see the counter increasing; what else could it be? Is it not "masking" and the recipient system is dropping it for some reason? It's a Linux box with no firewall rules at all, and it works fine on UDP on the same port on the LAN.
Do I need to tell it to stop processing after it hits rule 2?
optio
January 13, 2023, 8:55pm
9
That rule 2 is not actually needed if you are not blocking all forward traffic, which you are not (rule 12); if the packet counter on the NAT rule is growing, it should work if you can access it from the LAN.
bombcar
January 13, 2023, 9:15pm
10
Then I’m flummoxed; maybe I should try TCP instead.
How would I DMZ the machine and forward EVERYTHING to it?
optio
January 13, 2023, 9:30pm
11
Forwarding TCP when Factorio is using UDP will not help, even if the TCP forward works.
Setting a DMZ is a different thing… You can search the forum for examples, topics like: http://forum.mikrotik.com/t/setting-dmz-in-mikrotik/137177/1
bombcar
January 13, 2023, 9:34pm
12
Yeah, I'm just trying to prove that ANY forwarding can work, and I don't know what else to try.
anav
January 14, 2023, 2:02am
13
Post the complete config for analysis:
/export file=anynameyouwish ( minus router serial# and any public WANIP information )
bombcar
January 14, 2023, 6:12am
14
# jan/14/2023 00:08:25 by RouterOS 7.7
# software id = AICP-V6XM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxx
/interface bridge add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether1 ] mac-address=xxxxx
/interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united states" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-frequency=auto ssid=xxxxx wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united states" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=xxxxx wireless-protocol=802.11
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf
/ipv6 dhcp-server option add code=23 name=dnsserver value="'fe80::xxx:f186'"
/port set 0 name=serial0
/port set 1 name=serial1
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf instance add disabled=no name=default-v3 version=3
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/routing ospf area add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192
/ipv6 settings set max-neighbor-entries=8192
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server set auth=sha1,md5
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=xxxx.com gateway=192.168.88.1 ntp-server=192.168.88.1 wins-server=192.168.88.139
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward dst-port=34197 protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward src-address=192.168.88.182
/ip firewall filter add action=drop chain=forward src-address=192.168.88.177
/ip firewall filter add action=drop chain=forward src-address=192.168.88.101
/ip firewall filter add action=drop chain=forward src-address=192.168.88.112
/ip firewall filter add action=drop chain=forward src-address=192.168.88.118
/ip firewall filter add action=drop chain=forward src-address=192.168.88.132
/ip firewall filter add action=drop chain=forward src-address=192.168.88.109
/ip firewall filter add action=drop chain=forward src-address=192.168.88.111
/ip firewall filter add action=drop chain=forward src-address=192.168.88.134
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
/ip route add blackhole disabled=no dst-address=10.0.0.0/8
/ip route add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.100.1
/ip service set www-ssl certificate=fullchain.cer_0 disabled=no
/ip ssh set always-allow-password-login=yes strong-crypto=yes
/ip upnp set enabled=yes
/ip upnp interfaces add interface=bridge type=internal
/ip upnp interfaces add interface=ether1 type=external
/ipv6 address add address=::xxx:f186 eui-64=yes from-pool=ipv6-pool interface=bridge
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=ipv6-pool request=address,prefix
/ipv6 dhcp-server add address-pool="" dhcp-option=dnsserver interface=bridge name=dhcp6
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=accept chain=forward src-address=2600:xxxx:7ed7/128
/ipv6 firewall filter add action=accept chain=forward src-address=2600:xxxx:f391/128
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd set [ find default=yes ] advertise-dns=no interface=bridge
/system clock set time-zone-name=xxxxx
/system identity set name=basement-router
/system leds add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
/system leds add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
/system leds add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client set enabled=yes
/system ntp server set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes manycast=yes multicast=yes
/system resource irq rps set sfp-sfpplus1 disabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
bombcar
January 14, 2023, 7:21am
15
/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
198.168.88.139
198 .168.88.139
198
I die now
bombcar
January 14, 2023, 7:41am
16
Thanks for the help; if I just hadn't been typoing, it would have worked much earlier.
Works now.
Znevna
January 14, 2023, 8:24am
17
eternal copy pasta problem
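A sanity check for the failure mode this thread ends on: a dst-nat rule whose to-addresses points at a mistyped address outside any subnet the router actually has, so the forward counters climb but nothing can ever be delivered. This is an added Python example, not code from the thread or from RouterOS; the export excerpt is constructed from the posts above and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed excerpt of a RouterOS /export, modelled on the thread above;
# the dst-nat target deliberately carries the 198.168.x.x typo.
EXPORT = """\
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
"""


def parse_export(text):
    """Yield (menu path, {key: value}) for every 'add' line of an export."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, rest = line.partition(" add ")
        if not sep:
            continue  # 'set' lines and other commands are not needed here
        kv = {}
        for tok in shlex.split(rest):  # shlex keeps comment="quoted text" whole
            key, eq, val = tok.partition("=")
            if eq:
                kv[key] = val
        yield path, kv


def local_networks(entries):
    """Subnets the router itself has an address on (/ip address entries)."""
    return [ipaddress.ip_interface(kv["address"]).network
            for path, kv in entries
            if path == "/ip address" and "address" in kv]


def check_dstnat_targets(text):
    """Return (comment, to-addresses, problem) for each dst-nat rule whose
    target is not on any local subnet, i.e. a forward that cannot deliver."""
    entries = list(parse_export(text))
    nets = local_networks(entries)
    findings = []
    for path, kv in entries:
        if path != "/ip firewall nat" or kv.get("action") != "dst-nat":
            continue
        target = kv.get("to-addresses")
        if target is None:
            findings.append((kv.get("comment", "?"), None, "no to-addresses"))
            continue
        # to-addresses may be a range "a-b"; checking the first address suffices
        first = ipaddress.ip_address(target.split("-")[0])
        if not any(first in net for net in nets):
            findings.append((kv.get("comment", "?"), target,
                             "to-addresses not inside any local subnet"))
    return findings
```

Calling check_dstnat_targets(EXPORT) flags the factorio rule because 198.168.88.139 is not in 192.168.88.0/24; with the address corrected to 192.168.88.139 the check returns an empty list.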