Port forwarding doesn't want to work

Hi,
I am trying to set a port forwarding rule, but it doesn't want to work and I don't know why.

The configuration of the firewall is:

/ip firewall filter
add action=accept chain=input disabled=yes in-interface=ether1-gemenii log=yes
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept establieshed,related" connection-state=established,related
add action=accept chain=input comment="Allow WinBox from outside - Gemenii" dst-port=8291 in-interface=ether1-gemenii protocol=tcp
add action=accept chain=input comment="Allow WinBox from outside -telekom" dst-port=8291 in-interface=ether2-telekom protocol=tcp
add action=accept chain=input comment="Allow HTTP from outside" disabled=yes dst-port=80 in-interface=ether1-gemenii protocol=tcp
add action=accept chain=forward comment="accept established,related" connection-state=established,related log=yes log-prefix=filter_Rules
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=drop chain=input comment="drop all from WAN" in-interface=ether1-gemenii
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment=" drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gemenii
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=1122 in-interface=ether1-gemenii protocol=tcp to-addresses=192.168.1.11 to-ports=22
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether1-gemenii protocol=tcp to-addresses=192.168.1.11 to-ports=8006
add action=dst-nat chain=dstnat dst-port=43 in-interface=ether1-gemenii protocol=tcp to-addresses=192.168.1.11 to-ports=43

I figured out that the router receives the SYN and nothing happens.

I think if you add a dst-address=x.x.x.x item, the problem may be solved.

I tried, without any success.

If you have a public address, it should work from outside with these rules. If you want to test it from inside (the same LAN where 192.168.1.11 is), you need this. If it still does not work, make sure that it's not blocked by the firewall on 192.168.1.11.

I have 2 ISPs on that MikroTik router.
I tested a lot of cases, like:

  • tested with a firewall NAT rule, filling in only the interface, only the public IP, or both
  • tested on both ISPs (interfaces)
  • disabled one interface and ran the tests above

I read/watched a lot of tutorials/videos that say to add a rule in the firewall NAT section, like I already did.
I don't have an idea what I can do.
Maybe reset the router configuration and try again.
I have 2 MikroTik routers: an RB-3011 and an RB951G-2HnD.
I saw something different about the masquerade rule. I think this is the problem. I haven't solved the issue yet.

If you have two ISPs, you need to mark incoming connections from each one and then route the replies back the right way. Do you do that?

See e.g. here.
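
An added example, not part of any reply in this thread: one common way to do the connection marking and reply routing described above, written in RouterOS v6 syntax with the interface names from the posted configuration. The LAN interface name `bridge`, the mark names and the two gateway addresses (documentation-range placeholders) are assumptions.

```routeros
# Added example (RouterOS v6 syntax). Assumed: LAN interface "bridge",
# gateway placeholders 203.0.113.1 / 198.51.100.1, and all mark names.

/ip firewall mangle
# 1. Tag each new inbound connection with the WAN it arrived on.
add chain=prerouting in-interface=ether1-gemenii connection-state=new \
    action=mark-connection new-connection-mark=gemenii_conn passthrough=yes
add chain=prerouting in-interface=ether2-telekom connection-state=new \
    action=mark-connection new-connection-mark=telekom_conn passthrough=yes

# 2. Replies from the forwarded host (192.168.1.11) enter on the LAN side;
#    give them the routing mark of the WAN the connection came in on.
add chain=prerouting in-interface=bridge connection-mark=gemenii_conn \
    action=mark-routing new-routing-mark=to_gemenii passthrough=no
add chain=prerouting in-interface=bridge connection-mark=telekom_conn \
    action=mark-routing new-routing-mark=to_telekom passthrough=no

# 3. Replies generated by the router itself (e.g. WinBox on 8291).
add chain=output connection-mark=gemenii_conn \
    action=mark-routing new-routing-mark=to_gemenii passthrough=no
add chain=output connection-mark=telekom_conn \
    action=mark-routing new-routing-mark=to_telekom passthrough=no

/ip route
# 4. One default route per routing mark, pointing at that ISP's gateway.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_gemenii
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_telekom
```

FastTrack bypasses mangle for fasttracked packets, so with the posted fasttrack rule active these routing marks are not applied reliably; limiting that rule to `connection-mark=no-mark` keeps marked connections on the normal path.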

Try to disable the fasttrack rule.

I think your configuration is right; you may have a misconfiguration on the end device side, so please check that the following is right.
1- Default gateway on the client.
2- If you have switches between the router and the client, make sure the client and router ports are in the same broadcast domain.
3- If you have a bridge port on the router side, check that the IP address is assigned on the bridge port.
Recommendation for your WAN links:
You have connectivity from two ISPs, so you can run ECMP on the router.