Port forwarding

Hi all, I have just got back online after changing ISPs.

However, my port forwards are not working; any chance somebody could take a look to see if I have something wrong? Thanks.

Here are my interfaces:
Link to HP is a switch on which I have separate VLANs, one for wired and one for wireless.
WAN is the physical connection back to the modem and ADSL is the PPPoE interface.

@MikroTik] > int pr
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 R Link_to_HP ether 1500 1598 4074 D4:CA:6D:B5:5C:B8
1 PoE ether 1500 1598 4074 D4:CA:6D:B5:5C:B6
2 Port4 ether 1500 1598 4074 D4:CA:6D:B5:5C:B9
3 Port5 ether 1500 1598 4074 D4:CA:6D:B5:5C:BA
4 R WAN ether 1500 1598 4074 D4:CA:6D:B5:5C:B7
5 R ADSL pppoe-out 1480
6 R LAN vlan 1500 1594 D4:CA:6D:B5:5C:B8
7 R Management vlan 1500 1594 D4:CA:6D:B5:5C:B8
8 R WLAN vlan 1500 1594 D4:CA:6D:B5:5C:B8


Current NAT rules:

k@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

1 ;;; Management VLAN Masquerade Rule
chain=srcnat action=masquerade src-address=10.0.20.0/24 log=no log-prefix=""

2 ;;; LAN Masquerade Rule
chain=srcnat action=masquerade src-address=192.168.0.0/24 log=no log-prefix=""

3 ;;; WLAN Masquerade Rule
chain=srcnat action=masquerade src-address=10.0.30.0/24 log=no log-prefix=""

4 ;;; uTorrent
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=tcp dst-address-type=local in-interface=ADSL
dst-port=48085 log=no log-prefix=""

5 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=tcp dst-address-type=local in-interface=ADSL
dst-port=998 log=no log-prefix=""

6 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=tcp dst-address-type=local in-interface=ADSL
dst-port=3569 log=no log-prefix=""

7 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=tcp dst-address-type=local in-interface=ADSL
dst-port=9946 log=no log-prefix=""

8 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=udp dst-address-type=local in-interface=ADSL
dst-port=3659 log=no log-prefix=""

9 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=udp dst-address-type=local in-interface=ADSL
dst-port=9000-9999 log=no log-prefix=""


Current Firewall rules:

@MikroTik] /ip firewall> fi pri
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

2 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=PoE log=no log-prefix=""

3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

4 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no
log-prefix=""

7 ;;; Allow Limited Pings
chain=input action=accept protocol=icmp limit=50/5s,2:packet log=no log-prefix=""

8 chain=output action=accept protocol=tcp content=530 Login Incorrect dst-limit=1/1m,9,dst-address/1m log=no
log-prefix=""

9 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
content=530 Login Incorrect log=no log-prefix=""

10 ;;; Drop Excess Pings
chain=input action=drop protocol=icmp log=no log-prefix=""

11 ;;; Drop Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

12 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3
address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no log-prefix=""

13 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2
address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix=""

14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1
address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix=""

15 ;;; SSH Create Blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1
address-list-timeout=1m dst-port=22 log=no log-prefix=""

16 ;;; SSH
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

17 ;;; Drop Invalid Connections
chain=input,forward action=drop connection-state=invalid log=no log-prefix=""

18 ;;; Drop FTP Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 log=no log-prefix=""

19 ;;; Drop SSH Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

20 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""


The port I have been testing is the one for uTorrent; I have tried changing the in-interface to WAN, but this does not help.

Specific to torrent port forwarding: you want to add a rule to allow UDP as well. Most torrent connections use UDP as the transport protocol; my observed ratio is 20:1 in favour of UDP.

Thank you for answering. I just added another rule for that but with UDP set as the protocol; it has not made a difference though.

Just stating the obvious: you need to configure uTorrent to use a specific port number; by default it chooses a random port on start-up. And it needs to match whatever is configured on the RB.

I'm not sure if you need to set dst-address-type … I'd rather use in-interface (my PPPoE interface).

Seems the rules are working; it's just that the torrent client has a strange config. When I set the same listening port on uTorrent it showed as open; I will have to play with the settings in Deluge.

Thanks for the help anyways.
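One thing worth checking in the configuration posted at the top of the thread, and relevant to the reply about using in-interface on the PPPoE interface: the dst-nat rules match in-interface=ADSL (the pppoe-out interface), while the default "drop all from WAN not DSTNATed" forward rule matches in-interface=WAN and the "drop all from WAN" input rule matches in-interface=PoE. With a PPPoE client, the firewall sees the decapsulated internet traffic on the pppoe-out interface, not on the Ethernet port that carries the PPPoE session, so the dst-nat rules are on the right interface and the two guard rules are not; the forward chain then has nothing dropping unsolicited new connections that arrive via ADSL. The script below is an added example, not code from the thread or from MikroTik. It parses the `print` output quoted above (a subset is embedded as a constructed sample), and reports that kind of interface mismatch. The function names `parse_print` and `check_forwarding` and the `internet_iface` parameter are this example's own.

```python
import re

# Constructed sample: a subset of the /ip firewall nat print and
# /ip firewall filter print output quoted in the thread above.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

4 ;;; uTorrent
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=tcp dst-address-type=local in-interface=ADSL
dst-port=48085 log=no log-prefix=""

8 ;;; FIFA 18
chain=dstnat action=dst-nat to-addresses=192.168.0.254 protocol=udp dst-address-type=local in-interface=ADSL
dst-port=3659 log=no log-prefix=""
"""

FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
2 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=PoE log=no log-prefix=""

6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no
log-prefix=""

20 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# Keys that are not packet matchers.
NON_MATCHERS = {"index", "flags", "comment", "chain", "action", "log", "log-prefix"}


def parse_print(text):
    """Turn RouterOS 'print' output into a list of dicts, one per rule.

    A rule starts on a line beginning with its index, optionally followed by
    flag letters (X/I/D) and a ';;;' comment; its key=value properties may
    continue on the following lines until the next index.  Values containing
    spaces (e.g. content=530 Login Incorrect) are captured only up to the
    first space, which is enough for this check.
    """
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if m:
            rest, flags, comment = m.group(2), "", ""
            first = rest.split(" ", 1)[0]
            if "=" not in first and all(c in "XID" for c in first):
                flags, rest = first, rest[len(first):].strip()
            if rest.startswith(";;;"):
                comment, rest = rest[3:].strip(), ""
            cur = {"index": int(m.group(1)), "flags": flags, "comment": comment}
            rules.append(cur)
        elif cur is None:
            continue  # header lines such as "Flags: ..." before the first rule
        else:
            rest = line  # continuation line of the current rule
        for key, value in KV.findall(rest):
            cur[key] = value.strip('"')
    return rules


def check_forwarding(nat_rules, filter_rules, internet_iface):
    """Return findings about the dst-nat rules and the guard rules around them.

    internet_iface is the interface on which the firewall actually sees inbound
    internet traffic; with a PPPoE client that is the pppoe-out interface
    (ADSL in the thread), not the Ethernet port carrying the PPPoE session.
    """
    findings = []
    for r in nat_rules:
        if r.get("chain") != "dstnat" or "X" in r["flags"]:
            continue
        label = f"nat rule {r['index']} ({r['comment'] or 'no comment'})"
        if r.get("in-interface", internet_iface) != internet_iface:
            findings.append(f"{label}: in-interface={r['in-interface']} never matches "
                            f"traffic arriving on {internet_iface}")
        if "dst-port" in r and "protocol" not in r:
            findings.append(f"{label}: dst-port without protocol is not a valid matcher")
        if "to-addresses" not in r:
            findings.append(f"{label}: dst-nat without to-addresses")

    # The forward-chain drop on connection-nat-state=!dstnat is what keeps
    # unsolicited inbound traffic out of the LAN, so it must name the same
    # interface the dst-nat rules (and the real inbound traffic) use.
    guards = [r for r in filter_rules
              if r.get("chain") == "forward" and r.get("action") == "drop"
              and r.get("connection-nat-state") == "!dstnat" and "X" not in r["flags"]]
    if not any(g.get("in-interface") == internet_iface for g in guards):
        seen = ", ".join(f"rule {g['index']} guards {g.get('in-interface')}" for g in guards) or "none"
        findings.append(f"filter: no forward drop for non-dstnat new connections on "
                        f"{internet_iface} ({seen}); such traffic is forwarded into the LAN")

    # Input-chain drops that match on nothing but an interface should name the
    # internet interface too; a catch-all input drop makes that a lower-severity issue.
    catch_all = any(r.get("chain") == "input" and r.get("action") == "drop"
                    and not (set(r) - NON_MATCHERS) for r in filter_rules)
    for r in filter_rules:
        if (r.get("chain") == "input" and r.get("action") == "drop"
                and set(r) - NON_MATCHERS == {"in-interface"}
                and r["in-interface"] != internet_iface):
            note = "a catch-all input drop exists" if catch_all else "nothing else drops that traffic"
            findings.append(f"filter rule {r['index']}: input drop names in-interface="
                            f"{r['in-interface']}, not {internet_iface} ({note})")
    return findings


if __name__ == "__main__":
    for finding in check_forwarding(parse_print(NAT_PRINT), parse_print(FILTER_PRINT), "ADSL"):
        print(finding)
```

Run against the posted configuration with `ADSL` as the internet interface, the dst-nat rules produce no findings, and the two guard rules (filter rules 6 and 2) are reported; running it with `WAN` instead shows why the poster's experiment of moving the dst-nat rules to WAN cannot help, since those rules then sit on the wrong interface while the PoE input rule is still flagged.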