I have been trying to forward a port for several hours. No matter what I try, the result is the same: I can only access the port when I am connected to the same router. I have a webserver that I want to access remotely via the internet; its address is W.W.W.W:8123, and the IPv4 address is V.V.V.V as obtained from ipconfig and IP query websites. I am more comfortable with the UI than the command line. I have the following:
ID 1
Chain: dstnat
Dst. Address: MYPUBLICIP
Protocol: tcp
Dst. Port: 8123
Dst. Address Type: local
Action: dst-nat
To Addresses: MYWEBSERVERIP
To Ports: 8123

ID 2
Chain: srcnat
Out. Interface: pppoe VOX
Action: masquerade

ID 3
Chain: srcnat
Src. Address: 192.168.1.0/24
Dst. Address: MYWEBSERVERIP
Protocol: tcp
Dst. Port: 8123
Out. Interface: bridge or ether1 or all ethernet
Src. Address Type: local
Action: masquerade
IDs 1 and 2 show some packets, and I can access MYPUBLICIP:8123 when connected to the router, but not remotely. ID 3 does not show any packets at all. Please assist; I want to be able to see my webserver from work.
“Rule 3” is only necessary if you want clients in the same LAN subnet as the server to connect to the server using the WAN address of the router (hairpin NAT). So don’t worry about that rule.
If the dst-nat rule doesn’t count any matches when you attempt to connect from outside (to wan.ip.add.ress:8123), it most likely means that something else between the client and your 'Tik is blocking access to that socket address. As you say you want to be able to connect “from work”, it may be that the network admin there has prohibited connections to unusual ports.
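The three NAT rules from the first post, written out as RouterOS CLI with comments explaining what each one does and why the hairpin rule only matters for LAN clients. This is an added example, not the poster's configuration or Sindy's commands; the web server address 192.168.1.10 is a placeholder, and the LAN subnet and the WAN interface name are taken from the rules above.

```routeros
# Added example (not the thread's own commands). Assumed values:
#   LAN subnet 192.168.1.0/24, web server 192.168.1.10 (placeholder),
#   WAN interface "pppoe VOX" (as named in the post above).
/ip firewall nat

# 1) Forward TCP/8123 arriving at any address the router itself owns (the public one
#    included) to the web server. dst-address-type=local avoids hard-coding a public
#    address that may change, and, unlike an in-interface match, it also catches
#    LAN clients that connect to the public address (the hairpin case).
add chain=dstnat action=dst-nat protocol=tcp dst-port=8123 dst-address-type=local \
    to-addresses=192.168.1.10 to-ports=8123 comment="forward 8123 to web server"

# 2) Ordinary source NAT for everything that leaves through the WAN interface.
add chain=srcnat action=masquerade out-interface="pppoe VOX" comment="masquerade to WAN"

# 3) Hairpin NAT, needed only for LAN clients using the WAN address. After rule 1 the
#    destination is already the server, but the source is still the client's LAN address,
#    so the server would reply to the client directly; the client expected the reply from
#    the public address and would discard it. Masquerading makes the server answer to the
#    router instead, which then un-NATs both directions.
add chain=srcnat action=masquerade protocol=tcp dst-port=8123 \
    src-address=192.168.1.0/24 dst-address=192.168.1.10 comment="hairpin NAT for 8123"

# Watch the counters of all three rules while testing from inside and from outside.
/ip firewall nat print stats
```

Rule 3 counts packets only for LAN-originated connections to the public address; a remote client never matches it, so an idle counter on that rule says nothing about whether the port forward works from the internet.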
Thank you for the reply. I tried to connect using two cell phones connected via 3G, to no avail. Could it be that the router has a firewall, or that the service provider is blocking this somehow? When I try connecting from the mobile there is a long delay, then it eventually returns an error that there is no connection because it took too long. The service provider is the one who set up my router after installing fibre, so maybe there are settings in the router that I am not aware of that can restrict certain connections.
Then try again from the mobiles, and if this added rule’s counter doesn’t show any matched packets, you can be sure that the issue is outside the 'Tik. That does not necessarily mean that it is in the modem/router provided by the ISP; e.g. my ISP blocks access to some ports centrally, not at the router I have from them.
Hi @Sindy, the new mangle rule shows packets and my dstnat shows packets. I’ve removed the hairpin rule, but there is still no connection from outside the router (via 3G); I can only connect to ext.er.nal.ip:8123 when I try from a device connected to the router. The external IP address has changed since yesterday, so I changed it as well. Just out of curiosity, I don’t see the 8123 port in the filter rules under Firewall; should it be there as well?
What makes this so confusing is that it is connecting from the inside using the external IP, which they say cannot happen without the hairpin, and it is not connecting from the outside, which it should be able to with the dstnat. Is this going through the wide area network, or is the connection direct via the router Wi-Fi network? My logic tells me it should be via the WAN.
I suspect the dynamic=no in the mangle rule you gave me is meant to keep the IP address static, but I suspect it is still not static, as it says dynamic when I check under IP/Addresses.
Sure, there should be a rule permitting these connections if your firewall is a proper one (drop everything but listed exceptions). But nobody other than you can add that rule.
One idea is to add just chain=forward action=accept connection-nat-state=dstnat to the firewall where your permissive forward rules are; see this topic where we’ve discussed the pros and cons of various approaches for details.
The fact that it works without hairpin NAT confuses me as well. But maybe you have some masquerade rule open enough to actually provide hairpin NAT inadvertently? It is really not easy to analyze if you post just the three rules you’ve added last and keep the rest of your firewall configuration a secret.
The rest is a matter of the firewall: if you permit anything from LAN back to LAN, no wonder that it worked also for the dst-nat’ed connections. What I’ve just said above applies here as well.
A complete miss here. The actual purpose is the following:
As the order of rules in a chain is important, I needed to insert the counter rule as high as possible in its chain. The place-before parameter decides where to put the new rule, and the value of this parameter is a reference to an existing rule. The problem is that I did not know whether you had used any mangle prerouting rules at all, but RouterOS inserts some automatically (they call those “dynamic” items), and it does not let you insert anything before dynamic rules in the firewall. Plus the actual pointers to the rules are special values. But if you use print to show any list of items, these items get numbered in a monotonic sequence starting from 0, and you can use these numbers to refer to the items when you want to modify or remove them, until any configuration change you’ve made affects the list (so remove and add terminate the validity of the numbers; set doesn’t).
So the whole exercise was to create an ad-hoc list of the static rules in chain prerouting of mangle and place the newly added rule before the first (0th) one of them. dynamic=no was a filtering parameter used to exclude dynamic rules from that list.
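The two mechanisms from this post, as an added example that is not the thread's own commands: first the print-then-place-before trick for putting a counting rule ahead of the static prerouting mangle rules, then the same trick used to slot the chain=forward accept for dst-nat'ed connections above a drop rule. The passthrough counter rule and the port are assumptions; the exact mangle rule Sindy posted earlier is not reproduced in this thread.

```routeros
# Added example (not the thread's own commands). Assumed: a passthrough mangle rule is
# used purely as a packet counter for TCP/8123; no other values are taken from the thread.

# --- A) Put a counting rule first among the *static* prerouting mangle rules ---
# print numbers the matching items 0, 1, 2, ... and those numbers remain valid for
# place-before until the next add or remove. dynamic=no leaves out the rules RouterOS
# manages itself, which cannot have user rules placed in front of them.
/ip firewall mangle print where chain=prerouting dynamic=no
/ip firewall mangle add chain=prerouting action=passthrough protocol=tcp dst-port=8123 \
    dst-address-type=local place-before=0 comment="count 8123 before anything else"

# Read the counters after a connection attempt from outside:
#  - counter rule counts, dstnat rule does not -> the packets reach the router and the
#    problem is in the NAT rules;
#  - neither counts -> the packets never arrive, so the block is upstream of the router.
/ip firewall mangle print stats where comment="count 8123 before anything else"

# --- B) Let only the port-forwarded connections through a drop-by-default forward chain ---
# connection-nat-state=dstnat matches exactly the connections the dstnat rule created,
# so nothing else is opened. The accept must sit above the drop rule, so list the drop
# rules of chain forward and insert before the first one (number 0 of that list).
/ip firewall filter print where chain=forward action=drop
/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat \
    place-before=0 comment="accept port-forwarded connections"
/ip firewall filter print stats where chain=forward
```

If the filtered print lists no rules at all, place-before=0 refers to nothing and the add fails; in that case there is nothing to be placed before and a plain add (appending at the end of the chain) already puts the rule first among the static ones.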
Thanks, I will post all the rules in mangle and NAT. There was only one srcnat rule with just action=accept; I left it there and added the srcnat I indicated above, and the other srcnat with hairpin is gone. I will try the filter rule you suggest; please let me know what else I need to post to make the diagnosis easy. I can currently access the webserver via the Tor browser, not sure if that setup can block access via port forwarding, but I doubt it very much. The issue I have is that it’s tedious to access Home Assistant via Tor, hence my migration to port forwarding and DuckDNS; MikroTik seems unique in its setup.
It was all in the filter rules. I am now able to control it from inside and from the WAN. There were two rules that were marked drop, input and forward; when I activated it, the floodgates opened. The forward accept is of the same source as the one you gave; for some reason it was in the filter but marked drop. This was a setup by the ISP techie.
Next step is DuckDNS. Is there a way of making the external IP static?
You make me scared; action=drop rules are usually there for a reason. If you should understand only one single thing about how your router works, it should be the firewall.
So please post the complete output of /export hide-sensitive, and replace each occurrence of the public address (if it is there at all) with my.public.ip (the find & replace function of a text editor is the best way to do that).
To make your public address static you would have to agree on it with your ISP (or change ISP if this one has a problem doing that). But unless you are going to run a server for the wide public, use of dynamic DNS solves most cases with a tolerable amount of discomfort.