Hello,
First of all hi, i’m new here and i got my hap ac2 today, so.. The problem.. I cant port forward a port, in this case team speak 3 port which is 9987 udp, i tried with many tutorials, but no success. Can I get some help from you guys, to try and understand how this work in routeros?
Let’s assume you started off with a default settings for your firewall and NAT.
So you should go to IP → Firewall → NAT and add a new rule:
And that’s about it.
If your current configuration is not like default one, then you might need to construct the NAT rule differently (but then you need to show us current configuration … by executing cammnd /export hide-sensitive from a terminal window).
Note that the above NAT rule only handles connections originating from internet (WAN). If you want to connect in exactly the same way (i.e. by connecting WAN IP address) from within LAN, you need additional setup (search for hair-pin NAT).
I used that game that uses upnp as an example
So it used escom, which is my pppoe connection, not wan or ether1
[admin@MikroTik] > /export hide-sensitive
# jun/19/2019 13:19:46 by RouterOS 6.44.3
# software id = NQ5C-PVRW
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XXXXXXXXX
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=escom use-peer-dns=yes user=nedko93
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX country=bulgaria \
disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=\
"le wild wifi [guest]" wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=bulgaria \
disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=\
"le wild wifi" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=escom list=WAN
/ip address
add address=192.168.88.1/16 comment=defconf interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/16 comment=defconf gateway=192.168.88.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-sta
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-li
add action=dst-nat chain=dstnat comment="Team Speak 3" dst-port=9987 in-interface=escom protocol=udp \
to-addresses=192.168.88.254 to-ports=9987
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=escom type=external
/system clock
set time-zone-name=Europe/Sofia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
As they say: there are many ways to skin the sheep. So you can configure DST-NAT by using dst-address (and omit in-interface/in-interface-list altogether … which has its own merits which I won’t discuss at this place) or by using in-interface (which, as you say, is the way done by UPnP) or by using in-interface-list. Even if we only discuss about in-interface vs. in-interface-list … each approach has its own merits and drawbacks. In order to choose best approach one has to understand all the peculiarities and how they affect particular use case.
So I tried with that tutorial:
https://www.youtube.com/watch?v=_kw_bQyX-3U
But damn..i just doesn’t want to work.. With my old ddwrt router it was way easier.
This way the port forwarding is working for outside.. I just cant mange to figure that hair-pin nat. Port forwarding works for anything inside from the router event without specifying and interface, or if i leave it with escom.. the hair-pin nat is the problem
Surely you did read this manual page? In short: you need one additional src-nat rule to make hair-pin NAT working.
I definitely tried firstly with that, reading it, but the aftermath is the same. Working outside, not inside, I even put the rule on first position (so its 0).
One setting which is not right and usually fixing it makes unexpected performance improvements: move LAN IP address from ether2 to bridge “interface”.
As you’re using PPPoE you can probably disable/unconfigure DHCP client from ether1?
Firewall filter with “action=fasttrack-connection”: by default it has connection-state=established**,related**.
In the configuration you posted a few posts back, some lines are obviously clipped. And there’s no sign of hair-pin NAT. So it’s hard to say if you correctly implemented rule or not.
BTW, what exactly do you expect from NAT which is not working for you (even when you implement hair-pin NAT)?
Don’t I need that? Since i have a dynamic IP address? And if no, can’t find that too.. :X
Yes, do I need to remove the related part?
Im trying to achieve that I can connect to anything, example - my team speak server, with my WAN IP, not my local ip (e.g localhost for example)
Not here. It’s in IP → address
In IP → DHCP client (or something like that) …
My point being that you made changes to default settings which are a really good starting point to add some rules. You changed some and it seems as you didn’t know what you were doing.
And your posted config is not what your router is running with (I’m not discussing the reason for it) so it’s hard to tell what is preventing you from implementing hair-pin NAT …
edit:
So this https://www.youtube.com/watch?v=_kw_bQyX-3U seems to work now.. I started from the scratch. So now all is working as intended. Thank you very much for your afford to help me, appreciate it