Port Forwarding

Hello guys, after you guys had helped me wonderfully on this topic http://forum.mikrotik.com/t/iptv-lan-help/131750/1

i am here to ask a little more help if possible.

i am having difficult in opening port and forwarding them.

let me try to guide you what i have gone through.

i have several ports to forward and open, but i will use Qbittorrent for example,

i already set a Dynamic DNS service that is working through No-IP,

i want to be able to open Qbittorrent Web User interface from any place on the internet, it may be on my cellphone, or a computer cross the country.

Qbittorrent uses port 8080, but i want to be able to connect like example.no-ip.org:2045 → 192.168.1.25:8080

for this I

• disabled all my Computers firewalls for testing sake,
• create a firewall rule → NAT → General → chain:dstnat → procotocol:6(tcp) → Dst. Port: 8080 // Action:dst-nat → To Adresses: 192.168.1.25 → To Ports: 8080
  if i put in. Interface: bridge or not put anything

i am able to connect it through another computer in the same network with example.no-ip.org:8080, but i cannot connect through my 4G connection. and if i change Dst. Port:2045

i cannot connect through example.no-ip.org:2045, neither 192.168.1.25:2045,

192.168.1.25:8080 is always accessible in the same network.

Code is like that right now

add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.25 to-ports=8080

thanks for any responses, i am already on this dilemma for more than a few hours, and i am still trying, and i could not find any solution on the internet, i am sorry if it’s already posted somewhere else, if it’s, just guide me through the right link, and i will delete this post.

For start, it should be dst-port=2045 (port on public address) and to-ports=8080 (port on internal address). Then there’s possible address mixup, because in your post are 192.168.1.25 and 192.168.0.25 (pick the right one). And it’s also good idea to specify destination address, but since you don’t have a static one, use dst-address-type=local. If you don’t do it, all your outgoing connections to port 2045 would not work (the chance of your devices connecting to this specific port is not great, but why not do things right).

hey man, thanks for the heads up, i changed ip because i am too much paranoid 0.o, but already fixed it. i will try to do dst-address-type:local and i will get back to you.

it did not work, “local” is not accept, i tried my local ip 192.168.1.1 but it didn’t work either

Make sure you’re entering the right thing, “dst-address-type” is something else than “dst-address”. But anyway, this part is not critical, you can skip it for now. If you change only dst-port and to-ports, does it work? If not, what’s the rest of your firewall config?

i am not finding “dst-address-type” it may be “dst-address-List” instead ?, if i use port 80->8080 it works internal and only internal, but it does not work with internet.

/interface bridge
add admin-mac=XXXXXXXXXXXX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=internet-vlan vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=internet-vlan name=pppoe-wan \
    use-peer-dns=yes user=cliente@cliente
/interface ethernet switch port
set 1 vlan-mode=secure
set 5 default-vlan-id=20 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=\
    bridge,ether2,ether3,ether4,ether6,ether7,ether8,ether9,ether10 vlan-ids=1
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=20
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=\
    switch1
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=20
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-wan list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=2045 protocol=tcp to-addresses=\
    192.168.1.5 to-ports=8080
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Sao_Paulo
/system scheduler
add interval=1m name="atualizacao no-ip" on-event=No-Ip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=No-Ip owner=example policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# N\
    o-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup -------\
    -----------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"example@gmail.com\"\r\
    \n:local noippass \"example\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotatio\
    ns below with your host names.\r\
    \n# To specify multiple hosts, separate them with commas.\r\
    \n:local noiphost \"hostname.no-ip.net\"\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"ether1\"\r\
    \n\r\
    \n#-------------------------------------------------------------------------\
    -----------\r\
    \n# No more changes need\r\
    \n\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\" d\
    isabled=no] address]\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n           :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n       } \r\
    \n   }\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n       :log info \"No-IP: Current IP \$currentIP is not equal to previous \
    IP, update needed\"\r\
    \n       :set previousIP \$currentIP\r\
    \n\r\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Require\
    d since \? is a special character in commands.\r\
    \n       :local url \"http://dynupdat
    tIP\"\r\
    \n       :local noiphostarray\r\
    \n       :set noiphostarray [:toarray
    \n       :foreach host in=\$noiphosta
    \n           :log info \"No-IP: Sendi
    \n           /tool fetch url=(\$url .
    password=\$noippass mode=http dst-pat
    .txt\")\r\
    \n           :log info \"servidordofe
    \n       }\r\
    \n   }  else={\r\
    \n       :log info \"No-IP: Previous 
    \_no update needed\"\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterfa
    re will not update.\"\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

this is my whole configuration i hope i didn’t leave any sensitive information in there.

Other than having to-addresses=192.168.1.5, when you previously wrote 192.168.1.25, I don’t see any problem.

I’m sure about dst-address-type, but you can save it for later.

Stupid question, do you have public IP address? When you look in IP->Addresses and find dynamic address on pppoe-wan, it’s not 10.x.x.x, 192.168.x.x, 172.16-31.x.x or 10.64-127.x.x, and it’s the same one as example.no-ip.org points to, right?

i do have a public address, but it’s dynamic my ISP can change it at any time, No-ip just updates it. already tried to copy this public address on Dst. Address, but didn’t work either.

now it’s something like 177.x.x.x

If you check dstnat rule’s counter, does it increase when you try to connect?

i found my mistake, it was this rule that was disabling any connection from wan

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

thanks for you help.

Hmm, no. It’s chain=input, it doesn’t touch anything going through router. It blocks connections from WAN, but only connections to router itself, i.e. to some service running on it (WinBox, WebFig, …). Connections to forwarded ports are going through chain=forward.

if i disable that rule, i can connect through internet to any port forwarding that i do, but i do know that if i do that, i will be defenseless and anyone will be able to connect through any port on my router, i am trying to open just ports i want, but i am having some difficult.

But it’s really not possible. There must be some better explaination than your router being haunted, but right now I don’t see it. It would only make sense if you’d be forwarding ports to router’s own address (192.168.1.1). But if target address belongs to another device, those packets will never see input chain and any rule there can’t apply to them.

hey man thanks for the reply, i was using router ip to self test ports, i never assumed it was a problem, i just did all configuration again with correct ip, and it did work, sorry for my confusion.

just to clarify i couldn’t forward any port, if i forward 700->700 it works, but it does not work 400->700, it’s ok, a little less safe, but will work as intended

Router doesn’t care about different ports, it’s all the same to it. I can imagine problem on application level, because http sends header with hostname and port to server, so the server may see different port than it’s using and not like it. But it usually works fine, especially with simple admin interfaces, they serve only one site anyway, so they ignore it.

You’d have to dig deeper into “does not work”. Check if packets are passing correctly through router, if server responds, what exactly the response is, etc. You can use Tools->Torch, logging rules or packet sniffer.