Port Forwarding

RouterOS Beginner Basics
1

I have an Arris NVG486MQ router with Frontier. I tried to use its routing function but was having port forwarding problems. 5 ports that I need forwarded will not open up. Four other ports open just fine.

I decided to utilize a RB2011 that I had to give me more functionality (multiple subnets). The Mikrotik utilizes the DMZ feature of the Arris NVG486MQ. The Mikrotik is correctly configured for the functionality I need, except for the port forwarding. For example, here are two port forwarding rules that are very similar. Rule 5 opens the port just fine. Rule 6 does Not open the port.

 
 5    ;;; TCP Port 65520
      chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=65520 protocol=tcp in-interface=ether1 
      dst-port=65520 

 6    ;;;  TCP Port 65532
      chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=65532 protocol=tcp in-interface=ether1 
      dst-port=65532 log=yes log-prefix=""

I configured Rule 6 to log and get this result:
Log Entry
Time: Mar/09/2021…
Buffer: memory
Topic: firewall
info
Message: dstnat: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, ad:04:20, proto TCP (SYN), 198.199.98.246:449730->47.187.xxx.xxx:65532, len 60

Port 65520 is opening fine.
Port 65532 is NOT opening

I have talked to Frontier TS. They assure me that by utilizing the DMZ (passthrough) there are no ports being blocked by Frontier.

Any idea what I might be doing wrong? Rule 5 works fine. Rule 6 was a copy of Rule 5 with the port change. I get exactly the same results when I try to forward port 65532 from the Arris router. The same ports that I can open on the Arris router I can open on the Mikrotik router. The same ports that I CANNOT open on the Arris router are the same ports i CANNOT open on the Mikrotik router.

Any insight would be appreciated.

2

Looks to me like port 65532 is hit (because it is logging) and therefor seems to work. Why do you think it is not forwarding? Can you do logging on the service site (or use wireshark)?

3

Unlike erlindan I refuse to speculate ;-PPPP
Perhaps his real life job is fiction writing LOL.

Seriously, without seeing your config its only guesswork.
/export hide-sensitive file=anynameyouwish

4

I agree with erlinden, your rule seems to be working. As a quick sanity check, you can change the to-port to the same as the first one and see if it opens.

It would seem to me that there is an issue with the device you are forwarding to. Either you have the wrong port or it’s firewall is not open to that port.

Side note: to-port is only needed when changing ports, you can omit them in your case.

5

Writing code…nearly science fiction :wink:

Did you miss the log entry:

Message: dstnat: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, ad:04:20, proto TCP (SYN), 198.199.98.246:449730->47.187.xxx.xxx:65532, len 60
6

I am sure that is a pretty picture but to be honest just hurts my eyes.
I’d rather read the config and see ALL the firewall rules…

7

I am trying to get several ports opened (65532 and 65510-65515). Four other ports opened with no issue. Port 65520 was one of the ports that opened with no issue. Using yougetsignal.com I see that port 65520 is open. I just configured Windows Firewall to allow ports 65532 and 65510-65515. Port 65532 just showed to be open. I still can’t open 65510-65515. I have tried disabling the Windows Firewall temporarily with no impact on the port opening. Even though I’m connected to the Arris router through the DMZ (supposedly bypassing the Arris routing) could it be blocking my ports?

Does anyone know of a way to “bridge” the Arris to bypass the Arris routing function entirely?

8

So you are experiencing the problems with port 65510-65515 and am showing only forward ports 65532 and 65520 (which both work)? Can you please show the port forwards for the port range? Or better, as anav suggested, show the entire /ip firewall export?

9

I am trying to get several ports opened (65532 and 65510-65515). Four other ports opened with no issue. Port 65520 was one of the ports that opened with no issue. Using yougetsignal.com I see that port 65520 is open. I just configured Windows Firewall to allow ports 65532 and 65510-65515. Port 65532 just showed to be open. I still can’t open 65510-65515. I have tried disabling the Windows Firewall temporarily with no impact on the port opening. Even though I’m connected to the Arris router through the DMZ (supposedly bypassing the Arris routing) could it be blocking my ports?

Does anyone know of a way to “bridge” the Arris to bypass the Arris routing function entirely?

Here are my rules

# mar/10/2021 13:30:31 by RouterOS 6.48
# software id = UJVQ-A1VN
#
# model = 2011UiAS-2HnD
# serial number = ********
/ip firewall filter
add action=drop chain=input comment="Drop all invalid packets from WAN"  connection-state=invalid
add action=drop chain=forward comment="Drop all invalid packets from LAN"  connection-state=invalid
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="accept established, related"  connection-state=established,related
add action=accept chain=input comment="Allow Mgmt_VLAN Full Access"   in-interface=Mgmt_VLAN
add action=accept chain=forward comment="Allow Estab & Related"  connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access Only"  connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=input disabled=yes
add action=accept chain=forward connection-state=new src-address-list=Mgmt_VLAN
add action=accept chain=forward connection-state=new src-address-list=Business_VLAN
add action=accept chain=forward connection-state=new src-address-list=Home_VLAN
add action=accept chain=forward connection-state=new src-address-list=Guest_VLAN
add action=accept chain=forward connection-state=new disabled=yes     src-address-list=""
add action=accept chain=forward connection-state=new src-address-list=Mgmt_VLAN
add action=accept chain=forward connection-state=new src-address-list=Business_VLAN
add action=accept chain=forward connection-state=new src-address-list=Home_VLAN
add action=accept chain=forward connection-state=new src-address-list=Guest_VLAN
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=drop chain=forward disabled=yes

and nat

# mar/10/2021 13:31:00 by RouterOS 6.48
# software id = UJVQ-A1VN
#
# model = 2011UiAS-2HnD
# serial number = ***********
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade"  out-interface-list=WAN
add action=dst-nat chain=dstnat comment="RemoteWebAccess TCP Port 80 (http)" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200 to-ports=80
add action=dst-nat chain=dstnat comment="RemoteWebAccess TCP Port 443 (https)" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200  to-ports=443
add action=dst-nat chain=dstnat comment="Anywhere Access Certificate web service  TCP Port 65500" dst-port=65500 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.200  \
    to-ports=65500
add action=dst-nat chain=dstnat comment="Anywhere Access Provider Framework  TCP Port 6602" dst-port=6602 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200  to-ports=6602
add action=dst-nat chain=dstnat comment="Anywhere Access Web service for Mac client computers TCP Port 65520" dst-port=65520 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200  \
    to-ports=65520
add action=dst-nat chain=dstnat comment="Anywhere Access Server Loopback Communications  TCP Port 65532" dst-port=65532 in-interface=ether1 log=yes protocol=tcp to-addresses=\
    192.168.1.200  to-ports=65532
add action=dst-nat chain=dstnat comment="Anywhere Access Client computer deployment website TCP Ports 65510-65515" dst-port=65510-65515 in-interface=\
    ether1 log=yes protocol=tcp to-addresses=192.168.1.200  to-ports=65510-65515
10

(1) Firewall rules need work some missing (the most important one is in blue!!) , order not right, duplicates…

(2) INPUT CHAIN
/ip firewall filter
add action=accept chain=input comment=“accept established, related” connection-state=established,related (order)
add action=drop chain=input comment=“Drop all invalid packets from WAN” connection-state=invalid
add action=accept chain=input comment=“Allow Mgmt_VLAN Full Access” in-interface=Mgmt_VLAN (order)
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN (add what specific services needed or remove only admin should have full access)
(for example DNS usually applies, protocol tcp/udp dest port=53
add action=drop chain=input disabled=yes (enable this rule its better security and will eliminate all unauthorized wan to router and lan to router traffic for example)

FORWARD CHAIN
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” \ (missing need to add)
connection-state=established,related
add action=accept chain=forward comment=“Allow Estab & Related” connection-state=established,related
add action=drop chain=forward comment=“Drop all invalid packets from LAN” connection-state=invalid (order)
add action=accept chain=forward comment=“VLAN Internet Access Only” connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat
connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes (enable which blocks all VLAN to VLAN traffic not specifically allowed above at layer 3, and any unwanted traffic wan to lan etc).

(5) Duplicates in forward chain removed.
add action=accept chain=forward connection-state=related (duplicate remove)
add action=accept chain=forward connection-state=established (duplicate remove)

(6) Forward chain rules that seem to serve no purpose and are way to wide open. You have already allowed vlan to wan traffic. What else do they need for example??
add action=accept chain=forward connection-state=new src-address-list=Mgmt_VLAN
add action=accept chain=forward connection-state=new src-address-list=Business_VLAN
add action=accept chain=forward connection-state=new src-address-list=Home_VLAN
add action=accept chain=forward connection-state=new src-address-list=Guest_VLAN
add action=accept chain=forward connection-state=new disabled=yes src-address-list=“”
add action=accept chain=forward connection-state=new src-address-list=Mgmt_VLAN
add action=accept chain=forward connection-state=new src-address-list=Business_VLAN
add action=accept chain=forward connection-state=new src-address-list=Home_VLAN
add action=accept chain=forward connection-state=new src-address-list=Guest_VLAN


(7) Destination NAT rules. Better to use in-interface-list=WAN vice interface=eth1.
You can simplify the rules if you desire, otherwise nothing seems wrong. I would be concerned about opening so many ports, and assume you have encrypted logins not plaintext passwords.

/ip firewall nat
add action=masquerade chain=srcnat comment=“Default masquerade” out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80,443,6602,65500,65510-65515,65520,65532 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.1.200

(8) Assume you let friends and family access your server, suggesting that you
a. create a list of allowable domain names for those folks.
b. get those folks to get free domain names available on the net, its really a simple ask.
c. create firewall address list.
/ip firewall address-list
add address=freedomain.net comment=george list=allowedusers
add address=myfreeorg.com comment=parents list=allowedusers
add address=nocosthome.org comment=sister list=allowedusers
Note: The router will resolve domain names to IP addresses automatically!!

Destination nat rule becomes.
add action=dst-nat chain=dstnat dst-port=80,443,6602,65500,65510-65515,65520,65532 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.1.200
source-address-list=allowedusers

11

anav,
Thanks for the detailed info. You make very good points.

I’ve incorporated you info but I am still not able to open the block of ports 65510-65515.

12

Please post your latest config for a fresh look!

/export hide-sensitive file=anynameyouwish

13

Here is my complete config

# mar/11/2021 09:50:18 by RouterOS 6.48
# software id = UJVQ-A1VN
#
# model = 2011UiAS-2HnD
# serial number = **********
/interface bridge
add name=Bridge1 protocol-mode=none vlan-filtering=yes interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge ssid=Blue
/interface vlan
add interface=Bridge1 name=Business_VLAN vlan-id=10
add interface=Bridge1 name=Guest_VLAN vlan-id=30
add interface=Bridge1 name=Home_VLAN vlan-id=20
add interface=Bridge1 name=Mgmt_VLAN vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=MGMT
add name=Mgmt
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=66:D1:54:39:72:41 master-interface=wlan1 name=wlan2 security-profile=Home ssid=Yellow
/ip pool
add name=Business_POOL ranges=192.168.1.25-192.168.1.100
add name=Home_POOL ranges=10.10.10.11-10.10.10.254
add name=Guest_POOL ranges=192.168.5.25-192.168.5.50
add name=Mgmt_POOL ranges=192.168.99.11-192.168.99.50
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Bridge1 name=dhcp1
add address-pool=Business_POOL disabled=no interface=Business_VLAN name=Business_DHCP
add address-pool=Home_POOL disabled=no interface=Home_VLAN name=Home_DHCP
add address-pool=Guest_POOL disabled=no interface=Guest_VLAN name=Guest_DHCP
add address-pool=Mgmt_POOL disabled=no interface=Mgmt_VLAN name=Mgmt_DHCP
/interface bridge port
add bridge=Bridge1 interface=ether2
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=99
add bridge=Bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
add bridge=Bridge1 interface=wlan1 pvid=10
add bridge=Bridge1 interface=wlan2 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Mgmt
/interface bridge vlan
add bridge=Bridge1 tagged=Bridge1,ether5 untagged=wlan1 vlan-ids=10
add bridge=Bridge1 tagged=Bridge1,ether5 untagged=wlan2 vlan-ids=20
add bridge=Bridge1 tagged=Bridge1,ether5 vlan-ids=30
add bridge=Bridge1 tagged=Bridge1,ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=Mgmt_VLAN list=VLAN
add interface=Business_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN
add interface=Mgmt_VLAN list=MGMT
add interface=Mgmt_VLAN list=Mgmt
/ip address
add address=192.168.99.1/24 interface=Mgmt_VLAN network=192.168.99.0
add address=192.168.1.1/24 interface=Business_VLAN network=192.168.1.0
add address=10.10.10.1/24 interface=Home_VLAN network=10.10.10.0
add address=192.168.5.1/24 interface=Guest_VLAN network=192.168.5.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=192.168.1.0 list=Business_VLAN
add address=192.168.99.0 list=Mgmt_VLAN
add address=10.10.10.0 list=Home_VLAN
add address=192.168.5.0 list=Guest_VLAN
/ip firewall filter
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop all invalid packets from WAN" connection-state=invalid
add action=accept chain=input comment="Allow Mgmt_VLAN Full Access" in-interface=Mgmt_VLAN
add action=drop chain=forward comment="Drop all invalid packets from LAN" connection-state=invalid
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=forward comment="Drop all invalid packets from LAN" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=\
    80,443,6602,65500,65510-65515,65520,65532 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.1.210
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
/ip ssh
set strong-crypto=yes
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/system clock
set time-zone-name=America/Chicago
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=Mgmt
/tool mac-server mac-winbox
set allowed-interface-list=Mgmt
/tool mac-server ping
set enabled=no
14

(1) This looks extra and can be removed.
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Bridge1 name=dhcp1

(2) Why the duplication and where is the guest vlan identified??
/interface list member
add interface=Mgmt_VLAN list=MGMT
add interface=Mgmt_VLAN list=Mgmt

(3) This may be extra and could be removed.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

(4) Duplicates should be removed.
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established

(5) Duplicate rule located in the input chain so it can be removed. Further what is the point of the first rule if you have the third rule???
The answer is, change the third rule to be only DNS services and then you stop complete access to the router for all users on all vlans and then the first rule makes sense!!
add action=accept chain=input comment=“Allow Mgmt_VLAN Full Access” in-interface=Mgmt_VLAN
add action=drop chain=forward comment=“Drop all invalid packets from LAN” connection-state=invalid
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN

(7) I am not seeing why port forwarding is not working though. Can you check the device/server itself to ensure its setup for those ports and check out any firewall rules if on a PC that may be blocking those ports…

15

anav,

I appreciate your help in cleaning up my config file. I strongly suspect that the modem itself may be blocking the ports. Arris builds the router but they do NOT support it. They refer me to the ISP. The ISP refuses to do anything other than vanilla networking. They indicate that all ports are open on their side.

The GUI of the Arris modem is limited (as are most GUIs). I am trying to track down a user manual and/or CLI manual for this model.

I’ll post as I get more information to provide some closure to this topic.

16

No worries, if I was conversant at logging/sniffing traffic I would recommend attempting to see if you are getting any incoming traffic on those ports at least reaching the router?
In other words have a friend attempt to log into the device on those ports while your sniffing traffic for example.
It should be clear if the incoming traffic gets past the modem.

If you are getting a public IP address chances are the modem is in bridge mode and all ports should be open.
However if they are giving you a private IP chances are you are in a NAT situation but I hardly doubt they just blocked that particular port range, its either all or none usually and thus why I suspect the server or firewall rules on the PC the server is on for example. Just trying to work through the logic.