Port Forwarding

I was playing around with the router and I’m positive I broke my config because I cannot for the life of me get ports to open back up. At the bottom of the post I have attached the log and I’ve tried to get ports back open in both TCP and UDP with no luck.

I am trying to get ports 192.168.1.40:27015 (UDP) & 192.168.1.40:32600 (TCP) open.

Filter Rule Example:

# Forward-chain accepts for the two services. They match the destination port as
# seen after dst-nat (the NAT rules below keep the port unchanged) and only
# traffic entering on the WAN bond; in the full export they sit above the drops.
add action=accept chain=forward comment="Port Opening: Homelab: TCP" \
    dst-port=32600 in-interface="WAN LACP" protocol=tcp
add action=accept chain=forward comment="Port Opening: Homelab: UDP" \
    dst-port=27015 in-interface="WAN LACP" protocol=udp

NAT (example):

# dst-nat for both services to 192.168.1.40. Because in-interface="WAN LACP" is
# required, these only translate traffic arriving from the internet (no hairpin
# from the LAN); reachability then depends on the router having a connected
# route to 192.168.1.0/24 -- see the /ip address section of the full export.
add action=dst-nat chain=dstnat comment="Fen: 27015" \
    dst-port=27015 in-interface="WAN LACP" protocol=udp to-addresses=\
    192.168.1.40 to-ports=27015
add action=dst-nat chain=dstnat comment="Fen: 32600" dst-port=32600 \
    in-interface="WAN LACP" protocol=tcp to-addresses=192.168.1.40

I’ve tried changing my in-interface to most of the different interfaces (bridge, WAN LACP, etc.) as well as broadening it to in-interface-list=WAN. When I use a port checker like canyouseeme.org/yougetsignal it either times out or tells me the port isn't open. Oddly enough my counters are still moving in both the filter rules and the NAT rules, so I assume it's getting some packets and I'm just missing something small and silly.



# sep/19/2023 20:22:19 by RouterOS 6.48.2
# software id = WBCW-3MQ3
#
# model = RB4011iGS+
# serial number = DDDDDDDDDDD
# NOTE(review): the serial and the MAC/client-id values in this export look
# redacted (DDDD..., 11:11:11:...), so device identities cannot be cross-checked.
/interface bridge
# Single bridge. No vlan-filtering=yes is exported, so the pvid=2 set on the
# Home-Main port under /interface bridge port is presumably not enforced --
# confirm if Home-Main and Homelab are meant to be separated at layer 2.
add admin-mac=11:11:11:11:11:99 auto-mac=no comment=defconf name=bridge
/interface bonding
# Both LAN bonds are commented "LACP" but export no mode=, unlike the WAN bond
# below which sets mode=802.3ad explicitly; verify the intended bonding mode
# against the switch side before relying on them as LACP.
add comment="Main Home LACP" mtu=1504 name=Home-Main slaves=\
    ether6,ether7,ether8,ether9 transmit-hash-policy=layer-2-and-3
add comment="Homelab LACP" mtu=1504 name=Homelab slaves=ether3,ether4,ether5 \
    transmit-hash-policy=layer-2-and-3
# Upstream link (ether1+ether2, 802.3ad). This is the interface the dst-nat and
# forward accept rules match with in-interface="WAN LACP".
add comment="WAN LACP" mode=802.3ad name="WAN LACP" slaves=ether1,ether2 \
    transmit-hash-policy=layer-2-and-3
/interface ethernet switch port
# All switch-chip ports left with default-vlan-id=0.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Role lists; membership is assigned under /interface list member
# (bridge -> LAN, "WAN LACP" -> WAN).
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# defconf wireless profile; no wireless interface appears elsewhere in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only default-dhcp (with next-pool=secondary-dhcp) is bound to a DHCP server
# below; Homelab, Home-Main and Backup are defined but unused in this export.
# secondary-dhcp and Backup span several subnets (192.168.4/2/88/1), so once
# default-dhcp is exhausted a bridge client may receive an address from any of
# them -- presumably not intended, worth checking.
add comment="Homelab - NO SETUP" name=Homelab ranges=\
    192.168.1.10-192.168.1.254
add comment="Home/Main - NO SETUP" name=Home-Main ranges=\
    192.168.2.10-192.168.2.254,192.168.3.19-192.168.3.254
add comment=Default name=Backup ranges="192.168.3.10-192.168.3.254,192.168.4.1\
    0-192.168.4.254,192.168.2.10-192.168.2.254,192.168.88.10-192.168.88.254,19\
    2.168.1.10-192.168.1.254"
add comment=Default name=secondary-dhcp ranges="192.168.4.10-192.168.4.254,192\
    .168.2.10-192.168.2.254,192.168.88.10-192.168.88.254,192.168.1.10-192.168.\
    1.254"
add comment=Default name=default-dhcp next-pool=secondary-dhcp ranges=\
    192.168.3.10-192.168.3.254
/ip dhcp-server
# The only DHCP server, bound to the bridge (add-arp=yes adds ARP entries for
# leases).
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge name=\
    defconf
/interface bridge port
# Every LAN-side interface, including both LAN bonds, is a slave port of the
# bridge. trusted=yes on Homelab is the DHCP-snooping trust flag; no
# dhcp-snooping setting appears in this export, so it presumably has no effect.
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=Home-Main pvid=2
add bridge=bridge interface=Homelab trusted=yes
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces, not on the WAN bond.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="WAN LACP" list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# NOTE(review): the four addresses below are bound to Homelab and Home-Main,
# which are bridge slave ports (see /interface bridge port). RouterOS flags an
# address on a slave port as invalid; if that is the case here the router has
# no connected route to 192.168.1.0/24, and a packet dst-nat'd to 192.168.1.40
# would follow the default route back out the WAN (still incrementing the NAT
# and forward counters). Check "/ip address print" for the "I" flag; binding
# these addresses to the bridge (or to VLAN interfaces on it) is the usual fix.
add address=192.168.1.1/24 comment="Homelab IP Address Range" interface=\
    Homelab network=192.168.1.0
add address=192.168.2.1/24 comment=\
    "Main Home IP Address Range - Trusted Static IPs" interface=Home-Main \
    network=192.168.2.0
add address=192.168.3.1/24 comment="Dynamic (Untrusted) Addresses" interface=\
    Home-Main network=192.168.3.0
add address=192.168.4.1/24 comment=Monitored/Family interface=Home-Main \
    network=192.168.4.0
/ip dhcp-client
# WAN address obtained by DHCP from the ISP. A private or carrier-grade-NAT
# address leased here would also explain forwards that never arrive -- worth
# checking the leased address against what external checkers see.
add comment=defconf disabled=no interface="WAN LACP"
/ip dhcp-server lease
# All three static leases carry the same client-id and mac-address; if that is
# not just redaction, the server cannot hand 192.168.1.40 to a distinct host.
add address=192.168.1.20 client-id=1:11:11:11:11:1:ac comment=\
    "Homelab: Fen" mac-address=1:11:11:11:11:1:ac server=defconf
add address=192.168.1.21 client-id=1:11:11:11:11:1:ac comment=\
    "Homelab: Fen" mac-address=1:11:11:11:11:1:ac server=defconf
add address=192.168.1.40 client-id=1:11:11:11:11:1:ac comment=\
    "Homelab: Fen" mac-address=1:11:11:11:11:1:ac server=defconf
/ip dhcp-server network
# Per-subnet DHCP options. 192.168.5.0/24 uses gateway=192.168.4.1, which is
# not inside that subnet (commented as OLD/TEMP).
add address=192.168.1.0/24 dns-server=192.168.1.1,1.1.1.1,1.0.0.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 comment=Untrusted gateway=192.168.3.1
add address=192.168.4.0/24 comment=Monitored dns-server=192.168.1.60 gateway=\
    192.168.4.1
add address=192.168.5.0/24 comment="OLD Monitored (TEMP)" dns-server=\
    208.67.222.222,208.67.220.220 gateway=192.168.4.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any source that
# reaches the input chain; only the input drop on "WAN LACP" under
# /ip firewall filter keeps this off the internet.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Referenced only by the "For Blocking Unauthorized Devices" forward rule,
# which is disabled=yes, so this list currently has no effect.
add address=192.168.3.0/24 comment="For blocking unrecognized devices" list=\
    "Block External Access"
/ip firewall filter
# Rule order matters. The two port-opening accepts come first so they match
# before any drop; they match the post-dst-nat destination port (the NAT rules
# keep the port unchanged) and carry no connection-state, so they also cover
# established packets on those ports.
add action=accept chain=forward comment="Port Opening: Homelab: TCP" \
    dst-port=32600 in-interface="WAN LACP" protocol=tcp
add action=accept chain=forward comment="Port Opening: Homelab: UDP" \
    dst-port=27015 in-interface="WAN LACP" protocol=udp
# ICMP to the router is accepted from every interface, including the WAN bond,
# because this rule precedes the WAN input drop at the end of the chain.
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Related / Established / Untracked" connection-state=\
    established,related,untracked
# "untracked" is needed because the /ip firewall raw notrack rules bypass
# connection tracking for inter-subnet traffic; that traffic is therefore
# accepted here without stateful inspection.
add action=accept chain=forward comment=\
    "Allow Related / Established / Untracked" connection-state=\
    established,related,untracked
# Fasttrack is disabled; all forwarded traffic goes through the full chain.
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack (Not sure if needed)" connection-state=established,related \
    disabled=yes
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Both IPsec policy accepts are disabled.
add action=accept chain=forward comment=\
    "Accept in ipsec policy" disabled=yes ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment=\
    "Accept out ipsec policy" disabled=yes ipsec-policy=\
    out,ipsec
# Disabled: with this off, only the "WAN LACP"-specific drop at the end guards
# the input chain, so any future interface outside the LAN list other than the
# WAN bond would not be covered.
add action=drop chain=input comment=\
    "Drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN
# Disabled: invalid-state packets are not dropped in the forward chain.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=yes
# Disabled, so the "Block External Access" address-list is not enforced.
add action=drop chain=forward comment="For Blocking Unauthorized Devices" \
    disabled=yes in-interface=bridge src-address=192.168.3.0/24 \
    src-address-list="Block External Access"
# New connections from the WAN list that were not dst-nat'd are dropped; the
# forwards above survive this because their connections are dstnat-marked.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Last input rule: drops everything else arriving on the WAN bond, including
# DNS (allow-remote-requests=yes) and management services.
add action=drop chain=input comment="Drop everything not whitelisted" \
    in-interface="WAN LACP"
# Appears to duplicate the preceding WAN drop for the bond alone, with an empty
# connection-nat-state value; presumably no additional effect -- confirm.
add action=drop chain=forward comment="Drop everything not whitelisted" \
    connection-nat-state="" connection-state=new in-interface="WAN LACP"
/ip firewall nat
# Source NAT for everything leaving via the WAN list (IPsec-policied traffic
# excluded). A packet dst-nat'd to an unreachable LAN address that ends up on
# the default route would also be masqueraded out here.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards to 192.168.1.40. Both match only in-interface="WAN LACP", so
# tests from inside the LAN (hairpin) will not hit them; use an external
# checker. The destination port is left unchanged (to-ports=27015 is the same
# port; the TCP rule sets none), so the forward-chain accepts keyed on
# dst-port 27015/32600 still match after translation.
add action=dst-nat chain=dstnat comment="Fen: 27015" \
    dst-port=27015 in-interface="WAN LACP" protocol=udp to-addresses=\
    192.168.1.40 to-ports=27015
add action=dst-nat chain=dstnat comment="Fen: 32600" dst-port=32600 \
    in-interface="WAN LACP" protocol=tcp to-addresses=192.168.1.40
/ip firewall raw
# Traffic between 192.168.88.0/24, 192.168.1.0/24 and 192.168.2.0/24 (both
# directions for each pair) skips connection tracking entirely; it is then
# accepted by the forward chain only through the "untracked" state match and
# is not subject to NAT. 192.168.3.0/24 and 192.168.4.0/24 are not listed, so
# those subnets stay under normal tracking.
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.1.0/24 \
    src-address=192.168.88.0/24
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.2.0/24 \
    src-address=192.168.88.0/24
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.88.0/24 \
    src-address=192.168.1.0/24
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24
add action=notrack chain=prerouting comment=\
    "Let devices talk between subnets" dst-address=192.168.88.0/24 \
    src-address=192.168.2.0/24
/ip upnp
# UPnP is off. The interface roles below do not match the interface-list
# membership (bridge is the LAN member yet typed external; Home-Main is a
# bridge slave port typed internal) -- correct them before ever enabling this.
set allow-disable-external-interface=yes enabled=no
/ip upnp interfaces
add interface=Home-Main type=internal
add interface=bridge type=external
/system clock
set time-zone-name=America/Denver
/tool mac-server
# MAC-telnet and MAC-winbox answer only on LAN-list interfaces, not on the
# WAN bond.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Are you sure the ports are not blocked on the ISP side?

I had trouble when we had a DSL connection in our office: you could open ports on your router, but the ISP was blocking them, so they reported as blocked. Once we got a fibre connection with a public IP there was no more problem.

Also, ports can appear closed if there is no service listening on them.

I haven't phoned yet to verify, but they really shouldn't be closed. I know for sure 32600 has been open for quite a while now.

And both services are active, so it's a bit of a head scratcher. I might back up my config tonight and redo it from scratch to see if that helps.