Port Forwarding

Hello,
I’ve been trying to set up basic port forwarding for port 49457 for two days with no luck. Packet count in Firewall - NAT is increasing, but I’m still getting “port closed” on all kinds of online port checkers.
I’d be really glad if someone could help me out.
I have the following settings on my router (pptp-out1 is internet connection, ether1-gateway is ISP connection, public IP is dynamic):
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow local connections" disabled=no in-interface=bridge-local
add action=accept chain=forward comment="Allow established connections for user" connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections for user" connection-state=related disabled=no
add action=drop chain=input comment="Drop everything else" disabled=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=pptp-out1
add action=dst-nat chain=dstnat disabled=no dst-port=49457 protocol=tcp to-addresses=192.168.88.2 to-ports=49457
add action=dst-nat chain=dstnat disabled=no dst-port=49457 protocol=udp to-addresses=192.168.88.2 to-ports=49457

ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=bridge-local actual-interface=bridge-local

1 D address=10.160.110.83/24 network=10.160.110.0 interface=ether1-gateway actual-interface=ether1-gateway

2 D address=94.41.65.2/32 network=92.50.189.37 interface=pptp-out1 actual-interface=pptp-out1

interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074

1 R name="ether2-master-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074

2 R name="ether3-slave-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074

3 name="ether4-slave-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074

4 name="ether5-slave-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074

5 name="wlan1" type="wlan" mtu=1500 l2mtu=2290

6 R name="bridge-local" type="bridge" mtu=1500 l2mtu=1598

7 R name="pptp-out1" type="pptp-out" mtu=1400

ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=92.50.189.37 gateway-status=92.50.189.37 reachable via pptp-out1 distance=1 scope=30
target-scope=10

1 ADS dst-address=10.0.0.0/8 gateway=10.160.110.1 gateway-status=10.160.110.1 reachable via ether1-gateway distance=1 scope=30
target-scope=10 vrf-interface=ether1-gateway

2 ADC dst-address=10.160.110.0/24 pref-src=10.160.110.83 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0
scope=10

3 ADC dst-address=92.50.189.37/32 pref-src=94.41.65.2 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=0 scope=10

4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local gateway-status=bridge-local reachable distance=0
scope=10

Make sure your ISP isn’t blocking port 49457

Do this:

Disable the DROP rule on input, and disable the NAT dst-nat rules.

Then, change the winbox service port to 49457 (IP → SERVICES → winbox)

Then, you will have to connect to winbox by putting :49457 after the IP address
(like 192.168.1.1:49457 or whatever your IP address is)


Then, try to connect to winbox from over the Internet (with your public IP address followed by :49457). If it doesn’t connect, then your ISP is blocking it.

Thank you for answering, jandafields.
I did as you said. My ISP isn’t blocking any ports. What I did:
Instead of changing winbox port, I changed telnet port (makes no difference, because I’m not using actual tools)

  1. Disabled dstnat rules, disabled “Drop else” rule, enabled telnet on port 49457 - port open.
  2. Disabled dstnat rules, enabled “Drop else” rule, added and enabled the following firewall rule, enabled telnet on port 49457 - port open.
    chain=input action=accept protocol=tcp dst-port=49457

If I disable telnet service and enable dstnat rule, leaving that new rule enabled, port gets closed. Dstnat rule packet counter is increasing.

So packets come to your router. That’s the most important part, because when this works, the rest is only in your hands.

Make sure that they are really coming through the router, look for them using torch on LAN interface.

If they do, then it moves the problem further. E.g. firewall on 192.168.88.2 might not have the port open.
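
An added example for the last suggestion (not code from any poster in this thread): a listener to run on 192.168.88.2 that records every TCP connection and UDP datagram arriving on port 49457, so an online port check can be compared with what the host actually receives. The function name `watch_port` and its defaults are assumptions of this example.

```python
import selectors
import socket
import time

PORT = 49457  # the forwarded port from the thread


def watch_port(port=PORT, seconds=60.0, host="0.0.0.0"):
    """Listen on TCP and UDP `port`; return [(proto, peer_ip), ...] seen."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sel = selectors.DefaultSelector()
    seen = []
    try:
        tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        tcp.bind((host, port))
        tcp.listen(16)
        udp.bind((host, port))
        sel.register(tcp, selectors.EVENT_READ, "tcp")
        sel.register(udp, selectors.EVENT_READ, "udp")
        deadline = time.monotonic() + seconds
        while True:
            left = deadline - time.monotonic()
            if left <= 0:
                break
            for key, _ in sel.select(timeout=left):
                if key.data == "tcp":
                    conn, peer = tcp.accept()
                    conn.close()  # completing the handshake is enough
                else:
                    _, peer = udp.recvfrom(2048)
                seen.append((key.data, peer[0]))
                print(f"{time.strftime('%H:%M:%S')} {key.data} from {peer[0]}:{peer[1]}")
    finally:
        sel.close()
        tcp.close()
        udp.close()
    return seen


if __name__ == "__main__":
    hits = watch_port()
    print(f"{len(hits)} packet(s)/connection(s) reached this host on port {PORT}")
```

If torch on the LAN interface shows the forwarded packets but this listener records nothing, the host's own firewall is dropping them; if the listener does record the checker's address, the forward works and the earlier "port closed" result came from nothing listening on the host.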