Could someone please point me in the right direction?
I'm trying to open a port to my razberry, so I can access it from my mother's house.
I have read the forum for a couple of days but I can't get it to work.
Is there anybody that could make a step-by-step tutorial?
Raz ip 192.168.88.223
external ip 90.xx.xx.xx
Edit: I have a MikroTik RB2011UAS-2HnD-IN
cbrown
August 8, 2013, 10:30am
2
Which port and protocol are you trying to use?
efaden
August 8, 2013, 10:57am
4
sonnyboy:
Port 8083
protocol tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8083 \
in-interface=ether1-gateway protocol=tcp \
to-addresses=192.168.88.223 to-ports=8083
I have tried that and did it again, but no luck.
I don't have to do anything in firewall filter rules?
efaden
August 8, 2013, 11:13am
6
Post your config. Also are you trying to access it from within the network, by the public ip? (e.g. hairpin)
I'm trying to connect via public IP xx.xx.xx.xx:8083
How do I get out the config?
cbrown
August 8, 2013, 11:20am
8
Open a new terminal and type /export compact if using v5 or if using v6 just /export will be fine.
efaden
August 8, 2013, 11:21am
9
Right, but are you trying to connect via public IP from inside your 10.0. network? Or from the internet? If you are doing it from within you will need hairpin rules also.
/ip firewall export
I'm trying to connect from the internet.
Firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=no dst-port=8083 in-interface=\
ether1-gateway protocol=tcp to-add
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 si
set pptp disabled=no
[admin@MikroTik] >
cbrown
August 8, 2013, 11:52am
11
Your dst-nat rule does not look correct. Did you cut it off trying to paste it or is it just wrong?
It should be.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8083 protocol=tcp to-addresses=192.168.88.223
cbrown:
Your dst-nat rule does not look correct. Did you cut it off trying to paste it or is it just wrong?
It should be.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8083 protocol=tcp to-addresses=192.168.88.223
Must have been me when I pasted it.
Is this all that I need?
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8083 protocol=tcp to-addresses=192.168.88.223
cbrown
August 8, 2013, 12:17pm
13
Yes, unless you are wanting to send port 8083 coming in on your WAN to a different port on the Rasberry (let’s use 80 for example) then you would add “to-ports=80”. It also doesn’t hurt to specify the WAN interface with “in-interface”. The resulting rule then would look like:
add action=dst-nat chain=dstnat dst-port=8083 in-interface=ether1 protocol=tcp \
to-addresses=192.168.88.223 to-ports=80
But if you don’t need that then just use
add action=dst-nat chain=dstnat dst-port=8083 in-interface=ether1 protocol=tcp \
to-addresses=192.168.88.223
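A source-restricted variant of the forward above, as an added example that is not part of the original posts: it translates port 8083 only for remote addresses on a list, rather than for any internet host. The list name `razberry-remote` and the address 198.51.100.25 are placeholders (assumptions), not values from the thread.

```routeros
# Added example (not from the thread). The list name and 198.51.100.25 are
# placeholders; put the remote site's real public address on the list.
/ip firewall address-list
add list=razberry-remote address=198.51.100.25 \
    comment="remote site allowed to reach 8083"

/ip firewall nat
# Same forward as above, but matched only for sources on the list.
# Packets from any other host are not translated; they stay addressed to the
# router itself and fall to the input chain, where the default
# "drop in-interface=ether1-gateway" rule from the export discards them.
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp \
    dst-port=8083 src-address-list=razberry-remote \
    to-addresses=192.168.88.223 to-ports=8083 \
    comment="razberry forward, listed sources only"

# Translated packets traverse the forward chain, not input. The filter export
# posted in this thread contains only input-chain rules, so the forward chain
# accepts them and no extra filter rule is needed for this forward.
```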
I get this when I tried:
[admin@MikroTik] > /ip firewall nat
[admin@MikroTik] /ip firewall nat> add action=dst-nat chain=dstnat dst-port=8083 i
n-interface=ether1 protocol=tcp
... to-addresses=192.168.88.223
ambiguous value of interface, more than one possible value matches input
[admin@MikroTik] /ip firewall nat>
cbrown
August 8, 2013, 12:32pm
15
That is because your WAN interface is not named ether1. Change out ether1 with the interface name of your WAN interface.
Ahhh ether1-gateway
But no luck so far. I have tested everything; when I check the statistics nothing happens.
It must be my modem that stops this. I have even put the MikroTik router in the DMZ in my modem; I can't bridge the modem.
cbrown
August 8, 2013, 1:07pm
17
Torch your WAN interface and see if you see the traffic coming in.
As was stated earlier. If you are trying to connect to the server via the public IP and sitting on the same LAN as the server you will need to set up a hairpin NAT rule.
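The hairpin NAT rule mentioned above is never shown in the thread; a sketch of it follows as an added example, not part of the original posts, together with the counter and Torch checks discussed here. 203.0.113.10 stands in for the elided public IP, and 192.168.88.0/24 is assumed to be the LAN subnet.

```routeros
# Added example (not from the thread). 203.0.113.10 is a placeholder for the
# public IP; 192.168.88.0/24 is an assumed LAN subnet.
/ip firewall nat
# Match the forward on destination address instead of in-interface, so a
# request from a LAN client to the public IP is translated as well.
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp \
    dst-port=8083 to-addresses=192.168.88.223 to-ports=8083 \
    comment="razberry forward"
# Hairpin: rewrite the source of LAN-to-server traffic to the router, so the
# server replies via the router and the reverse translation is applied.
# Without it the server answers the client directly from 192.168.88.223 and
# the client discards the reply, which it expected from 203.0.113.10.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.223 protocol=tcp dst-port=8083 \
    comment="razberry hairpin"

# Checks: per-rule packet counters, then live traffic on the WAN port.
# Counters that stay at zero while Torch shows no port 8083 traffic mean the
# connection attempt never reached the router.
/ip firewall nat print stats
/tool torch interface=ether1-gateway port=8083
```

With the hairpin rule in place, the server sees LAN clients arriving from the router's LAN address, so its access logs no longer show the individual client for those connections.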
cbrown:
Torch your WAN interface and see if you see the traffic coming in.
As was stated earlier. If you are trying to connect to the server via the public IP and sitting on the same LAN as the server you will need to set up a hairpin NAT rule.
I'm not at home, so I'm not in the same LAN.
Torch doesn't show my IP address at any time, so my call to my raz never gets to the router.
Topic solved
Many thanks for the help
cbrown
August 8, 2013, 2:31pm
20
No problem. What was the final fix?