Port forwarding to Unraid OpenVPN

Hi

Yet another post about failed port forwarding :slight_smile:
I’ve read a bunch of the other posts and none have helped so far.

Newest stable update on MikroTik too.
Here is what I'm trying to do:
Trying to make secure access from WAN to my home Unraid server, and therefore I installed OpenVPN on it.
ISP is not blocking any port any protocol.
Unraid openvpn settings:

openvpn server settings:

Mikrotik NAT rule:

Mikrotik firewall filter rule:

I've tried everything on earth.
Can somebody HELP me?

Screenshots are (almost) useless, please post configuration export (run /export hide-sensitive from the command line) instead.

# sep/19/2020 13:57:53 by RouterOS 6.47.3
# software id = 332D-2RRB
#
# model = 951Ui-2HnD
# serial number = 64310566BB50
/interface bridge
add admin-mac=************** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-EDB75B \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.124 client-id=1:70:f3:95:2:84:4 mac-address=70:F3:95:02:84:04 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=openvpn dst-address=192.168.88.124 dst-address-list="" dst-port=1194 in-interface=ether1 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=openvpn dst-address=0.0.0.0 in-interface=ether1 protocol=udp to-addresses=192.168.88.124 to-ports=1194
/system clock
set time-zone-name=Europe/Tallinn
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I didn’t examine the rest, but remove dst-address=0.0.0.0 from dstnat rule, that’s clearly wrong.

Huuh, stupid mistake, removed but still can't connect :frowning:

Why not use IPsec on the router and then simply connect to your server?

Ok, I checked the rest, but I don’t see anything wrong, it’s just default config. So if you have public IP address, either directly on router, or at least somewhere else (modem or another ISP’s router) with port(s) forwarded to your router, it should work. As a first step, check if your dstnat rule has any hits, it will tell you whether incoming traffic from internet reaches your router or not. If that works, then verify that server gets packets and sends some responses back.
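Added example (an editor's addition, not part of the thread and not OpenVPN's or MikroTik's code) for the "verify that the server gets packets and sends some responses back" step. A generic online port checker cannot prove a UDP port open or closed: UDP has no handshake, so "closed" only means nothing came back. OpenVPN 2.x in its default UDP mode does answer an unauthenticated P_CONTROL_HARD_RESET_CLIENT_V2 with a P_CONTROL_HARD_RESET_SERVER_V2, so sending that single packet from an outside host, while watching the dst-nat rule's counter on the router with `/ip firewall nat print stats`, separates "traffic never reaches the router", "router forwards but the server does not answer" and "server answers". Assumptions: the packet layout is the standard OpenVPN 2 control-channel framing; the server runs without tls-auth/tls-crypt (with those enabled it silently drops unauthenticated resets, so "no reply" proves nothing); the target address is a placeholder.

```python
"""Added example (not the thread's or OpenVPN's code): send one OpenVPN client
reset to a UDP port and see whether an OpenVPN server answers.  Framing follows
the OpenVPN 2.x control channel; assumes no tls-auth/tls-crypt on the server."""
import os
import socket
import struct

# Control-channel opcodes; the wire byte is (opcode << 3) | key_id, key_id 0 here.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first byte 0x38
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # first byte 0x40
SESSION_ID_LEN = 8


def build_client_reset(session_id: bytes) -> bytes:
    """Client hard reset: opcode byte, our session id, empty ACK array, packet-id 0."""
    if len(session_id) != SESSION_ID_LEN:
        raise ValueError("session id must be 8 bytes")
    return (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3])
            + session_id
            + b"\x00"                   # number of ACKed packet ids: none yet
            + struct.pack("!I", 0))     # our packet id 0


def parse_server_reset(payload: bytes, our_session_id: bytes) -> bool:
    """True if payload is a server hard reset that ACKs *our* session.

    Layout: opcode/key byte | server session id (8) | ACK count (1) |
            ACK count x packet id (4) | remote session id (8, present when
            ACK count > 0) | packet id (4)
    """
    if len(payload) < 1 + SESSION_ID_LEN + 1:
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2 or key_id != 0:
        return False
    pos = 1 + SESSION_ID_LEN
    ack_count = payload[pos]
    pos += 1 + 4 * ack_count
    if ack_count == 0 or len(payload) < pos + SESSION_ID_LEN + 4:
        return False            # a genuine server reset ACKs our packet id 0
    remote_session_id = payload[pos:pos + SESSION_ID_LEN]
    # Tying the reply to the random session id we sent filters stray datagrams.
    return remote_session_id == our_session_id


def probe_openvpn(host: str, port: int = 1194, timeout: float = 3.0) -> str:
    """Return 'server-reset', 'unexpected-reply' or 'no-reply'.

    'no-reply' is inconclusive: a filtered port, a broken dst-nat and a server
    running tls-auth/tls-crypt (which drops unauthenticated resets) look the same.
    """
    session_id = os.urandom(SESSION_ID_LEN)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_reset(session_id), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return "no-reply"
    return "server-reset" if parse_server_reset(data, session_id) else "unexpected-reply"


if __name__ == "__main__":
    import sys
    # Placeholder target; pass the router's public address on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    print(f"{target}:1194 -> {probe_openvpn(target)}")
```

Run it from a host outside your network (a phone hotspot will do) with the router's public address as the argument. "server-reset" means the dst-nat, the forward chain and the server's reply path all work; "no-reply" with a dst-nat counter that is not moving means the packet never reached the router (ISP, upstream NAT, or wrong public address), while "no-reply" with a moving counter means the server itself is not answering.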

Okay, since you won't answer my question Sob, I will answer the OP's question LOL.

Your error is here
/ip address
add address=192.168.88.1/24 comment=defconf interface=**ether2** network=192.168.88.0

It should be
/ip address
add address=192.168.88.1/24 comment=defconf interface=**bridge** network=192.168.88.0

Not sure why you put this destination-type rule in the forward chain, so it needs to be removed:
add action=accept chain=forward comment=openvpn dst-address=192.168.88.124 dst-address-list="" dst-port=1194 in-interface=ether1 protocol=udp

As far as port forwarding it should look like this.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
(required standard source NAT rule)

add action=dst-nat chain=dstnat comment="openvpn" in-interface-list=WAN protocol=udp dst-port=1194 to-addresses=192.168.88.124

The final determination of the rules structure is what kind of ISP connection you have! Is it a static/fixed WAN IP or a dynamic WAN IP?

The only other comment I would make on port forwarding is that if you know the WAN IP addresses you wish to allow to access the server, then you would make up a firewall address list and add it to the dst-nat rule - source-address-list=name_of_list

Ok, I need bigger glasses, of course it should be dst-port=1194 in dstnat rule. On the other hand, posted rule should forward all ports to 1194, so connection to OpenVPN server should still work, even if it’s wrong.

@anav: Suggestion, when pointing out mistakes, it’s good to tell if it’s related to the problem or not. E.g. IP address on ether2 instead of on bridge is wrong, but it doesn’t influence dstnat at all. And if OP likes external OpenVPN server better than VPN options in RouterOS, it’s ok.
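Added example (an editor's addition, not the thread's or MikroTik's code): a small script that applies the checks from the two replies above to a RouterOS `/export` text and, as Sob asks, separates findings that actually break a port forward from ones that are merely wrong. The sample export is a constructed, trimmed copy of the first configuration posted in this thread with the admin-mac zeroed; the parser and the rules are my own heuristics and cover only the mistakes named here (`dst-address=0.0.0.0` on the dst-nat rule, a dst-nat rule with no `dst-port`, a LAN address on a bridge member port instead of the bridge, and a forward accept rule that the defconf "drop all from WAN not DSTNATed" rule already makes unnecessary).

```python
"""Added example (not MikroTik's or the thread's code): sanity checks for a
port forward in a RouterOS '/export'.  Parser and rules are my own heuristics."""
import shlex

# Constructed sample: a trimmed copy of the first export posted in the thread,
# with the admin-mac zeroed.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip firewall filter
add action=accept chain=forward comment=openvpn dst-address=192.168.88.124 dst-port=1194 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=openvpn dst-address=0.0.0.0 in-interface=ether1 protocol=udp to-addresses=192.168.88.124 to-ports=1194
"""


def parse_export(text: str) -> dict:
    """Map each menu path ('/ip firewall nat') to its 'add'/'set' lines as dicts."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):              # export wraps long lines with '\'
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)           # handles comment="defconf: ..."
        if current is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def check_export(text: str) -> list:
    """Return (impact, message) findings.

    impact: 'breaks'     - the forward cannot work with this in place
            'over-broad' - works, but exposes more than intended
            'unrelated'  - wrong, but not why a port forward fails
    """
    s = parse_export(text)
    findings = []

    # 1. The LAN address belongs on the bridge, not on a port that is a bridge member.
    members = {e.get("interface") for e in s.get("/interface bridge port", [])}
    for a in s.get("/ip address", []):
        if a.get("interface") in members:
            findings.append(("unrelated",
                f"address {a.get('address')} is on bridge member {a['interface']}; move it to the bridge"))

    # 2. dst-nat rule sanity.
    for r in s.get("/ip firewall nat", []):
        if r.get("action") != "dst-nat":
            continue
        name = r.get("comment", "<no comment>")
        if r.get("dst-address") == "0.0.0.0":
            findings.append(("breaks",
                f"dst-nat '{name}': dst-address=0.0.0.0 never matches a real packet; "
                "remove it (match on in-interface-list=WAN instead)"))
        if "to-addresses" not in r:
            findings.append(("breaks", f"dst-nat '{name}': no to-addresses"))
        if "dst-port" not in r:
            findings.append(("over-broad",
                f"dst-nat '{name}': no dst-port, so every {r.get('protocol', '')} port "
                f"is forwarded to {r.get('to-addresses')}:{r.get('to-ports', 'same port')}"))

    # 3. A forward accept for the forwarded port is redundant with the defconf
    #    rule, which drops only WAN traffic that was *not* dst-natted.
    filters = s.get("/ip firewall filter", [])
    defconf_drop = any(f.get("connection-nat-state") == "!dstnat" and f.get("action") == "drop"
                       for f in filters)
    for f in filters:
        if (defconf_drop and f.get("chain") == "forward" and f.get("action") == "accept"
                and "dst-port" in f and (f.get("in-interface") or f.get("in-interface-list"))):
            findings.append(("unrelated",
                f"forward accept '{f.get('comment')}' is redundant: dst-natted traffic "
                "already passes the defconf 'drop all from WAN not DSTNATed' rule"))
    return findings


if __name__ == "__main__":
    for impact, message in check_export(SAMPLE_EXPORT):
        print(f"[{impact:10}] {message}")
```

Feed it the output of `/export hide-sensitive` from your own router. Only the "breaks" findings explain a forward that does not work at all; the "unrelated" ones are worth fixing but, as noted above, do not influence dst-nat.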

Isn't this my automatic router defconf where it shares the WAN that is coming through eth2 in to all other LAN addresses?

Nope, it's the default config, which doesn't apply as soon as you start changing the config.

Here you have set the bridge AND NOT ether2 to do DHCP
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

Here you have set the interfaces which belong to the bridge including ether2 and the rest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1

I have made all the changes recommended by you but still it shows the port closed when I try it from WAN! (On the other hand, when I uncheck the firewall router checkbox under the QuickSet menu, the port checker tool shows the port open. Can the error then be in wrong or missing firewall filter rules?)

# sep/26/2020 12:03:51 by RouterOS 6.47.3
# software id = 332D-2RRB
#
# model = 951Ui-2HnD
# serial number = 64310566BB50
/interface bridge
add admin-mac=E4:8D:8C:ED:B7:57 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-EDB75B wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.124 client-id=1:70:f3:95:2:84:4 mac-address=70:F3:95:02:84:04 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=forward comment=openvpn dst-address=192.168.88.124 dst-port=1194 in-interface=ether1 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=openVPN dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=192.168.88.124
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Tallinn
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

New changes in the conf are because I tried to use the MikroTik VPN service, but again without any results :frowning: I'm so tired of this s…
My IP is a dynamic WAN IP.

Can't connect. I read that with Mac it's not so easy as with Windows, and the best way is to enable the OpenVPN server in MikroTik, create certs and so on?
I did configure as shown in many YouTube videos but no luck again. I just don't have time to study the whole networking topic.

I would put these rules as first rules in forward chain
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

I still don’t know why you have this rule in the forward chain and recommend removing it??
add action=accept chain=forward comment=openvpn dst-address=192.168.88.124 dst-port=1194 in-interface=ether1 protocol=udp
(my limited understanding is that VPN is defined in the input chain for the most part, and port forwarding in the NAT section so this really seems out of place to me!!!)

Then again I have no idea what kind of VPN you are trying to achieve as your rules above in the input chain seem to indicate you have a hockey sock full of VPN going on. :slight_smile:

FROM
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=openVPN dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=192.168.88.124
(no quote marks around openVPN ???)
(What the heck does the 192.168.89.0 subnet have to do with anything? Not defined above in your config? If it's the subnet created internally for VPN then I don't think you need to source-NAT that.)

TO
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="openVPN" dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=192.168.88.124


Other thoughts:
(1) maybe you need to define an IP Pool for your VPN??

(2) maybe you need an input rule to allow the VPN tunnel created to access the router (from ip pool for vpn to router I mean)??

(3) maybe you need forward rules for VPN pool to LAN, or VPN pool to internet as well…??

Is it also public? I.e. not 192.168.x.x, 10.x.x.x, 172.16-31.x.x, 100.64-127.x.x.

When you’re trying to connect from outside, is dstnat rule’s packet counter increasing?