Xfinity Gateway → Mikrotik ↔ PiHole DNS
EDIT: Found the issue. My Xfinity gateway turned out to be unbridged, so it was double NATing my network.
I’m trying to open port 25565 for a Minecraft server but it’s not opening. I’ve been able to open ports for a teamspeak server in the past, but I’m no longer hosting that server to test those ports now.
I’ve tried disabling most of my router firewall rules as well to no effect.
The Minecraft server is running on Windows 10 with the default AV protection enabled. I do not have a 3rd party AV or firewall.
I’ve tried disabling the Windows firewall and AV, and added the port to both inbound/outbound windows firewall rules to no effect.
I’m able to join the server from the localhost itself. I don’t have access to another computer on the network to see if I can join from within the local network.
Any other ideas are greatly appreciated.
# jan/03/2024 18:19:21 by RouterOS 6.49.11
/interface bridge
add admin-mac=redacted auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip accounting
set threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.1.136/32
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.82 client-id=1:redacted comment=piHole \
mac-address=redacted server=defconf
add address=192.168.1.110 client-id=1:redacted comment=\
"Second Office PC" mac-address=redacted server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set servers=192.168.1.82
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
"default configuration (Protect the router itself)" connection-state=\
established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=\
"FastTrack (Protect the LAN devices)" connection-state=\
established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none log-prefix=masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.110 to-ports=\
25565
add action=dst-nat chain=dstnat comment="TS3 Voice" disabled=yes dst-port=\
9987 in-interface=ether1 protocol=udp to-addresses=192.168.1.56 to-ports=\
9987
add action=dst-nat chain=dstnat comment="TS3 FileTransfer" disabled=yes \
dst-port=30033 in-interface=ether1 protocol=tcp to-addresses=192.168.1.56 \
to-ports=30033
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2216
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip traffic-flow ipfix
set nat-events=yes
/system clock
set time-zone-name=America/New_York
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no