I have a problem connecting to my server from the internet outside my home network (my public IP: 213.151.203.22).
When I am at home and want to connect to the server using https://213.151.203.22:10000 it works, but from anywhere outside my local network it is not possible.
I also have it NATted:
43 chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22
dst-port=22 protocol=tcp
(this is to connect from outside using PuTTY, SSH on port 22; on the MikroTik SSH is disabled)
44 chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=10000 dst-address=213.151.203.22
dst-port=10000 protocol=tcp
this is for connecting using Webmin (Linux)
I have no idea where the problem is. When I connect to my router using 213.151.203.22 in a web browser it works from anywhere, but connecting to my server is not possible.
Any idea how to solve it?
jwcn
May 7, 2008, 5:40pm
2
You need to post all your firewall rules.
0 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid
1 ;;; allow already established connections
chain=forward action=accept connection-state=established
2 ;;; allow related connections
chain=forward action=accept connection-state=related
3 ;;; SSH block(7lines)
chain=input action=accept connection-state=new dst-port=22 protocol=tcp src-address-list=sshaccept
4 chain=input action=drop connection-state=new dst-port=22 protocol=tcp src-address-list=sshdrop
5 chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp
src-address-list=stage4 address-list=sshdrop address-list-timeout=0s
6 chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp
src-address-list=stage3 address-list=stage4 address-list-timeout=20s
7 chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp
src-address-list=stage2 address-list=stage3 address-list-timeout=20s
8 chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp
src-address-list=stage1 address-list=stage2 address-list-timeout=20s
9 chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp
address-list=stage1 address-list-timeout=20s
10 ;;; drop ftp brute forcers
chain=input action=drop in-interface=internet dst-port=21 protocol=tcp
src-address-list=ftp_blacklist
11 ;;; auto-firewall ftp - stage 5
chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage4
address-list=ftp_blacklist address-list-timeout=1w
12 ;;; auto-firewall ftp - stage 4
chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage3
address-list=ftp_stage4 address-list-timeout=1m
13 ;;; auto-firewall ftp - stage 3
chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage2
address-list=ftp_stage3 address-list-timeout=1m
14 ;;; auto-firewall ftp - stage 2
chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage1
address-list=ftp_stage2 address-list-timeout=1m
15 ;;; auto-firewall ftp - stage 1
chain=input action=add-src-to-address-list in-interface=internet dst-port=21 protocol=tcp
address-list=ftp_stage1 address-list-timeout=1m
16 ;;; BLOCK SPAMMERS AND INFECTED USERS
chain=forward action=drop dst-port=25 protocol=tcp src-address-list=spammer
17 ;;; IDENTIFY SPAMMERS AND INFECTED USERS
chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp connection-limit=30,32
limit=50,5 address-list=spammer address-list-timeout=1d
18 ;;; telnet
chain=input action=drop dst-port=23 protocol=tcp
19 X ;;; S-AP
chain=forward action=accept src-address=192.168.76.55 src-mac-address=00:0E:2E:93:AF:1F
20 X ;;; R-C
chain=forward action=accept src-address=192.168.76.99 src-mac-address=00:C0:9F:C0:73:45
21 X ;;; S-PC
chain=forward action=accept src-address=192.168.76.56 src-mac-address=00:0E:2E:93:AF:1F
22 X chain=forward action=log src-address=192.168.76.0/24 log-prefix=""
23 ;;; p2p_den
chain=forward action=drop p2p=all-p2p src-address-list=STAHOVACI P2P
24 ;;; Call of Duty
chain=forward action=accept dst-port=28959-28961 protocol=udp src-address-list=STAHOVACI P2P
25 chain=forward action=accept dst-port=8291 protocol=tcp src-address-list=STAHOVACI P2P
26 ;;; ICQ
chain=forward action=accept dst-port=5190 protocol=tcp src-address-list=STAHOVACI P2P
27 ;;; Jabber
chain=forward action=accept dst-port=5222 protocol=tcp src-address-list=STAHOVACI P2P
28 ;;; stahovaci_p2p_block_udp
chain=forward action=drop dst-port=2000-65535 protocol=udp src-address-list=STAHOVACI P2P
29 ;;; stahovaci_p2p_block_tcp
chain=forward action=drop dst-port=1000-65535 protocol=tcp src-address-list=STAHOVACI P2P
30 ;;; CA(MAC+IP)
chain=forward action=accept src-address=192.168.76.88 src-mac-address=00:19:DB:E5:35:0F
31 chain=forward action=drop src-mac-address=00:19:DB:E5:35:0F
32 ;;; CL(MAC+IP)
chain=forward action=accept src-address=192.168.76.86 src-mac-address=00:18:F3:3C:25:E0
33 chain=forward action=drop src-mac-address=00:18:F3:3C:25:E0
34 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
35 ;;; Drop Blaster Worm
chain=virus action=drop dst-port=135-139 protocol=tcp
36 ;;; Drop Messenger Worm
chain=virus action=drop dst-port=135-139 protocol=udp
37 X ;;; Drop Blaster Worm(blokuje MS samba)
chain=virus action=drop dst-port=445 protocol=tcp
38 X ;;; Drop Blaster Worm
chain=virus action=drop dst-port=445 protocol=udp
39 ;;; ________
chain=virus action=drop dst-port=593 protocol=tcp
40 ;;; ________
chain=virus action=drop dst-port=1024-1030 protocol=tcp
41 ;;; Drop MyDoom
chain=virus action=drop dst-port=1080 protocol=tcp
42 ;;; ________
chain=virus action=drop dst-port=1214 protocol=tcp
43 ;;; ndm requester
chain=virus action=drop dst-port=1363 protocol=tcp
44 ;;; ndm server
chain=virus action=drop dst-port=1364 protocol=tcp
45 ;;; screen cast
chain=virus action=drop dst-port=1368 protocol=tcp
46 ;;; hromgrafx
chain=virus action=drop dst-port=1373 protocol=tcp
47 ;;; cichlid
chain=virus action=drop dst-port=1377 protocol=tcp
48 ;;; Worm
chain=virus action=drop dst-port=1433-1434 protocol=tcp
49 ;;; Bagle Virus
chain=virus action=drop dst-port=2745 protocol=tcp
50 ;;; Drop Dumaru.Y
chain=virus action=drop dst-port=2283 protocol=tcp
51 ;;; Drop Beagle
chain=virus action=drop dst-port=2535 protocol=tcp
52 ;;; Drop Beagle.C-K
chain=virus action=drop dst-port=2745 protocol=tcp
53 ;;; Drop MyDoom
chain=virus action=drop dst-port=3127-3128 protocol=tcp
54 ;;; Drop Backdoor OptixPro
chain=virus action=drop dst-port=3410 protocol=tcp
55 ;;; Worm
chain=virus action=drop dst-port=4444 protocol=tcp
56 ;;; Worm
chain=virus action=drop dst-port=4444 protocol=udp
57 ;;; Drop Sasser
chain=virus action=drop dst-port=5554 protocol=tcp
58 ;;; Drop Beagle.B
chain=virus action=drop dst-port=8866 protocol=tcp
59 ;;; Drop Dabber.A-B
chain=virus action=drop dst-port=9898 protocol=tcp
60 ;;; Drop Dumaru.Y
chain=virus action=drop dst-port=10000 protocol=tcp
61 ;;; Drop MyDoom.B
chain=virus action=drop dst-port=10080 protocol=tcp
62 ;;; Drop NetBus
chain=virus action=drop dst-port=12345-12346 protocol=tcp
63 ;;; Drop Kuang2
chain=virus action=drop dst-port=17300 protocol=tcp
64 ;;; Drop SubSeven
chain=virus action=drop dst-port=27374 protocol=tcp
65 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop dst-port=65506 protocol=tcp
rado3105
Basically, admins block port 10000 in their router firewall for a few reasons, so when you can’t log on to your MT from outside (the Internet), I think port 10000 is blocked by the router (of the other ISP), and that is why you can’t log on to your MT.
Thanks
Also I can’t get there on port 22, and that shouldn’t be blocked (using PuTTY and SSH).
Disable this firewall filter rule of yours and try again:
60 ;;; Drop Dumaru.Y
chain=virus action=drop dst-port=10000 protocol=tcp
Thanks
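As an added example (not code from the thread): the “Drop Dumaru.Y” rule above silently blocks the forwarded Webmin port, because the forward chain jumps to the virus chain. This Python script parses the key=value rule format printed in the thread and reports every drop rule reachable from the forward chain that matches a port a dst-nat rule forwards; the sample rules are constructed from this thread’s dumps, one rule per line.

```python
import re

NAT_RULES = """
chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22 dst-port=22 protocol=tcp
chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=10000 dst-address=213.151.203.22 dst-port=10000 protocol=tcp
"""
FILTER_RULES = """
chain=forward action=jump jump-target=virus
chain=virus action=drop dst-port=135-139 protocol=tcp
chain=virus action=drop dst-port=10000 protocol=tcp
"""

def parse_rules(text):
    """Turn each non-empty line of key=value pairs into a dict (constructed sample format)."""
    return [dict(re.findall(r"(\S+?)=(\S+)", line))
            for line in text.strip().splitlines() if line.strip()]

def port_in_range(port, spec):
    """spec is RouterOS port syntax: a single port 'N' or a range 'N-M'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def reachable_chains(filters, start="forward"):
    """The start chain plus every chain it jumps to, transitively."""
    chains, todo = set(), [start]
    while todo:
        chain = todo.pop()
        if chain in chains:
            continue
        chains.add(chain)
        todo += [r["jump-target"] for r in filters
                 if r.get("chain") == chain and r.get("action") == "jump"]
    return chains

def find_conflicts(nat_text, filter_text):
    """(port, chain, drop spec) for each drop rule that can match forwarded traffic.
    dst-nat runs before the forward chain, so the filter sees to-ports, not dst-port."""
    filters = parse_rules(filter_text)
    chains = reachable_chains(filters)
    hits = []
    for nat in (r for r in parse_rules(nat_text) if r.get("action") == "dst-nat"):
        port = int(nat.get("to-ports", nat["dst-port"]))  # single port only here
        proto = nat.get("protocol", "tcp")
        for f in filters:
            if (f.get("chain") in chains and f.get("action") == "drop"
                    and f.get("protocol", proto) == proto
                    and "dst-port" in f and port_in_range(port, f["dst-port"])):
                hits.append((port, f["chain"], f["dst-port"]))
    return hits
```

Accept rules that precede the drop (established/related, address lists) are deliberately ignored, so the check is conservative: it reports the rule that blocks a new inbound connection like the Webmin one in this thread.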
I changed it to port 8080 and it is still not able to get there, and that port is not blocked in my firewall.
You’ll need to specify the In Interface.
So this should do it;
chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22
in-interface=adsl_pppoe dst-port=22 protocol=tcp
adsl_pppoe=whatever your internet ppp profile is set to.
Hope this works.
Still doesn’t work. How can I find out whether it is blocked by my internet provider? I don’t think port 22 or 8080 should be blocked.
jwcn
May 9, 2008, 2:20pm
10
You need to disable all your firewall rules and get it working without them. Then bring them back one by one until you figure out which is causing the problem.
I have the same problem. My public IP is 213.192.20.61, I have no firewall rules and have disabled port 21 in ip-services, and I can’t connect to my FTP box with IP 192.168.2.236. Locally, using ftp://192.168.2.236, I can connect there, but using the public IP I can’t. When I enable port 21 in ip-services I can connect using ftp://213.192.20.61 to the MikroTik FTP, so it shouldn’t be blocked by my provider. wlan1 is the interface through which my provider supplies my internet connectivity. Can you help?
1 chain=dstnat in-interface=wlan1 src-address=213.192.20.61 protocol=tcp
src-port=21 action=dst-nat to-addresses=192.168.2.236 to-ports=21
Could the problem be that I am using masquerade? Because I have no idea where the problem is.
My contribution to this VERY helpful forum
hilton:
You’ll need to specify the In Interface.
So this should do it;
chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22
in-interface=adsl_pppoe dst-port=22 protocol=tcp
adsl_pppoe=whatever your internet ppp profile is set to.
Hope this works.
Excellent!!!
Thank you Hilton
I got stuck on the in-interface part!!!
I have an ADSL router, a NETGEAR DG834 with internal IP 10.0.0.1; connected to it is my MT router at 10.0.0.254 on ether1.
On ether2 is my server PC with IP 10.254.0.6.
On my ADSL router I use port forwarding to 10.0.0.254, so when somebody accesses my public IP it shows the MikroTik web access page. All I do then is add the NAT rules on the MT router as follows…
My configuration:
/ ip firewall nat
add chain=srcnat action=masquerade comment="" disabled=no
add chain=dstnat action=dst-nat to-addresses=10.254.0.6 to-ports=80 \
in-interface=ether1 dst-address=10.0.0.254 dst-port=80 protocol=tcp comment="" \
disabled=no
and it then changes from the MT Router access page to the server web page as expected.
The same can be said for any other access like SMTP or whatever, e.g.:
add chain=dstnat action=dst-nat to-addresses=10.254.0.6 to-ports=25 \
in-interface=ether1 dst-address=10.0.0.254 dst-port=25 protocol=tcp comment="" \
disabled=no
jwcn
May 15, 2008, 8:51pm
14
Move the rules to the top of the list. They are down too far.
I can’t solve this problem; I have no idea what is wrong.
The internet goes from my provider to the WAN port of rb1, to the bridge (rb1), and from the bridge to the WAN (rb2).
In rb1 I use masquerade for the local network 192.168.1.0/24:
chain=srcnat action=masquerade src-address=192.168.1.0/24
and the same in rb2 (to get internet there).
When I put 215.55.76.88 into WinBox (from outside my network, on the internet), I get to rb1, despite having this rule:
chain=dstnat action=dst-nat to-addresses=192.168.76.99 to-ports=8291
in-interface=internet dst-address=215.55.76.88 dst-port=8291
protocol=tcp
and using that rule in NAT, I should get to rb2, not rb1.
Can you help me with what could be wrong? Could it be caused by using a bridge? I use RouterOS v2.9.51 on both rb1 and rb2.
I have been working on this for a pretty long time and I have no idea how to solve it or what could be wrong.
hilton
December 2, 2008, 3:34pm
16
Port 8291 is already assigned to RB1 so in order to get to RB2 you need to stipulate another port number in your dstnat rule.
Something like this;
chain=dstnat action=dst-nat to-addresses=192.168.76.99 to-ports=8292
in-interface=internet dst-address=215.55.76.88 dst-port=8291
protocol=tcp
Then connect to the router like this in winbox;
215.55.76.88:8292
Still can’t connect using ip:port.
writes: couldnt connect to ip(port 8292) - connection refused!
and I don’t have any firewall rule blocking that port.
The problem was in using dst-address; it can’t be used.
With the rules without dst-address=213.151.203.22, everything works fine.
jwcn
May 29, 2011, 1:45am
19
And I’m sure that after three years the question is still relevant. Aren’t there enough recent threads for you? Geeze, don’t resurrect dead threads.