problems with port forwarding

mojoman · May 18, 2019, 9:39am

Hi,

I’ve set up a minecraft server on a raspberry pi. Everything works fine within the LAN. ss -tlpn shows that the server listens correctly on default port 25565.

I’ve set up port forwarding on my mikrotik GL750 using this:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=25565 in-interface=ether1 action=dst-nat to-address=SERVER.INTERNAL.IP.HERE to-ports=25565

Double and triple checked the ports and IP, ether1 is my incoming interface. Still, it’s not possible to connect from WAN and port scanning (using canyouseeme.org) can’t detect the service on the port.

I’ve googled around and read the wiki’s and to the best of my limited knowledge this should do it. The solution above have worked for others and I’m starting to suspect that the problem lies elsewhere. The reason is that when I do port scans t says that port 80 is closed too. That should register as open, right?

There is a modem before the GL750 but it is provided by the landlord so I can’t really do anything with it. I’m at loss here, and any input would be appreciated.

regards
mojoman

mkx · May 18, 2019, 10:10am

Check settings in /ip firewall filter …

Default rule, which allows DST-NAT, is very similar to this one:

add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface=ether1

It works together with a very generic one

add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked

Sob · May 18, 2019, 10:59am

If the modem is actually router, then it’s very likely that your GL750 doesn’t have public address itself (and even the modem doesn’t necesarily have any). And without public address there’s no port forwarding (you can configure it, but nobody from internet will be able to reach it). So either you convince the landlord to forward a port to you (if the modem has public address) or you’re out of luck.

mojoman · May 18, 2019, 11:10am

Hi,

@mkx:
I have four filter rules, all from default configuration. All four are on input chain. One is to accept protocol icmp, one to accept established connections, one to accept related connections, and the last to drop incoming from ether1.

Is there any command to print out enabled firewall rules to the terminal? The four filter rules enabled from default doesn’t seem like anything of the rules you posted.

@sob:
How would I find if the problem is connected to the modem?

I appreciate your input in this.

Sob · May 18, 2019, 11:47am

Check the IP address on GL750. If it’s 10.x.x.x, 192.168.x.x, 172.16-31.x.x or 100.64-127.x.x, it’s not public.

mkx · May 18, 2019, 12:21pm

Command

/ip firewall filter print without-paging where chain=forward

will print out all firewall rules which affect traffic through router. If a rule is disabled, it’ll show ‘X’ in column between sequential number and rule itself.

I think it’d be easier to help you if you posted complete output of /ip firewall export … No need to redact internal IP addresses (nobody from internet can reach those), but do hide your public IP address (if it’s there) … hiding two least significant octets would do.

Btw, you can get IP address, bound to ether1, using command

/ip address print where interface=ether1

mojoman · May 19, 2019, 7:25am

Hi all,

The ISP hade given me an IP starting with 100, i.e. internal to them basically. I said I needed a public IP and they gave me one. Problem solved.

Thanks for your input, and it’s always nice to pick up some things from the forum gurus.

mojoman