Hello,
I’m having a problem with a fairly simple thing and I’m getting desperate. I need to forward traffic from the input fixed ip port 5001 to internal ip port 5151. I have set up the rule in NAT, but for some reason unknown to me it doesn’t work (error “web not available - connection has been reset”). Can anyone give me some advice?
My firewall config:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=tarpit protocol=tcp dst-port=30555
1 chain=input action=add-src-to-address-list protocol=icmp address-list=allow-ip address-list-timeout=1h packet-size=1088
2 chain=input action=accept src-address-list=allow-ip
3 ;;; VPN: allow IKE
chain=input action=accept protocol=udp in-interface=ether1 dst-port=500
4 ;;; VPN: allow L2TP
chain=input action=accept protocol=udp in-interface=ether1 dst-port=1701
5 ;;; VPN: allow IPsec NAT-T
chain=input action=accept protocol=udp in-interface=ether1 dst-port=4500
6 chain=input action=accept protocol=ipsec-esp in-interface=ether1
7 chain=input action=accept protocol=ipsec-ah in-interface=ether1
8 chain=input action=drop protocol=udp dst-port=53
9 chain=input action=drop protocol=tcp dst-port=53,8728,8729,21,22,23,80,443,8291
10 chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
11 chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53
12 chain=input action=add-src-to-address-list protocol=udp address-list=DNS_ATTACK address-list-timeout=none-dynamic in-interface=ether1 dst-port=53 log=yes
13 chain=input action=passthrough
my NAT config:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=bridge1
1 ;;; masq. vpn traffic
chain=srcnat action=masquerade out-interface=ether1
2 chain=dstnat action=dst-nat to-addresses=server IP to-ports=3389 protocol=tcp src-address=remote IP dst-address=my “outer” fixed ip dst-port=9874
3 chain=dstnat action=dst-nat to-addresses=server IP to-ports=3389 protocol=tcp src-address=remote IP dst-address=my “outer” fixed ip dst-port=9874 log=yes
4 chain=dstnat action=dst-nat to-addresses=server IP to-ports=3389 protocol=tcp src-address=remote IP dst-address=my “outer” fixed ip dst-port=9874
5 chain=dstnat action=dst-nat to-addresses=server IP to-ports=3389 protocol=tcp src-address=remote IP dst-address=my “outer” fixed ip dst-port=9874 log=yes
6 chain=dstnat action=dst-nat to-addresses=server IP to-ports=3389 protocol=tcp src-address=remote IP dst-address=my “outer” fixed ip dst-port=9874
7 chain=dstnat action=dst-nat to-addresses=service ip to-ports=8001 protocol=tcp in-interface=ether1 src-port="" dst-port=8001
8 chain=dstnat action=dst-nat to-addresses=service ip to-ports=81 protocol=tcp in-interface=ether1 dst-port=81
9 chain=dstnat action=dst-nat to-addresses=service ip to-ports=554 protocol=tcp in-interface=ether1
10 chain=dstnat action=dst-nat to-addresses=nas server ip to-ports=5151 protocol=tcp dst-port=5001 log=no log-prefix=""
I have to connect my Synology NAS by DDNS (already set and looks “normal”) with a Let's Encrypt certificate for https.
Need to see config, not snippets:
/export file=anynameyouwish (minus router serial # and any public WAN IP info etc…)
To me this is potentially a security hazard, as you should not let any external IP gain access to the router externally:
chain=input action=accept src-address-list=allow-ip
If you need to gain access to the router, it's for config purposes and that should be done from the LAN side or after accessing the config from a VPN tunnel.
I’ve disabled the rule you’ve mentioned, and after that I cannot access webfig or winbox or the router. Is there any other way to repair it (access the router)?
I’ve tried it from the LAN side, of course.
My bad, if the src-address list contains LAN side IPs then the rule is fine. It was late last night and for some reason I thought you were accessing winbox with public IPs (external) remotely…
Put the rule back in… if the src address list only contains LAN IPs, OR simply remove the external public IPs from the list itself.
But I cannot connect to the MikroTik now - from webfig it is disabled because of the firewall rule. And from winbox it is impossible too. Any ideas how to change the firewall settings?
Not sure, other than a reset to access via MAC. My apologies…
I would imagine IP:winboxport doesn't work either…
I have done this to myself several times even knowing better and thus I have a failsafe for stewpid lllamas.
I take one port off the bridge, let's say ether5.
Give it an IP address of:
/ip address
add interface=ether5-emergaccess address=192.168.5.1/24 network=192.168.5.0
Then I add it to my firewall rules, such that:
add chain=input action=accept in-interface=ether5-emergaccess src-address=192.168.5.55
add chain=input action=accept src-address-list=Authorized…
I never touch the ether5 rule …and just set my computer ipv4 ip to 192.168.55.5 to gain access if I screw something up on bridge settings or input firewall rules…
+++++++++++++++
If you want send me a PM and we can converse via other means for 1:1 help, as I feel real bad for the lockout.
At least we learn the power of the input rules and how access can or cannot be managed to config the router.
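The failsafe described in the post above, written out as a complete RouterOS command sequence. This is an added example, not the poster's own config: the interface name ether5-emergaccess, the 192.168.5.0/24 subnet and the single allowed host 192.168.5.55 are assumptions chosen to be consistent with each other, and the comment strings are mine.

```routeros
# Added example: an out-of-band management port so that a mistake in the
# input chain (or on the bridge) cannot lock the administrator out.
# Interface name, subnet and allowed host are assumptions, not thread values.

# 1. Take ether5 out of bridge1 so it no longer depends on bridge settings,
#    and give it a name that makes its purpose obvious in rule listings.
/interface bridge port remove [find interface=ether5]
/interface ethernet set [find default-name=ether5] name=ether5-emergaccess

# 2. Address the port on its own subnet (192.168.5.0/24 assumed).
/ip address add address=192.168.5.1/24 interface=ether5-emergaccess \
    network=192.168.5.0 comment="emergency management port"

# 3. Accept management traffic only when it arrives on that port AND from one
#    fixed host, and put the rule at position 0 so no later drop in the input
#    chain can shadow it. It deliberately does not depend on any address list.
/ip firewall filter add chain=input action=accept \
    in-interface=ether5-emergaccess src-address=192.168.5.55 \
    comment="emergency access - never edit or move" place-before=0

# 4. Verify the accept rule really is the first input-chain rule.
/ip firewall filter print where chain=input
```

To use it, cable a laptop directly into ether5-emergaccess, set its IPv4 address to 192.168.5.55/24 and open winbox/webfig at 192.168.5.1. Because the match is on the physical interface plus one source address, a host plugged into any bridge port cannot hit this rule, so it widens exposure no further than the cable itself. When editing input rules from a normal session, RouterOS Safe Mode (Ctrl-X in the terminal) is the complementary safeguard: it reverts the changes if the session drops.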
I’m sorry I paused for a while - I needed to take a break from the constant solving.
Fortunately, I guess I’m a “lucky bastard”, so I was able to connect via winbox using the MAC address and re-access the MikroTik via the web interface (definitely relieved that I won’t have to set it all up again).
So I want to ask, what exactly should I send to be able to detect what is blocking my redirect?
(1) Very confusing setup for DHCP and why is bridge proxy arp?
Things above my head.
(2) In any case you are getting a warning that something is amiss.
/ip pool
add name=dhcp2 ranges=192.168.0.40-192.168.0.60
add name=vpn_tik ranges=192.168.0.160,192.168.0.189
add name=dhcp next-pool=dhcp2 ranges=192.168.0.80-192.168.0.150
/ip dhcp-server
(3) Why do you have this enabled???
/ip firewall connection tracking
set enabled=yes
(4) This is known to cause issues and most folks set this to NONE!
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
(5) Also confusing: you have a bridge but no address for the bridge???
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=194xxxxxxx interface=ether1 network=194xxxxxxx
As for port forwarding…
You mix up the format: some rules have dst-address, which is correct if you have a static/fixed WAN IP, and in others you use ether1, which is normally for dynamic WAN IPs.
Also ensure all the source addresses you use in rules are public IPs…
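The two dst-nat forms the reply above distinguishes, applied to the 5001 to NAS:5151 forward from the original post. This is an added example, not the poster's or the replier's config: 203.0.113.10 (the fixed WAN IP), 192.168.0.50 (the NAS) and the comment strings are placeholders, and ether1 as the WAN interface is taken from the thread's own rules. Note that the posted rule 10 matches on dst-port alone, with neither dst-address nor in-interface, so it would also rewrite LAN-originated traffic to the router's own port 5001; either form below narrows the match to traffic that actually arrives from the WAN.

```routeros
# Added example: one dst-nat rule per WAN-addressing style, never both mixed
# in one rule set. All addresses are placeholders, not values from the thread.

# Form A - fixed/static WAN IP: match the public address itself.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp \
    dst-address=203.0.113.10 dst-port=5001 \
    to-addresses=192.168.0.50 to-ports=5151 \
    comment="NAS https: fixed WAN IP form"

# Form B - dynamic WAN IP: match the WAN interface instead (disabled here so
# the two forms do not both exist at once; enable one, delete the other).
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp \
    in-interface=ether1 dst-port=5001 \
    to-addresses=192.168.0.50 to-ports=5151 disabled=yes \
    comment="NAS https: dynamic WAN IP form"

# The rewritten flow still traverses the forward chain. If that chain drops
# WAN traffic by default (the RouterOS default config does, with
# connection-nat-state=!dstnat), permit only connections that were dst-natted,
# and only to the NAS port. This rule must sit above that drop rule.
/ip firewall filter add chain=forward action=accept \
    connection-nat-state=dstnat in-interface=ether1 protocol=tcp \
    dst-address=192.168.0.50 dst-port=5151 \
    comment="allow forwarded NAS https only"

# Check: the active dst-nat rule's packet counter must rise when an outside
# client connects. A counter stuck at 0 means the match is wrong (address or
# interface), not the NAS; a rising counter with a reset points past the router.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where dst-port=5151
```

The counter check is the quickest way to split the problem in two: if the dst-nat rule never matches, the fix is on the router (wrong dst-address or in-interface for the actual WAN setup); if it matches and the connection still resets, the forward chain or the NAS's own listener is the next place to look.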