Server access through firewall

Hi.
I'm setting up a simple Ethernet router (public WAN IP) to get access to a UniFi Cloud Key on the LAN side. Using an old RB433 board with Ether1 as the WAN and Ether2 as the LAN interface. Have configured a number of MT routers previously, but this one refuses to give me access through the router. My config is listed below. CloudKey is using the following ports.
Could someone find what I'm doing wrong and give some advice to get it up and running? (I had this working previously, but config was lost. The CloudKey uses the following ports: 3478 (udp), 8080 (tcp), 8880 (tcp) and 8443 (tcp).) Thanks!!!
-Olaf

# dec/21/2020 23:32:58 by RouterOS 6.43.8
# software id = DMR5-KYHL
# model = 433L
# serial number = 37DD01753A91
/ip firewall filter
add action=accept chain=forward comment="ipsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established, related untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=defconf protocol=icmp
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input comment="accept winbox" connection-state=established,related dst-port=8291 protocol=tcp
add action=accept chain=input comment="accept CloudKey" connection-state=established,related,untracked disabled=yes dst-port=8443 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked disabled=yes dst-port=8880 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked disabled=yes protocol=udp
add action=accept chain=input connection-state=established,related,untracked disabled=yes dst-port=8080 protocol=tcp
add action=drop chain=forward comment="Drop from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# dec/21/2020 23:39:16 by RouterOS 6.43.8
# software id = DMR5-KYHL
# model = 433L
# serial number = 37DD01753A91
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade outbound traffic" out-interface=ether1
add action=dst-nat chain=dstnat comment="Forward (NAT) traffic to specified ports" dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.1.49 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8443 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.49 to-ports=8443
add action=dst-nat chain=dstnat dst-port=3478 in-interface=ether1 log=yes protocol=udp to-addresses=192.168.1.49 to-ports=3478
add action=dst-nat chain=dstnat dst-port=8880 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.49 to-ports=8880

Is there a problem for outside users or LAN users trying to use the WAN IP of the router to gain access to the server?

The problem is for WAN users (outside) to reach the Unifi controller on the LAN side.

Can you please post your complete firewall configuration (/ip firewall export)?

Hi.
Thanks for responding.
Have attached the firewall export (fwexp).

BUT - I have discovered that I most likely have created the problem in my home router (also a Mikrotik)…
I will soon move the Unifi controller from the external site and into my home LAN (which also has an official IP). To prepare this move, I set up the same port forwardings (dst-nat) in my home router’s firewall as I have in the firewall at the external site. This seems to have created the problem. When disabling these forwards, I’m able to access the external site/controller just fine. Have attached the firewall settings from the home router as well (home-fw).

Thanks for helping me to see the problem that I created myself. Sorry!!

-Olaf-
home-fw.txt.rsc (4.45 KB)
fwexp.txt.rsc (2.49 KB)

Yes, what looked strange from your first post was NAT rules mixed into the firewall input filter rules…

What seems strange to me is that the dstnat rules on my home router should stop the communication to the external server. Had the understanding that the dstnat worked only on inbound traffic.
In my previous post, in the “home-fw” script under /ip firewall nat, the rules that made the problem are marked as disabled. If they are enabled, the communication (access to the remote site) stops. Don’t quite understand…?

-Olaf
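An added configuration illustration (editor's example, not any poster's file and not the attached home-fw/fwexp exports, which are not on this page) of why a dst-nat rule that is not tied to the WAN side also catches LAN-originated connections, next to the scoped form that only matches traffic arriving from the Internet for the router's own address. It assumes the home router's forwarding rules lacked an in-interface/dst-address match; the interface list name and addresses are constructed.

```routeros
# Added example; not from any poster and not the attached exports.
# ASSUMPTION: the home router's dst-nat rules looked like the "before" rule,
# i.e. without an in-interface/dst-address match. The dstnat chain sees every
# new connection the router forwards, in both directions, so a LAN client's
# connection to the remote site on tcp/8443 is also rewritten to 192.168.1.49.
# Interface list name and addresses are constructed for the example.

# --- before: too broad, matches LAN->Internet traffic to port 8443 as well ---
/ip firewall nat
add action=dst-nat chain=dstnat comment="CloudKey tcp/8443 (unscoped)" \
    dst-port=8443 protocol=tcp to-addresses=192.168.1.49 to-ports=8443

# --- after: only packets that arrived on the WAN interface and are addressed
#     to one of this router's own IPs (dst-address-type=local) are forwarded ---
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="CloudKey tcp/8443" in-interface-list=WAN \
    dst-address-type=local dst-port=8443 protocol=tcp \
    to-addresses=192.168.1.49 to-ports=8443
add action=dst-nat chain=dstnat comment="CloudKey tcp/8080" in-interface-list=WAN \
    dst-address-type=local dst-port=8080 protocol=tcp \
    to-addresses=192.168.1.49 to-ports=8080
add action=dst-nat chain=dstnat comment="CloudKey tcp/8880" in-interface-list=WAN \
    dst-address-type=local dst-port=8880 protocol=tcp \
    to-addresses=192.168.1.49 to-ports=8880
add action=dst-nat chain=dstnat comment="CloudKey udp/3478" in-interface-list=WAN \
    dst-address-type=local dst-port=3478 protocol=udp \
    to-addresses=192.168.1.49 to-ports=3478

# Forward chain: dst-natted traffic to 192.168.1.49 never traverses the input
# chain, so input rules for 8443/8880/8080 do not gate it. Place these two rules
# after the "accept established,related" rule: allow only what dstnat matched
# and drop every other new connection coming in from WAN.
/ip firewall filter
add action=accept chain=forward comment="accept dst-natted from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop from WAN not dstnat" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Check which dstnat rule a LAN->remote-site connection is hitting: the
# counters of an unscoped rule climb while a LAN client talks to the remote site.
/ip firewall nat print stats where chain=dstnat
```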