So, I’m a mid-level beginner and have upgraded from a piece of junk netgear thing to a 2HaxD. Internet is up, Wireless likewise, not too much sweat. Big projects like container for ad-block comes later.
I self-host a game server and had little trouble before, but after I’ve spent a couple of days fighting with this thing, I concede and turn my question to the mercies of the populace.
I think I have most of the moving parts up and running and I can access the game server internally via hairpin NAT, but no one outside can get in. While secure, not the desired outcome.
I’m relatively sure at this point that I am missing something basic in this new UI, just a checkbox someplace. Can someone 2x-check me?
Layout is very basic: External <> Router <> my machine and server
Everything I believe or remember that I have done has been bolded, everything else is default out of box.
# 2026-04-12 17:49:33 by RouterOS 7.22.1
# model = L009UiGS-2HaxD
/interface bridge
add admin-mac=04:F4:1C:FE:CA:5A auto-mac=no comment=defconf name=bridge
/interface wifi
**…cropped for brevity…**
/disk
**…cropped for brevity…**
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
/interface bridge settings
**set use-ip-firewall=yes**
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.10/8 interface=ether1 network=10.0.0.0
/ip cloud
**set ddns-enabled=yes**
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
**add address=192.168.88.20 comment="My Machine" list="Game Session"
add address=192.168.88.50 comment="Game Server" list="Game Session"
add address=\[private, *seems like a bug to have that identifier in this output*\] comment=WAN-IP list=WAN-Dynamic**
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
**add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN**
/ip firewall nat
**add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list="Game Session" src-address-list="Game Session"**
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
**add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=2225 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.88.50 to-ports=2225
add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.50 to-ports=7777
add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=27015-27016 in-interface-list=WAN protocol=udp to-addresses=192.168.88.50 to-ports=27015-27016
add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=27015-27016 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.50 to-ports=27015-27016**
/ip service
**set www disabled=yes**
/ipv6 firewall address-list
**…cropped for brevity (untouched)…**
/ipv6 firewall filter
**…cropped for brevity (untouched)…**
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Unless you have an actual use for them, I would disable pretty much all the ip services except winbox.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
I would also turn the following off.
/interface bridge settings set use-ip-firewall=yes
This is used if you are attempting to firewall traffic transiting the bridge (i.e. intra-LAN traffic),
and it will only work if you disable hardware offload on the bridge ports that need to be firewalled from each other.
It seems likely you have detect-internet enabled, it often causes problems (maybe at least part of the problems you are having)
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none request-interval=2m wan-interface-list=none
You don't seem to have a default route configured. (I guess not needed if all the external clients connecting are in the 10.0.0.0/8 range)
Otherwise, you may need to add a static route pointing to the upstream router. Or use dhcp.
No, yea, I did forget that part. Comcast intruded, so their thing is in bridge mode as 10.0.0.1 and as I put it out of my mind I forgot to put it in the description. So my diagram is actually: outside <> comcast PoS <> router <> my stuff. Hence the 10.0.0.10 on eth1.
I’ll poke at the suggestions already made and see if I don’t get a better result.
If you do not get a public IP, can you at least gain access to the Comcast modem/router and forward ports to your router? If not, game serving wouldn't be possible. There are other ways perhaps, but more complex to set up.
Suggestion 2: I enabled that as suggested as ‘needful’ on an old thread, but I also didn’t know what it does exactly, so yea, axed.
Suggestion 3: Checked, nope. I saw this pop up on other suggestion threads, but I didn’t remember turning it on. Output verifies that it is off as your example states:
Suggestion 4: Annoyingly, I do/it did; but it wasn’t output in the file dump? There might still be something there in the basis of the setup I put into place to play nice with the Comcast dohickey acting as modem/’bridge mode only router’ that was pointed out rightfully as probably actually ‘meaningful’ in the comment below by rextended
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
0 As 0.0.0.0/0 10.0.0.1 main 1
DAc 10.0.0.0/8 ether1 main 0
DAc 192.168.88.0/24 bridge main 0
Suggestion 5: Will try this out. I don’t have access to attempt an ‘external connection attempt’ in a meaningful way, so I’ll have to wait till my cohort rouse themselves for the day and try it. Weirdly, the hairpin NAT has ceased working entirely, for unknown reasons. I’ll leave the suggestions in place until they are proven guilty of non-compliance.
Much obliged to your suggestions, will let you know if it pans out.
Not sure what you mean? It has a public IP. The modem/router device is in open bridge mode. The outer public IP is what it is, undisclosed by me to the networking folks that know more than I do here, which serves the raw unfiltered internet firehose to the internal 10.0.0.1. I then partake of that using my router.
I haven't changed anything but the new router: same Comcast thing, same computer/server. Previously port forwarded through the Netgear rinky-dinky interface, like you do on every cheap device with that feature; it worked flawlessly. My complaint/impetus for the change was the lack of featureset and the age of it.
No, your router has the IP address 10.0.0.10 assigned to its WAN (ether1) interface. This is a private IP address, not directly reachable from the public internet. Which means there is at least an additional NAT layer on the Comcast device(s), that does the address translation between 10.0.0.10 and the real public IP address assigned to you. If your ISP deploys CGNAT, then there might be even another NAT level beyond that.
When NAT is involved like in your case, normally incoming connections originating from the public internet will not be forwarded to your router, only responses to outgoing connections made by your router to the outside internet. Incoming connections are only forwarded to your router at 10.0.0.10 if:
Either you go to the Comcast device and manually configure port forwarding on that device for each port that you need.
Or that device has a function that, when enabled, puts your 10.0.0.10 in the DMZ, which causes all incoming connections to be automatically DSTNAT'ed and forwarded to your MikroTik router.
If none of that is configured, then you won't be able to make incoming connections from the internet to your router and then to your internal network.
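A check for the double-NAT condition described in this reply, as an added example that is not from the thread: it parses a constructed RouterOS export modelled on the one posted above (a sample, not the poster's exact file) and flags a WAN-list interface holding a private address, plus any dst-nat rule whose target lies outside the router's own LAN subnets.

```python
import ipaddress
import shlex

# Constructed sample modelled on the export in the thread; not the poster's real file.
SAMPLE_EXPORT = """\
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.10/8 interface=ether1 network=10.0.0.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=2225 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.50 to-ports=2225
add action=dst-nat chain=dstnat comment="AbFactor - Amp" dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.50 to-ports=7777
"""


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for each add/set line of an export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # a new section path such as /ip address
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)               # shlex keeps quoted values like "defconf: masquerade" intact
        if current and tokens and tokens[0] in ("add", "set"):
            sections[current].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def audit_wan_reachability(text):
    """List reasons why dst-nat rules on this router may never see inbound traffic."""
    s = parse_export(text)
    wan_ifaces = {m["interface"] for m in s.get("/interface list member", []) if m.get("list") == "WAN"}
    addrs = s.get("/ip address", [])
    findings = []
    for a in addrs:
        ip = ipaddress.ip_interface(a["address"])
        # An RFC1918 address on the WAN side means an upstream NAT/DMZ must forward to this router first.
        if a["interface"] in wan_ifaces and ip.ip.is_private:
            findings.append(f"{a['interface']} has private WAN address {ip}: upstream must forward to {ip.ip}")
    lan_nets = [ipaddress.ip_interface(a["address"]).network for a in addrs if a["interface"] not in wan_ifaces]
    for r in s.get("/ip firewall nat", []):
        if r.get("action") != "dst-nat":
            continue
        target = ipaddress.ip_address(r["to-addresses"])
        if not any(target in n for n in lan_nets):   # forwarding to a host this router cannot reach directly
            findings.append(f"dst-nat {r.get('protocol')}/{r.get('dst-port')} targets {target}, outside every LAN subnet")
    return findings
```

Run against the sample it reports only the private 10.0.0.10 on ether1, which is exactly the hint that the Comcast device is still translating in front of this router.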
As @CGGXANNX mentioned, your Comcast device is doing more than bridging.
My guess is that there is a DMZ configured, and the Netgear was configured with the DMZ destination IP address.
Find out what IP address was configured on the Netgear's WAN/Internet interface, give the MikroTik that IP address on ether1, and see if that helps.
Latest Update: Thanks for the help, but it appears that I’ve bodged myself into some sort of semi-functional corner based on half-remembered concepts and ill-defined setups. Starting at the top with a call to Comcast and a factory reset on their router to try and do this properly and burn it all to the ground. If I survive, I’ll resolve things with an update. Thanks again!
Final Update: Multiple called it out. Yes, the xf thing was in DMZ mode. I had to force a factory reset and set it back to ‘actual-true-for_real’ bridge mode and enable DHCP-client to eth1 to pick up the external IP. I listed my machine and the server in the firewall address lists as a group ‘game_session’ then added the following NAT rules in pairs for all needed ports: