Hi Guys,
I’m trying to open port for remote desktop connection (RDP) to my home server, I went through a lot of guides, but I just cannot to get it work.
I have MT hEX as my gateway router, I use DDNS and I’m testing open port by yougetsignal.com, where I test Remote address = myDDNS address, port number 3389.
This is my first forwarding rule on Mikrotik.
Where DDNS is enabled, it says Router is behind a NAT.
you need to forward this port on the router between your MTK and internet, forwarding this port only at your MTK will not work for you
What does it mean? Do I need to contact my ISP or where can I forward the port between my router and internet?
i don’t know your network desing, but port forward must be on the router before your MTK, you are behind NAT
ask your ISP
If you want to pass traffic incoming to YourIPFromISP:ServicePort to device Inside then the same rule applies to yor ISP … traffic you want receive has to be allowed and passed by ISP to your device. If it is filtered before it reaches your device then there is no way to achieve what you want.
That is why you need your own public IP in such situations.
You’re saved by the bell! You DON’T WANT to open RDP to your server…
I understand the risk, opening RDP port is for short period of time to test remote connection and to learn port opening, later I will deploy VPN server.
That is why you need your own public IP in such situations.
I have already requested my ISP for public IP.
Sooner is better than later 
On the other hand why to open 3389 for tests?
Select any random port # on the WAN side and then redirect it to 3389 in DST rule to make bots/scanner life harder
What does it mean “Select random port # on the WAN side?” Any example?
Redirecting means forwarding by DST-NAT rule, right?
I agree. Just don’t do it. You will only regret it, especially when not having much technical knowledge.
So, after a few days I have now public IP. Now my port forwarding rules are working and currently I would like to deploy WireGuard VPN server. I should have everything setup, except it is not working, assuming because my port to WireGuard is closed.
How to open port to the router itself without forwarding it?
Tried it without “To address” as shown below, but not wokring.
If you follow the guide (https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-Applicationexamples), you would have known there is no port forward involved. Forwarding means, forward traffic to other device. I assume you want to run a Wireguard server on your MikroTik?
Unless you are running Wireguard on another device, then a forward is required.
To answer the Wireguard question: you will have to add an accept rule for that port to the “input” filter rules, not put a dst-nat in the NAT rules.
Actually I followed some other guide, where port opening was not mentioned.
Yes, I prefer to run Wireguard on the router.
I have created new rule, but it seems it doesnt work. It is on 2nd position (from top).
Do you have a Wireguard enabled?
Is it working locally (next step should be port check)?
Better share your current config (screenshots are unnecessary):
/export file=anynameyoulike
Remove serial and any prive information (like public IP).
Yes, wireguard interface should be enabled.
Actually I'm doing this remotely, since I'm not at home currently. Hopefully I will check it today.
My config:
# 2023-08-21 06:08:34 by RouterOS 7.10.2
# software id = **ELIDED**
#
# model = RB750Gr3
# serial number = -
/interface bridge
add admin-mac=- auto-mac=no comment=defconf name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] disabled=yes name=LAN2
set [ find default-name=ether4 ] disabled=yes name=LAN3
set [ find default-name=ether5 ] disabled=yes name=LAN4
set [ find default-name=ether1 ] name="WAN (ether1)"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/caps-man configuration
add country=slovakia datapath.bridge=BRIDGE-LAN name="gNET config" \
security.authentication-types=wpa2-psk ssid=gNet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=10.10.10.1-10.10.10.250
/ip dhcp-server
add address-pool=dhcp interface=BRIDGE-LAN lease-time=1d name=DHCP-LAN
/port
set 0 name=serial0
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BRIDGE-LAN
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="gNET config"
/interface bridge port
add bridge=BRIDGE-LAN comment=defconf interface=LAN1
add bridge=BRIDGE-LAN comment=defconf interface=LAN2
add bridge=BRIDGE-LAN comment=defconf interface=LAN3
add bridge=BRIDGE-LAN comment=defconf interface=LAN4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=BRIDGE-LAN list=LAN
add comment=defconf interface="WAN (ether1)" list=WAN
/interface wireguard peers
add allowed-address=**ELIDED**/32 interface=wireguard1 public-key=\
"myKey"
/ip address
add address=10.10.10.254/24 comment=defconf interface=BRIDGE-LAN network=\
10.10.10.0
add address=172.78.0.1 interface=wireguard1 network=172.78.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface="WAN (ether1)"
/ip dhcp-server lease
add address=10.10.10.100 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.252 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.4 mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.1 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.2 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.10 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.3 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.253 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.7 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=10.10.10.254 gateway=\
10.10.10.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.10.254 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.10.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment="Open port for WireGuard" dst-port=\
13321 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
HairPin_NAT
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="RDP port forwarding to togo-server" \
dst-port=7878 protocol=tcp to-addresses=10.10.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment="OPEN port for WIREGUARD VPN" \
dst-port=12345 protocol=udp to-ports=13231
add action=dst-nat chain=dstnat comment=\
"Port forwarding to JELLYFIN @ togo-server" dst-port=8888 protocol=tcp \
to-addresses=10.10.10.10 to-ports=8096
add action=dst-nat chain=dstnat comment="Port forwarding template/sample" \
dst-port=9000 protocol=tcp to-addresses=10.10.10.10 to-ports=3000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=hEX
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Not sure if you removed it…do both the interface and the peer have public (and private) key implemented?
I assume it is not working on local network?
Follow the link I posted before, then it will work. And consider moving the wireguard firewall filter rule below the Drop invalid rule.
I would help but you use capsman,cannot help those that are already brain dead… hint: Its a waste of time especially for a beginner.