[SOLVED] Port Forwarding issue - some works, some doesn't.

Hi, I’m a newbie here.
Just bought a mikrotik and I’ve setup the basics (PPPOE ISP), it’s working, LAN, DHCP, DNS, google, all good.

I have a problem when port forwarding certain ports in my NAT firewall rules.
Some ports can be opened when I use the open port checker site, but most cannot. These are the configurations…

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8118 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=8118
add action=dst-nat chain=dstnat dst-port=5060 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=9850 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=9850 protocol=udp src-port="" to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=6023 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=6023

add action=dst-nat chain=dstnat comment="NAS Server" dst-port=8081-8110 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8081-8110
add action=dst-nat chain=dstnat dst-port=8888 in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8888
add action=dst-nat chain=dstnat dst-port=9988 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=9988
add action=dst-nat chain=dstnat dst-port=5900-5930 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=5900-5930
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp src-port="" to-addresses=192.168.1.17 to-ports=1194

So pretty much, the ones on the "S20 Yeastar" don't work (5060, 9850) (with the exception of 8118),
while ports on "NAS Server" work (8081, 8888, 9988).

Things I’ve tried:

  • Forwarded 9850 to different IP, or the NAS Server IP even, didn’t work.
  • Removed/added the "in-interface=pppoe-out1"; doesn't work either way for the S20. WORKED either way for the NAS IP.
  • Added a whole new rule with new port to a whole new IP, nothing…
  • The port checker is from yougetmesignal; tried the downloaded app as well, it's worse.
  • Checks on all common ports went through (except 80, as I've changed the web ports to non-default as most people suggest).

In short, I did the exact same rules for the S20 and the NAS, so why does one work and the other doesn't?

Appreciate any kind of help.
Jim

For a port to show as open, the target device must actually be listening on it. Are you sure that's the case? Plus UDP ports are tricky, because if a device listens on one but doesn't send any response to incoming packets, you can't tell the difference from a blocked port (where the firewall silently drops packets).

There's a simple test: use Tools->Torch on the LAN interface where you have the target device, and watch whether you see packets for it from the internet. If you do, port forwarding is OK. If the device doesn't send anything back, it's its fault.

(1) Fix this
add action=masquerade chain=srcnat
to this
add action=masquerade chain=srcnat out-interface-list=WAN

(2) To-ports not required if the same as the destination port.

(3) If the to-address is the same you can combine ports on the dst-port line, separated by a comma.
Some errors in your posts fixed below and shortened up.
From
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8118 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=8118
add action=dst-nat chain=dstnat dst-port=5060 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=9850 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=9850 {missing in-interface} protocol=udp src-port="" to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=6023 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=6023
add action=dst-nat chain=dstnat comment="NAS Server" {missing in-interface} dst-port=8081-8110 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8081-8110
add action=dst-nat chain=dstnat dst-port=8888 in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8888
add action=dst-nat chain=dstnat dst-port=9988 {missing in-interface} protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=9988
add action=dst-nat chain=dstnat dst-port=5900-5930 {missing in-interface} protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=5900-5930
add action=dst-nat chain=dstnat dst-port=1723 {missing in-interface} protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1194 {missing in-interface} protocol=udp src-port="" to-addresses=192.168.1.17 to-ports=1194

To
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8118,9850 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat dst-port=5060 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=80 {port translation - ok}
add action=dst-nat chain=dstnat dst-port=9850,6023 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=dst-nat chain=dstnat comment="NAS Server" in-interface=pppoe-out1 dst-port=1723,5900-5930,8081-8110,8888,9988 protocol=tcp to-addresses=192.168.1.17
add action=dst-nat chain=dstnat dst-port=1194 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.17
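The three points above can be checked mechanically on any pasted NAT export. The Python script below is an added example (not from the thread or from MikroTik): it parses the `add ...` lines, reports a masquerade rule with no out-interface, dstnat rules with no in-interface and to-ports that merely repeat dst-port, and prints the consolidated rules, keeping real port translation (5060 to 80) as its own rule. It assumes the WAN interface is pppoe-out1 and takes the first post's rules as input.

```python
import shlex
from collections import defaultdict

# Input: the /ip firewall nat rules from the first post, one "add" per line.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8118 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=8118
add action=dst-nat chain=dstnat dst-port=5060 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=9850 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=9850 protocol=udp src-port="" to-addresses=192.168.1.150 to-ports=9850
add action=dst-nat chain=dstnat dst-port=6023 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=6023
add action=dst-nat chain=dstnat comment="NAS Server" dst-port=8081-8110 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8081-8110
add action=dst-nat chain=dstnat dst-port=8888 in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=8888
add action=dst-nat chain=dstnat dst-port=9988 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=9988
add action=dst-nat chain=dstnat dst-port=5900-5930 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=5900-5930
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp src-port="" to-addresses=192.168.1.17 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp src-port="" to-addresses=192.168.1.17 to-ports=1194
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; exports wrap long lines with a backslash."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def first_port(spec):
    """Sort key: the leading port of '5900-5930' or '8888'."""
    return int(spec.split("-")[0])

def lint(rules, wan="pppoe-out1"):
    """Return (findings, rewritten rules) following the three points in the reply."""
    findings, groups, out = [], defaultdict(list), []
    for r in rules:
        if r.get("action") == "masquerade":
            if not (r.get("out-interface") or r.get("out-interface-list")):
                findings.append("srcnat: masquerade has no out-interface; limit it to the WAN")
            out.append(f"add action=masquerade chain=srcnat out-interface={wan}")
            continue
        if r.get("chain") != "dstnat":
            continue
        dport = r["dst-port"]
        if not (r.get("in-interface") or r.get("in-interface-list")):
            findings.append(f"dst-port={dport}: no in-interface, matches traffic from any interface")
        if r.get("to-ports") == dport:
            findings.append(f"dst-port={dport}: to-ports equals dst-port, drop it")
        # Real port translation (5060 -> 80 here) must stay its own rule.
        translated = r.get("to-ports", dport) != dport
        groups[(r["protocol"], r["to-addresses"], r["to-ports"] if translated else None)].append(r)
    for (proto, addr, to_ports), rs in groups.items():
        ports = ",".join(sorted({p for r in rs for p in r["dst-port"].split(",")}, key=first_port))
        comment = next((f' comment="{r["comment"]}"' for r in rs if r.get("comment")), "")
        extra = f" to-ports={to_ports}" if to_ports else ""
        out.append(f"add action=dst-nat chain=dstnat{comment} dst-port={ports} "
                   f"in-interface={wan} protocol={proto} to-addresses={addr}{extra}")
    return findings, out

if __name__ == "__main__":
    problems, fixed = lint(parse_rules(SAMPLE_EXPORT))
    print("\n".join(problems + [""] + fixed))
```

Paste a full `/export` and every non-dstnat section is ignored, so it can be pointed at the whole config later in the thread.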

Hey thanks for the response,
I did as instructed. So I ran Torch, launched the port checker web page and clicked [check] with a number of ports. *Info: my router gateway IP is 192.168.1.50, NAS = .17, S20 = .150. Here's what shows up:

  • port 8118 (shows port is opened)
    Eth. Protocol = 800(ip), Prot= blank Src=192.168.1.150:8118 Dst= 192.168.1.50:33476 Tx=0 Rx=0
    (there are also a bunch of other ports in the Src when I clicked it, like 192.168.1.150:37506,57532,49679… etc. with Dst = 8.8.8.8:53)

  • port 8888 (shows port is opened)
    Eth. Protocol = 800(ip). Prot=blank Src=192.168.1.17:8888(napster-3) Dst=192.168.1.50:40716 Tx=0 Rx=0

  • port 9850 (shows port is closed)
    Eth. Protocol = 800(ip). Prot=blank Src=192.168.1.150:9850 Dst=192.168.1.50:36270 **and other ports like 36267…36268.. Tx=0 Rx=0

  • also sometimes I see port 5060 turn up on the report without me clicking check
    Eth Protocol = 800(ip). Prot=blank Src=192.168.1.150:5060(sip) Dst=122.49.225.45:2615 Tx=0 Rx=0

  • I tried physically disconnecting the NAS (192.168.1.17) and clicked [check] several times; nothing from the NAS IP shows up on Torch.

Wrapping it up... with these readings, I don't know how to interpret them. Sob.

Did you make the changes recommended??
If so repost the new config.

Thanks for the reply,
I did the fix for (3), (2), thanks for the tip, helped me tidy up a bunch.

Except (1)
When I clicked in [out-interface-list], the drop-down only shows [all]. There isn't any WAN or pppoeout1 or Ether…

  • so I chose [all], and the port forwarding issue remains.

Things I’ve tried.

  • changing the srcnat rule [out-interface] drop-down from blank to
    pppoeout1 = works
    ether1-WAN = didn't work (I assigned the interface to ether-1 when I created the 'pppoe client', under Interface > pppoe-out1 > Interfaces)

    As for the results, the issue remains the same.

Fair enough, then out-interface=pppoe-out1 it is for the sourcenat rule.
I suggest you actually post the entire config, because the issue is likely somewhere else.

/export hide-sensitive file=anynamewilldo

Sorry it took a while.
I don't know how to upload a .rsc file…
I will post it in text form…

# mar/28/2020 10:32:45 by RouterOS 6.40.9
# software id = 693F-G6LN
#
# model = RB952Ui-5ac2nD
# serial number = abcdef
/interface bridge
add name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=pppoe-out1 \
    service-name=ISP user=abcdef@xyz.net
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile2 \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no frequency=auto \
    mode=ap-bridge mtu=1480 security-profile=profile1 ssid="ABCDEFG"
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=## \
    default-forwarding=no disabled=no frequency=5805 mode=ap-bridge mtu=1480 \
    security-profile=profile2 ssid="ABCDEF"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-LAN lease-time=1m \
    name=dhcp1
/interface bridge nat
add action=accept chain=srcnat disabled=yes
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5
add bridge=bridge-LAN interface=wlan1
add bridge=bridge-LAN interface=wlan2
/ip address
add address=192.168.1.50/24 interface=bridge-LAN network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge-LAN
/ip dhcp-server lease
add address=192.168.1.248 client-id=1:9c:d2:1e:27:32:b3 comment=\
    "Printer J3720" mac-address=9C:D2:1E:27:32:B3 server=dhcp1
add address=192.168.1.239 client-id=1:2c:6f:c9:49:c3:e0 comment=\
    "Printer J200" mac-address=2C:6F:C9:49:C3:E0 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,208.67.222.222 gateway=\
    192.168.1.50
/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8118,9850 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat dst-port=5060 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.1.150 to-ports=5060
add action=dst-nat chain=dstnat dst-port=9850,6023 in-interface=pppoe-out1 \
    protocol=udp src-port="" to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment="NAS Server" dst-port=\
    1723,5900,5930,8081-8110,8888,9988 in-interface=pppoe-out1 protocol=tcp \
    src-port="" to-addresses=192.168.1.17
add action=dst-nat chain=dstnat dst-port=1194 in-interface=pppoe-out1 \
    protocol=udp src-port="" to-addresses=192.168.1.17


[[These are other ports, but I didn't post them originally for simplicity's sake]]
add action=dst-nat chain=dstnat comment=DVR dst-port=34567-34570 \
    in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=\
    192.168.1.88 to-ports=34567-34570
add action=dst-nat chain=dstnat dst-port=34567-34570 in-interface=pppoe-out1 \
    protocol=udp src-port="" to-addresses=192.168.1.88 to-ports=34567-34570
add action=dst-nat chain=dstnat dst-port=34599 in-interface=pppoe-out1 \
    protocol=tcp src-port="" to-addresses=192.168.1.81 to-ports=34599
add action=dst-nat chain=dstnat dst-port=34599 in-interface=pppoe-out1 \
    protocol=udp src-port="" to-addresses=192.168.1.81 to-ports=34599
add action=dst-nat chain=dstnat dst-port=10000-12000 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.1.150 to-ports=10000-12000
add action=dst-nat chain=dstnat dst-port=40000-42000 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.1.150 to-ports=40000-42000
/ip service
set telnet disabled=yes
set www port=9989
set ssh port=222
set www-ssl disabled=no port=442
/ip upnp interfaces
add interface=bridge-LAN type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=
/system identity
set name=TIK-BP

mar/28/2020 10:32:45 by RouterOS 6.40.9

Please update to the latest firmware.

okay, done 6.46 now

problem still remains.. like the floaty feeling when you woke up because you went boat fishing the day before…

How bout you float the config here with the updated firmware showing LOL

There are no changes I believe, but sure thang ~ will get back to you Monday (router's at the office)

I would be very surprised that going from 6.40 to 6.46 didn't create some hiccups…
From a security viewpoint, it's sad to see a business not keep their firmware up to date.
If you use Winbox at work to access it, make sure it's up to date as well.

About the test with Torch: the fact that you see traffic to forwarded ports on the LAN interface means that port forwarding is working, because the packets have already passed through the router. Only Rx & Tx can be confusing, because the test needs just a single packet, so there's a non-zero number for a moment and it immediately drops to zero. You can use counting rules if you don't want to miss any, e.g.:

/ip firewall mangle
add chain=postrouting dst-address=192.168.1.150 protocol=tcp dst-port=8118,9850 comment="request"
add chain=prerouting src-address=192.168.1.150 protocol=tcp src-port=8118,9850 comment="response"

These two ports are interesting, because you have a common dstnat rule for both, so if one works, there's no reason why the other wouldn't. Except when the target device listens on one but doesn't listen on the other. So you can be sure that at least in this case it's not the router (if you really don't have anything in /ip firewall filter which could selectively block it). Btw, not having anything in /ip firewall filter is usually not the best idea; you should at least block connections to the router from the internet.

It’s from botnets looking for vulnerable VoIP devices. So make sure that you really need that port accessible from internet, and if you do, configure the device properly.

@anav: Basic config survives upgrades without problems, even through several major versions. I personally upgraded several remote devices all the way from 2.9.x to 5.x. It required going through 3.x and 4.x because of license limitations, but just one upgrade for each. And everything survived. So 6.40 to 6.46 is nothing. You’d have to be really unlucky to run into some glitch with e.g. new bridge (I’m not sure right now if the change was in 6.40 or 6.41).

Here you go Anav, right out from the stove.
*everything still works (..and didn’t work) the same.


[user@TIK-BP] > export hide-sensitive 
# mar/30/2020 09:04:41 by RouterOS 6.46.4
# software id = 693F-G6LN
#
# model = RB952Ui-5ac2nD
# serial number = 924909DDA28B
/interface bridge
add name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1-WAN
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-PCMaint
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3-IPPBX
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether4-DVR
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether5-Switch
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=pppoe-out1 service-name=ISP user=111209000801@telkom.net
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile2 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-onlyn country=no_country_set disabled=no frequency=auto frequency-mode=manual-txpower mode=ap-bridge mtu=1480 \
    security-profile=profile1 ssid="MikroTik BP 2GHz"
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac country=no_country_set default-forwarding=no disabled=no frequency=5805 frequency-mode=manual-txpower mode=ap-bridge \
    mtu=1480 security-profile=profile2 ssid="BP Center"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-LAN lease-time=1h name=dhcp1
/interface bridge nat
add action=accept chain=srcnat disabled=yes
/interface bridge port
add bridge=bridge-LAN hw=no interface=ether2-PCMaint
add bridge=bridge-LAN hw=no interface=ether4-DVR
add bridge=bridge-LAN hw=no interface=ether5-Switch
add bridge=bridge-LAN interface=wlan1
add bridge=bridge-LAN interface=wlan2
add bridge=bridge-LAN interface=ether3-IPPBX
/ip address
add address=192.168.1.50/24 interface=bridge-LAN network=192.168.1.0
/ip dhcp-client
add interface=bridge-LAN
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:9c:d2:1e:27:32:b3 comment="Printer J200 11" mac-address=9C:D2:1E:27:32:B3 server=dhcp1
add address=192.168.1.9 client-id=1:2c:6f:c9:49:c3:e0 comment="Printer J3720" mac-address=2C:6F:C9:49:C3:E0 server=dhcp1
add address=192.168.1.150 client-id=ff:49:f2:53:d5:0:1:0:1:25:5:e5:cc:f4:b5:49:f2:53:d5 comment="S20 Yeastar" mac-address=F4:B5:49:F2:53:D5 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,208.67.222.222 gateway=192.168.1.50
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="S20 Yeastar" dst-port=8111,8118,9850 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat dst-port=5060,8111,9850,6023 in-interface=pppoe-out1 protocol=udp src-port="" to-addresses=192.168.1.150
add action=dst-nat chain=dstnat dst-port=10000-12000,40000-42000 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.150 to-ports=10000-12000
add action=dst-nat chain=dstnat comment="NAS Server" dst-port=1723,5900,5930,8081-8110,8888,9988 in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=192.168.1.17
add action=dst-nat chain=dstnat dst-port=1194 in-interface=pppoe-out1 protocol=udp src-port="" to-addresses=192.168.1.17
add action=dst-nat chain=dstnat comment=DVR disabled=yes dst-port=34567-34570,34599 in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=192.168.1.88
add action=dst-nat chain=dstnat disabled=yes dst-port=34567-34570,34599 in-interface=pppoe-out1 protocol=udp src-port="" to-addresses=192.168.1.88
/ip service
set telnet disabled=yes
set www port=9989
set ssh port=222
set www-ssl disabled=no port=442
/ip upnp interfaces
add interface=bridge-LAN type=internal
add interface=pppoe-out1 type=external

…So I’ve applied the mangle rules, flipped on torch and open port checker.

  • the results are the same

on 8118, open port checks, on 9850, open port closes. Same effin’ readings on Torch…


Except when target devices listens on one, but doesn’t listen on the other. So you can be sure that at least in this case it’s not the router (if you really don’t have anything in /ip firewall filter, which could selectively block it).

On this listening port matter, I've checked the device settings; there is nothing that blocks the listening port or any such thing… I also tried changing the entire router (to a TP-Link) and set forwardings on 8118 and 9850, and both went through…

I did try to validate on Torch

  • By going into the device and changing the designated port 8111 (which originally worked) to 8112. (It didn't work because it wasn't set on the MikroTik yet.) Then I added an 8112 rule in the MikroTik, and it worked
    (port forward checks). Naturally.

Looks fine so far, what I don’t see are your firewall rules, input chain and forward chain, thus unable to comment further.

By the way here is what I asked for…
How bout you float the config here with the updated firmware showing LOL

This is what I DID NOT SAY
How bout you float me an incomplete config and be sure to leave out the firewall rules

The idea behind the mangle rules is to use them instead of Torch, because there you can miss a packet, but the mangle rules will count all of them.

OH YOUU DON'T SAY!
Here you go Nav,
Captured this, will post all anyway; the green ones are good, red's bad. Is this what you're looking for?

… And this is what's on the TP-Link router when all went through.

Note: if the "Internal Port" is changed to blank, it won't work either.

What TP-Link router, lol? Where is this in the food chain and what's its purpose??

I still don't see the complete config.
/export hide-sensitive file=anynameyouwish