Some port forwarding works, others don't

I recently bought the RB951G-2HND. I have RouterOS 6.4 installed.
I have a public IP which I added and it seems to work ok for some rules but not for others.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway
add action=dst-nat chain=dstnat comment=Torrents dst-port=6881 protocol=udp \
    to-addresses=192.168.88.248 to-ports=6881
add action=dst-nat chain=dstnat comment=Torrents dst-port=6881 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=6881
add action=dst-nat chain=dstnat comment="synology tcp" dst-port=5100 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=5100
add action=dst-nat chain=dstnat comment="winbox TCP" dst-port=8291 protocol=tcp \
    to-addresses=192.168.88.1 to-ports=8291
add action=dst-nat chain=dstnat comment="web cfg tcp" dst-port=8080 protocol=tcp \
    to-addresses=192.168.88.1 to-ports=8080
add action=dst-nat chain=dstnat comment="synology udp" dst-port=5100 protocol=udp \
    to-addresses=192.168.88.248 to-ports=5100
add action=dst-nat chain=dstnat comment="Winbox udp" dst-port=8291 protocol=udp \
    to-addresses=192.168.88.1 to-ports=8291
add action=dst-nat chain=dstnat comment="web cfg udp" dst-port=8080 protocol=udp \
    to-addresses=192.168.88.1 to-ports=8080

My torrent and Synology rules, which point to ...248, seem to work. The rest, which point to ...1 (i.e. the web config login page and the Winbox application), don't work. I wonder, does that help figure out the problem?

www has been changed from 80 to 8080

/ip service
set www port=8080

By the way, there are other lines in the NAT table which are visible in Winbox but are not output by: /ip firewall nat export

Winbox and www ports don't need NAT, unless you are sending that traffic to ANOTHER DIFFERENT device.

Just set the Winbox and www ports in services, and no NAT rules.

Make sure you have input rules to allow those ports for winbox and www!

I have removed the NAT rules.
In my IP Service List I have:
Winbox 8291
www 8080

In my Firewall/Filter rules I noticed I have (I assume this is what you mean by "Make sure you have input rules to allow those ports for winbox and www!"):
Allow winbox, accept, input, tcp, 8291
Allow web admin, accept, input, tcp, 8080

On my internal network I can get to http://publicIP:8080 however externally I cannot.
I am also unable to connect to the winbox externally.

I am still perplexed. I can gain access to two of my web servers (externally) using http://publicIP:5100 for my Synology and http://publicIP:99 for my webcamera. However, I'm still struggling to gain access to my MikroTik, either with winbox.exe using publicIP:8291 or via its web interface on http://publicIP:8080.

Any ideas?

Are there any firewall filter rules in your input chain blocking traffic?

These are the firewall filter rules:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow web admin" dst-port=8080 protocol=tcp
1. Could that second last line be blocking my access to the winbox externally?

I resolved an issue I had with a game (League of Legends) which required ports 5000-5500 on UDP.
That range overlapped my Synology port 5100; once I disabled the Synology port, League of Legends worked.

I've now got my Synology on port 18181, which I don't think will interfere with any other application. I added the port forwarding

/ip firewall nat add chain=dstnat protocol=tcp dst-port=18181 action=dst-nat to-addresses=192.168.88.248 to-ports=18181

with no WAN address and this worked out for me.

My next step is to get Winbox working remotely. 8291 is the port. I see it in my config as being in the IP Firewall filter (as above) and in the IP Service List.
I moved it up the filter and it worked!! Delighted.
2. Why did it work?

My final issue is that I purchased another RB951G-2HND which is working fine as a wireless access point. However, I cannot get its LAN ports working. The wifi works fine, but I fear I switched off its Ethernet ports.

The way I set it up originally was that the two routers are connected via Ethernet cable. So port 1 on the access point is occupied with the connection to the rest of the network, but I'd like to be able to use the other ports as a sort of standard switch.

EDIT: to add, this is what the interface looks like.

[admin@MikroTik-Downstairs] > /interface export
# feb/10/1970 06:11:04 by RouterOS 6.4
# software id = RP84-ZL94
#
/interface bridge
add admin-mac=D4:CA:6D:BE:3F:31 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge name=\
    Teemo ssid=Teemo wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=FakePassword \
    wpa2-pre-shared-key=FakePassword
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=Teemo

Teemo is the SSID.

Thanks.

Any help would be appreciated, thanks.

Rules are processed sequentially and the first matching rule for a packet is used. When you had the drop rule at the top, it blocked everything coming from ether1-gateway and your allow rules never had a chance to be used (except for packets from other interfaces, but those would pass anyway, because by default everything is allowed and you had no further drop rule for other interfaces).
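Worked example, added here and not part of the thread: a small Python first-match simulator built from the input-chain rules exported above. It shows a new Winbox connection arriving on ether1-gateway being dropped with the original order and accepted once the allow rules sit above the drop, while other WAN ports stay dropped. The Rule class, the evaluate function and the packets are constructed for this demo and are not RouterOS code.

```python
# Added example, not from the thread: a first-match simulator for the poster's
# input chain, showing why rule order decided whether remote Winbox worked.

from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str = "accept"                 # RouterOS rules default to accept
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        return all(
            getattr(self, key) is None or getattr(self, key) == pkt.get(key)
            for key in ("protocol", "dst_port", "in_interface", "connection_state")
        )

def evaluate(chain: list, pkt: dict) -> str:
    """Return the action of the first matching rule; no match means implicit accept."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"  # RouterOS default policy when nothing in the chain matches

# Input chain in the order exported in the thread (drop sits above the allows).
ORIGINAL_INPUT = [
    Rule(protocol="icmp"),
    Rule(connection_state="established"),
    Rule(connection_state="related"),
    Rule(action="drop", in_interface="ether1-gateway"),
    Rule(protocol="tcp", dst_port=8291),   # allow winbox
    Rule(protocol="tcp", dst_port=8080),   # allow web admin
]

# The same rules after moving both allow rules above the drop, as the poster did.
FIXED_INPUT = ORIGINAL_INPUT[:3] + ORIGINAL_INPUT[4:] + [ORIGINAL_INPUT[3]]

# Constructed packets: new Winbox connections from WAN and LAN, and a WAN telnet try.
WAN_WINBOX = {"protocol": "tcp", "dst_port": 8291, "in_interface": "ether1-gateway", "connection_state": "new"}
LAN_WINBOX = {"protocol": "tcp", "dst_port": 8291, "in_interface": "ether2-master-local", "connection_state": "new"}
WAN_TELNET = {"protocol": "tcp", "dst_port": 23, "in_interface": "ether1-gateway", "connection_state": "new"}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        print(name, [evaluate(chain, p) for p in (WAN_WINBOX, LAN_WINBOX, WAN_TELNET)])
```

The fixed order keeps the default drop as the last input rule, so only the ports explicitly allowed above it are reachable from ether1-gateway.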