Hi guys, I’m new here, and kind of new to Mikrotiks.
I need to forward the following ports: 8443, 8444 and 8888. I have successfully set up port forwarding for other ports on my Mikrotiks, but these three ports are refusing to open.
The network layout, in brief: we have an internet-facing Mikrotik that connects directly to our fibre connection from the ISP, and behind it another Mikrotik that handles DHCP and all the IP address ranges we need for our wireless infrastructure.
I’m attaching the configurations for both Mikrotiks: Mikrotik A is the ISP-facing Mikrotik and Mikrotik B is the one that handles DHCP and IP addressing.
If I could have any help or advice, that would save my ass big time, need these ports open before the end of the week.
Mikrotik A configuration
# jul/13/2022 10:37:20 by RouterOS 6.49.6
# software id = 8WR9-VN51
#
# model = CCR1009-7G-1C-1S+
# serial number = <CENSORED>
# Router A (ISP-facing): PPPoE uplink on combo1, a VLAN 909 monitoring bridge, and
# dst-nat rules that hand selected ports to router B at 192.168.1.253.
/interface bridge
add admin-mac=0A:D8:FF:DC:96:1A auto-mac=no name=HeroMonitoring
/interface ethernet
set [ find default-name=combo1 ] name=combo1_HEROTEL
set [ find default-name=ether3 ] disabled=yes name=ether3_Office_Link
set [ find default-name=ether5 ] comment=\
"Herotel Airfibre to Defensor Airfibre (MASTER)" name=ether5_Herotel
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full l2mtu=1700
/interface pppoe-client
# NOTE(review): the PPPoE user and password are exported here in clear text. In a
# config that is shared, they should be redacted the same way the serial number is
# (RouterOS 6 offers "/export hide-sensitive"), and the password changed with the ISP.
add add-default-route=yes disabled=no interface=combo1_HEROTEL name=\
HerotelInternet password=ntel123 user=A4652
/interface vlan
# VLAN 909 is tagged on both the ISP port and the ether5 link; the two VLAN
# interfaces are bridged together under /interface bridge port below.
add interface=combo1_HEROTEL name="vlan909 - HeroMonitoring" vlan-id=909
add interface=ether5_Herotel name="vlan909 - HeroMonitoringAF" vlan-id=909
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=HeroMonitoring interface="vlan909 - HeroMonitoring"
add bridge=HeroMonitoring interface="vlan909 - HeroMonitoringAF"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
# Transit network towards router B (B holds 192.168.1.253 on its "ether5 - HeroTel").
add address=192.168.1.254/24 interface=ether5_Herotel network=192.168.1.0
/ip dns
set servers=1.1.1.1
/ip dns static
add address=1.1.1.1 name=DNS1
add address=8.8.8.8 name=DNS2
add address=8.8.4.4 name=DNS3
/ip firewall filter
# The only filter rule: every forwarded packet is accepted. No input-chain rule
# appears in this export, so nothing shown here limits who can reach the router's
# own services (see /ip service below) from the PPPoE side.
# NOTE(review): the usual baseline is an input chain that accepts
# established/related traffic and management from known sources, then drops the
# rest - confirm whether such rules were left out of the paste.
add action=accept chain=forward
/ip firewall nat
# Traffic sent to router B leaves with router A's own address as its source, so B
# and the hosts behind it do not see the original client address (worth knowing
# when reading server logs or writing host firewall rules).
add action=masquerade chain=srcnat dst-address=192.168.1.253
# The dst-nat rules in this section match on protocol and dst-port only; none has
# in-interface or dst-address. As written they also rewrite connections that
# inside hosts open to these ports on outside servers, not only traffic arriving
# at the public address.
# NOTE(review): scope each rule with in-interface=HerotelInternet or a
# dst-address match on the public address.
# TCP 1723 plus the GRE rule further down is the PPTP pair.
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=\
192.168.1.253 to-ports=1723
add action=dst-nat chain=dstnat dst-port=888 protocol=tcp to-addresses=\
192.168.1.253 to-ports=888
# TCP 1994 is translated to port 3389 on router B, and B's own rule forwards 3389
# to an inside host. 3389 is the default RDP port, so this presumably publishes
# RDP on a non-standard port.
# NOTE(review): consider a src-address-list match, or reaching it over the VPN.
add action=dst-nat chain=dstnat dst-port=1994 protocol=tcp to-addresses=\
192.168.1.253 to-ports=3389
# No port or interface matcher: every GRE packet seen in dstnat is sent to router B.
add action=dst-nat chain=dstnat protocol=gre to-addresses=192.168.1.253
add action=masquerade chain=srcnat comment="This rule will change all incoming t\
raffic to your server, to the gateway ip on the router." dst-address=\
10.100.100.249
# Everything leaving through the PPPoE interface is source-NATed to one fixed address.
add action=src-nat chain=srcnat out-interface=HerotelInternet to-addresses=\
196.250.216.133
# The three forwards the post asks about. They have the same shape as the 1723
# and 888 rules above; only the port numbers differ.
add action=dst-nat chain=dstnat comment="Oryx 8888" dst-port=8888 protocol=tcp \
to-addresses=192.168.1.253 to-ports=8888
add action=dst-nat chain=dstnat comment="Oryx 8444" dst-port=8444 protocol=tcp \
to-addresses=192.168.1.253 to-ports=8444
add action=dst-nat chain=dstnat comment="Oryx 8443" dst-port=8443 protocol=tcp \
to-addresses=192.168.1.253 to-ports=8443
/ip route
# Default route via PPPoE (distance 1) with a second default via router B (distance 2).
add distance=1 gateway=HerotelInternet
add distance=2 gateway=192.168.1.253
/ip service
# Telnet is moved to port 223 but not disabled; it carries logins in clear text.
# SSH listens on 222 and the HTTPS web interface (www-ssl) is switched on.
# An export lists only non-default settings, so the remaining services are
# presumably still at their defaults - verify with "/ip service print".
set telnet port=223
set ssh port=222
set www-ssl disabled=no
/ip ssh
# Allows SSH clients to open connections outward from the router (local forwarding).
set forwarding-enabled=local
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=SignalHill_Defensor
/tool romon
# RoMON is enabled and no secrets value appears in this export.
# NOTE(review): confirm which ports it runs on and whether a secret is set.
set enabled=yes
/tool sniffer
# Capture restricted to port 8443 on ether5_Herotel, written to defensor.pcap -
# apparently left over from debugging the 8443 forward.
set file-name=defensor.pcap filter-interface=ether5_Herotel filter-port=8443 \
memory-limit=1000KiB
[admin@SignalHill_Defensor] >
Mikrotik B Configuration
# jul/13/2022 10:49:48 by RouterOS 6.49.6
# software id = X1C2-JH6I
#
# model = CCR1009-8G-1S-1S+
# serial number = <CENSORED>
# Router B (inside): DHCP server for 10.100.100.0/24, tower and Vodacom subnets,
# and the second hop of each port forward coming from router A (192.168.1.254).
/interface ethernet
set [ find default-name=ether1 ] mac-address=E4:8D:8C:0F:E1:0B name="ether1 - Vodacom"
set [ find default-name=ether2 ] mac-address=E4:8D:8C:0F:E1:0C name="ether2 - Towers"
set [ find default-name=ether3 ] mac-address=E4:8D:8C:0F:E1:0D name="ether3 - LAN"
set [ find default-name=ether4 ] mac-address=E4:8D:8C:0F:E1:0E
set [ find default-name=ether5 ] mac-address=E4:8D:8C:0F:E1:0F name="ether5 - HeroTel"
set [ find default-name=ether6 ] mac-address=E4:8D:8C:0F:E1:10
set [ find default-name=ether7 ] mac-address=E4:8D:8C:0F:E1:11
set [ find default-name=ether8 ] mac-address=E4:8D:8C:0F:E1:12
set [ find default-name=sfp-sfpplus1 ] mac-address=E4:8D:8C:0F:E1:09
set [ find default-name=sfp1 ] mac-address=E4:8D:8C:0F:E1:0A
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# NOTE(review): VPN_Pool (10.100.100.120-140) lies inside the second range of
# dhcp_pool0 (10.100.100.105-199), so DHCP and the VPN profile can hand out the
# same address. Carve the VPN range out of the DHCP pool or move it.
add name=dhcp_pool0 ranges=10.100.100.5-10.100.100.95,10.100.100.105-10.100.100.199
add name=VPN_Pool ranges=10.100.100.120-10.100.100.140
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="ether3 - LAN" name=dhcp1
/ppp profile
# Profile for the PPTP service: both tunnel endpoints are drawn from VPN_Pool.
add dns-server=1.1.1.1,8.8.8.8 local-address=VPN_Pool name=PPTP_VPN rate-limit="" remote-address=VPN_Pool
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romo\
n,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.0.0.253/24 interface="ether1 - Vodacom" network=10.0.0.0
add address=10.10.11.1/24 interface="ether2 - Towers" network=10.10.11.0
add address=10.10.12.1/24 interface="ether2 - Towers" network=10.10.12.0
add address=10.10.15.1/24 interface="ether2 - Towers" network=10.10.15.0
# LAN gateway address; also the target of the 1723 and GRE dst-nat rules below.
add address=10.100.100.249/24 interface="ether3 - LAN" network=10.100.100.0
# Transit address facing router A.
add address=192.168.1.253/24 interface="ether5 - HeroTel" network=192.168.1.0
/ip dhcp-server config
set store-leases-disk=1d5m
/ip dhcp-server network
add address=10.100.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.100.100.249
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
# The only filter rule: every forwarded packet is accepted. No input-chain rule
# appears in this export, so nothing shown here restricts access to this router's
# own services.
# NOTE(review): confirm whether input rules exist but were left out of the paste.
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether5 - HeroTel"
# As on router A, the dst-nat rules match on protocol and dst-port only, so they
# apply to packets entering on any interface, including LAN hosts connecting
# outward to these ports.
# NOTE(review): scope each rule with in-interface="ether5 - HeroTel".
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=10.100.100.254 to-ports=3389
# 1723 and GRE are pointed at 10.100.100.249, which is this router's own LAN address.
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=10.100.100.249 to-ports=1723
add action=dst-nat chain=dstnat dst-port=888 protocol=tcp to-addresses=10.100.100.1 to-ports=888
add action=dst-nat chain=dstnat protocol=gre to-addresses=10.100.100.249
# The three forwards the post asks about. They are built like the 888 rule above;
# the visible difference is the target host, 10.100.100.250, which sits outside
# dhcp_pool0 and is therefore presumably statically addressed.
# NOTE(review): because router A masquerades towards this router, that host sees
# connections from 192.168.1.254, not from the real client. Check that it listens
# on 8443/8444/8888, that its host firewall accepts that source, and that its
# default gateway is 10.100.100.249 - none of this is visible in either export.
add action=dst-nat chain=dstnat comment="Oryx 8888" dst-port=8888 protocol=tcp to-addresses=10.100.100.250 \
to-ports=8888
add action=dst-nat chain=dstnat comment="Oryx 8444" dst-port=8444 protocol=tcp to-addresses=10.100.100.250 \
to-ports=8444
add action=dst-nat chain=dstnat comment="Oryx 8443" dst-port=8443 protocol=tcp to-addresses=10.100.100.250 \
to-ports=8443
/ip route
# Active default route points at router A; the Vodacom default is disabled.
add distance=1 gateway=192.168.1.254
add disabled=yes distance=2 gateway=10.0.0.254
/ip service
# HTTPS web interface switched on. Other services are not listed, so they are
# presumably at their defaults - verify with "/ip service print".
set www-ssl disabled=no
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH session be negotiated with the
# "none" cipher, i.e. without encryption; the default is no. forwarding-enabled=remote
# lets SSH clients listen on the router and forward incoming connections.
set allow-none-crypto=yes forwarding-enabled=remote