Trouble forwarding uTorrent ports

I am having trouble forwarding port 32401 for uTorrent although happy to use any port number. I have other forwarding NAT rules in place to the same machine without any issues.

My setup:
I have a MikroTik RB750Gr3 hEX
ADSL modem set to bridged mode plugged into Ether1

MikroTik logs onto internet using PPPoE, I have a static IP address from ISP of 115.1.1.1 (sample address)
I have a VPN client running on this computer as well which gives me a public IP address of 96.44.1.1 (sample address). I have tried switching off the VPN client with no change

I am trying to forward port 32401 to 192.168.1.35. Both 80 and 3389 currently are forwarded to that same machine and it works fine.
http://www.canyouseeme.org/ shows port is open

I tried using the Torch tool and watched for traffic on that port, but it showed no activity.

My current NAT rules are:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade out-interface-list=WAN 

 2    chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=32400 protocol=tcp dst-port=32400 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=32401 protocol=tcp dst-port=32401 log=no log-prefix="" 
 
 4    chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=32401 protocol=udp dst-port=32401 log=no log-prefix="" 

 5 X  ;;; uTorrent Port Forward
      chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=32401 protocol=tcp dst-port=32401 log=yes log-prefix="uTorrent 1" 

 6 X  ;;; uTorrent Port Forward
      chain=dstnat action=dst-nat to-addresses=192.168.1.35 protocol=udp in-interface-list=WAN dst-port=51363 log=yes log-prefix="uTorrent 2" 

 7    chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=3389 protocol=tcp dst-port=3389 

 8    chain=dstnat action=dst-nat to-addresses=192.168.1.35 protocol=tcp dst-address=115.1.1.1 dst-port=80 

 9    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.35 out-interface-list=LAN dst-port=32400 log=no log-prefix="" 

10    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.35 out-interface-list=LAN dst-port=80 log=no log-prefix=""

Any help would be appreciated.

No need for manual port redirection.

1.- Delete all those dst-nats
2.- IP > uPnP

Tick:

  • Enabled
  • Show Dummy Rule

Click on [Interfaces] button.

Add ether1 as External
Add your LAN bridge as Internal

done.

Enable uPnP on your torrent/skype/whatever client, close it and re-launch.

Look at IP > Firewall > Nat, you should see the “mappings” being created dynamically.

Just to note: enabling UPnP also allows opening (redirecting) whatever port to whatever device in the inner network if a program on that device asks for it. Everyone should think twice about the consequences and risks of it before doing so.

If port 3389 works, then 32401 must work too; your rules are exactly the same, except for the port number. If it really doesn’t work, then it doesn’t look like a problem with your config, at least the part you’ve shown us. So either you are doing something wrong somewhere else (e.g. in the forward filter) or perhaps the ISP could be blocking incoming connections (but that sounds unlikely if you have a public address).
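An added example, not part of the thread and not MikroTik tooling: a small Python parser for the NAT listing posted above. It checks the claim that the 3389 and 32401 rules differ only in port, and flags dst-nat rules that repeat an earlier matcher or carry no `dst-address`/`in-interface` scope. The function names are hypothetical; the sample input is four of the posted rules.

```python
import re

# Rules 3, 5, 7 and 8 copied from the NAT rule listing posted above.
NAT_PRINT = '''\
Flags: X - disabled, I - invalid, D - dynamic
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=32401 protocol=tcp dst-port=32401 log=no log-prefix=""
 5 X  ;;; uTorrent Port Forward
      chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=32401 protocol=tcp dst-port=32401 log=yes log-prefix="uTorrent 1"
 7    chain=dstnat action=dst-nat to-addresses=192.168.1.35 to-ports=3389 protocol=tcp dst-port=3389
 8    chain=dstnat action=dst-nat to-addresses=192.168.1.35 protocol=tcp dst-address=115.1.1.1 dst-port=80
'''

HEAD = re.compile(r'^\s*(\d+)\s+([XID]*)\s*(.*)$')   # rule number, flags, rest of line
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S*)')         # key=value, value optionally quoted
SCOPE = ('dst-address', 'dst-address-type', 'dst-address-list', 'in-interface', 'in-interface-list')

def parse_rules(text):
    """Turn print output into [{'id', 'flags', 'props'}], joining wrapped lines."""
    rules = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            rules.append({'id': int(m.group(1)), 'flags': m.group(2), 'props': {}})
            line = m.group(3)
        if rules and not line.lstrip().startswith(';;;'):   # skip comment text
            rules[-1]['props'].update((k, v.strip('"')) for k, v in PROP.findall(line))
    return rules

def differing_keys(a, b):
    """Properties whose values differ between two rules, ignoring logging options."""
    keys = (set(a['props']) | set(b['props'])) - {'log', 'log-prefix'}
    return sorted(k for k in keys if a['props'].get(k) != b['props'].get(k))

def audit(rules):
    """Flag dst-nat rules that repeat an earlier matcher or lack any scoping match."""
    findings, seen = [], {}
    dstnat = [r for r in rules if r['props'].get('chain') == 'dstnat']
    for r in dstnat:
        p = r['props']
        matcher = (p.get('protocol'), p.get('dst-port')) + tuple(p.get(k) for k in SCOPE)
        if matcher in seen:
            findings.append((r['id'], f'same matcher as rule {seen[matcher]}'))
        seen.setdefault(matcher, r['id'])
        if 'X' not in r['flags'] and not any(p.get(k) for k in SCOPE):
            findings.append((r['id'], 'no dst-address or in-interface scope'))
    return findings

if __name__ == '__main__':
    print(audit(parse_rules(NAT_PRINT)))
```

A dst-nat rule with no destination-address or inbound-interface match also applies to LAN clients connecting out to that port on other hosts, which is why rule 8's `dst-address` form is the tighter pattern.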

It’s not my ISP or VPN provider as this was working on an older Billion router that I replaced with the Mikrotik.

When you say it could be somewhere else, what areas would you suggest checking? This is my firewall filter list

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Thanks again for your help.

I’m not really keen on setting up uPnP because of the security issues with it. I only want to open a certain number of ports that I control.

One thing I have noticed is that when using Torch it shows that all my requests going out seem to have a sequential port number put onto the src address but the correct one on the dst address.

E.g. hitting my web server from within my network I can see the srcAddress as 192.168.1.15:59431 and dst Address as 115.1.1.1:80
If I hit it again it shows srcAddress as 192.168.1.15:59500 and dst Address as 115.1.1.1:80

Could that be the problem?

Actually ignore all of the above.

I went in and disabled all the NAT rules and re-enabled them and it seems to be working now.

Thanks for your help.

Hi, just quickly, can I ask why you need forwarding for uTorrent? What benefit do you get? I'm just wondering why you need forwarding for uTorrent.

Thanks

To allow incoming connections. If nobody forwarded torrent ports, no torrent transfers would happen … ever.

@mkx basically it means if I'd like to post my file for public download, I have to set up torrent forwarding

Thanks

@nichky: that’s right.