Trying (and failing) at port forwarding.

I’m trying to set up port forwarding for a media server/browser app between my phone and my desktop. (Emby, in case you’re wondering.)

I’ve used the following command based on advice I’ve seen in the forums for a dynamic IP:

/ip firewall nat add chain=dstnat dst-port=8096 action=dst-nat protocol=tcp dst-address-type=local to-addresses=192.168.88.253 to-ports=8096

Unfortunately, when I try to check for the open port at http://www.canyouseeme.org/, I get a timeout - as in, the port isn’t open.

I’m wondering if my firewall rules (that I also found around here somewhere a couple months back when I first got this router) are interfering with the attempt to forward port 8096?

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Disallow weird packets
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 1    ;;; Allow LAN access to the router itself
      chain=input action=accept connection-state=new in-interface=bridge-local log=no log-prefix="" 

 2    ;;;  ^^ that originated from LAN
      chain=input action=accept connection-state=established log=no log-prefix="" 

 3    ;;;  ^^ that originated from LAN
      chain=input action=accept connection-state=related log=no log-prefix="" 

 4    ;;; Allow ping ICMP from anywhere
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 5    ;;; Disallow anything else
      chain=input action=drop log=no log-prefix="" 

 6    ;;; Disallow weird packets
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; Allow LAN access to move through the router
      chain=forward action=accept connection-state=new in-interface=bridge-local log=no log-prefix="" 

 8    ;;;  ^^ that originated from LAN
      chain=forward action=accept connection-state=established log=no log-prefix="" 

 9    ;;;  ^^ that originated from LAN
      chain=forward action=accept connection-state=related log=no log-prefix="" 

10    ;;; Disallow anything else
      chain=forward action=drop log=no log-prefix=""

Can someone point out what I’m doing wrong here?

Accept port 8096 in the forward chain.

Do I create a new rule? Do I alter one of the existing rules? There are five rules there that say chain=forward. Could you be more specific?

Yes, create a new rule with action accept on those ports.

This advice is useless, because DST-NAT occurs before the ‘forward’ chain firewall rules.
Look at the packet flow diagram:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Remove this part of your DST-NAT rule:

dst-address-type=local

HTH,

That hasn’t changed anything. Port 8096 is still closed to the outside world.

As it stands, the NAT rule now looks like

chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=8096 protocol=tcp dst-port=8096 log=no log-prefix=""

And my firewall rules are unchanged.

I am having the same problem. Dynamic IP and just cannot get port forwarding to work at all. Extremely frustrating.

I should add to all this that every port seems to be closed based on what I see at http://www.yougetsignal.com/tools/open-ports/

Port 80, Port 8080, Port 110… Using their Common Port scan, everything is closed to the outside world.

This is great advice, since it won’t work without an accepted forward. If you look at the diagram, you will see that because dst-nat occurs before routing, the packet gets a new destination address and is then considered a forward packet during the route decision phase, and follows the forward path, including the forward filter chain.

Another point to clarify to the TS is that the accept rule should be before any other forward rules in the chain, otherwise it will have no effect.
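The two rules this reply describes, written out as an added example (not configuration from the thread): the dst-nat rule with the dynamic-IP handling done via the WAN interface, and a forward accept placed ahead of the final drop. It assumes the WAN interface is named ether1-gateway; the LAN address and port are the ones from the original post.

```routeros
# Added example, not from the thread. Assumes the WAN interface is ether1-gateway.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=8096 \
    in-interface=ether1-gateway to-addresses=192.168.88.253 to-ports=8096 \
    comment="Emby: forward TCP 8096 to the desktop"

/ip firewall filter
# Match the post-NAT destination with dst-address= (dst-address-list= expects the
# name of an address list, not an IP) and leave the client's source port unrestricted.
# place-before puts the rule ahead of the chain's final drop, where it can take effect.
add chain=forward action=accept protocol=tcp connection-state=new \
    in-interface=ether1-gateway dst-address=192.168.88.253 dst-port=8096 \
    comment="Emby: allow the dst-natted connection through the forward chain" \
    place-before=[find chain=forward action=drop comment="Disallow anything else"]
```

After adding them, /ip firewall nat print stats and /ip firewall filter print stats show whether either rule's packet counter moves during an external port test; if neither does, the traffic is not reaching the router at all.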

I dropped the following in at #7

 chain=forward action=accept protocol=tcp dst-address-list=192.168.88.253 src-port=8096 dst-port=8096 log=no log-prefix=""

It doesn’t work.

Unfortunately, you are wrong.

No, the packet is sent directly to the host specified in the DST-NAT ‘to-addresses’ parameter.
I have plenty of routers in customers’ offices and a lot of DST-NAT rules.
They work properly without an ‘allow’ rule in the ‘forward’ chain.

HTH,

@LearningCurve
Do the DST-NAT rule’s counters increase when you check it with ‘yougetsignal.com’?
Maybe your ISP blocks access to this port?

HTH,

No. Nothing is getting through at all.

It’s not my ISP. They don’t block anything.

Looks like firewall behaviour could be a question of opinion. Unfortunately, my experience is that without an explicit accept rule in the forward chain no packets are forwarded, simply because I have a general drop at the end of each chain, dst-natted packets included. If the counters are not rising during the access test, there is a firewall configuration error, or the packets just didn’t reach the router’s port for some reason. Many ISPs say one thing but do another. Maybe they are not blocking anything, they just do NAT too…

If you are testing a firewall rule, put it on the first position to see if it works or not.

I tried that with both the firewall rule and the NAT rule. No change.

I think there’s more going on here than just that. As I’ve said, every common port appears closed to the outside.

Is there maybe a different set of firewall rules I should be using, rather than the ones I have listed above?

Put your ip firewall export here. What ROS version are you running? Provide proof that the ISP is not blocking anything.

Be sure you have connection tracking enabled and running.

It is, but I don’t see where that’s getting me. I have a few things running right now, so there are literally hundreds of connections to my PC (along with several each to my mobile and my wife’s laptop).

@LearningCurve
Use ‘Tools/Packet Sniffer’ to prove that packets from ‘yougetsignal.com’ arrive on your WAN interface.

HTH,