I am quite confused over this.
I have a fingerprint attendance device which is unable to connect to a cloud server on port 9001 when it is behind a MikroTik.
Connecting the device directly to the modem (modem → attendance device) successfully connects to the cloud server.
At first I thought it might be a port forwarding issue:
Since you know the problem area, why ask?? Why else would you ONLY provide the firewall rules???
If you do not, then post the complete config:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)
Q1. Do you get a public IP
Q2. Is it static or dynamic
Q3. Is the server only for external users
Q4. If also for internal users, how do they access the server (by direct LAN IP address)?
It is a device, not a server. Employees have their attendance taken by fingerprint and the attendance machine sends the data to a server using port 9001.
I thought it might be a port forwarding issue. Then I brought this device to my workplace, which has the same setup: modem → MikroTik → attendance device. However, the MikroTik at my workplace does not need any port forwarding set and the device is able to connect to the server successfully.
So I don't consider this a port forwarding issue.
Attachment: all.txt.rsc (7.1 KB)
The address of your subnet is incorrectly assigned.
From:
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
To:
/ip address
add address=192.168.1.1/24 interface=bridge-LAN network=192.168.1.0
Simplify the firewall!
First make this address list (fill it with the admin machines by setting DHCP static leases for them):
/ip firewall address-list
add address=192.168.1.AB list=Authorized comment="admin desktop"
add address=192.168.1.CD list=Authorized comment="admin laptop"
add address=192.168.1.EF list=Authorized comment="admin smartphone/ipad"
/ip firewall filter
# The defconf accept/drop rules below must be enabled (no disabled=yes), otherwise
# the final "Drop All Else" rule discards all return traffic.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input comment="DNS services UDP" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="DNS services TCP" dst-port=53 protocol=tcp in-interface-list=LAN
# Make this the last input rule you enter, after all the others.
add action=drop chain=input comment="Drop All Else"
+++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop All Else"
Note: If you are going to pass NTP settings on to devices from the router, add port 123 to the UDP DNS rule in the input chain (i.e. dst-port=53,123).
Port forwarding rules...
First make a firewall address list:
/ip firewall address-list
# use your dyndns / IP cloud name in place of mynetname
add address=mynetname list=WANIP
/ip firewall nat
# to-ports is not needed when it is the same as dst-port; it is implied
add action=dst-nat chain=dstnat dst-address-list=WANIP dst-port=9001 protocol=tcp to-addresses=192.168.1.37
add action=dst-nat chain=dstnat dst-address-list=WANIP dst-port=9001 protocol=udp to-addresses=192.168.1.37
FINAL NOTE: It is NOT recommended to set tcp syn cookies to yes.
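As an added diagnostic, not part of the original thread or of the poster's config: the quickest way to settle whether the MikroTik is dropping the attendance device's outbound TCP 9001 connection is to log that traffic at the top and at the bottom of the forward chain and compare. It assumes the device has LAN address 192.168.1.37 (the address used in the NAT rules above; substitute the real lease) and that the forward chain ends with a rule commented "Drop All Else" as posted above.

```routeros
# Added diagnostic, not from the original thread. Assumes the attendance
# device is 192.168.1.37 and the forward chain ends in "Drop All Else".

/ip firewall filter
# 1. Log every new outbound 9001 connection from the device at the very top
#    of the forward chain, before any accept/drop rule can swallow it.
add chain=forward action=log log-prefix="att-9001-top" \
    src-address=192.168.1.37 protocol=tcp dst-port=9001 \
    connection-state=new place-before=0

# 2. Log the same traffic just above the final drop, so a hit here means
#    no accept rule matched and the firewall (not NAT or routing) is the cause.
add chain=forward action=log log-prefix="att-9001-drop" \
    src-address=192.168.1.37 protocol=tcp dst-port=9001 \
    place-before=[find chain=forward comment="Drop All Else"]

# 3. Scan a fingerprint on the device, then inspect the log and the
#    connection tracking table for the attempt.
/log print where message~"att-9001"
/ip firewall connection print where src-address~"^192.168.1.37:" && dst-address~":9001"

# 4. Confirm the device's LAN traffic is actually being source-NATed out the WAN.
/ip firewall nat print where action=masquerade

# 5. Remove the diagnostic rules once done.
/ip firewall filter remove [find log-prefix~"att-9001"]
```

Reading the result: a hit on att-9001-top but none on att-9001-drop means the forward chain accepted the connection and the problem is elsewhere (NAT, routing, or the upstream modem). Hits on both means an accept rule is missing or mis-ordered, and the log line shows which interfaces the packet arrived on and left by. No hit on either means the packet never reached the forward chain at all, which is exactly what a LAN address bound to ether2 instead of the bridge, as corrected above, would produce for a device plugged into another bridge port.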