Understanding why Minecraft Server won't connect

Hello all! I am new to RouterOS with only a little bit of networking knowledge (Cisco I-IV is blurry from college). Can someone please help me to understand why I am unable to connect to my Minecraft Server. Getting this figured out will be critical to my migration to RouterOS for other servers. I was able to get port forwarding setup for HTTP, HTTPS, and other services. For some reason I cannot connect to my MC server from LAN or WAN. I am running the MC server on a separate device (192.168.50.4) then my main device (192.168.50.5)

Server Device - 192.168.50.4
Minecraft Server Port - 25550

I am connecting through subdomain minecraft.test.com. This is using a CNAME rule to my dynamic dns service, and a srv record to point to the correct port. I can ping my DDNS and get the correct public IP.
CNAME Record

SRV Record

It says I can reach the port from my server device

Firewall Rules

NAT Rules - I see that my other rules are using “In. Interface List” instead of “In. Interface”

Let me know if you need any more information.

Well…try to refer to Interface address lists like the other (apparently working ones) ?? Why do you select “ether1” and not “WAN” ? You tried and it doesn’t work ?

You reference “ether1” for these Minecraft rules but that might be wrong. If you are using PPPoE for example to your ISP this probably will not work. This needs to be correct to start with.

Not too many people will reply without a export of relevant config, not just some screenshots.


EDIT : For some reason I cannot connect to my MC server from LAN or WAN. I am running the MC server on a separate device (192.168.50.4) then my main device (192.168.50.5)
You want to start with making a small drawing what you have constructed. What is “a separate device” ? Router ? Switch ?

https://forum.mikrotik.com/viewtopic.php?t=179343

1. I tried switching the interface over to WAN and still nothing. Although it says the port is open on my Server through public IP.
2. ETH1 is where my Mikrotik Router is connecting to my ISP. ETH4 is where my Server connects to my Router, see the diagram below I created
3. what relavant configs are needed? Can you provide the commands for pulling that data. Thank you friend

I read through almost all of that all day at work today. I guess I dont quite understand.. Sorry for being very novice at this. I am wanting to get better at networking!

From what I read on that link I will need to setup Hairpin NAT. I need to use this command

add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24

In conjunction with this command (Dynamic WAN IP - Firewall Addresses List and IP Cloud) with my DDNS service (duckdns)

dst-address-list=updatedCloudIP
add chain=dstnat action=dst-nat dst-address-list=updatedCloudIP address protocol=tcp dst-port=25550to-addresses=192.168.50.4

Am I going to have to use the above Dynamic WAN IP NAT rule for every server? If so what do my other port forwards work correctly? I made my other port forward rules using Quick Set>Port Mapping then adding in the information needed. The ports opened using this method are working fine, but the Minecraft server did not behave the same way.

Sorry this is a huge jumble, just learning how this works very slowly.

Correct hairpin nat!
Avoid quickset.
Yes every port forwarding rule has to be complete and having different ports will not interfere with each other.

Thank you for the guidance! My server is now accessible from outside my network! I have a couple more questions -

1. I cannot access my MC server from the local IP of the server (192.168.50.4), The device I am accessing from is 192.168.50.5

2. Do I need this NAT rule? I cant remember how it got there..
   

Without seeing the full config will not comment.
However,

Port Forwarding requires a number of things

1. single port forwarding rule in the forward chain
   add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat

2. If you have hairpin nat, users from same subnet as server require access to server via DYNDNS name or IP (instead of the direct local LAN IP). Then you need to ADD an associated sourcenat rule.
   add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24

3. Properly formatted DST nat rules for static or dynamic WANIPs.

4. If WANIP is dynamic and hairpin nat is involved one has to mimic the static case, as you have done with making the DYNDNS name an address list entry and using dst-address-list= in the dstnat rule.

5. The generic sourcenat rule for dynamic WAN does not change!!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Without seeding the config not sure what you have done wrong LOL. However you should have this rule in place as one of the sourcenat rules.
add chain=srcnat action=masquerade dst-address=192.168.50.0/24 src-address=192.168.50.0/24

The rule I didn’t know if I needed is #0
Found the correct command for printing out my NAT configuration - here it is

[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade src-address=192.168.50.0/24 dst-address=192.168.50.0/24 

 2    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=32400 protocol=tcp in-interface-list=WAN 
      dst-port=32400 

 3    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=32400 protocol=udp in-interface-list=WAN 
      dst-port=32400 

 4    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=32435 protocol=tcp in-interface-list=WAN 
      dst-port=32435 

 5    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=32435 protocol=udp in-interface-list=WAN 
      dst-port=32435 

 6    ;;; UNRAID VPN
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=51820 protocol=udp in-interface-list=WAN 
      dst-port=51820 

 7    ;;; Minecraft TCP
      chain=dstnat action=dst-nat to-addresses=192.168.50.4 to-ports=25550 protocol=tcp dst-address-list=WAN IP 
      dst-port=25550 log=no log-prefix="" 

 8    ;;; Minecraft UDP
      chain=dstnat action=dst-nat to-addresses=192.168.50.4 to-ports=25550 protocol=udp dst-address-list=WAN IP 
      dst-port=25550 log=no log-prefix="" 

 9    ;;; HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=8181 protocol=tcp dst-address-list=WAN IP 
      dst-port=80 log=no log-prefix="" 

10    ;;; HTTPS
      chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=4433 protocol=tcp dst-address-list=WAN IP 
      dst-port=443 log=no log-prefix=""

192.168.50.3 - Unraid Server
192.168.50.4 - MC Server (Game Server)
192.169.50.5 - Personal windows device

I am able to connect to the server via my subdomain minecraft.test.com, but I cannot connect via 192.168.50.4

Dont quite understand but you have the correct hairpin nat rule.

YOur dstnat rules sucketh…
chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=32400 protocol=tcp in-interface-list=WAN
dst-port=32400

This is the wrong format? Are you sure you read the article?
For hairpin nat any interface=WAN is wrong, the traffic is not coming in from the WAN and thus right off the bat is logically wrong.

Please read again… https://forum.mikrotik.com/viewtopic.php?t=179343

Pay attention to; 1B

You have many options [ I prefer B (ii) ]
B (i), (ii), (iii), and 2.

I need to redo those rules. Those are the rules I created with quick set > port mapping. I think my question has been answered as far as Minecraft is considered. Thank you for the help!

Just need to setup hairpin nat and then use Dynamic WAN IP - firewall address list and IP Cloud

@Masparrow: Why would you open up any ports TO THE ROUTER, for a server on the LAN requirement??

Hello everyone,

I’ve been following this thread with great interest as I’m encountering a similar issue with my Minecraft server setup, especially after reading about the challenges and steps taken here. Despite following similar steps for port forwarding and setting up DNS records, I’m still unable to connect to my server both from LAN and WAN, much like the original post describes.

I noticed the original setup involved using a separate device for the server (192.168.50.4) and a specific port (25550), along with a CNAME rule for the subdomain and an SRV record pointing to the correct port. I’ve done something similar, but I’m wondering if there might be an overlooked detail in the firewall or NAT rules that could be the culprit. Could there be a specific rule that’s commonly missed but crucial for Minecraft servers?

Any insights or further elaboration on the firewall and NAT configuration steps would be immensely helpful. I’m trying to ensure I haven’t missed any critical setup steps that were successful for others. Thanks in advance for any guidance!

Its all there, so it must be a config error on your part.

Hi everyone,

I’ve recently migrated to RouterOS and am facing difficulties connecting to my Minecraft server, both from LAN and WAN. Despite successful port forwarding for HTTP and HTTPS services, my Minecraft server remains inaccessible.

Here’s the setup:

Minecraft server IP: 192.168.50.4
Minecraft server port: 25550
Domain: minecraft.test.com (resolved via CNAME to my DDNS with a correct public IP)
Device trying to connect from: 192.168.50.7

I’ve set up a CNAME rule pointing to my dynamic DNS service, and an SRV record to redirect to the Minecraft server port. Despite this, I can’t establish a connection to the server.

Could anyone guide me on what settings or configurations in RouterOS might be preventing access to my Minecraft server? Any insights or suggestions would be greatly appreciated.