uTorrent UDP/TCP PF on Port 5900

Good Morning All,

I am currently running 6.24 and I have been trying and trying to get this port forwarding squared away. I have searched up and down and tried everything known to man to get this stuff working. All I can think of is that my fw is blocking it somehow. Here is my fw printout. I am trying to forward 5900 UDP/TCP to an internal IP of 192.168.29.229. I have tried all the suggested methods and still think my FW is borking it.

ip firewall export
# jan/13/2015 15:53:51 by RouterOS 6.24
# software id = WI6S-NMRP
#
# Named address lists. The filter, mangle and nat rules in this export match
# on these by name (src-address-list= / dst-address-list=).
/ip firewall address-list
# src_reject: four entire /8 source ranges. The first input-chain filter rule
# drops and logs anything sourced from them.
add address=122.0.0.0/8 list=src_reject
add address=61.0.0.0/8 list=src_reject
add address=5.0.0.0/8 list=src_reject
add address=123.0.0.0/8 list=src_reject
# ALLOWED_PRIVATE_NETS: used by the proc_gre_in / proc_gre_out chains and by
# the change-mss mangle rules.
add address=192.168.128.0/20 list=ALLOWED_PRIVATE_NETS
add address=10.7.0.0/20 list=ALLOWED_PRIVATE_NETS
add address=172.24.0.0/24 list=ALLOWED_PRIVATE_NETS
add address=172.16.0.0/16 list=ALLOWED_PRIVATE_NETS
# NOTE(review): 224.0.0.5 is the OSPF all-routers multicast group; presumably
# listed for routing-protocol traffic -- confirm.
add address=224.0.0.5 list=ALLOWED_PRIVATE_NETS
# Host_Trusted_remotes is not referenced by any filter, mangle or nat rule
# shown in this export.
add address=115.88.95.53 comment=cortana.homelinux.net list=\
    Host_Trusted_remotes
# QOS_* lists feed the mark-connection mangle rules.
# NOTE(review): 127.0.0.1 and 127.0.0.2 are loopback addresses and look like
# placeholders -- confirm they are intentional.
add address=127.0.0.1 list=QOS_HIGH_PRIORITY
add address=224.0.0.5 list=QOS_NETD_PRIORITY
add address=127.0.0.2 list=QOS_NORMAL_PRIORITY
add address=192.168.88.249 list=QOS_NORMAL_PRIORITY
# HMA_VPN_OUT: destinations that the mangle prerouting rules give a routing
# mark when the source is in LOCAL_VPN_NET.
add address=23.76.0.0/16 comment="Amazon and Target" list=HMA_VPN_OUT
add address=72.246.103.24 list=HMA_VPN_OUT
add address=114.108.0.0/16 list=HMA_VPN_OUT
add address=176.32.0.0/16 list=HMA_VPN_OUT
# LOCAL_VPN_NET: the LAN sources eligible for that routing mark.
add address=192.168.88.2-192.168.88.254 list=LOCAL_VPN_NET
add address=192.168.89.0/24 list=LOCAL_VPN_NET
add address=216.127.0.0/16 list=HMA_VPN_OUT
add address=173.194.117.0/24 list=HMA_VPN_OUT
add address=173.194.126.0/24 list=HMA_VPN_OUT
# Filter table. Rules are evaluated top to bottom per chain; a rule with no
# action= is an accept (the export omits default values).
# NOTE: this paste was hard-wrapped mid-token in several places (for example
# "log-prefix" / "=\" below); those lines must be rejoined before re-import.
/ip firewall filter
# input chain = traffic addressed to the router itself.
# Drop and log anything sourced from the src_reject list before any accept.
add action=drop chain=input comment="SRC Reject DROP" log=yes log-prefix
=\
    "SRC_REJECT:  " src-address-list=src_reject
# Accept ICMP to the router from any interface.
add chain=input comment="default configuration" protocol=icmp
# Accept replies to connections that already exist.
add chain=input comment="Accept ESTABLISHED" connection-state=establishe
d
add chain=input comment="Accept Related" connection-state=related
# Traffic not arriving on the WAN port and not sourced from 192.168.88.0/24
# is handed to the proc_gre_in chain.
add action=jump chain=input comment="Process GRE Input" in-interface=\
    !ether1-gateway jump-target=proc_gre_in src-address=!192.168.88.0/24
# VPN server ports. These sit above the catch-all drop and carry no
# in-interface or src-address matcher, so they are reachable from the WAN.
# NOTE(review): PPTP authentication is widely considered weak; consider
# limiting these by source address if the peers are known.
add chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Drop everything else that arrives on the WAN port for the router itself.
# dst-nat'd packets are forwarded rather than delivered locally, so they are
# judged by the forward chain below and not by this rule.
add action=drop chain=input comment="Catch-All DROP" in-interface=\
    ether1-gateway
# forward chain = traffic routed through the router.
# No matchers and no action: every forwarded packet is accepted here, so the
# filter table shown is not what blocks the 5900 forward.
# NOTE(review): this also means nothing filters forwarded traffic. Any dst-nat
# rule, including dynamic ones created by UPnP, exposes the internal host
# directly. The three rules after this one are disabled, including the drop of
# invalid connections.
add chain=forward comment="Forward ALL THE THINGS!"
add chain=forward comment="default configuration" connection-state=\
    established disabled=yes
add chain=forward comment="default configuration" connection-state=relat
ed \
    disabled=yes
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
# output chain = traffic originated by the router.
# Router traffic between ALLOWED_PRIVATE_NETS addresses, leaving on a non-WAN
# interface and not destined for 192.168.88.0/24, is checked in proc_gre_out.
add action=jump chain=output dst-address=!192.168.88.0/24 dst-address-li
st=\
    ALLOWED_PRIVATE_NETS jump-target=proc_gre_out out-interface=\
    !ether1-gateway src-address-list=ALLOWED_PRIVATE_NETS
# Everything else the router sends is accepted.
add chain=output comment="Accept Output"
# proc_gre_in: from 172.16.0.0/16 on non-WAN interfaces accept only UDP/500,
# GRE, IPsec ESP, IPsec AH and ICMP.
add chain=proc_gre_in dst-port=500 in-interface=!ether1-gateway protocol
=udp \
    src-address=172.16.0.0/16
add chain=proc_gre_in in-interface=!ether1-gateway protocol=gre src-addr
ess=\
    172.16.0.0/16
add chain=proc_gre_in in-interface=!ether1-gateway protocol=ipsec-esp \
    src-address=172.16.0.0/16
add chain=proc_gre_in in-interface=!ether1-gateway protocol=ipsec-ah \
    src-address=172.16.0.0/16
add chain=proc_gre_in in-interface=!ether1-gateway protocol=icmp src-add
ress=\
    172.16.0.0/16
# Anything else from 172.16.0.0/16 is dropped and logged.
add action=drop chain=proc_gre_in in-interface=!ether1-gateway log=yes \
    log-prefix="FW-DROP_GRE_IN:  " src-address=172.16.0.0/16
# Other ALLOWED_PRIVATE_NETS sources are accepted without protocol limits.
add chain=proc_gre_in in-interface=!ether1-gateway src-address=!172.16.0
.0/16 \
    src-address-list=ALLOWED_PRIVATE_NETS
# Unmatched packets go back to the input chain after the jump rule.
add action=return chain=proc_gre_in
# proc_gre_out: the same protocol allow-list, matched on destination.
add chain=proc_gre_out dst-address=172.16.0.0/16 dst-port=500 out-interf
ace=\
    !ether1-gateway protocol=udp
add chain=proc_gre_out dst-address=172.16.0.0/16 out-interface=\
    !ether1-gateway protocol=gre
add chain=proc_gre_out dst-address=172.16.0.0/16 out-interface=\
    !ether1-gateway protocol=ipsec-esp
add chain=proc_gre_out dst-address=172.16.0.0/16 out-interface=\
    !ether1-gateway protocol=ipsec-ah
add chain=proc_gre_out dst-address=172.16.0.0/16 out-interface=\
    !ether1-gateway protocol=icmp
# NOTE(review): this outbound drop logs with the prefix "FW-DROP_GRE_IN",
# the same as the inbound chain, so the two cannot be told apart in the log.
add action=drop chain=proc_gre_out dst-address=172.16.0.0/16 log=yes \
    log-prefix="FW-DROP_GRE_IN:  " out-interface=!ether1-gateway
add chain=proc_gre_out dst-address=!172.16.0.0/16 dst-address-list=\
    ALLOWED_PRIVATE_NETS out-interface=!ether1-gateway
add action=return chain=proc_gre_out
# Mangle table: MSS clamping, policy-routing marks and QoS marks. None of
# these rules accepts or drops traffic.
# NOTE: several lines in this paste were hard-wrapped mid-token and must be
# rejoined before re-import.
/ip firewall mangle
# Rewrite the TCP MSS to 1418 on SYN packets toward ALLOWED_PRIVATE_NETS when
# the advertised MSS is outside 0-1350.
add action=change-mss chain=forward dst-address-list=ALLOWED_PRIVATE_NET
S \
    new-mss=1418 protocol=tcp tcp-flags=syn tcp-mss=!0-1350
# Exact duplicate of the rule above.
add action=change-mss chain=forward dst-address-list=ALLOWED_PRIVATE_NET
S \
    new-mss=1418 protocol=tcp tcp-flags=syn tcp-mss=!0-1350
# Disabled: routing mark VPN_TRAFFIC_OUT for LOCAL_VPN_NET -> HMA_VPN_OUT.
add action=mark-routing chain=prerouting comment=HMA_VPN_TRAFFIC disable
d=yes \
    dst-address-list=HMA_VPN_OUT log=yes new-routing-mark=VPN_TRAFFIC_OU
T \
    src-address-list=LOCAL_VPN_NET
# Active variant of the same match; applies routing mark TEST_VPN and logs
# each matching packet (log=yes).
add action=mark-routing chain=prerouting comment=HMA_VPN_TRAFFIC \
    dst-address-list=HMA_VPN_OUT log=yes new-routing-mark=TEST_VPN \
    src-address-list=LOCAL_VPN_NET
# QoS connection marks. For each of NETD, HIGH and NORMAL there are four
# rules: in/out on bridge-local, matched by source list or destination list.
add action=mark-connection chain=forward comment="INPUT - QOS_NETD - Mar
k" \
    in-interface=bridge-local new-connection-mark=NETD src-address-list=
\
    QOS_NETD_PRIORITY
add action=mark-connection chain=forward comment="INPUT - QOS_NETD - Mar
k" \
    dst-address-list=QOS_NETD_PRIORITY in-interface=bridge-local \
    new-connection-mark=NETD
add action=mark-connection chain=forward comment="OUTPUT - QOS_NETD - Ma
rk" \
    dst-address-list=QOS_NETD_PRIORITY new-connection-mark=NETD \
    out-interface=bridge-local
add action=mark-connection chain=forward comment="OUTPUT - QOS_NETD - Ma
rk" \
    new-connection-mark=NETD out-interface=bridge-local src-address-list
=\
    QOS_NETD_PRIORITY
add action=mark-connection chain=forward comment="INPUT - QOS_HIGH - Mar
k" \
    in-interface=bridge-local new-connection-mark=HIGH src-address-list=
\
    QOS_HIGH_PRIORITY
add action=mark-connection chain=forward comment="INPUT - QOS_HIGH - Mar
k" \
    dst-address-list=QOS_HIGH_PRIORITY in-interface=bridge-local \
    new-connection-mark=HIGH
add action=mark-connection chain=forward comment="OUTPUT - QOS_HIGH - Ma
rk" \
    dst-address-list=QOS_HIGH_PRIORITY new-connection-mark=HIGH \
    out-interface=bridge-local
add action=mark-connection chain=forward comment="OUTPUT - QOS_HIGH - Ma
rk" \
    new-connection-mark=HIGH out-interface=bridge-local src-address-list
=\
    QOS_HIGH_PRIORITY
add action=mark-connection chain=forward comment="INPUT - QOS_NORM - Mar
k" \
    in-interface=bridge-local new-connection-mark=NORMAL src-address-lis
t=\
    QOS_NORMAL_PRIORITY
add action=mark-connection chain=forward comment="INPUT - QOS_NORM - Mar
k" \
    dst-address-list=QOS_NORMAL_PRIORITY in-interface=bridge-local \
    new-connection-mark=NORMAL
add action=mark-connection chain=forward comment="OUTPUT - QOS_NORM - Ma
rk" \
    dst-address-list=QOS_NORMAL_PRIORITY new-connection-mark=NORMAL \
    out-interface=bridge-local
add action=mark-connection chain=forward comment="OUTPUT - QOS_NORM - Ma
rk" \
    new-connection-mark=NORMAL out-interface=bridge-local src-address-li
st=\
    QOS_NORMAL_PRIORITY
# Turn each connection mark into a packet mark of the same name.
# passthrough=no stops mangle processing for the packet once one matches.
add action=mark-packet chain=forward comment="QOS_NETD - Queue" \
    connection-mark=NETD new-packet-mark=NETD passthrough=no
add action=mark-packet chain=forward comment="QOS_HIGH - Queue" \
    connection-mark=HIGH new-packet-mark=HIGH passthrough=no
add action=mark-packet chain=forward comment="QOS_NORM - Queue" \
    connection-mark=NORMAL new-packet-mark=NORMAL passthrough=no
# NOTE(review): the address list "Tunnel" is not defined in the address-list
# section of this export -- confirm it exists, otherwise this never matches.
add action=mark-routing chain=prerouting dst-address-list=Tunnel \
    new-routing-mark=tunnel
# NAT table: source NAT for the VPN and WAN uplinks, plus the port forward
# the post is about.
# NOTE: several lines in this paste were hard-wrapped mid-token and must be
# rejoined before re-import.
/ip firewall nat
# Masquerade everything leaving through the HMAovpn-Client interface.
add action=masquerade chain=srcnat comment="Hide My Ass VPN" out-interfa
ce=\
    HMAovpn-Client
# The port forward under discussion. It matches TCP only (this export has no
# protocol=udp twin), and only packets arriving on ether1-gateway for the
# masked dst-address. No to-ports is given, so the destination port stays 5900.
# NOTE(review): the post names 192.168.29.229 as the internal target, but
# to-addresses here is 192.168.88.248 -- confirm which host runs the client.
# NOTE(review): dst-nat'd packets pass through the forward chain, and the
# forward chain in this export accepts everything, so the filter rules shown
# are not what drops them. Check the dst-address value, the target host's own
# firewall and any upstream filtering.
# NOTE(review): 5900 is the port conventionally used by VNC and is commonly
# probed from the internet; a non-default port narrows that exposure.
add action=dst-nat chain=dstnat dst-address=XXX.XXX.XXX.XXX dst-port=5900
 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.248
# Disabled: masquerade of 192.168.88.0/24 out of the VPN interface.
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=
yes \
    out-interface=HMAovpn-Client src-address=192.168.88.0/24
# Masquerade everything leaving through the WAN port.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

Any help would be much appreciated…I have tried everything it seems so it HAS to be my fw. Help :slight_smile:

I have tried all the suggested methods and still think my FW is borking it.

What have you tried, more specifically?

I am running transmission in a FreeNAS jail and this rule worked fine for me.

# Forward TCP port 5900 arriving for the external address to the same port on
# the internal host. <external IP> and <internal IP> are placeholders.
# This covers TCP only; UDP needs a second rule with protocol=udp.
/ip firewall nat add chain=dstnat dst-address=<external IP> protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=<internal IP> to-ports=5900

You might need to repeat it for UDP as well, or maybe you can use some sort of shorthand. I am fairly new to MikroTiks.

Well, well, well. It was easier than I thought and patience played a part. I deleted all my previous attempts at getting it to work and just enabled UPnP and waited. I watched on the NAT side of the firewall as the dynamic rules started to fill in. I noticed the protocol 17 (UDP) and protocol 6 (TCP) entries forwarding to the port in question for uTorrent and just copied them and voila.

Here they are:

# Static copies of the dynamic rules that UPnP created (per the post): one for
# TCP and one for UDP, forwarding port 37711 to 192.168.88.248:37711.
# dst-address is a literal public IP, so both rules stop matching if the WAN
# address changes.
# NOTE(review): matching on in-interface=ether1-gateway instead of dst-address
# would avoid that -- confirm against the setup.
# NOTE(review): while UPnP stays enabled, any LAN host can request further
# port mappings; with static rules in place it can be switched off again.
add action=dst-nat chain=dstnat dst-address=175.113.19.204 dst-port=37711 \
    protocol=tcp to-addresses=192.168.88.248 to-ports=37711
add action=dst-nat chain=dstnat dst-address=175.113.19.204 dst-port=37711 \
    protocol=udp to-addresses=192.168.88.248 to-ports=37711

However! I was doing this exact same rule but using port 5900 and it wouldn’t work…maybe that’s a bad port to use?