verify port forward

parsec · April 2, 2014, 12:01pm

can some one please verify that I have set portforward properly as I don’t see any traffic passing

thank you

normis · April 2, 2014, 12:05pm

Looks fine, but make sure your gateway doesn’t have firewall on it (by default it does)

parsec · April 2, 2014, 12:16pm

Could you please provide instructions were to look ?

normis · April 2, 2014, 12:22pm

the menu called “IP → Firewall → Filter”

parsec · April 2, 2014, 5:31pm

Could you please provide and example as how it should be setup
Thank you

rextended · April 2, 2014, 5:38pm

paste

/export compact

on new termial and put the results the forum (hide passwords and usernames, if any)

parsec · April 2, 2014, 6:00pm

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.11 (c) 1999-2014 http://www.mikrotik.com/[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
/export compact

jan/01/1970 23:26:45 by RouterOS 6.11

software id = 1T7J-BNTK

/interface bridge
add admin-mac=D4:CA:6D:BB:FD:35 auto-mac=no l2mtu=1598 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=
20/40mhz-ht-above country=“united states” disabled=no distance=indoors
frequency=2462 l2mtu=2290 mode=ap-bridge ssid=* wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] name=ether2-master-local speed=1Gbps
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
/ip neighbor discovery
set wlan1 discover=no

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment=“default configuration” interface=wlan1
network=192.168.88.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.254 always-broadcast=yes client-id=1:0:10:99:31:b8:38
mac-address=00:10:99:31:B8:38 server=default
add address=192.168.88.239 client-id=1:0:80:87:c2:65:ea mac-address=
00:80:87:C2:65:EA server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add chain=input comment=“default configuration” connection-limit=100,0
dst-address-list=192.168.88.254 dst-address-type=“” in-interface=
ether1-gateway
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration”
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat connection-type=“” dst-address=192.168.88.254
dst-port=5060 in-interface=ether1-gateway protocol=udp to-addresses=
192.168.88.254 to-ports=5060
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5061
in-interface=ether1-gateway protocol=udp src-port=“” to-addresses=
192.168.88.254 to-ports=5061
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5004
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5004
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5012
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5012
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=10002
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=10002
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5200
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5200
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=10004
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=10004
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=10005
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=10005
add action=dst-nat chain=dstnat dst-address=192.168.88.253 dst-port=5080
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5200
add action=dst-nat chain=dstnat connection-type=sip dst-address=
192.168.88.254 dst-port=23 in-interface=ether1-gateway protocol=tcp
to-addresses=192.168.88.254 to-ports=23
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5063
in-interface=ether1-gateway protocol=udp src-port=“” to-addresses=
192.168.88.254 to-ports=5063
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5062
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5062
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=12060
protocol=udp to-addresses=192.168.88.254 to-ports=12060
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=32741
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=32741
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system leds
set 0 interface=wlan1
/tool graphing interface
add allow-address=192.138.88.254/32
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool sniffer
set filter-stream=yes

parsec · April 10, 2014, 4:37pm

Could you please provide advise how to remove firewall on the gateway, as for my confg should I be able to see traffic/
thank you

normis · April 11, 2014, 7:38am

Your firewall is not blocking anything, but your NAT rules are not correct. Many rules have identical “TO” and “DST” addresses like this:
add action=dst-nat chain=dstnat dst-address=192.168.88.254 dst-port=5200
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5200You can’t redirect a device to itself.

And this will also not work, since devices that are in the same network (LAN) will communicate directly, and router will not do any NAT for them:
add action=dst-nat chain=dstnat dst-address=192.168.88.253 dst-port=5080
in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254
to-ports=5200How is your network set up, and what are you trying to do?

parsec · April 11, 2014, 10:49am

Thank you
All I need to do is open ports 5060 5061 5004 5012 5062 5063 5080 5200 10002 10004 10005 12060 32741 for this IP 192.168.88.254

normis · April 11, 2014, 10:51am

By “open ports” you mean “forward requests from public network to a specific machine on the LAN” ?

in this case, like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway
protocol=tcp to-addresses=10.3.0.190 to-ports=2001
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-gateway
protocol=tcp to-addresses=10.3.0.190 to-ports=21which translates into “if somebody requests TCP port 80 on the router public IP address, redirect him to the TCP port 2001 on the machine 10.3.0.190 inside LAN”

parsec · April 11, 2014, 7:04pm

add action=masquerade chain=srcnat comment=“default configuration” out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1-gateway protocol=udp src-port=“” to-addresses=192.168.88.254 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5004 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254 to-ports=5004
add action=dst-nat chain=dstnat dst-port=5012 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.254 to-ports=5012
is this how should be if yes I still don’t see any bytes packets on those ports only on the 5060?
Thank you for your time