Why doesn't the port open?

Hello. Help me, please!
I want to open a port for my virtual machine whose ip is 192.168.88.100 with port 7777 for UDP. Locally the server works, everything is fine. I write my external ip, then the port is closed, etc.

Device: Hap ac2
Settings default
RouterOS v7.7 (stable)
Address Acquisition: PPPoE
ISP: IP in stock

The settings I made:
ip
firewall
nat add
chain=dstnat
Dst. Address= my isp ip
protocol= 17 (udp)
dst-port=7777
In. Interface List= WAN
action=dst-nat
to-address=192.168.88.100 (ip virtual machine)
to-port=7777

config
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

Thank you in advance for your response

add this and try again:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge

I added.
Port 7777 is closed on my ip

Your ISP may filter game ports. Ask them whether they do or not.

For a start, your “my isp ip” is public (not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x) and directly on your router (you can see it in IP->Addresses), correct?

They said that all the ports are open and set up the router

https://bayfiles.com/ra28y6Z9y9/1_png
https://bayfiles.com/qa2cy0Z8y9/2_png

Sorry, but with that title, “Why doesn’t the port open?”,
you get this reply: “Have you tried turning the knob or using the key?”
:laughing:

Really, is that where you went…?

Shocking, I thought it would have been,
… if it's open we must drink it soon, otherwise it will go bad. :wink:

OR

The port is closed due to an explosion at the docks…

Very excellent response from "guru". I am not a sysadmin, and I am entitled to make a mistake. I was looking for information on how to solve my question, so I come to the forum when I can no longer solve it at all. For me it is a dark forest in the light of day.

My answer to rextended is the same as yours.
Thank you!

You took it from the wrong point of view, it was just a joke to defuse, given the title it came naturally to me.
Too much seriousness in life kills earlier.

Don't take me seriously just because it says "Forum Guru"...
Trust the guru :laughing:

Okay, I hear you). It's just that the language barrier makes it hard to take jokes. :unamused:

Is it also the language barrier that makes you answer only half of the questions? :slight_smile: Now we know that if it starts with 91, it’s a public address. But we still don’t know if your router actually has this address. Once again, look in IP->Addresses, is this address there?

Is it also language barrier that makes you answer only half of questions?
Sorry.

IP → Addresses, is this address there? Yes

https://bayfiles.com/26d42fZ1ye/Screenshot_at_2023_02_21_20_52_14_png

Yes, it’s correct and it should work. Even if it wouldn’t work completely, you should at least see some incoming packets, counters for dstnat rule (columns Bytes and Packets) should increase. How do you test it?

I connect to the server, or use sites where you can check any ports.
Can you please tell me if I have the right NAT?
https://bayfiles.com/ra28y6Z9y9/1_png

Not from a screenshot, it can hide some things. But based on your description in the first post it should be OK. To be sure, try to run this in Terminal:

/export file=myconfig

and then post the content of the created myconfig.rsc here in code tags.

Finally Sob you are getting the hang of helping, next time ask for the config on the first post ;-PP



 by RouterOS 7.7
# model = RBD52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=XXXX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=XXXX wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXK
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
    dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.88.101 to-ports=7777  #192.168.88.101 correct for Virtual Machine
/ip hotspot service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:XXX::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=MY IPv6::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=XXXX/XXXXX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
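
The checks asked for in the thread (is the dst-address public, does the rule point at the server, does the WAN list cover the uplink) can be run over an export mechanically. This is an added example, not part of any post and not MikroTik code; it goes slightly beyond the thread by also checking that the PPPoE interface is a member of the rule's in-interface-list. The names `parse_export` and `audit_dstnat` are hypothetical, and `SAMPLE` is a constructed, shortened excerpt of the export above.

```python
import ipaddress
import re

# Ranges the thread lists as not public: RFC 1918 plus CGNAT 100.64.0.0/10.
NON_PUBLIC = [ipaddress.ip_network(n) for n in "10.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.168.0.0/16".split()]

# Constructed sample: a shortened excerpt of the export posted in the thread.
SAMPLE = r"""
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface list member
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip firewall nat
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
    dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.88.101 to-ports=7777
"""

def parse_export(text):
    """Parse an /export into {menu path: [{property: value}, ...]}."""
    text = re.sub(r"\\\n\s*", "", text)  # join "\" continuation lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def audit_dstnat(text, server_ip):
    """Return findings for each dst-nat rule; server_ip is the intended target."""
    cfg, out = parse_export(text), []
    lans = [ipaddress.ip_interface(a["address"]).network for a in cfg.get("/ip address", [])]
    uplinks = {p["name"] for p in cfg.get("/interface pppoe-client", [])}
    for r in (r for r in cfg.get("/ip firewall nat", []) if r.get("action") == "dst-nat"):
        dst, to, lst = r.get("dst-address"), ipaddress.ip_address(r["to-addresses"]), r.get("in-interface-list")
        if dst and any(ipaddress.ip_address(dst) in n for n in NON_PUBLIC):
            out.append(f"dst-address {dst} is not a public address")
        if not any(to in n for n in lans):
            out.append(f"to-addresses {to} is outside every LAN subnet")
        if str(to) != server_ip:
            out.append(f"rule forwards to {to}, server is {server_ip}")
        in_list = {m["interface"] for m in cfg.get("/interface list member", []) if m["list"] == lst}
        if lst and uplinks - in_list:
            out.append(f"PPPoE interface {sorted(uplinks - in_list)} missing from list {lst}")
    return out
```

Called as `audit_dstnat(SAMPLE, "192.168.88.100")` with the address from the first post, it reports that the rule forwards to 192.168.88.101 instead; the comment in the export calls .101 correct, so that difference is for the poster to confirm.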