Yet another port forward issue

Hi guys!

I was browsing similar topics but none of them helped me. I’m trying to set up a simple port forward and it looks like everything is by the book, but it doesn’t work :frowning:

Here is the info:
RB751U-2HnD, v6.46.8

I have an ADSL modem that was set in bridge mode, so the Mikrotik does the PPPoE connection, with a dynamic public IP.
ether1 is the cable from the ADSL modem and ports 2, 3, 4, 5 are in a bridge.
I have NAT set up on that interface and the internet works fine. I have a port forward for my PC for ports 44866-44868.


/ip firewall nat print   
Flags: X - disabled, I - invalid, D - dynamic 
 
0    ;;; NAT for ADSL
      chain=srcnat action=masquerade out-interface=ADSL log=no log-prefix="" 

 1    ;;; PC
      chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=44866-44868 protocol=tcp in-interface=ADSL 
      dst-port=44866-44868 log=yes log-prefix="" 



/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; ping
      chain=input action=accept protocol=icmp src-address-list=whitelist log=no log-prefix="" 

 1    ;;; FTP
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=20 log=no log-prefix="" 

 2    ;;; FTP
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=21 log=no log-prefix="" 

 3    ;;; SSH
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=22 log=no log-prefix="" 

 4    ;;; DNS
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=53 log=no log-prefix="" 

 5    ;;; DNS
      chain=input action=accept protocol=udp src-address-list=whitelist dst-port=53 log=no log-prefix="" 

 6    ;;; Web
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=8080 log=no log-prefix="" 

 7    ;;; WinBox
      chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=8291 log=no log-prefix="" 

 8    ;;; input / new / drop
      chain=input action=drop connection-state=new log=no log-prefix=""

As you can see, it’s only the input chain for the router itself, and the whitelist contains my LAN subnet 10.10.10.0/24.

When I try with an open port checker tool it shows that the port is closed (and yes, I have an application running on that port; I even switched between two applications just to be sure).
I enabled logging and I see 3 TCP (SYN) packets; the counters move up as well, but that’s it.

dstnat: in:ADSL out:(unknown 0), proto TCP (SYN), 198.199.98.246:55844->MY_PUBLIC_IP:44866, len 60
dstnat: in:ADSL out:(unknown 0), proto TCP (SYN), 198.199.98.246:55849->MY_PUBLIC_IP:44866, len 60
dstnat: in:ADSL out:(unknown 0), proto TCP (SYN), 198.199.98.246:55854->MY_PUBLIC_IP:44866, len 60

I tested: if I remove the whitelist requirement for port 8080, the tool shows that it’s open (I’m using online tools, not local port scanners).

I also tried adding different forward rules in the filter, but nothing helped.

I would appreciate some help. Thanks!

Please post your config so we can see …
/export hide-sensitive file=anynameyouwish

From your post, it seems you don’t have a full grasp of firewall chains, and it seems you have deviated from the default firewall config, so:

Input = To router
Forward = Through router
Output = From router itself

Port forwarding works in the “Forward” chain.

If you run the command below in a terminal window, it will add a rule at the top of the firewall rule set that allows all the port forwarding you have configured. Your port forward rule looks OK, though you can omit the “to-ports” part as there is no port translation.

/ip firewall filter add action=accept chain=forward comment="Test DST Nat" connection-nat-state=dstnat in-interface=ADSL place-before=0

I know that all of my input rules are for the router itself, since I wanted access to those router ports/services from my subnet, and I could easily add an external IP to the whitelist.
What I probably don’t understand is this: if there are no filter forward rules, shouldn’t that mean that everything is “open”? Like if you don’t set any filter input rules, the router services are accessible?
The “problem” is that I had this setup working 2-3 years ago, when I was using a bridged ADSL modem; then I had to move to a “regular” setup and just adjusted the Mikrotik settings to be a DHCP client.
Now I just “re-enabled” the old config and everything works except the port forward.


I added the rule, but it’s still the same.
I tried this and similar options for the forward chain, since I was googling similar issues, but nothing helped.


The config is in the attachment, but I did remove some stuff from it like scripts, schedules, emails, usernames, etc.

I have to mention that it’s not the PC firewall or the application, since if I put the ADSL modem back in regular mode (with the port forward configured on it and the PC connected directly to it) I see the port open on canyouseeme.org.
export.rsc (7.24 KB)

Yes, the default action is “accept”, but you posted bits and pieces, so I was not sure what rules, etc. are in place.
Will look at your config file, it’s a little large, but for now, can you post the results from the command below while trying to access via port forwarding:

/tool sniffer quick port=44866

/tool sniffer quick port=44866
IN     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                        
AD    6.705      1 <-                                            198.199.98.246:46736                178.220.198.49:44866               
br    6.705      2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46736                10.10.10.10:44866                 
et    6.705      3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46736                10.10.10.10:44866                 
AD    7.704      4 <-                                            198.199.98.246:46736                178.220.198.49:44866               
br    7.704      5 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46736                10.10.10.10:44866                 
et    7.704      6 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46736                10.10.10.10:44866                 
AD    7.706      7 <-                                            198.199.98.246:46739                178.220.198.49:44866               
br    7.706      8 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46739                10.10.10.10:44866                 
et    7.706      9 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46739                10.10.10.10:44866                 
AD    8.704     10 <-                                            198.199.98.246:46739                178.220.198.49:44866               
br    8.704     11 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46739                10.10.10.10:44866                 
et    8.704     12 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46739                10.10.10.10:44866                 
AD    8.708     13 <-                                            198.199.98.246:46744                178.220.198.49:44866               
br    8.708     14 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46744                10.10.10.10:44866                 
et    8.708     15 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46744                10.10.10.10:44866                 
AD    9.704     16 <-                                            198.199.98.246:46744                178.220.198.49:44866               
br    9.704     17 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46744                10.10.10.10:44866                 
et    9.704     18 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11        198.199.98.246:46744                10.10.10.10:44866

This is what I see when I test it with the port checker tool.

Until you open your mind to using both forward and input chain rules, there is not much point in advising.

As for the input rules, unless the router is providing the services, the rules you have make no sense (DNS is the only one there that makes sense to me).
You only need one rule for admin access, and list the IPs on your LAN that are allowed in a firewall access list.

You would be best scrapping all your rules and starting with the default config ones.

You set up access service particulars on the router on different pages anyway. (I also don’t use the standard default ports for services to the router; if I use any besides WinBox, SSH maybe, the rest no way.)
Tools → MAC Server → MAC WinBox
System → Users
IP → Services

:smiley:
What are you talking about? I don’t need to open my mind, I need to open ports :slight_smile:
I set the filter forward rule and the dst-nat rule, and it doesn’t work…
(The filter forward rule is not included in the exported config, since I came here to post the config, then saw the post from CZFan and tried it without success.)


Sorry, I really don’t understand you… I should not use FTP, SSH, web and WinBox just because you don’t use them?

Take it or leave it, as advice goes, LOL. It costs nothing.
Both a KISS and a security principle: if you don’t need it, don’t configure it!
WinBox is all the access you need to the router (perhaps SSH as backup).
It’s always best to post the entire config, at least for me; others are much more adept at knowing the issue from less data.

The full config is uploaded.
The missing DynDNS scripts with my username and password, and the scheduler that executes them, are not relevant :slight_smile:
Sorry, I need to configure the router the way I need it, not the way you want it :wink:
I want FTP, I want SSH, etc…
And I still don’t see how this is relevant to my problem; having those input rules there (FTP, SSH, web, WinBox) or not doesn’t make a difference for my problem :slight_smile:
If you can help, please give usable advice :smiley:

From the info you posted, I don’t see any problems in the config, and the packets are being forwarded to 10.10.10.10, but it seems the reply comes from a different IP (178.220.198.49), so I’m not sure if there are 2 IPs on that PC/server or if it is following a different path in your network, which will break the app you’re trying to access / forward.

That’s my dynamic public IP address (the IP that is assigned to the ADSL interface when PPPoE gets dialed out).

Had a look at the config…

(1) Where is the definition of the second WLAN, WLAN-HG520c? (I only see the definition of wlan1.)

/ip address
add address=10.10.10.1/24 comment=LAN interface=bridge1 network=10.10.10.0
(so your bridge passes out LAN IPs to all bridge ports)
add address=10.10.15.1/24 comment=WLAN disabled=yes interface=wlan1 network=10.10.15.0
add address=10.10.11.1/24 comment=WLAN-HG520c disabled=yes interface=ether1 network=10.10.11.0
(Seems like this should be a different ether port???)
add address=10.10.12.1/24 comment="VM LAN" disabled=yes interface=ether5 network=10.10.12.0
(interface=ether5 ???)
add address=192.168.1.100 disabled=yes interface=ether1 network=192.168.1.0
(not sure what this is doing or not doing… pptp is supposed to be associated to ether1 ???)

So the confusing part for me is that you want ether ports 2, 3, 4, 5 to be on the bridge, and the bridge is handing out DHCP in 10.10.10.x, BUT then you have ether5 getting its own DHCP independent of the bridge. Is this on purpose?

Now I see wlan1 is your second ISP?? I am completely confused by your wireless setup, so I will profess my inability to comprehend. So I cannot help with it.

What does this accomplish, functionality-wise? I don’t use it, but I’m interested in the use case.
/ip service
set www address=10.10.10.0/24,192.168.0.0/24,192.168.1.0/24 port=8080

That sniffer output looks like packets are correctly sent to 10.10.10.10. It makes sense; there’s no reason why they wouldn’t be, as there’s nothing in your config to stop them. But there are no responses coming back from 10.10.10.10. So check on 10.10.10.10 what happens there. If it’s a PC, then a packet sniffer like Wireshark will show you everything.

@anav: I wouldn’t worry too much about things with disabled=yes.

+1


I have this in Wireshark:

32042	676.240061	198.199.98.246	10.10.10.10	TCP	74	44397 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598739619 TSecr=0 WS=256
32064	677.239593	198.199.98.246	10.10.10.10	TCP	74	[TCP Retransmission] 44397 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598739869 TSecr=0 WS=256
32065	677.240173	198.199.98.246	10.10.10.10	TCP	74	44398 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598739870 TSecr=0 WS=256
32128	678.241367	198.199.98.246	10.10.10.10	TCP	74	[TCP Retransmission] 44398 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598740120 TSecr=0 WS=256
32129	678.243459	198.199.98.246	10.10.10.10	TCP	74	44399 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598740120 TSecr=0 WS=256
32153	679.239231	198.199.98.246	10.10.10.10	TCP	74	[TCP Retransmission] 44399 → 44866 [SYN] Seq=0 Win=14600 Len=0 MSS=1452 SACK_PERM=1 TSval=3598740370 TSecr=0 WS=256

Mikrotik log from NAT and filter:

nat_ dstnat: in:ADSL out:(unknown 0), proto TCP (SYN), 198.199.98.246:44397->109.93.242.XX:44866, len 60
filter_ forward: in:ADSL out:bridge1, proto TCP (SYN), 198.199.98.246:44397->10.10.10.10:44866, NAT 198.199.98.246:44397->(109.93.242.XX:44866->10.10.10.10:44866), len 60
filter_ forward: in:ADSL out:bridge1, proto TCP (SYN), 198.199.98.246:44397->10.10.10.10:44866, NAT 198.199.98.246:44397->(109.93.242.XX:44866->10.10.10.10:44866), len 60

198.199.98.246 - port checker tool
109.93.242.XX - my public IP

And how sure are you that there’s something listening on 10.10.10.10:44866? I’d say either there isn’t, or it’s blocked by the PC’s firewall; otherwise it would respond.
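As an added example (not code from the thread, from MikroTik, or from any poster), here is a Python script that applies the reasoning of the sniffer analysis and of the last reply above: it parses /tool sniffer quick output in the column layout shown in the thread and reports, per remote endpoint, at which hop a forwarded flow stops (never reached the WAN, reached the WAN but never went out to the LAN host, reached the LAN host but got no reply, or reply never went back out). SAMPLE_BROKEN is the thread's own capture (first two SYN attempts). The healthy and filtered captures, the remote addresses 198.51.100.7 and 203.0.113.9, and the assumption that a reply from the LAN host shows up on the bridge/ether port as a "<-" packet with swapped addresses and on the WAN as a "->" packet from the public address, are constructed for this example.

```python
# Added example, not from the forum thread: locate where an inbound port forward
# breaks by walking a MikroTik "/tool sniffer quick" capture hop by hop.
from __future__ import annotations

import re
from dataclasses import dataclass

# Column layout of "/tool sniffer quick": interface, time, packet number, direction,
# optional src/dst MAC (absent on the PPPoE interface), optional VLAN, src, dst.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)"
    r"(?:\s+(?P<smac>[0-9A-Fa-f:]{17})\s+(?P<dmac>[0-9A-Fa-f:]{17}))?"
    r"(?:\s+(?P<vlan>\d+))?"
    r"\s+(?P<src>\S+:\d+)\s+(?P<dst>\S+:\d+)\s*$"
)

# Diagnosis stages, ordered from the outside in.
NOT_ON_WAN = "no SYN seen on the WAN interface (upstream/ISP or wrong public IP)"
NOT_TRANSLATED = "SYN hit the WAN but never went out to the LAN host (dst-nat or forward filter)"
NO_HOST_REPLY = "SYN delivered to the LAN host, no reply (nothing listening or host firewall)"
REPLY_NOT_RETURNED = "host replied but the reply never left the WAN (routing or src-nat)"
OK = "forward works"


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "<-" = received on iface, "->" = sent out of iface
    src: str        # "ip:port"
    dst: str        # "ip:port"


def parse_sniffer(text: str) -> list[Packet]:
    """Parse sniffer output; the header and any unparseable line are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["iface"], m["dir"], m["src"], m["dst"]))
    return packets


def diagnose(packets: list[Packet], wan_iface: str, public_ip: str,
             lan_ip: str, port: int) -> dict[str, str]:
    """Return {remote "ip:port": stage} for every flow aimed at the forwarded port."""
    outside = f"{public_ip}:{port}"   # what the remote connects to
    inside = f"{lan_ip}:{port}"       # what dst-nat rewrites it to

    def seen(on_wan: bool, direction: str, src: str, dst: str) -> bool:
        return any(p.direction == direction and p.src == src and p.dst == dst
                   and (p.iface == wan_iface) == on_wan for p in packets)

    remotes = {p.src for p in packets if p.dst in (outside, inside)}
    result = {}
    for remote in sorted(remotes):
        if not seen(True, "<-", remote, outside):
            result[remote] = NOT_ON_WAN
        elif not seen(False, "->", remote, inside):
            result[remote] = NOT_TRANSLATED
        elif not seen(False, "<-", inside, remote):
            result[remote] = NO_HOST_REPLY
        elif not seen(True, "->", outside, remote):
            result[remote] = REPLY_NOT_RETURNED
        else:
            result[remote] = OK
    return result


# The thread's own capture: SYNs go out to 10.10.10.10, nothing comes back.
SAMPLE_BROKEN = """
IN  TIME   NUM DI SRC-MAC           DST-MAC           VLAN SRC-ADDRESS           DST-ADDRESS
AD  6.705    1 <-                                          198.199.98.246:46736  178.220.198.49:44866
br  6.705    2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.199.98.246:46736  10.10.10.10:44866
et  6.705    3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.199.98.246:46736  10.10.10.10:44866
AD  7.704    4 <-                                          198.199.98.246:46736  178.220.198.49:44866
br  7.704    5 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.199.98.246:46736  10.10.10.10:44866
et  7.704    6 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.199.98.246:46736  10.10.10.10:44866
"""

# Constructed: a working forward, the host answers and the reply goes back out.
SAMPLE_OK = """
AD  1.000    1 <-                                          198.51.100.7:40000    178.220.198.49:44866
br  1.000    2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.51.100.7:40000    10.10.10.10:44866
et  1.000    3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11      198.51.100.7:40000    10.10.10.10:44866
et  1.001    4 <- BC:5F:F4:60:4D:11 D4:CA:6D:6A:91:51      10.10.10.10:44866     198.51.100.7:40000
br  1.001    5 <- BC:5F:F4:60:4D:11 D4:CA:6D:6A:91:51      10.10.10.10:44866     198.51.100.7:40000
AD  1.001    6 ->                                          178.220.198.49:44866  198.51.100.7:40000
"""

# Constructed: the SYN arrives but is dropped before reaching the bridge
# (missing dst-nat rule or a forward-chain drop).
SAMPLE_FILTERED = """
AD  2.000    1 <-                                          203.0.113.9:51000     178.220.198.49:44866
"""

if __name__ == "__main__":
    for name, capture in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK),
                          ("filtered", SAMPLE_FILTERED)):
        verdict = diagnose(parse_sniffer(capture), "AD", "178.220.198.49", "10.10.10.10", 44866)
        for remote, stage in verdict.items():
            print(f"{name}: {remote}: {stage}")
```

Run it against a real capture by pasting the sniffer output into a file and feeding it to parse_sniffer; the WAN interface name, public IP and LAN host are whatever your own setup uses. A flow that stops at NO_HOST_REPLY, as in the thread's capture, is the router's job done: the next place to look is the host's listener and its firewall, not the router's NAT or filter rules.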