 
jonmill

DST-NAT not opening port

Wed Apr 14, 2021 3:34 am

Hi - I'm trying to open a couple of ports and have looked at the forum / documentation here, followed the previous advice, but the port is still not open. I'm on a MikroTik hEX S and I know my ISP is not blocking the ports since it worked on my old Ubiquiti router. I'm trying to open (to start) port 32400 and testing it via both the Plex UI, a 4G connection, and an external port-scanner...all of them say that the port is still closed. Any ideas?

Here's my config:
# RouterOS export as posted by the topic author (first version of the config).
# NOTE(review): the header carries the software id and serial number, and the
# listing carries MAC addresses; redact such identifiers by hand before sharing.
# apr/13/2021 17:31:55 by RouterOS 6.48.1
# software id = E5TS-FVUZ
#
# model = RB760iGS
# serial number = AE370C704F06
/interface bridge
add admin-mac=48:8F:5A:D9:36:A5 auto-mac=no comment=defconf name=bridge
# Interface lists referenced by the firewall and management settings below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools: "dhcp" for LAN clients, "vpn" for PPP (VPN) clients.
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# *FFFFFFFE is an internal id for a built-in PPP profile (presumably
# default-encryption - confirm); VPN clients get addresses from the "vpn" pool.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# ether2-ether5 and sfp1 are bridge ports; ether1 is left out and is the WAN port.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# use-ipsec=yes offers IPsec but still accepts L2TP sessions without it;
# use-ipsec=required is the setting that rejects unencrypted L2TP.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# PPTP's authentication and encryption are considered weak.
# NOTE(review): if L2TP/IPsec or SSTP cover the need, disable this server and
# remove the tcp/1723 accept rule from the input chain.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# The LAN address is bound to ether2, which is a bridge port (see
# /interface bridge port above); the first reply in the thread asks for
# interface=bridge instead.
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
# Registers the router's current WAN address under a MikroTik cloud DNS name.
# NOTE(review): that name is tied to the device's identity, so treat the serial
# number in the export header as sensitive while this is enabled.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
# Static DHCP leases (fixed address per client MAC). 192.168.1.210 is the host
# the dst-nat rules below forward to.
/ip dhcp-server lease
add address=192.168.1.101 mac-address=18:74:2E:D8:F5:0C
add address=192.168.1.201 mac-address=00:11:32:10:AA:9A
add address=192.168.1.242 mac-address=A8:A1:59:3F:AA:0B
add address=192.168.1.243 mac-address=A8:A1:59:3F:A1:1F
add address=192.168.1.126 mac-address=10:98:C3:BC:DF:8B
add address=192.168.1.148 mac-address=00:0C:29:28:BC:6B
add address=192.168.1.150 mac-address=C8:34:8E:60:E5:D1
add address=192.168.1.151 mac-address=B8:31:B5:31:9A:33
add address=192.168.1.152 mac-address=A4:5E:60:B9:45:F1
add address=192.168.1.200 mac-address=00:11:32:6D:17:99
add address=192.168.1.210 mac-address=00:0C:29:62:51:D7
add address=192.168.1.125 mac-address=98:09:CF:8F:6C:BA
add address=192.168.1.100 mac-address=50:14:79:1E:47:76
add address=192.168.1.153 mac-address=4C:ED:FB:BF:10:BB
add address=192.168.1.5 mac-address=00:0C:29:40:E7:75
add address=192.168.1.215 client-id=1:0:11:32:e1:d5:8 mac-address=\
    00:11:32:E1:D5:08 server=defconf
add address=192.168.1.64 client-id=\
    ff:8a:54:d0:44:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:48 server=defconf
add address=192.168.1.77 client-id=\
    ff:10:4e:b6:48:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:4A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries itself. This
# version of the input chain has no final drop rule, so nothing listed here
# stops queries that arrive on the WAN side.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# Input chain = traffic addressed to the router itself. Rules are evaluated in
# order. The chain below contains accept rules and "drop invalid" only: there is
# no closing rule that drops what is not from the LAN, so traffic from the WAN
# that matches none of the rules is still accepted. The first reply in the
# thread flags exactly this.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# VPN listeners opened to any source: IPsec NAT-T, IKE, L2TP, PPTP, SSTP.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Forward chain = traffic routed through the router.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from the WAN are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# No out-interface is given, so VPN-pool traffic is masqueraded on every egress,
# including toward the LAN; LAN hosts then see the router's address instead of
# the VPN client's.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# Port forwards to 192.168.1.210. Neither rule names an ingress interface or a
# destination address, so they match any TCP connection to these ports passing
# through the dstnat chain, not only connections arriving from the WAN.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
    to-addresses=192.168.1.210 to-ports=32400
# to-ports is omitted here, so the destination port is left unchanged (8920).
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=8920 protocol=tcp \
    to-addresses=192.168.1.210
# Only telnet, ftp and ssh are disabled. Other router services (www, winbox,
# api, ...) are not listed, so this export does not show them changed from their
# defaults. NOTE(review): with no closing drop rule in the input chain, whatever
# is still enabled is reachable from the WAN - confirm and restrict.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# UPnP lets hosts on the internal interfaces request port mappings on the
# external interface without authentication.
# NOTE(review): the internal interfaces listed are bridge ports, not the bridge.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
# VPN account; no password or service restriction appears in the export
# (presumably hidden or left at defaults - confirm).
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set time-zone=-08:00
# Layer-2 management (MAC-Telnet and MAC-WinBox) is limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: DST-NAT not opening port

Wed Apr 14, 2021 2:35 pm

(1) WHY? should be bridge!
# Quoted from the posted config: the LAN address is bound to ether2, which that
# config also lists as a bridge port; the correction asked for is interface=bridge.
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0

(2) DOUBLE WHY?
Did you remove the most important default firewall rule in the input chain, the one that protects your router from hacking............. aka remove from internet until fixed!!!
# Belongs in /ip firewall filter as the last input-chain rule: rules are evaluated
# in order, so the VPN and ICMP accept rules have to stay above it.
add action=drop chain=input in-interface-list=!LAN

(3) Both your Dst nat rules are missing the in-interface................
# in-interface-list=WAN limits the rewrite to connections arriving from the WAN
# side. With to-ports omitted, as here, the destination port is left unchanged.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
in-interface-list=WAN to-addresses=192.168.1.210
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=8920 protocol=tcp \
in-interface-list=WAN to-addresses=192.168.1.210
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Thu Apr 15, 2021 3:29 am

Thanks for the info - I've fixed the issues you mentioned (thanks for pointing out the additional issues, I appreciate it) and the ports are open but external traffic doesn't seem to be routing there properly. Internal traffic is routed just fine, but external requests don't make it (tested via a phone on cellular with WiFi off)...any ideas?

Updated config below:
# RouterOS export as posted by the topic author (second version, after the first
# round of advice). NOTE(review): the header still carries the software id and
# serial number, and the listing carries MAC addresses; redact such identifiers
# by hand before sharing an export.
# apr/14/2021 17:25:10 by RouterOS 6.48.1
# software id = E5TS-FVUZ
#
# model = RB760iGS
# serial number = AE370C704F06
/interface bridge
add admin-mac=48:8F:5A:D9:36:A5 auto-mac=no comment=defconf name=bridge
# Interface lists referenced by the firewall, NAT and management settings below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# *FFFFFFFE is an internal id for a built-in PPP profile (presumably
# default-encryption - confirm); VPN clients get addresses from the "vpn" pool.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# use-ipsec=yes offers IPsec but still accepts L2TP sessions without it;
# use-ipsec=required is the setting that rejects unencrypted L2TP.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# PPTP is still enabled; its authentication and encryption are considered weak.
# NOTE(review): if L2TP/IPsec or SSTP cover the need, disable this server and
# remove the tcp/1723 accept rule from the input chain.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# The LAN address now sits on the bridge rather than on one of its ports.
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
# Registers the router's current WAN address under a MikroTik cloud DNS name.
# NOTE(review): that name is tied to the device's identity, so treat the serial
# number in the export header as sensitive while this is enabled.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
# Static DHCP leases; 192.168.1.210 is the dst-nat target used further down.
/ip dhcp-server lease
add address=192.168.1.101 mac-address=18:74:2E:D8:F5:0C
add address=192.168.1.201 mac-address=00:11:32:10:AA:9A
add address=192.168.1.242 mac-address=A8:A1:59:3F:AA:0B
add address=192.168.1.243 mac-address=A8:A1:59:3F:A1:1F
add address=192.168.1.126 mac-address=10:98:C3:BC:DF:8B
add address=192.168.1.148 mac-address=00:0C:29:28:BC:6B
add address=192.168.1.150 mac-address=C8:34:8E:60:E5:D1
add address=192.168.1.151 mac-address=B8:31:B5:31:9A:33
add address=192.168.1.152 mac-address=A4:5E:60:B9:45:F1
add address=192.168.1.200 mac-address=00:11:32:6D:17:99
add address=192.168.1.210 mac-address=00:0C:29:62:51:D7
add address=192.168.1.125 mac-address=98:09:CF:8F:6C:BA
add address=192.168.1.100 mac-address=50:14:79:1E:47:76
add address=192.168.1.153 mac-address=4C:ED:FB:BF:10:BB
add address=192.168.1.5 mac-address=00:0C:29:40:E7:75
add address=192.168.1.215 client-id=1:0:11:32:e1:d5:8 mac-address=\
    00:11:32:E1:D5:08 server=defconf
add address=192.168.1.64 client-id=\
    ff:8a:54:d0:44:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:48 server=defconf
add address=192.168.1.77 client-id=\
    ff:10:4e:b6:48:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:4A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# The router answers DNS queries itself; the closing input drop rule below keeps
# new queries from non-LAN interfaces away from it.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# Input chain = traffic addressed to the router itself; rules are evaluated in
# order.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# VPN listeners opened to any source: IPsec NAT-T, IKE, L2TP, PPTP, SSTP.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Closing input rule: drops whatever the accepts above did not match unless it
# arrived on a LAN-list interface. It carries no comment=, which makes it easy
# to overlook when the rule list is edited later.
# NOTE(review): VPN clients terminate on dynamic PPP interfaces, which are
# presumably not in the LAN list, so this rule would apply to them too - confirm.
add action=drop chain=input in-interface-list=!LAN
# Forward chain = traffic routed through the router.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from the WAN are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# No out-interface is given, so VPN-pool traffic is masqueraded on every egress,
# including toward the LAN; LAN hosts then see the router's address instead of
# the VPN client's.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# Port forwards to 192.168.1.210, now limited to connections arriving on a
# WAN-list interface and with the target port stated explicitly.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.210 to-ports=\
    32400
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=8920 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.210 to-ports=\
    8920
# Only telnet, ftp and ssh are disabled; other router services (www, winbox,
# api, ...) are not listed, so this export does not show them changed from their
# defaults.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# UPnP lets hosts on the internal interfaces request port mappings on the
# external interface without authentication.
# NOTE(review): the internal interfaces listed are bridge ports, not the bridge.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
# VPN account; no password or service restriction appears in the export
# (presumably hidden or left at defaults - confirm).
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set time-zone=-08:00
# Layer-2 management (MAC-Telnet and MAC-WinBox) is limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: DST-NAT not opening port

Thu Apr 15, 2021 3:52 am

The /ip dhcp-server network line should also normally include dns-server=192.168.1.1

Set this line to NONE (mac-server access is not a secure method and should be avoided). mac-winbox is fine!
# The line the advice above refers to: this list governs MAC-Telnet access, and
# the suggestion is to set it to none.
/tool mac-server
set allowed-interface-list=LAN

I am not seeing any of the IP route settings????

(try turning UPNP off and testing connectivity).

Do you mean
a. you can directly access a Server by its LAN address
b. external folks, like myself, cannot access the server from an external WANIP given your server information?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Thu Apr 15, 2021 4:42 am

Meaning I can access the server locally using the internal IP address but external access does not increment the Packet Counters and does not connect. Port scanning, however, does show the ports as open...so it looks like the packet is being dropped or not routed correctly. Any ideas?
 
anav

Re: DST-NAT not opening port

Thu Apr 15, 2021 4:57 am

Already noted,
Dont see your Route settings?
Try turning Upnp off.
Set the dns server in the dhcp network settings.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Fri Apr 16, 2021 2:45 am

I don't have any routing rules setup specifically...I've never had a problem and internal traffic works fine; that and the DST-NAT specifies the destination IP address through the bridge. What do I need to add to the routing table?

I turned UPNP off

I added the router (192.168.1.1) and CloudFlare (1.1.1.1) as DNS servers in the DHCP network settings
 
anav

Re: DST-NAT not opening port

Fri Apr 16, 2021 5:41 am

So somehow you can reach the internet now with NO entries in IP Routes??
There must be some entries if you can successfully reach the net etc..

The only other thing that comes to mind is that you're in a double NAT scenario, where the actual WANIP you get from the ISP is a private IP and not a public IP?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Fri Apr 16, 2021 8:38 am

My full config (minus sensitive) is below. My router is directly connected to my modem and has a public IP (verified by checking the DHCP Client IP against external requests source IPs).

My routing table has 3 routes:
1) DAS Dst Address: 0.0.0.0/0 Gateway (external IP here) reachable ether1 Distance 1 Routing Mark null Pref. Source null
2) DAC Dst Address: (external IP here)/23 Gateway ether1 reachable Distance 0 Routing Mark null Pref. Source (external IP here)
3) DAC Dst Address 192.168.1.0/24 Gateway bridge reachable Distance 0 Routing Mark null Pref. Source 192.168.1.1
 
jonmill

Re: DST-NAT not opening port

Fri Apr 16, 2021 8:38 am

My full config (minus sensitive) is below. My router is directly connected to my modem and has a public IP (verified by checking the DHCP Client IP against external requests source IPs).

My routing table has 3 routes:
1) DAS Dst Address: 0.0.0.0/0 Gateway (external IP here) reachable ether1 Distance 1 Routing Mark null Pref. Source null
2) DAC Dst Address: (external IP here)/23 Gateway ether1 reachable Distance 0 Routing Mark null Pref. Source (external IP here)
3) DAC Dst Address 192.168.1.0/24 Gateway bridge reachable Distance 0 Routing Mark null Pref. Source 192.168.1.1

# RouterOS export as posted by the topic author with the Apr 16 post.
# NOTE(review): the header timestamp is apr/14/2021 17:25:10, and the listing
# still shows /ip upnp enabled=yes and no dns-server in /ip dhcp-server network,
# although the thread reports both as changed; this may be an older export
# rather than the running config - confirm.
# NOTE(review): the post says sensitive values were removed, but the software id,
# serial number and MAC addresses are still present; redact those by hand.
# apr/14/2021 17:25:10 by RouterOS 6.48.1
# software id = E5TS-FVUZ
#
# model = RB760iGS
# serial number = AE370C704F06
/interface bridge
add admin-mac=48:8F:5A:D9:36:A5 auto-mac=no comment=defconf name=bridge
# Interface lists referenced by the firewall, NAT and management settings below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# *FFFFFFFE is an internal id for a built-in PPP profile (presumably
# default-encryption - confirm); VPN clients get addresses from the "vpn" pool.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# use-ipsec=yes offers IPsec but still accepts L2TP sessions without it;
# use-ipsec=required is the setting that rejects unencrypted L2TP.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# PPTP is enabled; its authentication and encryption are considered weak.
# NOTE(review): if L2TP/IPsec or SSTP cover the need, disable this server and
# remove the tcp/1723 accept rule from the input chain.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# LAN address on the bridge.
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
# Registers the router's current WAN address under a MikroTik cloud DNS name.
# NOTE(review): that name is tied to the device's identity, so treat the serial
# number in the export header as sensitive while this is enabled.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
# Static DHCP leases; 192.168.1.210 is the dst-nat target used further down.
/ip dhcp-server lease
add address=192.168.1.101 mac-address=18:74:2E:D8:F5:0C
add address=192.168.1.201 mac-address=00:11:32:10:AA:9A
add address=192.168.1.242 mac-address=A8:A1:59:3F:AA:0B
add address=192.168.1.243 mac-address=A8:A1:59:3F:A1:1F
add address=192.168.1.126 mac-address=10:98:C3:BC:DF:8B
add address=192.168.1.148 mac-address=00:0C:29:28:BC:6B
add address=192.168.1.150 mac-address=C8:34:8E:60:E5:D1
add address=192.168.1.151 mac-address=B8:31:B5:31:9A:33
add address=192.168.1.152 mac-address=A4:5E:60:B9:45:F1
add address=192.168.1.200 mac-address=00:11:32:6D:17:99
add address=192.168.1.210 mac-address=00:0C:29:62:51:D7
add address=192.168.1.125 mac-address=98:09:CF:8F:6C:BA
add address=192.168.1.100 mac-address=50:14:79:1E:47:76
add address=192.168.1.153 mac-address=4C:ED:FB:BF:10:BB
add address=192.168.1.5 mac-address=00:0C:29:40:E7:75
add address=192.168.1.215 client-id=1:0:11:32:e1:d5:8 mac-address=\
    00:11:32:E1:D5:08 server=defconf
add address=192.168.1.64 client-id=\
    ff:8a:54:d0:44:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:48 server=defconf
add address=192.168.1.77 client-id=\
    ff:10:4e:b6:48:0:2:0:0:ab:11:95:a0:47:56:6c:49:c3:14 mac-address=\
    DC:A6:32:49:07:4A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# The router answers DNS queries itself; the closing input drop rule below keeps
# new queries from non-LAN interfaces away from it.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# Input chain = traffic addressed to the router itself; rules are evaluated in
# order.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# VPN listeners opened to any source: IPsec NAT-T, IKE, L2TP, PPTP, SSTP.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Closing input rule: drops whatever the accepts above did not match unless it
# arrived on a LAN-list interface.
add action=drop chain=input in-interface-list=!LAN
# Forward chain = traffic routed through the router.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from the WAN are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# No out-interface is given, so VPN-pool traffic is masqueraded on every egress,
# including toward the LAN.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# Port forwards to 192.168.1.210 for connections arriving on a WAN-list interface.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.210 to-ports=\
    32400
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=8920 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.210 to-ports=\
    8920
# Only telnet, ftp and ssh are disabled; other router services (www, winbox,
# api, ...) are not listed, so this export does not show them changed from their
# defaults.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# UPnP lets hosts on the internal interfaces request port mappings on the
# external interface without authentication.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
# VPN account; no password or service restriction appears in the export
# (presumably hidden or left at defaults - confirm).
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set time-zone=-08:00
# Layer-2 management (MAC-Telnet and MAC-WinBox) is limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: DST-NAT not opening port

Fri Apr 16, 2021 2:30 pm

I cannot fathom why an external attempt from the WAN does not work.
Assuming you mean from an external WANIP and not someone on the lan using the external WANIP (which is a loopback hairpin nat scenario).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Fri Apr 16, 2021 11:51 pm

Correct - I'm using a phone on 4G (WiFi fully disabled) to both port-scan and connect. The port-scanner shows that the ports are open but no connections are established and no counters are incremented in the router dashboard, showing that no packets are flowing through my dst-nat rules...I'm at a loss
 
anav

Re: DST-NAT not opening port

Sat Apr 17, 2021 2:26 am

Sadly the only thing I can suggest is reinstall firmware lets say the latest long term version..........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
jonmill

Re: DST-NAT not opening port

Thu Apr 22, 2021 12:32 am

That's unfortunate...does anyone else have any ideas?

Thanks for your help anav!
 
anav

Re: DST-NAT not opening port

Thu Apr 22, 2021 2:18 am

Suggest you get a friend to try and connect to your server and while doing so run packet sniffer in the tools.
Use the IP address of the server for example for the attempts.
Also try the same exercise running packet sniffer, but this time using the WAN interface as the filter (and ensure no one else is using the internet, so the capture is as quiet as possible).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
