Community discussions

 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Please help with port forwarding!

Wed Apr 12, 2017 2:28 pm

Recently bought a Mikrotik Router and now I have some questions related to port forwarding.
I am using LMT 4g router Huawei E3272 with this router https://www.router.lv/product/172/lv/

I have set up 4g as per instructions I found on internet (dhcp client on lte interface and masquarade).

Now I am trying to forward incoming ports but with no success.
Please look at my configuration and help to resolve the issue:
1.JPG
2.JPG
3.JPG
You do not have the required permissions to view the files attached to this post.
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 12, 2017 2:42 pm

interfaces.JPG
firewall.JPG
You do not have the required permissions to view the files attached to this post.
 
User avatar
satman1w
Member Candidate
Member Candidate
Posts: 106
Joined: Mon Oct 02, 2006 11:47 am
Location: Croatia

Re: Please help with port forwarding!

Wed Apr 12, 2017 3:17 pm

There is no point in looking into your config without knowing what was your intention.
So, the question is: What would like to do?

Forward what (ip:port) where (ip:port)...

regards
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 12, 2017 3:42 pm

Sorry, forgot to state that.
My goal is to forward port 80 from LTE interface to 192.168.88.254 in local network.
The LTE modem has a dynamic IP address that is changed each time it is restarted.
 
sash7
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Sun Mar 20, 2016 10:39 pm

Re: Please help with port forwarding!

Wed Apr 12, 2017 6:10 pm

it's not clear what you have in forward chain.
add accept rule for connection-nat-state=dstnat, or write rule with right address and ports.
 
sid5632
Member
Member
Posts: 353
Joined: Fri Feb 17, 2017 6:05 pm

Re: Please help with port forwarding!

Wed Apr 12, 2017 8:47 pm

Sorry, forgot to state that.
My goal is to forward port 80 from LTE interface to 192.168.88.254 in local network.
Stop posting images as they don't show all the detail and take up masses of screen space.
Open a terminal and issue the commands "/ip firewall nat export" and "/ip firewall filter export" and report the output.
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 2:15 pm

Thank You for the hint, sid5632! I was going to ask whether there is an easy way to export and share the configuration.
Here is what I have configured:
[admin@MikroTik] > /ip firewall nat export
# apr/13/2017 14:01:52 by RouterOS 6.34.4
# software id = 3FPY-TT1R
#
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=dst-nat chain=dstnat dst-port=80 in-interface=lte1 log=yes \
protocol=tcp to-addresses=192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=lte1 log=yes \
protocol=tcp to-addresses=192.168.88.254 to-ports=22
[admin@MikroTik] >
[admin@MikroTik] > /ip firewall filter export
# apr/13/2017 14:12:35 by RouterOS 6.34.4
# software id = 3FPY-TT1R
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related
# in/out-interface matcher not possible when interface (ether1) is slave - use m
ster instead (bridge-lan)
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related,new
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# in/out-interface matcher not possible when interface (ether1) is slave - use m
ster instead (bridge-lan)
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add chain=forward connection-nat-state=dstnat log=yes
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 2:16 pm

Thank You for the advise, sash7. I added the rule but it did not help. Please see my configuration one post above!
 
erlinden
Member Candidate
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 3:51 pm

How are you testing the port forward?
Sure the 192.168.88.254 isn't your router, but the server running both SSH and Web?
What do you see when you browse to http://192.168.88.254?
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 4:05 pm

Yes, http://192.168.88.254 is a local server running SSH and WEB.
In local network when I enter http://192.168.88.254 the root web page is displayed. I can also access the SSH from local network.

When testing from 'outside' e.g. Internet I am using no-ip.com to handle dynamic IP change. Router is sending updates to no-ip.com to keep the ip associated wit the domain updated. To test I go to my no-ip domain and try to reach it via web browser or SSH. I have done this kind of scenario with another router (basic tp-link) and the setup is working on that thus I think this is only a matter of correct configuration to get it working on Mikrotik router.

Please help to resolve!
 
sash7
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Sun Mar 20, 2016 10:39 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 4:52 pm

little mess in forward chain. Try temporary to disable all rules in forward and test again (use safe mode) . nat rules is ok
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Thu Apr 13, 2017 8:39 pm

Thank You for suggestion sash7!
Tried it but unfortunately did not help.
I am getting ERR_CONNECTION_TIMED_OUT when connecting from outside internet.

I wonder how can I debug this further? Maybe there are some issues with interface configuration?
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Tue Apr 18, 2017 12:18 pm

Please help to resolve this issue! At least point to right direction to look at.
Thx in andvance!
 
Sob
Forum Guru
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please help with port forwarding!

Tue Apr 18, 2017 8:46 pm

Stupid question, do you have public IP address? When you resolve your no-ip hostname, do you see the same IP address in router's IP->Addresses?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Van9018
Long time Member
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Please help with port forwarding!

Wed Apr 19, 2017 3:51 am

Has this worked with other routers? ISPs in my region block inbound ports 80 and 22 to protect their residential customers from being hacked. Only way to get these ports unblocked by our ISPs is to subscribe to a business internet plan for an extra 20% per month.

Run Tools > Torch
It'll show if the packets are even making it to your router.
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 19, 2017 11:08 am

Thank You for the question Sob!
IP->Addresses shows IP that is assigned to router by LTE modem (there is a dhcp client on lte interface). It is always set to 192.168.1.100 . This IP is not equal the public IP.
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 19, 2017 11:25 am

Has this worked with other routers? ISPs in my region block inbound ports 80 and 22 to protect their residential customers from being hacked. Only way to get these ports unblocked by our ISPs is to subscribe to a business internet plan for an extra 20% per month.

Run Tools > Torch
It'll show if the packets are even making it to your router.
Yes, this configuration works with a TP-Link router.

Thank You for the hint regarding Torch tool. Actually I do not see incoming connections on lte interface on ports 22 or 80. Does that mean that nothing reaches the router?
 
Sob
Forum Guru
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please help with port forwarding!

Wed Apr 19, 2017 1:48 pm

If public address is on modem, you must find a way how to tell it to forward ports to router. Without it, all connections end up on modem and have no chance to reach router.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 19, 2017 3:12 pm

Thank You for the advice, Sob! I am also reading other topics and it seems to be the problem indeed. Unfortunately the configuration interface for this router is very limited and does not offer such option.
The interesting thing is that this works out of the box with a tp-link router and default software (which is shit in any other aspect)
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: Please help with port forwarding!

Wed Apr 19, 2017 4:18 pm

>In your dst-nat rules remove the in-interface as lte1
>Go to IP>Cloud and enable it, allow it to update and copy the host name.
>Go to IP>Firewall>Address-Lists and create a new address list called dynamic-IP and enter the host name into the address field, recent rOS will resolve the host name dynamically and create an entry with a "D" before it
>Go to your dst-nat rule and click into "advanced" and use the "destination address list" drop down and set it to the "dynamic-IP" address list you have created.

It sounds as though the IP is not a public facing (and a lot of mobile carriers do carrier level NAT) however this may work for you.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
KrisjanisGross
just joined
Topic Author
Posts: 13
Joined: Wed Apr 12, 2017 2:21 pm

Re: Please help with port forwarding!

Wed Apr 19, 2017 9:06 pm

Thx for the advise Steveocee! Unfortunately it did not help in my case.
 
Sob
Forum Guru
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please help with port forwarding!

Thu Apr 20, 2017 1:45 am

My personal experience with LTE modems is zero, but from what I read in the past (unfortunately I didn't pay much attention to that), those things have different modes of operation. One is what you have now, where modem acts as router with dhcp server, and your real router is only in modem's LAN. But there should/could be other(s) that would give public address directly to your router. It probably depends on exact modem model, so try to find something about that.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.

Who is online

Users browsing this forum: No registered users and 30 guests