Admin529a3
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 2:07 am

Port Forwarding for the beginner

Sat Aug 19, 2017 2:17 am

I am the IT here at my office and I got tossed into this Mikrotik CCR1009 router. I love it because I have the ability of full control; however, I am not brushed up on the scripting, and port forwarding is the big thing with most routers. I would like port forwarding scripting for the following:

1. Internal IP to internal IP from the same machine; in other words, I am on machine IP 192.168.100.12 and the server is running on the same IP and machine. I need to forward the following ports:
a. 4550
b. 5550
c. 6550
d. 5551
e. 8866

Here are the scripts I have tried:
/ip firewall nat
add chain=dstnat dst-address=66.214.32.62 protocol=tcp dst-port=4550 \
    action=dst-nat to-addresses=192.168.100.12
add chain=srcnat out-interface=WAN action=masquerade

The script loads and saves without errors; however, it does not let me access the server at port 4550 on IP 192.168.100.12.
Any ideas?
Thank you,
Rob
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port Forwarding for the beginner

Sat Aug 19, 2017 2:48 am

What are your firewall filter rules?

Open a New Terminal and issue:
/export
Then copy and paste the output here.

Your port forwarding is apparently fine.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
Admin529a3
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 2:07 am

Re: Port Forwarding for the beginner

Sat Aug 19, 2017 3:54 am

Issue:
I have a server sitting on IP 192.168.100.12 and using several ports: 4550, 5550, 6550, 5551, 8866,
and the machine I am using to access said server is the same machine that the server is running on,
192.168.100.12.
QUESTIONS ON PORT FORWARDING TO JAY.png
See this attachment for the details; it explains it better. Ignore Jay, he is my regular tech who happens to be on vacation right now.

Thank you for anything you can assist with
Rob
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Port Forwarding for the beginner

Mon Aug 21, 2017 5:27 pm

The best solution would be to use DNS to access the services on the host, and resolve the name to the public IP address for outside clients, and to the internal IP address for inside clients (including the host itself).

If you do that, then the traffic between the service and client running on the same machine will not even waste time leaving the machine and coming back to it with the addresses natted.
Using an external device (such as the Mikrotik) will work, but it requires that the host needlessly send packets out onto the network to get bounced off of the Mikrotik.

But to make the Mikrotik do what you want, you need to set up hairpin NAT.
There are many, many threads on here about hairpin NAT, so feel free to google up some links and see how that works.
In a nutshell, the Mikrotik needs to do srcnat (usually masquerade) on packets going out the LAN interface whose original source IP address is also part of the same network.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Admin529a3
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 2:07 am

Re: Port Forwarding for the beginner

Mon Aug 21, 2017 5:47 pm

Is this something like you're referring to as far as a hairpin script?

*************************************************** BEGIN **********************************************
/ip firewall nat
add chain=srcnat src-address={WAN IP}66.214.32.62 \
    dst-address={LAN IP}192.168.100.24 protocol=tcp dst-port={LOCAL PORT}4550 \
    out-interface=LAN action=masquerade
*************************************************** END ************************************************

Unlike most here, I am a very visual person and prefer to see the actual script; the terminology means very little to me. I dunno, that is just me.
In other words, I know someone by their face, not their name; all these fancy words like natted and resolve are foreign to me.

Otherwise, above I left an example I had here on hairpins,

and this will allow me to connect when I am within the network, while the port forward is intended to let traffic in from the outside through the firewall and onto a port sitting on a LAN IP.
Thank you very much
Rob
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Port Forwarding for the beginner

Mon Aug 21, 2017 6:06 pm

Using DNS:
Use hostname Mybox.example.com instead of the literal IP address 192.168.100.24 / 66.214.32.62

If you're inside the network, and were to type "ping mybox.example.com" then you should ping 192.168.100.24
If you're outside the network, then "ping mybox.example.com" would ping 66.214.32.62

Using Hairpin:
/ip firewall nat
add chain=srcnat out-interface=LAN src-address=192.168.100.0/24 action=masquerade
When given a spoon,
you should not cling to your fork.
The soup will get cold.
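To make the hairpin rule above concrete, here is an added Python model (not code from the thread or from MikroTik) of the router's two NAT passes. It traces a LAN client at 192.168.100.12 connecting to the public IP 66.214.32.62 on port 4550 with the dst-nat rule from the first post, and shows why the server's reply is rejected without the srcnat rule on the LAN interface and accepted with it. The router's LAN address 192.168.100.1 and the split of 192.168.100.12 as client and 192.168.100.24 as server are assumptions.

```python
from dataclasses import dataclass, replace

# Addresses taken from the thread; the router's own LAN address is assumed.
WAN_IP = "66.214.32.62"
SERVER = "192.168.100.24"
CLIENT = "192.168.100.12"
ROUTER_LAN = "192.168.100.1"   # assumed LAN address of the CCR
LAN_PREFIX = "192.168.100."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dstnat(p: Packet) -> Packet:
    """The thread's dst-nat rule: public IP, tcp/4550 -> server."""
    return replace(p, dst=SERVER) if (p.dst == WAN_IP and p.dport == 4550) else p


def srcnat(p: Packet, hairpin: bool) -> Packet:
    """Masquerade on the WAN interface; with hairpin enabled, also masquerade
    on the LAN interface for packets whose source is already in the LAN."""
    if not p.dst.startswith(LAN_PREFIX):          # out-interface=WAN
        return replace(p, src=WAN_IP)
    if hairpin and p.src.startswith(LAN_PREFIX):  # out-interface=LAN, src in LAN
        return replace(p, src=ROUTER_LAN)
    return p


def connect_via_public_ip(hairpin: bool):
    """Trace CLIENT -> WAN_IP:4550 and return (reply source as seen by the
    client, whether the client's TCP stack accepts that reply)."""
    request = Packet(CLIENT, WAN_IP, 4550)
    delivered = srcnat(dstnat(request), hairpin)   # what the server receives
    if delivered.src == CLIENT:
        # Same subnet: the server answers the client directly, bypassing the
        # router, so nothing rewrites SERVER back to WAN_IP on the way back.
        reply_src = SERVER
    else:
        # The reply is addressed to the router, which reverses both rewrites.
        reply_src = WAN_IP
    return reply_src, reply_src == request.dst
```

Without the hairpin rule the client sent to 66.214.32.62 but hears back from 192.168.100.24, so the reply matches no connection and is reset; with it, the reply returns through the router and arrives from the address the client expects.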
 
Admin529a3
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 2:07 am

Re: Port Forwarding for the beginner

Sat Aug 26, 2017 3:39 pm

Thank you very much.
I do appreciate it; I tried that and it worked.

Gratis
Rob
 
Bestinwifi
just joined
Posts: 5
Joined: Mon Aug 13, 2018 9:13 pm

Re: Port Forwarding for the beginner

Wed Aug 15, 2018 12:21 am

Hello, I'm new to MikroTik. I'm trying to set up port forwarding on my CCTV; here is my script if that helps.

/export
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.3.0.1/24 comment=defconf interface=bridge network=10.3.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.3.0.10 client-id=1:4c:bd:8f:fe:39:1a mac-address=4C:BD:8F:FE:39:1A server=dhcp1
/ip dhcp-server network
add address=10.3.0.0/24 gateway=10.3.0.1 netmask=24
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=\
Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface="BT Modem"
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="BT Modem"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3999 in-interface=bridge protocol=tcp to-addresses=10.3.0.10 to-ports=80
Last edited by Bestinwifi on Wed Aug 22, 2018 1:02 am, edited 2 times in total.
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port Forwarding for the beginner

Thu Aug 16, 2018 11:59 am

Bestinwifi: please change your IPSec secret, you published enough details for someone to try brute forcing VPN accounts on your router... already edited your SN/soft id.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum