m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Port forwarding issue

Sun Aug 20, 2017 2:32 pm

Hi,

I have been trying to do some port forwarding but it does not seem to be working. I remember doing this before and it worked but for some reason, now it will not.
Can somebody please help by looking through my config and seeing if there is anything wrong?
Thank you so much!

[username@MikroTik] > ip address pri
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 WAN
1 10.0.20.1/24 10.0.20.0 Management
2 10.0.30.1/24 10.0.30.0 Internet
3 D 90.196.151.83/32 2.127.238.201 ADSL
[mark@MikroTik] > int pri
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R Link_to_HP ether 1500 1598 4074 D4:CA:6D:B5:5C:B8
1 PoE ether 1500 1598 4074 D4:CA:6D:B5:5C:B6
2 Port4 ether 1500 1598 4074 D4:CA:6D:B5:5C:B9
3 Port5 ether 1500 1598 4074 D4:CA:6D:B5:5C:BA
4 R WAN ether 1500 1598 4074 D4:CA:6D:B5:5C:B7
5 R ADSL pppoe-out 1480
6 R Internet vlan 1500 1594 D4:CA:6D:B5:5C:B8
7 R Management vlan 1500 1594 D4:CA:6D:B5:5C:B8
[mark@MikroTik] > ip fi nat pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

1 chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no log-prefix=""

2 chain=srcnat action=masquerade src-address=10.0.20.0/24 log=no log-prefix=""

3 chain=srcnat action=masquerade src-address=10.0.30.0/24 log=no log-prefix=""

4 ;;; CODMW2_1/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=1500 protocol=udp dst-address=90.196.151.83 in-interface=Internet dst-port=1500 log=no log-prefix=""

5 ;;; CODMW2_2/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3005 protocol=udp dst-address=90.196.151.83 in-interface=Internet dst-port=3005 log=no log-prefix=""

6 ;;; CODMW2_3/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3101 protocol=udp dst-address=90.196.151.83 in-interface=Internet dst-port=3101 log=no log-prefix=""

7 ;;; CODMW2_4/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=28960 protocol=udp dst-address=90.196.151.83 in-interface=Internet dst-port=28960 log=no log-prefix=""

8 ;;; CODMW2_5/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=27015 protocol=tcp dst-address=90.196.151.83 in-interface=Internet dst-port=27015 log=no log-prefix=""

9 ;;; Utorrent
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=48085 protocol=tcp in-interface=Internet dst-port=48085 log=no log-prefix=""

[mark@MikroTik] > ip fi fi pri
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; Utorrent
chain=forward action=accept protocol=tcp dst-port=48085 log=no log-prefix=""

2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

4 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=PoE log=no log-prefix=""

5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

6 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

7 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

8 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=PoE log=no log-prefix=""

9 ;;; Allow Limited Pings
chain=input action=accept protocol=icmp limit=50/5s,2:packet log=no log-prefix=""

10 chain=output action=accept protocol=tcp content=530 Login Incorrect dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

11 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login Incorrect log=no log-prefix=""

12 ;;; Drop Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

13 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
log=no log-prefix=""

14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
log=no log-prefix=""

15 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
log=no log-prefix=""

16 ;;; SSH Create Blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""

17 ;;; SSH
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

18 ;;; Drop Invalid Connections
chain=input,forward action=drop connection-state=invalid log=no log-prefix=""

19 ;;; Drop Excess Pings
chain=input action=drop protocol=icmp log=no log-prefix=""

20 ;;; Drop FTP Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 log=no log-prefix=""

21 ;;; Drop SSH Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

22 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""

[username@MikroTik] >


10.0.30.13 is the IP of the PC that I want to forward the ports to.

Any help would be very appreciated, thank you.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forwarding issue

Sun Aug 20, 2017 8:52 pm

Remove rule 4 from your firewall. Rule 8 is the correct one.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Port forwarding issue

Sun Aug 20, 2017 9:48 pm

Remove rule 4 from your firewall. Rule 8 is the correct one.
You sure about that? Rule 4 is in the input chain and won't have any effect on port forwarding.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forwarding issue

Sun Aug 20, 2017 9:53 pm

Remove rule 4 from your firewall. Rule 8 is the correct one.
You sure about that? Rule 4 is in the input chain and won't have any effect on port forwarding.
You're right I overlooked that. It should remain.
Well, then I don't see anything wrong with the configuration. Maybe there is filtering further upstream?
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Port forwarding issue

Sun Aug 20, 2017 10:02 pm

It appears your dstnat rule has an in-interface of Internet, but the public IP is on interface ADSL. I suggest you change the in-interface to ADSL.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forwarding issue

Sun Aug 20, 2017 10:10 pm

Well, now that I check again, the interface naming is not consistent at all.
This certainly needs to be reviewed by the author.
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Mon Aug 21, 2017 12:07 am

Hi all, thank you so much for all of the responses!

To clarify, "ADSL" is the name I have given the "pppoe-client".
The "Internet" interface, is one of two VLANs that sits on another port that connects to my switch. My PC connects to a port untagged to this VLAN and a masquerade rule allows it to get online.

So given the above, would my NAT rules still need to sit on the ADSL interface? Or would it not be correct as I have done it, on the VLAN interface (Internet), as this is what my PC is connecting via?


Thanks again!
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Port forwarding issue

Mon Aug 21, 2017 12:13 am

In-interface for dst-nat should be the interface that the IP address you have listed is assigned to. So when you are out on the internet trying to access an internal server on that port, you would use the public IP and the port. The interface you hit from the internet should be the one in the dst-nat in-interface, as that is the interface you are coming in on.
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Mon Aug 21, 2017 12:32 am

So going on your last message, which was brilliantly explained (thank you so much!), I have amended the port forward rule for uTorrent to be as follows:

9 ;;; Utorrent
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=48085
protocol=tcp dst-address=90.196.151.83 in-interface=ADSL dst-port=48085
log=no log-prefix=""


The filter rule I have for this (not even sure I need this but have done so anyway), is:

1 ;;; Utorrent
chain=forward action=accept protocol=tcp dst-port=48085 log=no
log-prefix=""

Unfortunately, this is still not working.


Just to recap on my setup...

wall port to Draytek modem, modem to port 1 of Mikrotik. Port 2 of Mikrotik to HP switch, this connection carries 2 VLANs. My PC connects to a switch port that is untagged to VLAN 30 (named "Internet").

On the Mikrotik, I have a DHCP server with a 10.0.30.0/24 address pool assigned and the gateway is specified in network as 10.0.30.1. This DHCP server is assigned to the above mentioned VLAN. Maybe not important but I thought it may provide additional context.

I am still trying to understand all these NAT rules, I am slowly getting used to it but I do not fully understand what each part does, which is why I am very appreciative of the responses so far!


Thanks again
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Port forwarding issue

Mon Aug 21, 2017 12:48 am

The second thing you need to look at is your src-nat or masquerade rules.
As I can see it, you have 2 internet connections, WAN and ADSL. You then have your two LAN connections.
For src-nat or masquerade to work properly you need to match traffic to the connection.
So on your masquerade you would normally have src-address=10.0.30.0/24, for example. You would need to create a second masquerade with the out-interface as your ADSL. Obviously its src-address depends on what traffic you are wanting to pass through this connection.
If you are going to use src-nat you would need to add to-address= and enter the external interface IP.
Having 2 internet connections, you may need to tweak your ip routes and possibly add mangle rules.
Last edited by dgnevans on Mon Aug 21, 2017 1:05 am, edited 1 time in total.
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Mon Aug 21, 2017 1:04 am

Ah, there is actually only one internet connection, it is an adsl connection. The WAN interface is simply the name that I have specified for the physical port, whereas the ADSL interface is the name that I have specified for the pppoe-client that sits on the WAN port.

So IP>Firewall>Nat shows as follows:

[mark@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

1 chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no
log-prefix=""

2 chain=srcnat action=masquerade src-address=10.0.20.0/24 log=no
log-prefix=""

3 chain=srcnat action=masquerade src-address=10.0.30.0/24 log=no
log-prefix=""

4 ;;; CODMW2_1/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=1500
protocol=udp dst-address=90.196.151.84 in-interface=Internet
dst-port=1500 log=no log-prefix=""

5 ;;; CODMW2_2/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3005
protocol=udp dst-address=90.196.151.84 in-interface=Internet
dst-port=3005 log=no log-prefix=""

6 ;;; CODMW2_3/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3101
protocol=udp dst-address=90.196.151.84 in-interface=Internet
dst-port=3101 log=no log-prefix=""

7 ;;; CODMW2_4/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=28960
protocol=udp dst-address=90.196.151.84 in-interface=Internet
dst-port=28960 log=no log-prefix=""

8 ;;; CODMW2_5/5
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=27015
protocol=tcp dst-address=90.196.151.84 in-interface=Internet
dst-port=27015 log=no log-prefix=""

9 ;;; Utorrent
chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=48085
protocol=tcp dst-address=90.196.151.84 in-interface=ADSL dst-port=48085
log=no log-prefix=""


Would rules 0 and 3 be the correct ones? This does seem to work, as I have an IP on my PC (10.0.30.13) and I have internet access.

I am probably not making much sense as besides from being a bit of a rookie, I am also half asleep!
I will check back tomorrow but thank you for all of your help and I hope we can get to the bottom of this! I am going to rate all posts as positive as you have been very helpful!
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Port forwarding issue

Mon Aug 21, 2017 9:36 am

Instead of the first 4 for srcnat/masquerade rules I would put in.
add action=masquerade chain=srcnat comment="Masq WAN ADSL" dst-address=0.0.0.0/0 out-interface=ADSL src-address=10.0.16.0/20 
This will cover both your vlans.
There is no need to srcnat 192.168 traffic as that is not from your internal network.
I would then log any dropped traffic on your firewall to make sure that your traffic is indeed not being dropped for some reason. If your dst-nat is working you should see the counters going up.
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Tue Aug 22, 2017 12:05 am

Hi, I finally got round to looking at this again. As suggested, I changed the "in-interface" as follows:

chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=48085 protocol=tcp dst-address=90.196.151.84 in-interface=ADSL dst-port=48085 log=no
log-prefix=""

It would still not work but when I changed the corresponding filter rule's chain to input instead of forward, it worked! (which is strange as I thought this would have to be a forward chain)

1 ;;; Utorrent
chain=input action=accept protocol=tcp dst-port=48085 log=no log-prefix=""

canyouseeme.org displays the following result now:
Success: I can see your service on 90.196.151.84 on port (48085)
Your ISP is not blocking port 48085


However, none of my other port forwards are working despite applying the same changes, curious.

I just wanted to thank you again for all of your help!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding issue

Tue Aug 22, 2017 5:39 am

1) If your dstnat rule has dst-address=<address>, it doesn't need in-interface=<interface>. It doesn't hurt, but it's not really good for anything either. You need only one of these conditions.

2) Forwarded ports go to forward chain, not to input. There's no way how accepting port 48085 in input chain could help. It could get there, if dstnat rule would not match the packet for some reason (it would come to different address or via different interface). But even then it would not help, because you most likely don't run anything on router on port 48085. And if you do, it's not torrent client.

3) If your WAN interface is "ADSL", then filter rule 8 in your original post should have in-interface=ADSL. That rule is supposed to drop all incoming connections from WAN, unless they are dstnatted. So as it's now, you're allowing pretty much anything in forward chain. And rule 1 to allow torrent port is useless.

4) Filter rules 9 and 19 are useless, because all icmp is already accepted by rule 2.

5) Filter rule 18 is wrong, it doesn't work for both input and forward, it's an unused chain named "input,forward".

6) Filter rules 12 and 21 are the same.

7) Do you really need to access router's FTP from outside? Or do you need it at all?

8) In original post you had public address ending with .83, now you have .84. Do you have dynamic address, or more than one address?
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Tue Aug 22, 2017 12:19 pm

Hi, thank you for your message, let me address each point...

1) If your dstnat rule has dst-address=<address>, it doesn't need in-interface=<interface>. It doesn't hurt, but it's not really good for anything either. You need only one of these conditions.
This is good to know thank you.


2) Forwarded ports go to forward chain, not to input. There's no way how accepting port 48085 in input chain could help. It could get there, if dstnat rule would not match the packet for some reason (it would come to different address or via different interface). But even then it would not help, because you most likely don't run anything on router on port 48085. And if you do, it's not torrent client.
I do have a torrent client listening on port 48085. I also thought that it would need to go to the forward chain but the only things I changed to get this port to report back as open on a port scan, is to change the interface to "ADSL" and then in the filter rule, the chain from "forward" to "input". If the in-interface is not needed and the chain being set to input would not help, is there any way you can explain why it is now working when these were the only changes made?


3) If your WAN interface is "ADSL", then filter rule 8 in your original post should have in-interface=ADSL. That rule is supposed to drop all incoming connections from WAN, unless they are dstnatted. So as it's now, you're allowing pretty much anything in forward chain. And rule 1 to allow torrent port is useless.
"WAN" is no more than a name for the physical port that my pppoe-client (ADSL) sits on. Again with rule 1 though, the above mentioned change to this rule, allowed the port to show as open on a port scan (it also now shows as open on torrent client as well as the private tracker now reporting it as open), if this rule is useless then I am at a loss to explain why it now works when it did not before.

4) Filter rules 9 and 19 are useless, because all icmp is already accepted by rule 2.
Would I be better off removing these rules or removing the rule to allow all ICMP traffic, my thinking is that limiting this would be better?

5) Filter rule 18 is wrong, it doesn't work for both input and forward, it's an unused chain named "input,forward".
Should this be changed to two rules, one for each chain (forward and input)?

6) Filter rules 12 and 21 are the same.
Ah! I shall remove the duplicate!

7) Do you really need to access router's FTP from outside? Or do you need it at all?
Although I definitely do not "need" this, I will at some point want to tinker with this for learning purposes.

8) In original post you had public address ending with .83, now you have .84. Do you have dynamic address, or more than one address?
Ah, I should point out that I changed this value just to not have my IP visible, I should have just put <public IP>, my apologies for the confusion.


That was extremely helpful, thank you. I find it amazing when people can just look at these lists and understand it all! I am still trying to learn this stuff so I really can not thank you enough for the constructive help.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding issue

Wed Aug 23, 2017 4:00 am

2) Once a packet goes to input chain, it's not leaving the router, it ends there. If it reaches computer behind router, it went through forward chain (it's easy in your case, because you don't really block much there). Even if it looks like accepting port in input chain helped to get it through, it's not possible. It started working because original dstnat rule had in-interface=Internet (not your WAN interface) and you changed it to in-interface=ADSL (the right one).

3) By WAN here I meant interface connected to internet, not your physical interface named "WAN".

4) It's up to you. There isn't any official "the only right way".

5) Just to chain=input, you already block invalid in chain=forward by rule 7.

7) I'd suggest to keep it only accessible from inside, it's enough for learning. The less you open to whole world, the better.

And if other forwarded ports still didn't decide to work, it would be better to post your current config, because it's becoming hard to follow all changes. There's a nice command for it:
/export hide-sensitive
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Wed Aug 23, 2017 11:41 am

Ah that makes sense the way you have explained it, thank you very much. It is amazing to get so much friendly help!

Here is the config as requested *thanks for the "hide/sensitive" tip!

# aug/23/2017 09:34:34 by RouterOS 6.34.4
# software id = 40HN-L777
#
/interface ethernet
set [ find default-name=ether3 ] name=Link_to_HP
set [ find default-name=ether1 ] name=PoE
set [ find default-name=ether4 ] name=Port4
set [ find default-name=ether5 ] name=Port5
set [ find default-name=ether2 ] name=WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN name=ADSL use-peer-dns=\
yes user=omittedforsecurity@skydsl
/ip neighbor discovery
set PoE discover=no
/interface vlan
add interface=Link_to_HP name=Internet vlan-id=30
add interface=Link_to_HP name=Management vlan-id=20
/ip dhcp-client option
add code=60 name="Option 60" value="omittedforsecurity\
omittedforsecurity"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Internet ranges=10.0.30.10-10.0.30.254
add name=Management ranges=10.0.20.10-10.0.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=PoE name=defconf
add address-pool=Management disabled=no interface=Management name=\
management_range
add address-pool=Internet disabled=no interface=Internet name=internet_range
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw \
time-zone=+00:00
/ip address
add address=192.168.88.1/24 comment=defconf interface=WAN network=\
192.168.88.0
add address=10.0.20.1/24 interface=Management network=10.0.20.0
add address=10.0.30.1/24 interface=Internet network=10.0.30.0
/ip dhcp-client
add dhcp-options="Option 60,Option 61,hostname" disabled=no interface=WAN
/ip dhcp-server network
add address=10.0.20.0/24 comment=management gateway=10.0.20.1
add address=10.0.30.0/24 comment=internet gateway=10.0.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment=Utorrent dst-port=48085 protocol=tcp
add chain=input dst-port=1500 protocol=udp
add chain=input dst-port=3005 protocol=udp
add chain=input dst-port=3101 protocol=udp
add chain=input dst-port=28960 protocol=udp
add chain=input dst-port=27015 protocol=tcp
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=PoE
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=PoE
add chain=input comment="Allow Limited Pings" limit=50/5s,2:packet protocol=\
icmp
add chain=output content="530 Login Incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login Incorrect" \
protocol=tcp
add action=drop chain=input comment="Drop Brute Forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="SSH Create Blacklist" \
connection-state=new dst-port=22 protocol=tcp
add chain=input comment=SSH dst-port=22 protocol=tcp
add action=drop chain=input,forward comment="Drop Invalid Connections" \
connection-state=invalid
add action=drop chain=input comment="Drop Excess Pings" protocol=icmp
add action=drop chain=input comment="Drop FTP Brute Forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop Everything Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ADSL
add action=masquerade chain=srcnat src-address=10.0.20.0/24
add action=masquerade chain=srcnat src-address=10.0.30.0/24
add action=dst-nat chain=dstnat comment=CODMW2_1/5 dst-address=90.196.151.84 \
dst-port=1500 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 \
to-ports=1500
add action=dst-nat chain=dstnat comment=CODMW2_2/5 dst-address=90.196.151.84 \
dst-port=3005 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 \
to-ports=3005
add action=dst-nat chain=dstnat comment=CODMW2_3/5 dst-address=90.196.151.84 \
dst-port=3101 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 \
to-ports=3101
add action=dst-nat chain=dstnat comment=CODMW2_4/5 dst-address=90.196.151.84 \
dst-port=28960 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 \
to-ports=28960
add action=dst-nat chain=dstnat comment=CODMW2_5/5 dst-address=90.196.151.84 \
dst-port=27015 in-interface=ADSL protocol=tcp to-addresses=10.0.30.13 \
to-ports=27015
add action=dst-nat chain=dstnat comment=Utorrent dst-address=90.196.151.84 \
dst-port=48085 in-interface=ADSL protocol=tcp to-addresses=10.0.30.13 \
to-ports=48085
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/London
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ADSL disabled=yes display-time=5s
set PoE disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set Link_to_HP disabled=yes display-time=5s
set Port4 disabled=yes display-time=5s
set Port5 disabled=yes display-time=5s
set Internet disabled=yes display-time=5s
set Management disabled=yes display-time=5s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=WAN
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=WAN
/tool user-manager database
set db-path=user-manager
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding issue

Thu Aug 24, 2017 4:08 am

Ok, so you have only four filter rules for forward:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=PoE
Two of them can drop something. One is for invalid packets, that's not what's blocking your forwarded ports. Second one drop everything that comes in via PoE interface and is not dstnatted. Since PoE is not your internet interface, this rule does not block any incoming connections from internet. Actually, this rule should have in-interface=ADSL, to protect your internal networks from unsolicited connections from outside. And even if you correct it, it still won't block forwarded ports.

The only other thing on your router that matters are dstnat rules:
/ip firewall nat
add action=dst-nat chain=dstnat comment=CODMW2_1/5 dst-address=90.196.151.84 dst-port=1500 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 to-ports=1500
add action=dst-nat chain=dstnat comment=CODMW2_2/5 dst-address=90.196.151.84 dst-port=3005 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 to-ports=3005
add action=dst-nat chain=dstnat comment=CODMW2_3/5 dst-address=90.196.151.84 dst-port=3101 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 to-ports=3101
add action=dst-nat chain=dstnat comment=CODMW2_4/5 dst-address=90.196.151.84 dst-port=28960 in-interface=ADSL protocol=udp to-addresses=10.0.30.13 to-ports=28960
add action=dst-nat chain=dstnat comment=CODMW2_5/5 dst-address=90.196.151.84 dst-port=27015 in-interface=ADSL protocol=tcp to-addresses=10.0.30.13 to-ports=27015
add action=dst-nat chain=dstnat comment=Utorrent dst-address=90.196.151.84 dst-port=48085 in-interface=ADSL protocol=tcp to-addresses=10.0.30.13 to-ports=48085
When you look at them, they're all the same, they only differ in protocol and port. If one works, there's no reason why the others would not. So it suggests that the problem is elsewhere.

For a start, if you look at the packet counters for each rule, do you see non-zero values? If so, packets are coming in and the rules are working. The next step is to check if packets are passing correctly through the router. They have to, but to be sure, either check interface "Internet" (where 10.0.30.13 is connected) using Tools->Torch to see if you see them, or add logging rules like these:
/ip firewall mangle
add action=accept chain=postrouting dst-address=10.0.30.13 dst-port=1500 protocol=udp
add action=accept chain=postrouting dst-address=10.0.30.13 dst-port=3005 protocol=udp
...
If you see counters increasing for both dstnat and mangle rules, then everything is fine on router and you must look for problem at 10.0.30.13. Probably a firewall there is blocking incoming connections for those ports.
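As an added illustration of the points made in this thread (this is not code from the thread or from MikroTik): a small Python model of how RouterOS walks the first packet of a connection through dstnat and then either the input chain (router itself) or the forward chain (LAN host), driven by a constructed subset of the posted rules in the same "add ..." syntax as the /export. It shows why the dstnat rule only works with in-interface=ADSL, why an input-chain accept can never deliver a forwarded port to 10.0.30.13, why "drop all from WAN not DSTNATed" only protects the LAN once it names ADSL instead of PoE, and why chain=input,forward is a chain nothing ever uses. ROUTER_ADDRS, the packet dicts and the simplified matching are assumptions of this model, not RouterOS internals.

```python
import shlex

# Constructed subset of the thread's rules, in the same "add ..." syntax as the
# /export above. "ADSL" is the pppoe-client holding the public address; "PoE"
# is a LAN port, which is why the default "drop ... from WAN" rules never fire.
FILTER_TEXT = """
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=PoE
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=PoE
add chain=input comment=SSH dst-port=22 protocol=tcp
add action=drop chain=input,forward comment="Drop Invalid Connections" connection-state=invalid
add action=drop chain=input comment="Drop Everything Else"
"""
# The uTorrent dstnat rule as first posted (in-interface=Internet is a LAN VLAN) and as corrected.
NAT_WRONG = ("add action=dst-nat chain=dstnat comment=Utorrent dst-address=90.196.151.84 "
             "dst-port=48085 in-interface=Internet protocol=tcp to-addresses=10.0.30.13 to-ports=48085")
NAT_FIXED = NAT_WRONG.replace("in-interface=Internet", "in-interface=ADSL")

ROUTER_ADDRS = {"90.196.151.84", "10.0.30.1", "10.0.20.1", "192.168.88.1"}  # assumed router-owned
BUILTIN_FILTER_CHAINS = {"input", "forward", "output"}
NON_MATCHERS = {"action", "chain", "comment", "to-addresses", "to-ports"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; RouterOS defaults action to accept."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rule = {"action": "accept"}
            for kv in parts[1:]:
                key, _, value = kv.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def matches(rule, pkt):
    """True when every matcher on the rule agrees with the packet/connection fields."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "connection-nat-state":  # handles the "!dstnat" negation
            ok = (pkt["nat-state"] == want.lstrip("!")) != want.startswith("!")
        elif key == "connection-state":
            ok = pkt["connection-state"] in want.split(",")
        elif key in ("protocol", "dst-address", "dst-port", "in-interface"):
            ok = pkt[key] == want
        else:
            raise ValueError(f"matcher {key} is not modelled here")
        if not ok:
            return False
    return True

def first_match(rules, chain, pkt):
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def route_new_connection(filter_rules, nat_rules, pkt):
    """First packet of a connection: dstnat runs first, then the (possibly rewritten)
    destination decides between the input chain (router itself) and forward (LAN host)."""
    pkt = {**pkt, "connection-state": "new", "nat-state": "none"}
    nat = first_match(nat_rules, "dstnat", pkt)
    if nat is not None and nat["action"] == "dst-nat":
        pkt["dst-address"] = nat["to-addresses"]
        pkt["dst-port"] = nat.get("to-ports", pkt["dst-port"])
        pkt["nat-state"] = "dstnat"
    chain = "input" if pkt["dst-address"] in ROUTER_ADDRS else "forward"
    rule = first_match(filter_rules, chain, pkt)
    return {"chain": chain,
            "verdict": rule["action"] if rule else "accept",  # no match = chain default accept
            "delivered-to": pkt["dst-address"],
            "rule": rule.get("comment", "<no comment>") if rule else "<chain default>"}

def unused_chains(filter_rules):
    """Sob's point 5: chain=input,forward creates a new chain nothing ever jumps to."""
    return sorted({r["chain"] for r in filter_rules} - BUILTIN_FILTER_CHAINS)

def with_wan_interface(filter_rules, wan):
    """Re-point 'drop all from WAN not DSTNATed' at the interface that really faces the internet."""
    fixed = []
    for r in filter_rules:
        r = dict(r)
        if "not DSTNATed" in r.get("comment", ""):
            r["in-interface"] = wan
        fixed.append(r)
    return fixed

# Constructed inbound SYNs arriving on the pppoe interface.
INBOUND_TORRENT = {"protocol": "tcp", "in-interface": "ADSL",
                   "dst-address": "90.196.151.84", "dst-port": "48085"}
INBOUND_UNSOLICITED = {"protocol": "tcp", "in-interface": "ADSL",
                       "dst-address": "10.0.30.13", "dst-port": "445"}

if __name__ == "__main__":
    filt = parse_rules(FILTER_TEXT)
    print("dstnat on Internet:", route_new_connection(filt, parse_rules(NAT_WRONG), INBOUND_TORRENT))
    print("dstnat on ADSL:    ", route_new_connection(filt, parse_rules(NAT_FIXED), INBOUND_TORRENT))
    print("rule 8 on PoE:     ", route_new_connection(filt, [], INBOUND_UNSOLICITED))
    print("rule 8 on ADSL:    ", route_new_connection(with_wan_interface(filt, "ADSL"), [], INBOUND_UNSOLICITED))
    print("unused filter chains:", unused_chains(filt))
```

With the wrong dstnat interface the torrent SYN is never rewritten, so it is treated as traffic for the router and dies in the input chain; with the corrected rule it is rewritten to 10.0.30.13 and only ever sees the forward chain.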
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Fri Aug 25, 2017 1:12 pm

Hi again, thank you for your comment, this has helped me understand this a little more. So I have corrected the forward rule which stipulates to drop all not dstnated so that the interface is correct. I have also cleaned up the filter rules a bit...
[mark@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward

 1    ;;; Utorrent
      chain=forward action=accept protocol=tcp dst-port=48085 log=no log-prefix=""

 2    ;;; MW2 Port
      chain=forward action=accept protocol=tcp dst-port=27015 log=no log-prefix=""

 3    ;;; defconf: accept establieshed,related
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 4    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=PoE log=no log-prefix=""

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ADSL log=no log-prefix=""

 9    ;;; Allow Limited Pings
      chain=input action=accept protocol=icmp limit=50/5s,2:packet log=no log-prefix=""

10    chain=output action=accept protocol=tcp content=530 Login Incorrect dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

11    chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login Incorrect log=no
      log-prefix=""

12    ;;; Drop Excess Pings
      chain=input action=drop protocol=icmp log=no log-prefix=""

13    ;;; Drop Brute Forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

14    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
      address-list-timeout=1w3d dst-port=22 log=no log-prefix=""

15    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
      address-list-timeout=1m dst-port=22 log=no log-prefix=""

16    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
      address-list-timeout=1m dst-port=22 log=no log-prefix=""

17    ;;; SSH Create Blacklist
      chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no
      log-prefix=""

18    ;;; SSH
      chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

19    ;;; Drop Invalid Connections
      chain=input,forward action=drop connection-state=invalid log=no log-prefix=""

20    ;;; Drop FTP Brute Forcers
      chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 log=no log-prefix=""

21    ;;; Drop SSH  Brute Forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

22    ;;; Drop Everything Else
      chain=input action=drop log=no log-prefix=""

My public IP has changed, so I have amended the NAT rules to reflect this; I will look into a better solution for that once I have a better handle on this stuff. I have left some NAT rules unchanged for now, as I believe that concentrating on why one specific rule is not working will help me understand this better. So my NAT rules are now as follows:

[mark@MikroTik] /ip firewall filter> .. nat pri
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ADSL log=no log-prefix=""

 1    chain=srcnat action=masquerade src-address=10.0.20.0/24 log=no log-prefix=""

 2    chain=srcnat action=masquerade src-address=10.0.30.0/24 log=no log-prefix=""

 3    ;;; CODMW2_1/5
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=1500 protocol=udp dst-address=90.196.151.84 in-interface=ADSL dst-port=1500 log=no
      log-prefix=""

 4    ;;; CODMW2_2/5
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3005 protocol=udp dst-address=90.196.151.84 in-interface=ADSL dst-port=3005 log=no
      log-prefix=""

 5    ;;; CODMW2_3/5
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=3101 protocol=udp dst-address=90.196.151.84 in-interface=ADSL dst-port=3101 log=no
      log-prefix=""

 6    ;;; CODMW2_4/5
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=28960 protocol=udp dst-address=90.196.151.84 in-interface=ADSL dst-port=28960 log=no
      log-prefix=""

 7    ;;; CODMW2_5/5
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=27015 protocol=tcp dst-address=176.248.237.61 in-interface=ADSL dst-port=27015 log=no
      log-prefix=""

 8    ;;; Utorrent
      chain=dstnat action=dst-nat to-addresses=10.0.30.13 to-ports=48085 protocol=tcp dst-address=176.248.237.61 in-interface=ADSL dst-port=48085 log=no
      log-prefix=""

From the above, rule 8 is working as an open port check tool reports success. However, rule 7 (which is the one I want to concentrate on) is not, despite being set the same way as rule 8.
I ran the torch tool while checking port 27015 and it gave the following output:

[mark@MikroTik] /tool> torch interface=Internet port=27015
SRC-PORT                                                 DST-PORT                                                        TX         RX TX-PACKETS RX-PACKETS
27015 (half-life)                                        58204                                                       592bps     480bps          1          1
27015 (half-life)                                        58205                                                       592bps     480bps          1          1
27015 (half-life)                                        58208                                                       592bps     480bps          1          1
                                                                                                                    1776bps    1440bps          3          3
-- [Q quit|D dump|C-z continue]

So, strangely, it seems that traffic is passing, but the port checker tool reports this to be closed (the traffic above is from the actual check). Modern Warfare 2 also reports a strict NAT type, suggesting that it also sees the port as closed. To try and eliminate a device issue, I have disabled the Windows firewall, but I do not believe this to be device related.

I am at a bit of a loss, because I can see nothing wrong with the rules that I have added; I have followed all of your wonderful suggestions and it still is not working. The frustrating part is when it works for one and not another; it is really difficult to see where the problem is. The Torch tool output from above has (half-life) in it; could this be a preconfigured port on the MikroTik with some specific settings? I have never configured anything related to half-life on this router.

Thank you again for all of your help and saint-like patience!


Edit: Could this be anything to do with having separate VLANs? I have VLAN 30, which is named "Internet", and this sits on a link to my HP switch. I would not have thought so, as I believe this stuff just applies to my WAN connection, which is a pppoe-client that I have named "ADSL" and which sits on the Ethernet port named "WAN". Again, I am just clutching at straws here :-(


Edit 2: Sorry to be a broken record, but I have just seen that the port forward I have set for uTorrent (rule 8) shows as closed when I do not have my torrent client open. When I open it, then the port checker reports it is open. Is this normal behaviour, for the port only to show as open if there is traffic on that port? I have also just tried changing the listening port on uTorrent to 27015 and running the port check tool again... it shows as open!

Strange then that it shows as closed when uTorrent is not running. Also strange that MW2 shows my NAT type as strict if the NAT rules are correct, as they seem to be. Could this have anything to do with any errors in my firewall rules relating to connection-state? Maybe if I add connection-state=new to the corresponding firewall rule for each NAT rule?

Thanks again!
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding issue  [SOLVED]

Fri Aug 25, 2017 4:19 pm

Once more, your current filter rules for forward are:

1 accept Utorrent
2 accept MW2 Port
5 fasttrack connections
6 accept established & related
7 drop invalid
8 drop all from WAN (your interface "ADSL") not DSTNATed
x accept everything (not an actual rule, but implicit default action)

You don't need rules 1 and 2, because those connections will be accepted by default at the end (rules are processed in order, and when one matches, further ones are skipped). Neither rule 7 nor 8 will block them, because they are not invalid and they are dstnated. It's not a problem, just useless.

Next, if your public address changes from time to time, then don't use it for firewall rules. Use dst-address-type=local (it means any address assigned directly to router) instead of dst-address=<address>. And small bonus tip, if you have dst-port=<port> and to-ports=<port>, where both numbers are the same, you don't need to enter to-ports=<port> at all, it will just use original.

Now about port 27015...

"half-life" is just a name for port, it doesn't mean anything. Well, it does mean that the port is usually used by it, like 80 is usually used by http. But it doesn't influence anything.

It's not because of VLANs, in your case they're just two networks with nothing special.

About open and closed ports, I suspect that you might be missing some key concepts. Take just a single device with an IP address. A closed port means that there's no program running which listens on that port. An open port means that there is such a program. So a port appearing as closed when uTorrent is not running is correct. Now add a router which forwards ports to this device. What happens is that the packet originally comes to the router's address, but dstnat takes it and sends it elsewhere (to your PC/server). The possibly confusing part is that port forwarding is sometimes referred to as opening ports. So the port is open on the router, but outside devices can't know about the router's existence. So for a port to appear open to them, it must be opened on the router (dstnat rule) and also a program on the internal device must have it open.

NAT rules implicitly work only for connection-state=new, you don't need to do anything there.

To move a little further (hopefully), try running "netstat -anb" on 10.0.30.13 (I assume it has Windows). Or "netstat -anb >netstat.txt" to get output saved in text file, which should be easier to work with. Then verify that you see all needed ports in listening state. There must be correct number (27015), correct protocol (tcp) and correct address (10.0.30.13, 0.0.0.0, or possibly even [::]). If you also see some in connected state, it means that something was able to successfully connect (and you'll also see remote address).
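To make the points in this reply concrete (first-match evaluation of the forward chain, the implicit accept at the end, and dst-address-type=local in place of a hard-coded public address), here is an added example; it is not code from the thread or from MikroTik. It is a small model of how a RouterOS chain is walked: rules are checked in order, the first accept, drop or dst-nat that matches decides, and a packet that reaches the end is accepted. It replays the forward chain printed earlier in the thread against constructed packets, once with the two per-port accept rules and once without them. Assumptions: non-terminating actions such as fasttrack-connection are modelled as pass-through, dst-address-type=local is modelled with a constructed set of router addresses, and all packets and the extra addresses (documentation ranges) are made up.

```python
"""
Model of RouterOS chain evaluation, replaying the forward chain from the
thread.  Simplifications: fasttrack-connection is treated as pass-through,
and dst-address-type=local is checked against a constructed address set.
"""
from dataclasses import dataclass, field

# Addresses assigned to the router (constructed). dst-address-type=local
# matches any of them, so a rule keeps working when the public address changes.
ROUTER_ADDRESSES = {"176.248.237.61", "10.0.30.1", "10.0.20.1"}
TERMINAL_ACTIONS = {"accept", "drop", "dst-nat"}


@dataclass
class Packet:
    protocol: str
    dst_port: int
    in_interface: str
    connection_state: str           # new / established / related / invalid
    connection_nat_state: str = ""  # "dstnat" once a dstnat rule rewrote the packet
    dst_address: str = ""


@dataclass
class Rule:
    action: str
    comment: str = ""
    match: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            if key == "dst_address_type":
                if (pkt.dst_address in ROUTER_ADDRESSES) != (want == "local"):
                    return False
            elif key == "connection_state":
                if pkt.connection_state not in want.split(","):  # e.g. "established,related"
                    return False
            elif isinstance(want, str) and want.startswith("!"):  # negated matcher
                if getattr(pkt, key) == want[1:]:
                    return False
            elif getattr(pkt, key) != want:
                return False
        return True


def evaluate(chain, pkt):
    """Walk the chain in order; return (verdict, rule number), None meaning the implicit accept."""
    for number, rule in chain:
        if rule.matches(pkt) and rule.action in TERMINAL_ACTIONS:
            return rule.action, number
    return "accept", None


def without(chain, *numbers):
    return [(n, r) for n, r in chain if n not in numbers]


# Forward chain as printed in the thread, numbered like the print output
FORWARD = [
    (1, Rule("accept", "Utorrent", {"protocol": "tcp", "dst_port": 48085})),
    (2, Rule("accept", "MW2 Port", {"protocol": "tcp", "dst_port": 27015})),
    (5, Rule("fasttrack-connection", "defconf: fasttrack",
             {"connection_state": "established,related"})),
    (6, Rule("accept", "defconf: accept established,related",
             {"connection_state": "established,related"})),
    (7, Rule("drop", "defconf: drop invalid", {"connection_state": "invalid"})),
    (8, Rule("drop", "defconf: drop all from WAN not DSTNATed",
             {"connection_state": "new", "connection_nat_state": "!dstnat",
              "in_interface": "ADSL"})),
]

# dstnat rule written the way the reply recommends: no hard-coded public address
DSTNAT = [
    (7, Rule("dst-nat", "CODMW2_5/5", {"protocol": "tcp", "dst_port": 27015,
                                       "in_interface": "ADSL", "dst_address_type": "local"})),
]

# Constructed packets; 198.51.100.7 and 203.0.113.9 are documentation addresses
MW2_NATTED = Packet("tcp", 27015, "ADSL", "new", "dstnat", "10.0.30.13")
MW2_NOT_NATTED = Packet("tcp", 27015, "ADSL", "new", "", "10.0.30.13")
MW2_REPLY = Packet("tcp", 27015, "ADSL", "established", "dstnat", "10.0.30.13")
MW2_INVALID = Packet("tcp", 27015, "ADSL", "invalid", "", "10.0.30.13")
LAN_OUTBOUND = Packet("tcp", 443, "Internet", "new", "", "198.51.100.7")
TO_ROUTER_PUBLIC = Packet("tcp", 27015, "ADSL", "new", "", "176.248.237.61")
TO_OTHER_ADDRESS = Packet("tcp", 27015, "ADSL", "new", "", "203.0.113.9")


def compare(pkt):
    """Verdict with the per-port accept rules 1 and 2 present vs. removed."""
    return evaluate(FORWARD, pkt), evaluate(without(FORWARD, 1, 2), pkt)


if __name__ == "__main__":
    for name in ("MW2_NATTED", "MW2_NOT_NATTED", "MW2_REPLY", "MW2_INVALID", "LAN_OUTBOUND"):
        full, trimmed = compare(globals()[name])
        print(f"{name:16} with rules 1,2: {full}   without: {trimmed}")
    for name in ("TO_ROUTER_PUBLIC", "TO_OTHER_ADDRESS"):
        print(f"{name:16} dstnat: {evaluate(DSTNAT, globals()[name])}")
```

Running it shows the dstnated game traffic ending in "accept" either way, which is the point made above: rule 2 is only the earlier of two routes to the same verdict. The model also makes visible what an unrestricted per-port accept placed ahead of the defconf drops does: a new tcp/27015 packet from ADSL that was not dstnated, or one in the invalid state, is accepted by rule 2 before rule 8 or rule 7 can see it, whereas without rules 1 and 2 those packets are dropped. The dstnat rule with dst-address-type=local matches traffic to whichever address the router currently holds and leaves traffic to any other address untouched.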
 
m1982j
just joined
Topic Author
Posts: 20
Joined: Wed Jun 08, 2016 2:56 am

Re: Port forwarding issue

Thu Aug 31, 2017 1:09 pm

Hi,

I just wanted to thank everybody for all of their replies. It has helped me understand firewalls and NAT rules quite a bit more and it is all working correctly now, thanks again.
