Community discussions

 
webbsolution
newbie
Topic Author
Posts: 36
Joined: Tue Apr 28, 2015 6:14 am

port forwarding confusion

Sat Nov 25, 2017 11:45 pm

Sorry in advance for the neophyte nature of my questions -

Internal IP of my desktop in question is 192.168.88.12X (windows 10 - Fiewall totally disabled (Domain - everything) Cable modem FW also is off)

I cant seem to forward ports. I tried the following resources

http://www.icafemenu.com/how-to-port-fo ... router.htm

https://www.youtube.com/watch?v=VXodO1-Bq_c

Neither of these worked for any of the ports I tried to pass through.

Interestingly - i have 2 rules that work - one is on 443 and one is on 5000
the reference to 443 is in the filter rules (TCp port 443 - Action- accept ) - if I hit canyouseeme.org it says its open - if I disable the filter - its closed. So ok that seems like something works to me...

The reference to port 5000 is on NAT tab (TCP port 5000 To Adress is 192.168.88.139) NOTE this address is from a computer that no longer exists. If I change the to address to 192.168.88.12X the port is no longer reachable from Canyouseme.org.

I was basically just looking to make sure I wasnt blocking some gaming ports in an effort to tune my connection for online gaming. So I was most interested in ports -

TCP: 3074,27015-27030,27036-27037
UDP: 3074,4380,27000-27031,27036
So I setup the first rule for 3074 -- Ip/ Firewall/ Nat + (TCP - Port 3074 - Action DST-NAT) I the walk throughs didnt suggest a dest IP so I left that blank - but I experimented and adding a destination IP didnt help either.

is it possible that my assumption that canyouseeme.org cant see the port means its not open is wrong ?
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: port forwarding confusion

Sun Nov 26, 2017 3:15 pm

You can test ports via numerous methods (yougetsignal, portforward as websites, and nmap/zenmap as applications)

Regarding your OS, whats your network described as? Public, work or private? Sometimes, you need to set ports in windows firewall also, even if it says its disabled. I had couple of issues, where only disabling firewall via group policy really disabled firewall.
I have bigger routing table.
 
User avatar
matiaszon
Member
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: port forwarding confusion

Sun Nov 26, 2017 3:51 pm

Sorry in advance for the neophyte nature of my questions -

Internal IP of my desktop in question is 192.168.88.12X (windows 10 - Fiewall totally disabled (Domain - everything) Cable modem FW also is off)

I cant seem to forward ports. I tried the following resources

http://www.icafemenu.com/how-to-port-fo ... router.htm

https://www.youtube.com/watch?v=VXodO1-Bq_c

Neither of these worked for any of the ports I tried to pass through.

Interestingly - i have 2 rules that work - one is on 443 and one is on 5000
the reference to 443 is in the filter rules (TCp port 443 - Action- accept ) - if I hit canyouseeme.org it says its open - if I disable the filter - its closed. So ok that seems like something works to me...

The reference to port 5000 is on NAT tab (TCP port 5000 To Adress is 192.168.88.139) NOTE this address is from a computer that no longer exists. If I change the to address to 192.168.88.12X the port is no longer reachable from Canyouseme.org.

I was basically just looking to make sure I wasnt blocking some gaming ports in an effort to tune my connection for online gaming. So I was most interested in ports -

TCP: 3074,27015-27030,27036-27037
UDP: 3074,4380,27000-27031,27036
So I setup the first rule for 3074 -- Ip/ Firewall/ Nat + (TCP - Port 3074 - Action DST-NAT) I the walk throughs didnt suggest a dest IP so I left that blank - but I experimented and adding a destination IP didnt help either.

is it possible that my assumption that canyouseeme.org cant see the port means its not open is wrong ?
Without export we can't say anything.
/ip firewall export hide-sensitive
 
webbsolution
newbie
Topic Author
Posts: 36
Joined: Tue Apr 28, 2015 6:14 am

Re: port forwarding confusion

Sun Nov 26, 2017 5:58 pm

Thank you for your help -

[admin@MikroTik] > /ip firewall export hide-sensitive
# nov/26/2017 11:52:04 by RouterOS 6.40.4
# software id = 45FL-UCT7
#
# model = 2011UiAS-2HnD
# serial number = 5E6F05A0B63C
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=\
invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1-gateway \
protocol=tcp to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1-gateway \
protocol=udp to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1-gateway \
protocol=udp to-ports=4380
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=\
ether1-gateway protocol=tcp to-ports=27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=\
ether1-gateway protocol=tcp to-ports=27036-27037
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=\
ether1-gateway protocol=udp to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1-gateway \
protocol=udp to-ports=27036
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.88.125 to-ports=80
add action=dst-nat chain=dstnat dst-port=1900 in-interface=ether1-gateway \
protocol=udp to-addresses=192.168.88.139 to-ports=1900
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.88.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
[admin@MikroTik] >
 
SPKA16
newbie
Posts: 25
Joined: Fri Aug 05, 2016 8:41 pm

Re: port forwarding confusion

Sun Nov 26, 2017 7:25 pm

These work, the last three, cause they have a destination --> to-addresses.

Code: Select all

add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.125 to-ports=80
add action=dst-nat chain=dstnat dst-port=1900 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.139 to-ports=1900
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001
All the others are incomplete, they don't have a to-addresses specified

Code: Select all

add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1-gateway protocol=tcp to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1-gateway protocol=udp to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1-gateway protocol=udp to-ports=4380
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1-gateway protocol=tcp to-ports=27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1-gateway protocol=tcp to-ports=27036-27037
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1-gateway protocol=udp to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1-gateway protocol=udp to-ports=27036
 
webbsolution
newbie
Topic Author
Posts: 36
Joined: Tue Apr 28, 2015 6:14 am

Re: port forwarding confusion

Sun Nov 26, 2017 7:46 pm

but this "add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.125 to-ports=80"
Does not work - 192.168.88.125 is a real address - but I cant check for an open port on 80 wiht this rule ...

This "add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001" Works but only if I point the port to a phantom IP that is NOT in use...if I point that rule to an actual PC (192.168.88.125) it fails too.

I also reset the router and tried from a factory reset which does some initial setup (DHCP / Bridged Wlan and LAN etc) and I was still unable to open any ports. I have since restored back to the settings exposed here for simplicity.

There are no other firewalls on the network...win10 FW is off -

Lets just focus on this one rule - I changed it to add in the suggested to address -

add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.88.125 to-ports=3074

Now if I go to Canyou seeme.org - it reports the port is closed - However if I look at the NAT rule just after checking I can see 60 bytes and 1 packets on the rule line - so that means that traffic is coming in but getting dropped regardless of the rule?
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: port forwarding confusion

Sun Nov 26, 2017 8:29 pm

This means that traffic is hitting rule correctly, but probably host is droping it.
I have bigger routing table.
 
SPKA16
newbie
Posts: 25
Joined: Fri Aug 05, 2016 8:41 pm

Re: port forwarding confusion

Sun Nov 26, 2017 8:33 pm

but this "add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.125 to-ports=80"
Does not work - 192.168.88.125 is a real address - but I cant check for an open port on 80 wiht this rule ...
How you check this? Does 192.168.88.125 actually have a webserver (or something else) running on port 80? Maybe its the firewall on the machine? The gateway of 125 is the router?
I guess it is a Synology so it should just work fine if the gateway is correct, and only port 5000 is needed.
This "add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001" Works but only if I point the port to a phantom IP that is NOT in use...if I point that rule to an actual PC (192.168.88.125) it fails too.
That does not make sense.. There shouldn't be two to-ports=5000-5001 when only one dst-port is configured. That might does the trick

Also when testing myself with a DST-NAT to a phantom IP get this result:
http://canyouseeme.org/ --> Error: I could not see your service on xx.xx.xx.xx on port (8080) Reason: No route to host

This should then also be the message on your DST-NAT on port 3074? When a port is closed (not configured at all, so blocked) i get the reason: time out.

For the 3074 rule, since you you do get a hit on this NAT the rule is good.
Your firewall rules look default so they should accept all in the DST-NAT but for testing you might want to add:
add action=accept chain=forward dst-port=3074 in-interface=ether1-gateway protocol=tcp
and place it on top.

If is still fails then the endpoint is not configured for this port, or has firewall on it, or doesn't know a route back (gateway incorrect?)
 
webbsolution
newbie
Topic Author
Posts: 36
Joined: Tue Apr 28, 2015 6:14 am

Re: port forwarding confusion

Mon Nov 27, 2017 5:09 am

Yes when I turn on the web server -80 passes through and CANyouSeeme validates it -

port 5000 is working because ...it should - I had the wrong Ip in mind when I said that was a phantom IP - 139 is indeed a synology NAS - itis online which is why the rule works.

3074 and the other ranges referenced in the first post might not validate through canyouseeme as I would expect so maybe my assumption is wrong and the rules are working.

Who is online

Users browsing this forum: No registered users and 38 guests