Community discussions

MikroTik App
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Mon Apr 02, 2018 3:12 pm

Hi everybody,

First off I have been trying to use this equipment for almost two years but sadly I am pretty bad in networking. Hope some gurus can help me out here. Originally I wanted this to serve as a wireless access bridge (gave up on that) but now I am trying to do the most simple plain vanilla of setups. That is the CRS125 is to act as a Wireless Router similar to those off the shelf Netgear types.

Currently I have the ISP ----> ISP provided modem ----> Mikrotik which serves as the DHCP server & has two wlans (one for internal and the other for guests, but currently unused)

I have followed this guide mainly:- http://www.icafemenu.com/how-to-port-fo ... router.htm
I have also looked thru the forums and other links.

The main problems I have is that within the network I cannot ping or access the other devices (but I understand this is prob a hairpin NAT issue) but even when I am on another network (I have two fixed IPs and internet subscriptions) I am unable to SSH into the server attached to the Mikrotik even with Port Forwarding.

My guess is that perhaps because the modem has the Public IP and whereas the Mikrotik does not have the Public IP.
So where my Public IP is say 138.199.181.222
My ether1-gateway is 138.199.180.1
This is because I set the Address Acquisiton under QuickSet as automatic. Should I be using Static or PPOE?

Within the network all my devices are 192.168.88.X and I have set them to static IPs to prevent them from changing.

Appreciate any insights on how to troubleshoot this.

Thanks!
 
Sob
Forum Guru
Forum Guru
Posts: 6246
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Tue Apr 03, 2018 3:04 am

You can do port forwarding only with public address, because that's what you can connect to from internet. If it's on your modem and not on router, you need to do something with modem first. Either switch modem to some transparent (bridge) mode that would allow your router to get public address. If it's not possible, then you need to configure modem to forward ports to your router, either just selected ones, or everything (usually called DMZ). And then you can forward what you need further in LAN.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Sun Apr 08, 2018 5:12 pm

Hi appreciate the help.

Checked with my ISP and they say my Fiber modem does not have an interface, it does not have any DHCP server as well and there is no way to set it into bridge mode. Everything should be controlled by the router.

If this is the case, what is the best way to troubleshoot the port forwarding? I believe the IP is on the router but perhaps not the right interface/port?
 
Sob
Forum Guru
Forum Guru
Posts: 6246
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Sun Apr 08, 2018 6:05 pm

Don't believe, be sure. If you check some online service like whatismyip.com, is the same IP address on your router? If so, it should work (only the linked guide is not compatible with hairpin NAT, but you can solve it later).

Add your dstnat rule, ask Google for "online port scan", choose some you like and use it to test your rule (enter your public address and used port). Ideally it should tell you that the port is open. But even if it doesn't, check packet counter of your rule if it increases when you do the test, at least that should happen (it could mean that either packets are not passing through router, or the internal device doesn't accept them).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Sun Apr 08, 2018 6:12 pm

In that case you should not have any issue. Export config from yout router, post it here. We will help.
I have bigger routing table.
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Mon Apr 09, 2018 1:36 pm

Is there any private details I need to hide after I export details from the router? Thanks!
 
JB172
Member
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Mon Apr 09, 2018 1:38 pm

Is there any private details I need to hide after I export details from the router? Thanks!
Make an
export hide-sensitive
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Mon Apr 09, 2018 2:12 pm

# apr/09/2018 19:09:17 by RouterOS 6.41.3
# software id = BL3I-YX6P
#
# model = CRS125-24G-1S-2HnD
# serial number = 523B051454A9
/interface bridge
add admin-mac=E4:8D:8C:42:C3:4C auto-mac=no fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wirelesswifi wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-slave-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10-slave-local
set [ find default-name=ether11 ] name=ether11-slave-local
set [ find default-name=ether12 ] name=ether12-slave-local
set [ find default-name=ether13 ] name=ether13-slave-local
set [ find default-name=ether14 ] name=ether14-slave-local
set [ find default-name=ether15 ] name=ether15-slave-local
set [ find default-name=ether16 ] name=ether16-slave-local
set [ find default-name=ether17 ] name=ether17-slave-local
set [ find default-name=ether18 ] name=ether18-slave-local
set [ find default-name=ether19 ] name=ether19-slave-local
set [ find default-name=ether20 ] name=ether20-slave-local
set [ find default-name=ether21 ] name=ether21-slave-local
set [ find default-name=ether22 ] name=ether22-slave-local
set [ find default-name=ether23 ] name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-slave-local
set [ find default-name=sfp1 ] name=sfp1-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:42:C3:64 master-interface=wlan1 name=wlan2 security-profile=profile ssid=wirelesswifi_Guests
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local hw=no interface=wlan1
add bridge=bridge-local hw=no interface=wlan2
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local
add bridge=bridge-local interface=ether21-slave-local
add bridge=bridge-local interface=ether22-slave-local
add bridge=bridge-local interface=ether23-slave-local
add bridge=bridge-local interface=ether24-slave-local
add bridge=bridge-local interface=sfp1-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-slave-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=ether11-slave-local list=discover
add interface=ether12-slave-local list=discover
add interface=ether13-slave-local list=discover
add interface=ether14-slave-local list=discover
add interface=ether15-slave-local list=discover
add interface=ether16-slave-local list=discover
add interface=ether17-slave-local list=discover
add interface=ether18-slave-local list=discover
add interface=ether19-slave-local list=discover
add interface=ether20-slave-local list=discover
add interface=ether21-slave-local list=discover
add interface=ether22-slave-local list=discover
add interface=ether23-slave-local list=discover
add interface=ether24-slave-local list=discover
add interface=sfp1-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=wlan2 list=discover
add interface=ether2-master-local list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=wlan2 list=mac-winbox
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
/ip arp
add address=192.168.88.89 comment="Computer Wireless" interface=bridge-local mac-address=00:28:F8:4E:03:81
add address=192.168.88.88 comment="Computer Ethernet" interface=bridge-local mac-address=1C:1B:0D:9B:19:B7
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=5809
add action=dst-nat chain=dstnat dst-port=1157 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.88 dst-port=23 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.88 to-ports=23
/system clock
set time-zone-name=[Hidden]
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Tue Apr 10, 2018 11:39 am

Hi,
just rearrange rules:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=5809
add action=dst-nat chain=dstnat dst-port=1157 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.88 dst-port=23 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.88 to-ports=23
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
so your masquerade is below NAT rules.
I have bigger routing table.
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Tue Apr 10, 2018 8:15 pm

Do I do the rearrangement in the Terminal or is there a GUI method?
 
mkx
Forum Guru
Forum Guru
Posts: 4976
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Tue Apr 10, 2018 8:50 pm

In Webfig, used in proper browser (not something on some hemeroid gadget), it is possible to drag&drop rules.
BR,
Metod
 
bropper
just joined
Topic Author
Posts: 6
Joined: Mon Apr 02, 2018 2:20 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Tue Apr 24, 2018 1:56 pm

Hmm,

I have moved the masquerade below and it still doesn't work.

I have tried using http://www.t1shopper.com/tools/port-scan/#

To test for the port and there is no response.

Any other ideas?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 5660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 2:09 am

First off, I dont think the rules order matters, my srcnat rule is before my dstnat rules........ Hopefully someone can confirm.
The only question is what is the purpose of the FW rule below??

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1876
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 3:05 am

@anav, it is the default drop rule in input chain, i.e. The last rule for packets that dit not match previous rules ends there and get dropped
MTCNA, MTCTCE, MTCRE & MTCINE
 
Sob
Forum Guru
Forum Guru
Posts: 6246
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 3:50 am

@anav: Order matters within same chain. But when you see multiple chains in same window (dstnat and srcnat in NAT, input and forward in Filter, etc..) you can have one before the other, other way around, interleaved, anything. Only same chain matters.

And regarding the current problem, I'd like to direct attention to my previous message. In all modesty, I think there were some good suggestions. So step one, check the IP address. Step two, test it from outside and check counters on dstnat rules.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 5660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 5:00 am

@anav, it is the default drop rule in input chain, i.e. The last rule for packets that dit not match previous rules ends there and get dropped
I figured as much but it doesnt look like what is standard..........
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

(got it, order in chain matters)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1876
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 6:49 pm

@anav, it is the default drop rule in input chain, i.e. The last rule for packets that dit not match previous rules ends there and get dropped
I figured as much but it doesnt look like what is standard..........
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


(got it, order in chain matters)

I don't think the bold above is standard but can be wrong, for me personally though, my default drop rule drops all, irrelevant if from WAN, LAN, VPN, etc as with security, majority of incidents is from inside
MTCNA, MTCTCE, MTCRE & MTCINE
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: Need help setting simple port forwarding to a server behind CRS-125-24G-1S-2HnD

Wed Apr 25, 2018 6:55 pm

@anav, it is the default drop rule in input chain, i.e. The last rule for packets that dit not match previous rules ends there and get dropped
I figured as much but it doesnt look like what is standard..........
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


(got it, order in chain matters)

I don't think the bold above is standard but can be wrong, for me personally though, my default drop rule drops all, irrelevant if from WAN, LAN, VPN, etc as with security, majority of incidents is from inside
Haha okay, point well taken, not sure where I got that, now that I think about it.
But do please, if you are brave enough, to show us your ........................ input drop rule!!

Who is online

Users browsing this forum: tdw and 61 guests