gasipetak

Port forwarding connection refused

Thu Sep 05, 2019 2:14 pm

Hello,
I have configured NAT to forward port 8080 to my server. When I test from an external connection I get ERR_CONNECTION_REFUSED, yet I can reach the server on my public IP from inside my LAN (so the hairpin path works).
I have also disabled the firewall on the server, but that made no difference. This is the configuration export:
$@....] > /export hide-sensitive        
# sep/05/2019 13:15:52 by RouterOS 6.45.3
# software id = IY2F-C1KS
#
# model = 951Ui-2HnD
# serial number = 717*******1B
/interface bridge
# bridge-local is the LAN bridge (ports are attached under /interface bridge port)
# with a fixed admin MAC so the LAN gateway address does not move between ports.
add admin-mac=4C:5E:******** auto-mac=no comment=defconf fast-forward=no \
    name=bridge-local
# lo0 is a port-less bridge used as a loopback: it carries the static public
# address that /ip address assigns and that the srcnat rule translates to.
add fast-forward=no name=lo0
/interface ethernet
# All five ports advertise every 10/100/1000 duplex mode (the export lists them
# explicitly, so auto-negotiation is not the factory default on this unit).
# ether1 is the WAN port the PPPoE client binds to; ether2-ether5 are bridged.
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# ether2 keeps its legacy "-master" name from older switch-group configs; it is
# an ordinary bridge port here.
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
# WAN uplink: PPPoE on ether1 with a 1480-byte MTU/MRU (PPPoE overhead) and a
# 60 s keepalive.  use-peer-dns=yes pulls the ISP resolvers into /ip dns.
# NOTE(review): the public address used for NAT lives on lo0, not on this
# session.  The assumption is that the ISP routes ***.126.***.68 to the PPPoE
# session -- confirm it; if the session is assigned a different address,
# inbound traffic for ***.126.***.68 never reaches the dst-nat rule.
add disabled=no interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 \
    mrru=1600 name=pppoe-out1 use-peer-dns=yes user=*********@moov.mg
/interface wireless
# 2.4 GHz AP bridged onto the LAN (wlan1 is a bridge-local port).  No
# "disabled=no" is exported, so wlan1 is presumably still in its factory
# disabled state.  NOTE(review): if it is ever enabled, the default security
# profile below exports no mode or authentication, i.e. this would be an open
# SSID bridged straight onto the LAN -- set a WPA2 profile first.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-171ACA \
    wireless-protocol=802.11
/interface list
# "discover" is defined but neighbor discovery is set to interface list "none"
# below, so it is unused.  mactel / mac-winbox hold the interfaces on which
# MAC-telnet and MAC-winbox answer; their members are added under
# /interface list member (bridge-local only).
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
# Only the supplicant identity differs from the factory profile.  The export
# (even with hide-sensitive, which hides keys but not the mode) shows no
# mode/authentication-types, so this profile appears to be open (mode=none).
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
# Read community for the ISP's monitoring, answered only to two source
# addresses.  The community string is the only credential and travels in the
# clear (SNMPv1/v2c); the address filter is the real access control, and it
# only checks the source address of UDP datagrams.
set [ find default=yes ] addresses=196.192.32.242/32,41.188.35.92/32 name=\
    dts-customer
/system logging action
# Built-in actions: 0 = memory, 1 = disk, 3 = remote.
set 0 memory-lines=2000 memory-stop-on-full=yes
set 1 disk-stop-on-full=yes
# NOTE(review): the default "remote" action targets 10.200.200.32, but no rule
# under /system logging uses action=remote -- this looks stale.
set 3 bsd-syslog=yes remote=10.200.200.32 syslog-facility=local0
# Two ISP syslog sinks (plain BSD syslog, unauthenticated, across the ISP
# network): one for account (login) events, one for firewall logs.
add bsd-syslog=yes name=MYTELSyslogAuth remote=41.188.17.5 remote-port=51466 \
    target=remote
add bsd-syslog=yes name=MYTELSyslogFW remote=41.188.17.5 remote-port=51467 \
    target=remote
# Disk action defined for firewall hits, but no /system logging rule in this
# export references it.
add disk-file-name=FirewallHits disk-lines-per-file=300 disk-stop-on-full=yes \
    name=FirewallHits target=disk
/interface bridge port
# LAN bridge membership: ether2-ether5 plus wlan1.  ether1 is deliberately not
# a member -- it carries the PPPoE session.
add bridge=bridge-local comment=defconf interface=ether2-master
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
/ip firewall connection tracking
# Idle established TCP flows are kept for 1 h (shorter than the RouterOS
# default), bounding the conntrack table on this small router.
set tcp-established-timeout=1h
/ip neighbor discovery-settings
# MNDP/CDP/LLDP disabled on every interface: the router does not announce
# itself, on the WAN or the LAN.
set discover-interface-list=none
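/ip settings
# NOTE(review): the export had accept-redirects=yes, meaning this gateway
# honoured ICMP redirects from any on-link host (the LAN bridge or the PPPoE
# peer) and let them rewrite where it sends traffic.  A gateway should not
# accept redirects; turned off here.  rp-filter=loose and tcp-syncookies=yes
# are kept as exported (syncookies protect the router's own listeners from
# SYN floods).
set accept-redirects=no rp-filter=loose tcp-syncookies=yes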
/interface list member
# MAC-telnet and MAC-winbox are reachable from the LAN bridge only (see
# /tool mac-server), never over the PPPoE uplink.
add interface=bridge-local list=mactel
add interface=bridge-local list=mac-winbox
/ip address
# LAN gateway.  Note the LAN is 192.168.2.0/24, not the RouterOS factory
# 192.168.88.0/24 that some other entries in this export still mention.
add address=192.168.2.1/24 comment=defconf interface=bridge-local network=\
    192.168.2.0
# Static public /32 on the loopback bridge; srcnat and the 8080 dst-nat rule
# both refer to it.
add address=***.126.***.68 interface=lo0 network=***.126.***.68
/ip dns
# Router-side resolvers = the two ISP servers in the MYTEL_DNS address list.
# allow-remote-requests is not exported (default: no), so the router does not
# resolve for LAN clients; with no DHCP server in this export, LAN hosts are
# presumably configured statically and talk to the ISP resolvers themselves.
set servers=196.192.32.5,41.188.9.130
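/ip dns static
# The LAN bridge carries 192.168.2.1/24 (see /ip address); the exported entry
# still pointed "router" at the RouterOS factory default 192.168.88.1, which
# is not an address on this device.  Re-pointed at the actual LAN gateway.
add address=192.168.2.1 name=router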
/ip firewall address-list
# Google_DNS: targets of the dstnat rule that redirects 8.8.8.8/8.8.4.4 to the
# ISP resolver.
add address=8.8.8.8 comment="Factory Rules by MYTEL: " list=Google_DNS
add address=8.8.4.4 comment="Factory Rules by MYTEL: " list=Google_DNS
# MYTEL_Orchestrator: ISP management hosts.  They get an unconditional accept
# at the top of the input chain and are exempt from the raw PortScan drop.
add address=41.188.35.92 comment="Factory Rules by MYTEL: " list=\
    MYTEL_Orchestrator
add address=41.207.37.254 comment="Factory Rules by MYTEL: " list=\
    MYTEL_Orchestrator
add address=196.192.32.187 comment="Factory Rules by MYTEL: " list=\
    MYTEL_Orchestrator
add address=41.207.32.82 comment="Factory Rules by MYTEL: " list=\
    MYTEL_Orchestrator
# as37054: the ISP's own prefixes.  The filter drops ftp/winbox/API only from
# sources OUTSIDE these ranges, so every other customer inside them is not
# blocked by those rules.
add address=41.188.0.0/18 comment="Factory Rules by MYTEL: " list=as37054
add address=41.207.32.0/19 comment="Factory Rules by MYTEL: " list=as37054
add address=196.192.32.0/20 comment="Factory Rules by MYTEL: " list=as37054
add address=197.149.0.0/18 comment="Factory Rules by MYTEL: " list=as37054
add address=***.126.0.0/17 comment="Factory Rules by MYTEL: " list=as37054
# MYTEL_DNS / MYTEL_NTP: the only destinations the forward chain lets udp/53
# and udp/123 reach.
add address=196.192.32.5 comment="Factory Rules by MYTEL: " list=MYTEL_DNS
add address=41.188.9.130 comment="Factory Rules by MYTEL: " list=MYTEL_DNS
add address=196.192.32.7 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=41.188.33.6 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=17.253.34.125 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=17.253.34.253 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=17.253.82.125 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=17.253.82.253 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=17.253.84.125 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=41.204.120.137 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
add address=51.140.127.197 comment="Factory Rules by MYTEL: " list=MYTEL_NTP
# Local_LAN: 192.168.88.0/24 is already inside 192.168.0.0/16, so the first
# entry is redundant; the actual LAN (192.168.2.0/24) is covered by the /16.
add address=192.168.88.0/24 comment="Factory Rules by MYTEL: " list=Local_LAN
add address=192.168.0.0/16 comment="Factory Rules by MYTEL: " list=Local_LAN
# whitelist: Google prefixes.  Sources in this list are accepted in raw
# prerouting before the PortScan drop, so they can never be banned by it.
add address=216.239.32.0/19 comment="Factory Rules by MYTEL: " list=whitelist
add address=172.217.0.0/16 comment="Factory Rules by MYTEL: " list=whitelist
add address=172.253.0.0/16 comment="Factory Rules by MYTEL: " list=whitelist
add address=173.194.0.0/16 comment="Factory Rules by MYTEL: " list=whitelist
add address=216.73.80.0/20 comment="Factory Rules by MYTEL: " list=whitelist
add address=216.58.192.0/19 comment="Factory Rules by MYTEL: " list=whitelist
/ip firewall filter
# ISP-provisioned ("Factory Rules by MYTEL") rule set.  Two things to keep in
# mind while reading it:
#  - Rules are evaluated top-down and no chain here ends in a drop: a packet
#    that matches nothing is accepted, input chain included.  NOTE(review):
#    there is also no drop for connection-state=invalid anywhere.
#  - /ip firewall raw already drops every non-whitelisted source that is in
#    the PortScan list before any of this runs, so the PortScan rules below
#    only ever see sources the raw chain accepted (whitelist, LAN,
#    orchestrator).
# ISP orchestrator hosts reach every router service unconditionally.
add action=accept chain=input comment="Factory Rules by MYTEL: " \
    src-address-list=MYTEL_Orchestrator
add action=accept chain=input comment="Factory Rules by MYTEL: " \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment=\
    "Factory Rules by MYTEL: FastTrack Established / Related Forward" \
    connection-state=established,related
add action=accept chain=forward comment="Factory Rules by MYTEL: " \
    connection-state=established,related
# Winbox from the LAN is accepted (terminal) here, so none of the traps or the
# brute-force ladder further down ever see LAN winbox sessions.
add action=accept chain=input comment="Factory Rules by MYTEL: " dst-port=8291 \
    protocol=tcp src-address-list=Local_LAN
add action=drop chain=forward comment=\
    "Factory Rules by MYTEL: drop port-scan address list to our infrastructure" \
    src-address-list=PortScan
# This drop precedes the jump to LogChain for the very same sources, so the
# LogChain jump below can never match and LogChain is effectively dead.
add action=drop chain=input comment="Factory Rules by MYTEL: " \
    src-address-list=PortScan
# btest/ftp/winbox/API are dropped only from outside the ISP's own prefixes.
# Inside as37054 -- i.e. from every other MYTEL customer -- ports 21, 8291
# and 8728-8729 are not dropped by these rules; what protects them is the
# /ip service address list plus the traps below.
add action=drop chain=input comment=\
    "Factory Rules by MYTEL: BTest Allowed only from MYTEL" dst-port=2000 \
    protocol=tcp src-address-list=!MYTEL_Orchestrator
add action=drop chain=input comment="Factory Rules by MYTEL: " dst-port=21 \
    protocol=tcp src-address-list=!as37054
add action=drop chain=input comment="Factory Rules by MYTEL: " dst-port=8291 \
    protocol=tcp src-address-list=!as37054
add action=drop chain=input comment="Factory Rules by MYTEL: " dst-port=\
    8728-8729 protocol=tcp src-address-list=!as37054
# Telnet is blocked for forwarded traffic in both directions (dst-port only).
add action=drop chain=forward comment="Factory Rules by MYTEL: drop TELNA port" \
    dst-port=23 protocol=tcp
# Unreachable: PortScan sources were dropped from input a few rules earlier
# (and, unless whitelisted, already in raw).
add action=jump chain=input comment="Factory Rules by MYTEL: " jump-target=\
    LogChain src-address-list=PortScan
# LAN hosts probing the router's telnet port are recorded in PortScanLAN;
# nothing in this export drops that list, so it is audit-only.
add action=add-src-to-address-list address-list=PortScanLAN \
    address-list-timeout=8w4d chain=input comment=\
    "Factory Rules by MYTEL: Block LAN Abusive Attemps" dst-port=23 protocol=\
    tcp src-address-list=Local_LAN
# Traps: a non-LAN source touching 23, 8291 (new connections), 22 or 445 on
# the router goes into PortScan for 8w4d.  add-src-to-address-list does not
# terminate, so the triggering packet itself still falls through to the
# implicit accept; from the next packet on, the raw chain presumably drops
# that source.  Because the winbox trap has no as37054 exception, a
# non-orchestrator ISP address trying winbox is banned too -- in practice
# 8291 is usable only from the LAN and the orchestrator hosts.
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment=\
    "Factory Rules by MYTEL: Trap External Abusive Users" dst-port=23 protocol=\
    tcp src-address-list=!Local_LAN
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment=\
    "Factory Rules by MYTEL: Trap External Abusive Users" connection-state=new \
    dst-port=8291 protocol=tcp src-address-list=!Local_LAN
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment=\
    "Factory Rules by MYTEL: Trap External Abusive Users" dst-port=22 protocol=\
    tcp src-address-list=!Local_LAN
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment=\
    "Factory Rules by MYTEL: Trap External Abusive Users" dst-port=445 \
    protocol=tcp src-address-list=!Local_LAN
# LogChain: per-port log entries (topic "firewall", no prefix) followed by a
# drop.  Only reachable through the jump above, which never matches.
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=22 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=23 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=25 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=123 \
    protocol=udp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=445 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=3389 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=2323 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=3129 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=8080 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=5900 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=6789 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=23231 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by MYTEL: " dst-port=37777 \
    protocol=tcp
add action=drop chain=LogChain comment="Factory Rules by MYTEL: " \
    src-address-list=PortScan
# Egress policy for LAN clients: no direct SMTP, DNS and NTP only to the ISP
# servers (UDP only -- TCP/53, DoT and DoH are not covered), no Windows
# file-sharing ports in either direction (port= matches src or dst), and the
# usual Mirai telnet ports.  Traffic to 8.8.8.8/8.8.4.4 passes the DNS rule
# because dstnat has already rewritten it to 196.192.32.5.
add action=drop chain=forward comment=\
    "Factory Rules by MYTEL: drop SMTP port - Use 465 or 587 instead" dst-port=\
    25 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by MYTEL: block all DNS sessions not going to MYTEL" \
    dst-address-list=!MYTEL_DNS dst-port=53 protocol=udp
add action=drop chain=forward comment="Factory Rules by MYTEL: " \
    dst-address-list=!MYTEL_NTP dst-port=123 protocol=udp
add action=drop chain=forward comment=\
    "Factory Rules by MYTEL: drop windows ports" port=135-139 protocol=tcp
add action=drop chain=forward comment="Factory Rules by MYTEL: block Mirai bot" \
    dst-port=2323 protocol=tcp
add action=drop chain=forward comment="Factory Rules by MYTEL: block Mirai bot" \
    dst-port=6789 protocol=tcp
# Sources promoted to Blacklist_Bruteforcers (by the FTP and winbox logic
# below) lose winbox and ftp access to the router.
add action=drop chain=input comment=\
    "Factory Rules by MYTEL: drop Bruteforcers - WinBox" dst-port=8291 \
    protocol=tcp src-address-list=Blacklist_Bruteforcers
add action=drop chain=forward comment="Factory Rules by MYTEL: block Mirai bot" \
    dst-port=23231 protocol=tcp
add action=drop chain=input comment=\
    "Factory Rules by MYTEL: drop ftp brute forcers" dst-port=21 protocol=tcp \
    src-address-list=Blacklist_Bruteforcers
# TCP flag-combination scans from non-LAN sources (SYN+FIN, SYN+RST, Xmas,
# all-flags, NULL) also land the source in PortScan.  A plain SYN matches none
# of these.
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment="Factory Rules by MYTEL: SYN/FIN scan" protocol=\
    tcp src-address-list=!Local_LAN tcp-flags=fin,syn
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment="Factory Rules by MYTEL: SYN/RST scan" protocol=\
    tcp src-address-list=!Local_LAN tcp-flags=syn,rst
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment="Factory Rules by MYTEL: FIN/PSH/URG scan" \
    protocol=tcp src-address-list=!Local_LAN tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment="Factory Rules by MYTEL: ALL/ALL scan" protocol=\
    tcp src-address-list=!Local_LAN tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=PortScan address-list-timeout=\
    8w4d chain=input comment="Factory Rules by MYTEL: NMAP NULL scan" protocol=\
    tcp src-address-list=!Local_LAN tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# FTP brute-force detection on the router's own replies: up to a burst of 9
# "530 Login incorrect" answers per destination (then 1/min) are let through;
# any further failure puts the client (the packet's destination) in
# Blacklist_Bruteforcers for 3 h.  With /ip service ftp limited to
# 41.188.35.92, only that host can ever trigger this.
add action=accept chain=output comment="Factory Rules by MYTEL: " content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=Blacklist_Bruteforcers \
    address-list-timeout=3h chain=output comment="Factory Rules by MYTEL: " \
    content="530 Login incorrect" protocol=tcp
# Winbox connection-rate ladder, listed in reverse (Etape3 -> 2 -> 1) so one
# packet advances a source by exactly one stage: four new 8291 connections
# within the 1-minute stage timeouts blacklist the source for 1w3d.  LAN
# sources never get here (accepted earlier).
add action=add-src-to-address-list address-list=Blacklist_Bruteforcers \
    address-list-timeout=1w3d chain=input comment="Factory Rules by MYTEL: " \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    Blacklist_Bruteforcers_Etape3
add action=add-src-to-address-list address-list=Blacklist_Bruteforcers_Etape3 \
    address-list-timeout=1m chain=input comment="Factory Rules by MYTEL: " \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    Blacklist_Bruteforcers_Etape2
add action=add-src-to-address-list address-list=Blacklist_Bruteforcers_Etape2 \
    address-list-timeout=1m chain=input comment="Factory Rules by MYTEL: " \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    Blacklist_Bruteforcers_Etape1
add action=add-src-to-address-list address-list=Blacklist_Bruteforcers_Etape1 \
    address-list-timeout=1m chain=input comment="Factory Rules by MYTEL: " \
    connection-state=new dst-port=8291 protocol=tcp
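/ip firewall nat
# Outbound: everything leaving via the PPPoE session is source-NATed to the
# static public address configured on lo0 (see /ip address).
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
    ***.126.***.68
# ISP factory rule: any packet addressed to 8.8.8.8/8.8.4.4 -- no protocol or
# port restriction, so ICMP to those hosts is rewritten as well -- is
# redirected to the MYTEL resolver 196.192.32.5.
add action=dst-nat chain=dstnat comment="Factory Rules by MYTEL: " \
    dst-address-list=Google_DNS to-addresses=196.192.32.5
# Hairpin NAT.  A LAN client that connects to the public address on 8080 is
# DNATed to 192.168.2.4:8080 by the rule below; its source must also be
# rewritten to the router, otherwise the server answers the client directly
# and the client, expecting a reply from the public address, drops it.
# The exported rule matched EVERY TCP connection from the LAN to 192.168.2.4,
# so the server saw all LAN clients as 192.168.2.1 even for direct access and
# lost the real client address in its logs and ACLs.  Restricting the match to
# the forwarded port keeps the hairpin and restores client addresses.
# (connection-nat-state=dstnat would generalise this to every forwarded port;
# confirm this RouterOS version accepts that matcher before using it.)
add action=masquerade chain=srcnat dst-address=192.168.2.4 dst-port=8080 \
    protocol=tcp src-address=192.168.2.0/24
# Port forward: <public>:8080/tcp -> 192.168.2.4:8080.  Matching on the public
# dst-address rather than in-interface=pppoe-out1 is what lets the hairpin
# rule above work for LAN clients too.
# NOTE(review): a dropped or unrouted packet shows up as a timeout, whereas
# ERR_CONNECTION_REFUSED means some host answered with a RST (or an ICMP
# unreachable).  Worth confirming that packets for ***.126.***.68:8080 really
# arrive on pppoe-out1 (this assumes the ISP routes that /32 to the session)
# and that the tester's address is not in the PortScan list that
# /ip firewall raw drops.
add action=dst-nat chain=dstnat dst-address=***.126.***.68 dst-port=8080 protocol=\
    tcp to-addresses=192.168.2.4 to-ports=8080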
/ip firewall raw
# Runs before connection tracking, mangle and the filter chains.  Sources in
# the whitelist (Google prefixes), the LAN and the ISP orchestrator are
# accepted outright; every other source that is in PortScan is dropped here,
# which is why the PortScan rules in /ip firewall filter almost never fire.
# Note that an accept in raw only skips the remaining raw rules -- the packet
# still goes through the filter chains.
add action=accept chain=prerouting comment=\
    "Factory Rules by MYTEL: Whitelist traffic" src-address-list=whitelist
add action=accept chain=prerouting comment=\
    "Factory Rules by MYTEL: Whitelist traffic Local_LAN" src-address-list=\
    Local_LAN
add action=accept chain=prerouting comment=\
    "Factory Rules by MYTEL: Orchestrator traffic" src-address-list=\
    MYTEL_Orchestrator
add action=drop chain=prerouting comment=\
    "Factory Rules by MYTEL: Drop All Banned IPs" src-address-list=PortScan
/ip firewall service-port
# All NAT helpers (ALGs) are switched off.  That is the safer default: the
# helpers parse application payloads and open pinholes, and none of the
# protocols listed is forwarded by this configuration.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
# The web proxy is not enabled in this export (no enabled=yes); these settings
# additionally neuter it -- 1 KiB cache, one client and one server connection,
# bound to 127.0.0.1 -- so it could not be abused as an open proxy even if it
# were switched on.
set cache-path=web-proxy1 max-cache-object-size=1KiB max-cache-size=1KiB \
    max-client-connections=1 max-server-connections=1 src-address=127.0.0.1
/ip route
# Single default route via the PPPoE session (point-to-point, so no gateway
# address is needed).
add distance=1 gateway=pppoe-out1
/ip service
# Management services.  Telnet, SSH, WWW and API-SSL are disabled.
set telnet address=41.188.35.92/32 disabled=yes
# FTP stays enabled (no disabled=yes exported), restricted to one ISP host;
# it is cleartext, which is what the "530 Login incorrect" filter rules key on.
set ftp address=41.188.35.92/32
set www disabled=yes
set ssh address=41.188.35.92/32 disabled=yes
# Plain (non-TLS) API, limited to the four orchestrator addresses.
set api address=\
    41.188.35.92/32,41.207.37.254/32,196.192.32.187/32,41.207.32.82/32
# NOTE(review): winbox answers to every MYTEL prefix (as37054) plus all of
# 192.168.0.0/16 -- i.e. to every other customer of the ISP.  The filter's
# 8291 trap bans non-orchestrator external sources after their first attempt,
# so the exposure is mostly one packet, but the service-level allow list is
# still much wider than the two orchestrator/LAN cases it is used for.
# 192.168.88.0/24 is listed twice and is inside 192.168.0.0/16 anyway.
set winbox address="41.188.0.0/18,41.207.32.0/19,196.192.32.0/20,197.149.0.0/18,\
    ***.126.0.0/17,192.168.88.0/24,192.168.0.0/16,192.168.88.0/24"
set api-ssl disabled=yes
/ip ssh
# strong-crypto=yes restricts the SSH server to the stronger cipher/MAC set.
# forwarding-enabled=remote lets an SSH session open remote port forwards on
# the router; moot while the SSH service is disabled, but worth turning off
# before SSH is ever re-enabled.
set forwarding-enabled=remote strong-crypto=yes
/ip traffic-flow
# NetFlow v5 export of WAN and LAN flows to the ISP orchestrator host
# (41.188.35.92, the same host allowed for FTP/SNMP/API).  Flow records are
# sent unencrypted across the ISP network.
set enabled=yes interfaces=pppoe-out1,bridge-local
/ip traffic-flow target
add dst-address=41.188.35.92 port=9996 version=5
/radius
# Router logins are checked against the ISP RADIUS server (secret hidden by
# hide-sensitive).  Used together with /user aaa use-radius=yes below.
add address=41.188.35.124 service=login
/snmp
# SNMP agent enabled; the only community is restricted to two ISP addresses
# (see /snmp community).  Contact/location are hidden in this export.
set contact=********* enabled=yes location=*********
/system clock
# Fixed time zone (Madagascar); autodetect off so log timestamps are stable.
set time-zone-autodetect=no time-zone-name=Indian/Antananarivo
/system identity
# Identity is the PPPoE login name (hidden), which the ISP uses to map the
# device to the subscriber.
set name=*********@moov.mg
/system leds
# LED 5 shows wlan1 activity.
set 5 interface=wlan1
/system logging
# Rule 0 keeps info messages in memory but excludes the firewall topic; the
# extra "topics=info" rule added below (default action: memory) has no such
# exclusion, so firewall log entries still appear to reach the local memory
# log through it.
set 0 topics=info,!firewall
# Default error/warning/critical rules redirected to disk.
set 1 action=disk
set 2 action=disk
set 3 action=disk
add topics=info
# Firewall log entries (every action=log rule) and login/account events are
# shipped to the ISP syslog host over plain BSD syslog.
add action=MYTELSyslogFW topics=firewall
add action=MYTELSyslogAuth topics=account
/system note
# Login banner (shown before authentication).  The backslash continues the
# quoted string across the line break.
set note="Telecom Malagasy, MYTEL - Authorized administrators only. Access is mo\
    nitored."
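/system ntp client
# Both NTP slots in the export pointed at 196.192.32.7, so the "secondary"
# provided no redundancy.  41.188.33.6 is the other ISP server in the
# MYTEL_NTP address list (the list the ISP's forward rules whitelist for
# udp/123) and is used as the secondary here -- confirm it answers NTP before
# relying on it.  server-dns-names is resolved through the configured MYTEL
# resolvers.
set enabled=yes primary-ntp=196.192.32.7 secondary-ntp=41.188.33.6 \
    server-dns-names=ntp.dts.mg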
/system scheduler
# Runs the AutoUpgrade script every 4 weeks at 06:00.  NOTE(review): the
# scheduler grants the full policy set (password, policy, sensitive, ...),
# far more than a package check needs; a scheduler may only run a script
# whose policies it holds, so trimming both to the minimum that
# /system package update actually requires would be the least-privilege
# setting -- verify the exact policies needed on this version before cutting.
add interval=4w name=AutoUpgrade on-event=AutoUpgrade policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2017 start-time=06:00:00
/system script
# Unattended upgrade: check the package channel, wait 15 s for the answer, and
# if the status reads "New version is available" install it.  Installing
# reboots the router, and whatever the configured update channel offers is
# applied without review.  Owner "AlfredBot" is presumably the ISP's
# provisioning account.  The source string is exported with \r\n escapes and
# line continuations; keep them intact when re-importing.
add dont-require-permissions=no name=AutoUpgrade owner=AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/sy\
    stem package update\r\
    \ncheck-for-updates once\r\
    \n:delay 15s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }"
/tool bandwidth-server
# btest server off; the filter additionally drops tcp/2000 from non-orchestrator
# sources.
set enabled=no
/tool mac-server
# Layer-2 management (MAC-telnet / MAC-winbox) only on the interfaces in the
# mactel / mac-winbox lists, which contain bridge-local only -- never ether1.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/user aaa
# Logins are authenticated via the RADIUS server defined under /radius; any
# user the RADIUS server accepts lands in the "full" group (all policies)
# unless the server returns a group attribute.  Accounting is off.
set accounting=no default-group=full use-radius=yes
$@...] >> 
 
 
gasipetak

Re: Port forwarding connection refused

Tue Sep 10, 2019 8:55 am

nobody can help me... :(
 
Sob

Re: Port forwarding connection refused

Fri Sep 13, 2019 5:37 am

I don't see anything wrong. What if you add this and try to connect, does it log anything?
/ip firewall mangle
# Diagnostic only: log the first packet of each new TCP connection to the
# public address on port 8080, as seen in mangle prerouting (after connection
# tracking, before dst-nat -- so dst-address is still the public address).
# Two caveats from the exported configuration: /ip firewall raw runs before
# mangle and drops any non-whitelisted source already in the PortScan list, so
# a tester whose address was trapped earlier never reaches this rule (check
# /ip firewall address-list for the tester's address first); and the entries
# go to the "firewall" topic, which the logging rules appear to send both to
# the local memory log and to the ISP syslog host -- search the local log for
# the prefix rather than the default view.
add chain=prerouting connection-state=new dst-address=***.126.***.68 protocol=tcp dst-port=8080 action=log log-prefix="port8080"
 
gasipetak

Re: Port forwarding connection refused

Fri Sep 13, 2019 1:33 pm

Thank you for your reply, but there is no change.
This is the log (screenshot not preserved in this copy of the thread).