FRGTech
just joined
Topic Author
Posts: 17
Joined: Thu Sep 19, 2019 5:04 pm

Trouble Forwarding Ports

Thu Sep 19, 2019 7:01 pm

Hi,
I'm trying and failing miserably at forwarding a couple ports on our router here at work. I need to forward 2 ports (8000,2121) to our server and have tried following many tutorials but nothing seems to work. Standard cable modem plugged in to eth1, server is on eth2 which is listed as a master port which I don't really understand. Unable to update router right now but may be able to late one night if that is required.

I tried to disable all the drop filters to see if something was getting caught there but that was no help. We don't have a static IP, but I verified my ip and am running portchecker.co/check to test my ports without any luck.

Please help.
/export hide-sensitive      
# sep/19/2019 11:43:10 by RouterOS 6.34.4
# software id = FQYD-RZAF
#
# LAN bridge with a fixed admin MAC; its member ports are added under
# "/interface bridge port" further down.
/interface bridge
add admin-mac=6C:3B:6B:49:3E:79 auto-mac=no comment=defconf name=bridge
# 2.4 GHz access point broadcasting SSID "FRG".
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=\
    indoors frequency=auto mode=ap-bridge ssid=FRG wireless-protocol=802.11
# ether2 is renamed ether2-master, and ether3-ether24 plus sfp1 all name it as
# their master-port. On RouterOS 6.x releases that still have master-port (this
# export is 6.34.4) this puts the ports in one switch group, so they behave as a
# single LAN segment behind ether2-master. ether1 is not in the group; it is the
# WAN side and runs the DHCP client below.
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] master-port=ether2-master
set [ find default-name=ether7 ] master-port=ether2-master
set [ find default-name=ether8 ] master-port=ether2-master
set [ find default-name=ether9 ] master-port=ether2-master
set [ find default-name=ether10 ] master-port=ether2-master
set [ find default-name=ether11 ] master-port=ether2-master
set [ find default-name=ether12 ] master-port=ether2-master
set [ find default-name=ether13 ] master-port=ether2-master
set [ find default-name=ether14 ] master-port=ether2-master
set [ find default-name=ether15 ] master-port=ether2-master
set [ find default-name=ether16 ] master-port=ether2-master
set [ find default-name=ether17 ] master-port=ether2-master
set [ find default-name=ether18 ] master-port=ether2-master
set [ find default-name=ether19 ] master-port=ether2-master
set [ find default-name=ether20 ] master-port=ether2-master
set [ find default-name=ether21 ] master-port=ether2-master
set [ find default-name=ether22 ] master-port=ether2-master
set [ find default-name=ether23 ] master-port=ether2-master
set [ find default-name=ether24 ] master-port=ether2-master
set [ find default-name=sfp1 ] master-port=ether2-master
# Neighbor discovery is switched off on ether1 (the WAN side).
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
# NOTE(review): the default profile accepts both wpa-psk and wpa2-psk. If no
# client still needs WPA, wpa2-psk alone is the stricter setting. The passphrase
# is absent because the export was taken with hide-sensitive.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys
# DHCP pool for the LAN; .100 sits just below the pool and is handed out by the
# static lease further down.
/ip pool
add name=dhcp ranges=192.168.88.101-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# LAN members of the bridge: the wired switch group (via ether2-master) and wlan1.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
# Router LAN address.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
# The WAN address on ether1 is obtained by DHCP, so it is not fixed in this config.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
# Static leases. 192.168.88.100 is the host that the dst-nat rules forward to.
# NOTE(review): hide-sensitive leaves MAC addresses and client IDs in the
# export; redact them by hand before posting if that matters to you.
/ip dhcp-server lease
add address=192.168.88.100 mac-address=08:94:EF:54:85:8E
add address=192.168.88.238 client-id=1:2c:4d:54:ea:77:a0 mac-address=2C:4D:54:EA:77:A0 server=\
    defconf
add address=192.168.88.249 client-id=1:6c:4b:90:7:f0:23 mac-address=6C:4B:90:07:F0:23 server=\
    defconf
add address=192.168.88.226 mac-address=9E:B8:27:EB:0B:99 server=defconf
add address=192.168.88.223 client-id=1:6c:4b:90:7:f6:e9 mac-address=6C:4B:90:07:F6:E9 server=\
    defconf
add address=192.168.88.243 always-broadcast=yes client-id=1:e0:3f:49:6d:6c:9b mac-address=\
    E0:3F:49:6D:6C:9B server=defconf
add address=192.168.88.228 client-id=1:e0:3f:49:6d:6e:f0 mac-address=E0:3F:49:6D:6E:F0 server=\
    defconf
add address=192.168.88.229 client-id=1:10:78:d2:97:b4:fd mac-address=10:78:D2:97:B4:FD server=\
    defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# itself. In this export the input-chain "drop all from WAN" rule is
# disabled=yes, so nothing in the filter table stops queries that arrive on
# ether1. Keep that drop rule enabled whenever this setting is on.
# 192.168.1.1 is presumably the upstream cable router - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.1.1,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
# Filter rules as they stood while the poster had the drop rules switched off
# for testing. Rules with no action= use the default action, accept, and
# traffic that matches no rule in a chain is accepted as well.
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
# NOTE(review): with disabled=yes on the next rule, the input chain has no drop
# at all, so new connections to the router itself arriving on ether1 are
# accepted. Re-enable it as soon as testing is done.
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
# NOTE(review): both forward-chain drops below are disabled too. Disabling them
# cannot make a port forward start working: the second one already exempts
# dst-nat'ed connections (connection-nat-state=!dstnat), so it only removes
# protection for everything that is not port-forwarded.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
# Masquerades LAN-to-LAN traffic (source and destination both in
# 192.168.88.0/24); this looks like a hairpin-NAT rule for LAN clients that
# reach the server through the forwarded address.
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24
# Port forward for TCP 8000 to 192.168.88.100. 1.2.3.4 is a placeholder for the
# masked public IP. A dst-nat rule matches only when the packet's destination is
# exactly dst-address; per the replies in this thread the router sits behind a
# cable router and holds a 192.168.1.x address on ether1, so packets forwarded
# by the cable router never carry the public IP as destination and this rule
# does not match.
add action=dst-nat chain=dstnat comment="WebAPI" dst-address=1.2.3.4 dst-port=8000 \
    protocol=tcp to-addresses=192.168.88.100 to-ports=8000
# NOTE(review): dst-port=2121 is rewritten to to-ports=8000 here, so port 2121
# would land on the same service as port 8000. The later export in this thread
# uses to-ports=2121, which suggests this was a typo.
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=2121 protocol=tcp to-addresses=\
    192.168.88.100 to-ports=8000
# Source NAT for LAN hosts going out through ether1.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1 src-address=\
    192.168.88.0/24
# Static default route via 192.168.1.1, disabled. The active default route
# presumably comes from the DHCP client on ether1 - confirm.
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/New_York
# protected-routerboot is left disabled.
/system routerboard settings
set protected-routerboot=disabled
# MAC-Telnet and MAC-WinBox: the default entry is disabled and a new entry is
# added for interface=bridge, so these layer-2 management services are offered
# on the LAN bridge only and not on ether1.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
# Traffic monitor entry, present but disabled.
/tool traffic-monitor
add disabled=yes interface=ether2-master name=tmon1 threshold=0 traffic=received trigger=always
Last edited by FRGTech on Sat Sep 21, 2019 6:29 pm, edited 1 time in total.
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Trouble Forwarding Ports  [SOLVED]

Fri Sep 20, 2019 9:06 am

Have you set the cable modem to forward the ports to the mikrotik? I see references to a 192.168.1.1 address in a couple of locations that I am assuming is your cable router. If your mikrotik is getting DHCP from 192.168.1.1 and has an 192.168.1.xxx IP, you will have to forward those ports on the cable modem to that IP and then use that IP in the dst-address of your NAT rules on the mikrotik. Alternately, you might be able to put the cable modem in bridge mode and pass your public IP directly to the mikrotik.

Another note: It is a good idea to mask your actual public IP address when posting your config. You should change it to something like 1.2.3.4.
 
FRGTech
just joined
Topic Author
Posts: 17
Joined: Thu Sep 19, 2019 5:04 pm

Re: Trouble Forwarding Ports

Sat Sep 21, 2019 6:27 pm

Thanks @2frogs,
I did quickly look over the data I posted but missed that it included our public IP. (It is dynamic, but I still missed it.) I'm new here, saw the hide-sensitive option on the export command, and incorrectly assumed that it would hide that data for me.

As far as my problem, I did manage to figure out that our cable router needed to be configured to forward those ports, and I also changed my NAT rules to use the proper internal address (192.168.1.9 in my case), but the ports are still showing up as filtered. I can see traffic on the interface if I sniff it while probing from a website port checker, but I'm not seeing anything when probing from my LAN.

This is probing port 8000 from https://portchecker.co/check
/tool sniffer quick ip-address=192.168.88.100 port=8000
INTERFACE               TIME    NUM DI SRC-MAC           DST-MAC           VLAN  
bridge                 2.203      1 ->
ether2-master          2.203      2 ->
-- [Q quit|D dump|C-z pause]

portqry -n 192.168.88.100 -p tcp -e 8000 just returns filtered regardless if I give the internal or external address

Here are my current firewall rules.
 /ip firewall export 
# sep/21/2019 11:09:24 by RouterOS 6.34.4
# software id = FQYD-RZAF
#
# Filter rules after the fix-up: every drop rule is enabled here (no
# disabled=yes on any of them). Rules with no action= use the default action,
# accept.
/ip firewall filter
# Input chain (traffic to the router itself): ICMP and established/related are
# accepted, then everything else arriving on ether1 is dropped. Traffic from
# the LAN side matches no drop rule and is accepted.
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
# Forward chain (traffic through the router).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# New connections arriving on ether1 are dropped unless they were dst-nat'ed,
# so only the forwarded ports in the nat table get through from the WAN side.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# NOTE(review): no drop rule follows this one, so new connections from the
# bridge would be accepted anyway when they reach the end of the chain. The
# rule is harmless but does not appear to change the outcome.
add chain=forward comment="Allow connections from the LAN" connection-state=new \
    in-interface=bridge
/ip firewall nat
# Source NAT for everything leaving through ether1.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
# Port forwards now match dst-address=192.168.1.9, which per the post is the
# address this router holds on the cable router's LAN.
# NOTE(review): ether1 gets its address by DHCP in the earlier export, so these
# rules stop matching if the lease changes. Matching on in-interface=ether1, or
# reserving the address on the cable router, avoids that.
# NOTE(review): there is no src-address or src-address-list match, so any
# Internet host can reach 192.168.88.100 on these ports once the upstream
# forward is in place. Restrict the source if the callers are known, and make
# sure the service enforces its own authentication. Only protocol=tcp is
# translated here, while the cable-router rules quoted in the post forward TCP
# and UDP; the UDP half can be removed upstream if the service is TCP-only.
# log=yes writes each matching new connection to the log with prefix WebAPI.
add action=dst-nat chain=dstnat comment="WebAPI" dst-address=\
    192.168.1.9 dst-port=8000 log=yes log-prefix=WebAPI protocol=tcp \
    to-addresses=192.168.88.100 to-ports=8000
add action=dst-nat chain=dstnat dst-address=192.168.1.9 dst-port=2121 log=yes \
    log-prefix=WebAPI protocol=tcp to-addresses=192.168.88.100 to-ports=2121

Thanks

Edit: I can now reach both ports internally on the LAN. Was a firewall issue on the server. Still showing filtered from public IP though.

The rules on the cable router are as follows
-
WebAPI 8000
TCP - UDP
*
192.168.1.9
8000
8000

WebAPI 2121
TCP - UDP
*
192.168.1.9
2121
2121

Edit 2: All working now. Again was a server firewall issue.
Thanks!
