 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

4011 affecting outbound services

Tue Dec 01, 2020 4:47 pm

Just set up my 4011 a few days back, and it has been fantastic so far.

Today however, I went to start streaming one of my games, and I was getting 60% network frame loss. This has not happened before. It could be the streaming service having issues, but it's more likely something on my end. The only changes I have made have been swapping out the router I had for the 4011.

It actually seems like it's blocking a lot of outbound stuff? I'm reading that it doesn't have any outbound firewall, but I can't get to anything on the outside from my Emby server, or my PHP server, or my streaming computer.

I'd like to get this sorted as soon as possible. I posted in General around 18 hours ago, and it still hasn't been approved. Thought I'd try my luck here.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Tue Dec 01, 2020 5:28 pm

post your config
/export hide-sensitive file=anynameyouwish
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Tue Dec 01, 2020 5:31 pm

# dec/01/2020 10:30:32 by RouterOS 6.47.8
# software id = VYLD-A8V1
#
# model = RB4011iGS+
# serial number = D4450CB79C24
/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d10m name=\
dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:b4:2e:99:ac:10:b1 mac-address=\
B4:2E:99:AC:10:B1 server=dhcp1
add address=192.168.1.51 mac-address=70:BC:10:26:54:95 server=dhcp1
add address=192.168.1.100 mac-address=10:BE:F5:20:7A:D4 server=dhcp1
add address=192.168.1.111 mac-address=D8:31:34:D3:58:A3 server=dhcp1
add address=192.168.1.120 client-id=1:98:b8:ba:52:80:7c mac-address=\
98:B8:BA:52:80:7C server=dhcp1
add address=192.168.1.53 client-id=1:70:bc:10:30:1b:17 mac-address=\
70:BC:10:30:1B:17 server=dhcp1
add address=192.168.1.122 client-id=1:98:b8:ba:5b:14:a9 mac-address=\
98:B8:BA:5B:14:A9 server=dhcp1
add address=192.168.1.34 mac-address=D8:28:C9:0E:D5:C9 server=dhcp1
add address=192.168.1.50 client-id=1:70:bc:10:30:1a:b mac-address=\
70:BC:10:30:1A:0B server=dhcp1
add address=192.168.1.113 client-id=1:0:7c:2d:9b:f4:39 mac-address=\
00:7C:2D:9B:F4:39 server=dhcp1
add address=192.168.1.52 client-id=1:70:bc:10:30:1a:39 mac-address=\
70:BC:10:30:1A:39 server=dhcp1
add address=192.168.1.121 client-id=1:64:89:f1:45:f7:8d mac-address=\
64:89:F1:45:F7:8D server=dhcp1
add address=dhcp client-id=1:0:18:dd:7:41:2d disabled=yes mac-address=\
00:18:DD:07:41:2D server=dhcp1
add address=192.168.1.33 client-id=1:0:18:dd:7:5f:3f mac-address=\
00:18:DD:07:5F:3F server=dhcp1
add address=192.168.1.3 client-id=1:b4:2e:99:cd:32:9d mac-address=\
B4:2E:99:CD:32:9D server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=accept chain=forward comment="COD TCP" connection-nat-state=dstnat \
dst-address=192.168.1.2 dst-port=3074,27014-27050 protocol=tcp
add action=accept chain=forward comment="COD UDP" connection-nat-state=dstnat \
dst-address=192.168.1.2 dst-port=3074,3478,4379-4380,27000-27031,27036 \
protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
add action=accept chain=forward comment="WOW TCP" dst-address=192.168.1.2 \
dst-port=1119,3724,6012 protocol=tcp
add action=accept chain=forward comment="WOW UDP 1119,3724,6012" dst-address=\
192.168.1.2 dst-port=1119,3724,6012 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="COD TCP 3074" dst-port=3074 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=3074
add action=dst-nat chain=dstnat comment="COD TCP 27014-27050" dst-port=\
27014-27050 in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 \
to-ports=27014-27050
add action=dst-nat chain=dstnat comment="COD UDP 3074" dst-port=3074 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3074
add action=dst-nat chain=dstnat comment="COD UDP 3478" dst-port=3478 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3478
add action=dst-nat chain=dstnat comment="COD UDP 4379-4380" dst-port=\
4379-4380 in-interface=ether1 protocol=udp to-addresses=192.168.1.2 \
to-ports=4379-4380
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2 \
to-ports=27000-27031
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=27036
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=1119
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=3724
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=6012
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=1119
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=3724
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2 to-ports=6012
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-ip=192.168.1.1 interface=ether1 type=external
/system clock
set time-zone-name=America/New_York
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Tue Dec 01, 2020 5:36 pm

192.168.1.3 is the system that I stream from, which was losing 60% of the frames
192.168.1.31 is the TNAS, which hosts my php server, as well as my emby server, both of which are failing.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Tue Dec 01, 2020 10:49 pm

(1) /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 Should be the bridge

(2) Your firewall filter chain is a bloated mess and contains nothing of what you really need,
Replace with default settings IS ALL YOU NEED..................

(3) why is UPNP on, or required if you have forwarded so many ports????? I would start by turning that off until the config is fixed and if still needed.

(4) NAT RULES - don't need to-ports if same as dst-port. It is clear that you have nothing forwarded to any IP other than 192.168.1.2. So it's no surprise to me nothing happens on 192.168.1.31

/ip firewall nat
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Tue Dec 01, 2020 10:58 pm

IP firewall filter approach

/ip firewall filter
[input chain - default rules in italics, admin added rules otherwise]
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input src-address-list=adminaccess [only admin should be able to fully access the router]
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=53
add action=accept chain=input in-interface-list=LAN protocol=udp dst-port=53
add action=drop chain=input comment="drop all else" (caution put in this rule only when admin access rules are in place!!)

[forward chain -default rules in italics, admin added rules otherwise]
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

/ip firewall address-list
add address=IP address of admindesktop list=adminaccess
add address=IP address of adminlaptop list=adminaccess
add address=IP address of adminIpad list=adminaccess
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 12:00 am

1. The bridge was set up by the default system. Once I plugged in the router, and went to the default ip address in the browser, set my settings and hit save, it created the bridge. Ether 2 is plugged into my gaming pc. Ether 1, is inet, and ether 3 goes to my unmanaged switch. If I run the command you provided, what will that change?

2. The firewall stuff that I have is port forwarding for 2 games, as this is a router in home use. So, the ports are opened to make sure there is less delay. The other firewall stuff is blocking the constant login attempts that seem to be happening in my router log. It blacklists them. I got that off the MikroTik forums. I'm not sure what else I could do with it. I don't know how else to stop the brute force.

3. UPNP is on because I am not the only person using this network, my kids are also gaming on their Xboxes. I was told that the UPNP was pretty necessary for gaming on a home network. Should I still turn it off?

4. Why would what is forwarded TO the .2 address affect the outbound of the .31?

With the information I just replied with, will the provided information you gave me still be ok? I'll give it a run if so.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Wed Dec 02, 2020 12:17 am

From your post: " 192.168.1.3 is the system that I stream from, which was losing 60% of the frames
192.168.1.31 is the TNAS, which hosts my php server, as well as my emby server, both of which are failing."

So I would expect servers to be on 192.168.31.1 ??????????

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes get rid of the bloat, make the changes, full steam ahead. We want to get you up and running successfully.
After that is accomplished we can address the other issues if any crop up, in better ways.
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 12:23 am

Yes, my tnas is on 192.168.1.31, which is where the emby server and php server are running.

The streaming is coming from another pc, that is plugged into the switch that is plugged into ether 3.

Will changing the bridge affect the DHCP at all? I would like everything to stay on the 192.168.1.***, so when I run that command, will anything change in that regard?

Also, will running these commands result in my kids not being able to get responses from their game servers?
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 12:29 am

(1) /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 Should be the bridge
[admin@MikroTik] /ip address> add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
failure: already have such address

Here is the config file with the other changes so far.

# dec/01/2020 18:57:34 by RouterOS 6.47.8
# software id = VYLD-A8V1
#
# model = RB4011iGS+
# serial number = D4450CB79C24
/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d10m name=\
dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:b4:2e:99:ac:10:b1 mac-address=\
B4:2E:99:AC:10:B1 server=dhcp1
add address=192.168.1.51 mac-address=70:BC:10:26:54:95 server=dhcp1
add address=192.168.1.100 mac-address=10:BE:F5:20:7A:D4 server=dhcp1
add address=192.168.1.111 mac-address=D8:31:34:D3:58:A3 server=dhcp1
add address=192.168.1.120 client-id=1:98:b8:ba:52:80:7c mac-address=\
98:B8:BA:52:80:7C server=dhcp1
add address=192.168.1.53 client-id=1:70:bc:10:30:1b:17 mac-address=\
70:BC:10:30:1B:17 server=dhcp1
add address=192.168.1.122 client-id=1:98:b8:ba:5b:14:a9 mac-address=\
98:B8:BA:5B:14:A9 server=dhcp1
add address=192.168.1.34 mac-address=D8:28:C9:0E:D5:C9 server=dhcp1
add address=192.168.1.50 client-id=1:70:bc:10:30:1a:b mac-address=\
70:BC:10:30:1A:0B server=dhcp1
add address=192.168.1.113 client-id=1:0:7c:2d:9b:f4:39 mac-address=\
00:7C:2D:9B:F4:39 server=dhcp1
add address=192.168.1.52 client-id=1:70:bc:10:30:1a:39 mac-address=\
70:BC:10:30:1A:39 server=dhcp1
add address=192.168.1.121 client-id=1:64:89:f1:45:f7:8d mac-address=\
64:89:F1:45:F7:8D server=dhcp1
add address=dhcp client-id=1:0:18:dd:7:41:2d disabled=yes mac-address=\
00:18:DD:07:41:2D server=dhcp1
add address=192.168.1.33 client-id=1:0:18:dd:7:5f:3f mac-address=\
00:18:DD:07:5F:3F server=dhcp1
add address=192.168.1.3 client-id=1:b4:2e:99:cd:32:9d mac-address=\
B4:2E:99:CD:32:9D server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall address-list
add address=192.168.1.2 list=adminaccess
add address=192.168.1.3 list=adminaccess
add address=192.168.1.32 list=adminaccess
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=adminaccess
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="COD TCP 3074" dst-port=3074 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD TCP 27014-27050" dst-port=\
27014-27050 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 3074" dst-port=3074 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 3478" dst-port=3478 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 4379-4380" dst-port=\
4379-4380 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27000-27031" dst-port=\
27000-27031 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="COD UDP 27036" dst-port=27036 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 1119" dst-port=1119 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 3724" dst-port=3724 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW TCP 6012" dst-port=6012 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 1119" dst-port=1119 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 3724" dst-port=3724 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="WOW UDP 6012" dst-port=6012 \
in-interface=ether1 protocol=udp to-addresses=192.168.1.2
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-ip=192.168.1.1 interface=ether1 type=external
/system clock
set time-zone-name=America/New_York
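A small checker for the slips this thread turns up, written here as an added example (not code from the thread, from MikroTik or from either poster): it parses a RouterOS `/export` like the ones posted above and flags a LAN address placed on a bridge member port instead of the bridge, a forward chain that never reaches a catch-all drop while the input chain carries "drop all else" twice, a dst-nat rule whose to-ports merely repeats its dst-port, and a dst-nat rule whose comment says TCP while it matches protocol=udp. The export it runs on is a constructed sample shaped like the posted ones; the finding names and the `/interface bridge port` lookup are my own choices, not RouterOS features.

```python
"""Lint a RouterOS /export for the mistakes discussed in this thread.

Added example, not code from the thread, MikroTik or the posters. Assumes
only the RouterOS 6.x export shape shown above (backslash line continuation).
"""
import re
import shlex

# Constructed sample (not the poster's real export) with four planted issues.
SAMPLE_EXPORT = r"""
# constructed sample export
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop all else"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="COD TCP 3074" dst-port=3074 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.2 to-ports=3074
add action=dst-nat chain=dstnat comment="COD TCP 27014-27050" dst-port=\
    27014-27050 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
"""

# Keys a "drop everything else" rule may carry without being a matcher.
CATCH_ALL_KEYS = {"action", "chain", "comment", "log", "log-prefix"}


def parse_export(text):
    """Return a list of (section, verb, {key: value}) tuples from an export."""
    joined = re.sub(r"\\\n[ \t]*", "", text)  # glue continuation lines
    section, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps comment="..." as one token
        params = dict(tok.partition("=")[::2] for tok in tokens[1:])
        items.append((section, tokens[0], params))
    return items


def is_catch_all_drop(rule):
    """A drop rule with no matchers, i.e. a chain's final 'drop all else'."""
    return rule.get("action") == "drop" and set(rule) <= CATCH_ALL_KEYS


def lint(items):
    """Return 'code: detail' findings for a parsed export."""
    findings = []
    bridge_ports = {p["interface"] for s, v, p in items
                    if s == "/interface bridge port" and v == "add"}
    # The router's LAN address belongs on the bridge, not on a member port.
    for s, v, p in items:
        if s == "/ip address" and p.get("interface") in bridge_ports:
            findings.append(f"ip-address-on-bridge-port: {p.get('address')} is on "
                            f"{p['interface']}, a bridge port; put it on the bridge")
    # Each chain wants one catch-all drop; two in input usually means the
    # forward chain's drop was pasted with the wrong chain=.
    drops = {"input": 0, "forward": 0}
    for s, v, p in items:
        if s == "/ip firewall filter" and is_catch_all_drop(p) and p.get("chain") in drops:
            drops[p["chain"]] += 1
    if drops["forward"] == 0:
        findings.append("forward-chain-no-final-drop: forward never drops unmatched traffic")
    if drops["input"] > 1:
        findings.append(f"input-chain-duplicate-drop: {drops['input']} catch-all drops "
                        "in input; one is probably meant for chain=forward")
    # dst-nat housekeeping: redundant to-ports and comment/protocol disagreement.
    for s, v, p in items:
        if s != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        label = p.get("comment", "(no comment)")
        if p.get("to-ports") and p["to-ports"] == p.get("dst-port"):
            findings.append(f"redundant-to-ports: {label}: to-ports equals dst-port")
        m = re.search(r"\b(tcp|udp)\b", label, re.I)
        if m and p.get("protocol") and m.group(1).lower() != p["protocol"].lower():
            findings.append(f"comment-protocol-mismatch: {label}: comment says "
                            f"{m.group(1).upper()} but protocol={p['protocol']}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a real `/export hide-sensitive` file by replacing `SAMPLE_EXPORT` with the file's contents; an export that follows the default-config layout anav recommends produces no findings.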
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 2:00 am

What's next? The servers still are not connecting so far.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Wed Dec 02, 2020 2:51 am

HI there,
The only thing I see really wrong is this one......

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

That should be bridge not ether2.

Can you confirm that you are able to reach the internet?

Also you still do not have any port forwarding to your servers,,,,,,,,,, they all point to one IP, which is not your 192.168.31.1
Perhaps I should have asked more directly what the heck is on 192.168.1.2 ??

By the way I have adult gamers in this house and they play all sorts of games, no ports forwarded and no UPNP.
They do not run servers however.

Also, are you expecting yourself and your kids to access the servers within the house? If so are you simply using the LANIP of the servers??
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 3:37 am

I am able to reach the internet from all devices currently.

192.168.1.2 is the pc I use to game on. The forwarded ports are for Call of Duty, and World of Warcraft (example: https://portforward.com/call-of-duty-modern-warfare). This is why there are ports forwarded to this device.

The Emby server is a media server that is accessible from all devices on the network. I also use this device for network storage as well. So, any of my computers or kids' computers use it to store pictures, videos, etc.

I did just reinstall the OS on the TNAS, as it was acting up, and it seems to have resolved that issue. It's now allowing my Emby server to reach outside the network. I have NO idea what the actual cause of the issue was. It never did that on previous routers. But at least it's resolved, hopefully.

From my understanding, without the upnp, it makes for delay and even blocked connections for games that are going out to the internet. This may not be noticeable in slower paced games, but in competitive fast paced ones, it can make or break the game play. I noticed a big difference on previous routers before and after I set up the port forwarding.

I appreciate all the help so far. This one was really bugging me.

I'm going to try my stream out here in a bit and see if the frame drop is still happening. If it is, I'll probably have some more questions on what to do for that.

I stream using a 2 pc set up. The other pc is on 192.168.1.3, and it uses OBS to stream my game to facebook. I really hope that this issue is resolved as well. We will see.
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 3:38 am

HI there,
The only thing I see really wrong is this one......

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
Oh, also, what should I do about this? The interface should be 'bridge'? Or does the bridge get assigned to ether2 by default when the system bridges all LAN ports together?
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 5:18 am

Just tried some things out. My Xbox Live chat is now not working, and it's displaying as moderate and blocked. It was working fine prior to the changes made tonight.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Wed Dec 02, 2020 5:48 am

Remember that we set this rule
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

In other words there is nothing blocking your streaming to the internet, so it should simply work.
If it doesn't work then it's something wrong on the device itself (PC or application).

Also port forwarding all those ports to your computer is most bizarre for a modern game.
Typically if you start the game you are the one initiating the connection and thus all returning related traffic should be allowed back through and there should be no need to open ports as that negotiation should be done transparently within the program.

Also be aware that since you forward all those ports to your PC, they are unavailable for any other PCs on the network.

The setting must be to the bridge, ether2 is not the DHCP server and all the other ether ports belong to the bridge, not ether2.......................... it's logical lol !!

I just confirmed with my adults, that COD and WOW work fine for them and they use PCs.
I cannot vouch for Xboxes and PlayStations etc, that's a different kettle of fish...........


My settings......... which have no ports forwarded for games and my UPNP is off.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
    AdminAccess src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=\
    new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    NTPserver
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE HomeLAN  to WAN" \
    in-interface=Home-LAN_V11 log-prefix="ALLOWED LAN 2 WAN TRAFFIC" \
    out-interface-list=WAN
add action=accept chain=forward comment="allow VLANS  to WAN " \
    in-interface-list=VLANSwInt out-interface-list=WAN
add action=accept chain=forward comment=VlanUsers_TO_Printer \
    dst-address-list=House_Printers in-interface-list=LAN log-prefix=\
    "ALLOWED MSTUDY TRAFFIC" src-address-list=AccessToPrinters
add action=accept chain=forward comment=\
    "Allow Port Forwarding -  DSTNAT" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log-prefix="FORWARD DROP ALL"

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN - FibreOP" \
    ipsec-policy=out,none out-interface=vlanbell
add action=masquerade chain=srcnat comment="SCR_NAT for LAN - Cable" \
    ipsec-policy=out,none out-interface=Eastlink_eth7
......
[attachment: upnp.JPG]
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 4011 affecting outbound services

Wed Dec 02, 2020 6:34 am

Searching around,.......
Things to try....................
(1) I just tested with my son's XboxOne, tested NAT and it said moderate, then only enabled DST NAT to the XboxOne IP for both protocols TCP and UDP destination port 3074, now NAT says Open.

(2) Is this solved? I myself got a headache with this, being a certified MK consultant with years of experience I was starting to doubt my abilities. What solved for me was a simple rule. The big problem with this thing is that Microsoft doesn't show on its support page the correct ports to be redirected. All it needed was port 56102 UDP, and that can be customized on the Xbox itself by going to network advanced settings.

Here is the rule that I created on my RB and it's working. If your case isn't solved yet I hope this comes in a good way for you.

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses='IP-XBOX' to-ports=56102 \
    protocol=udp dst-address='IP-WAN' dst-port=56102 log=no log-prefix=""


+++++++++++++++++++++++++++

(3) Another thing: for UPnP, a service on the router, to work you need to create an input rule for port 1900 UDP
add chain=input action=accept in-interface-list=LAN dst-port=1900 protocol=udp

upnp settings: external interface = your WANIP , internal interface = 192.168.1.2
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 8:38 am

Thanks for the reply. I'll get on this tomorrow morning after I get up and let you know what happens. It's bedtime for me for the evening. Thank you again.
 
Moba
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 2:48 pm

I don't have time to go through all the thread this morning, but you seem to be fixing issues you don't have. Opening ports doesn't speed up anything for games - it lets you host matches on your client and it isn't required to play (listen servers). That's what the NAT type says. Adding any unnecessary rule actually slows the router, because rules equal CPU time and CPU time equals latency on any computer. And bad configs also cause other major headaches.

For COD, time sensitive game state packets use 3074. That's it. All those other connections are there for other features (chat, stats, validating the client, etc.). Streaming uses another port. For security reasons, you shouldn't open ports unless you're hosting a server. Please note that listen servers were the worst idea in online gaming ever: They are bad for performance and security. The default settings will give you a moderate NAT type unless your ISP forces you to use a firewall on their end.

Follow anav's advice and simplify your config as much as possible. If you have specific issues with a default config, post them and someone will help you fix them.
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 6:56 pm

I won't have time to really get into this until later in the afternoon (only have a few minutes to post this), but have you ever played a game like COD on a moderate NAT type? It's horrendous. It's nothing compared to the open NAT type, which is achieved through the port forwarding. So you are saying that this is useless, but yet the gaming community/industry has been recommending it for a while now. You're saying it's useless, but myself, and every person I know that has played on a moderate vs open NAT type, can claim the better experience?

Activision's own words-
If you are experiencing connectivity issues, it may have been suggested that you forward or open ports, set port forwarding, or change your NAT type. This guide explains the basics of port forwarding first party ports and information on NAT types and provides troubleshooting to help improve your connection.

What are ports, and what is port forwarding?

Ports are simply virtual pipelines that allow computers and devices to communicate and send information back and forth on the Internet. See more about ports used for Call of Duty games.

Port forwarding – or creating a port forward – is a common process in gaming that makes your gaming console or PC more accessible to other gaming consoles or PCs on the Internet. Port forwarding can improve connection speed, lobby wait times, and overall gameplay, particularly for a host.

What about NAT?

NAT (Network Address Translation) is a networking concept that allows your router to share a single IP (Internet Protocol) address across multiple devices on your network. Instead of your ISP (Internet Service Provider) assigning an IP address to every device that connects to the Internet, NAT allows your ISP to assign a single IP address to your router. The router then manages a set of IP addresses for all devices on your home network.

There are three main NAT types depending on your platform: Open, Moderate, and Strict on Microsoft or PC, and Type 1, Type 2, and Type 3 on Sony. Moderate/Type 2 and Strict/Type 3 NAT types limit the connections your gaming console or PC can make to other gaming consoles or PCs. For example, Moderate/Type 2 NATs can only connect with gaming consoles or PCs using Moderate/Type 2 or Open/Type 1 NAT, and Strict/Type 3 NATs can only connect with gaming consoles or PCs using Open/Type 1 NAT. Ultimately, an Open/Type 1 NAT will provide the best connection quality.
I appreciate you guys helping me out, but you're also telling me things that don't line up with what most competitive gamers have dealt with. It's one thing to play a game online, it's another to play a competitive fast-paced game, where every microsecond counts...

I'm not stating these things to argue with you, but because you are giving me information that is contrary to everything I have been shown so far. This doesn't mean I am saying you are wrong, it means that I need you to help me understand why what I have been shown is incorrect. I'm very willing to learn, but I have to make sure that you guys have a concept of gaming to complement your knowledge in security and other networking issues, because they don't always go hand in hand.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Wed Dec 02, 2020 7:53 pm

Did you try the items I found on other posts...........?

Suggest you use a different consumer style router at the end of the day if nothing works..........

Oh and by the way, the player at my house behind the MT with no special settings will kick your as in WOW or COD.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 8:40 pm

Maybe totally unrelated, don't be mad at me, but once I had to set up another router on my LAN which would act as a gateway.

Then I setup static route in my main Mikrotik router, so if device is accessing <some_network>, route through that gateway on the LAN. Else - route as usual to the WAN.

Turned out there was some random loss of packets and service just did not work properly. What I had to do is to enable bridge firewall in bridge settings. It fixed issue completely. Maybe it's a bug with Mikrotik, maybe it's just how it works, but it fixed it. I have no rules in bridge firewall/nat, just simple bridge and ports in it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Wed Dec 02, 2020 9:03 pm

What I was suggesting is a consumer router connected to the modem with a LAN port to the gaming computer for the OP and then another LAN port to the MikroTik for all other traffic (double NAT scenario but liveable).
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 10:30 pm

Did you try the items I found on other posts...........?

Suggest you use a different consumer style router at the end of the day if nothing works..........

Oh and by the way, the player at my house behind the MT with no special settings will kick your as in WOW or COD.

Not yet, will be able to mess with it here in about an hour and a half.

Let your player know the arena is open whenever he or she is ready lol :D
 
ZachH83
newbie
Topic Author
Posts: 45
Joined: Mon Nov 30, 2020 10:22 pm

Re: 4011 affecting outbound services

Wed Dec 02, 2020 11:41 pm

Searching around,.......
Things to try....................
(1) I just tested with my son's XboxOne, tested NAT and it said moderate, then only enabled DST NAT to the XboxOne IP for both protocols TCP and UDP destination port 3074, now NAT says Open.

(2) Is this solved? I myself got a headache with this, being a certified MK consultant with years of experience I was starting to doubt my abilities. What solved for me was a simple rule. The big problem with this thing is that Microsoft doesn't show on its support page the correct ports to be redirected. All it needed was port 56102 UDP, and that can be customized on the Xbox itself by going to network advanced settings.

Here is the rule that I created on my RB and it's working. If your case isn't solved yet I hope this comes in a good way for you.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses='IP-XBOX' to-ports=56102 \
    protocol=udp dst-address='IP-WAN' dst-port=56102 log=no log-prefix=""


+++++++++++++++++++++++++++

(3) Another thing: for UPnP (a service on the router) to work, you need to create an input rule for port 1900 UDP:
/ip firewall filter
add chain=input action=accept in-interface-list=LAN dst-port=1900 protocol=udp

upnp settings: external interface = your WANIP , internal interface = 192.168.1.2

1. 3074 is one of the original ports that I had forwarded. I tried a slow reentry process, starting with the base config you gave me. -> NAT type Moderate in COD. I then added filters recommended from another page for PF games. -> NAT type Moderate in COD. I then added the NAT rules again. -> NAT type Open in COD. So the result was the same as his experience.

2. 56102 is an xbox specific port, since I'm on pc, it won't apply. The xbox console companion I was referring to is a software that runs on the pc, and allows you to join xbox live parties with people on xbox for voice chat.

3. I set this up, before adding the NAT rules, and it still showed as moderate, so it didn't seem to open up the NAT.


As far as a consumer router, I actually bought this MikroTik to replace the Nighthawk AX12 I had gotten. The firmware in that thing was atrocious and I was having to reset it on a daily basis. May have just been a defective product, but I only had it for 5 months, and for $521, I'd expected a lot less headache. I did have a D-Link DIR-855L, and that thing was phenomenal, had it for years, and then one day it stopped remembering my settings. I would go in and set it up again, and a day later it was needing it again... shame, really liked it... Anywho, I am trying to set this 4011 up so that I don't need a 2nd router.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Thu Dec 03, 2020 1:25 am

Understood but I am all out of ideas :-(

Did you try the UPNP on with the service permitted in the input chain??
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Thu Dec 03, 2020 2:25 am

I used to play UT long before consoles were a thing and I ran quite a few servers back then, including home servers for my kids and their friends. I was also around when the Xbox came out and they added listen servers for MW2 on PC. But what do I know... you should listen to the gaming community that also believes RGB on devices equals better performance.

The only reason for NAT types is to host games. It's a crappy design to save money on dedicated servers. A DMZ or port forwarding doesn't speed up packets. The connectivity issues are from client hosting games where NAT type matters and is not speed related at all (NAT types are clearly explained by Activision). Recent COD games use dedicated servers on PC for each region. Game state data goes through them and, as an example, DumaOS uses that data to optimize latency on their routers.

If you are sure that listen servers are used and limiting your match options, get a gaming router and enable UPnP. The packets will not move any faster...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Thu Dec 03, 2020 2:29 am

I think what Moba is saying is that if you are playing online, all routers should work well because there are no problems simply using client software on MODERN games.
If you decide to run your own server for other people to use, then it will not be as good and why would you do it anyway. No one does that anymore.
You get on discord and join a group and play games online together............. on professionally run gaming servers.
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Thu Dec 03, 2020 3:10 pm

When listen servers are used on clients, you may have issues connecting to other players, as they will to you, depending on your NAT type. So you could get lag or wait a long time to connect. It's possible that listen servers are still used on consoles for CW or MW - I don't have an Xbox to check. If I did, it would be isolated from everything else on my network.

ROS takes effort and is not for everyone. My son, who now plays on console, uses a router from Best Buy because when he gets home from work, he just wants to play with his friends, not learn about security, routing, iptables or anything else that uses a CLI. There's a right tool for every job.
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Thu Dec 03, 2020 6:03 pm

I always like to check things myself before giving a final answer...

It is a simple two step process in ROS: one NAT rule for the client and one firewall rule for the client.

Proof it works on my 4011:

https://ibb.co/D8B5DVq

And like I explained already, it does not reduce latency or change anything else because COD uses dedicated servers on PC. However, it might make me feel good because I have the "best" NAT type according to Activision. Regardless, opening ports to the WAN on a home network is generally a terrible idea.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Thu Dec 03, 2020 10:10 pm

Hi Moba,
Do you mean the standard firewall rule allowing destination NAT in general, and one specific destination nat rule for the client PC (as though it were a server) via port 3074 (both tcp/udp)?
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Fri Dec 04, 2020 12:20 am

Yes, a destination rule opening only udp port 3074 in the firewall's forward chain for the client's IP (obviously made static) and a corresponding destination NAT rule so the client can act like a server. Game state traffic in COD (and other latency sensitive games) only uses udp. That's the connection that is visible and active when you monitor the client's connections while playing.

As you can realize, by doing this, everyone outside your LAN can connect through that port to the client. Personally, I do not trust MS or game devs enough to give them access to my network. It's like giving them a key to your house. Who knows who could steal that key and abuse it? When Activision, in all their great wisdom, started using listen servers, hacked clients were rampant on PC and Xbox.

Anyway, all the other ports are for game features and shouldn't need to be forwarded nor prioritized with QoS. If port 56102 is really required, the solution has already been posted in a thread you replied to earlier this year.
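The two rules Moba describes (one dst-nat rule and one forward-chain accept for a single client and a single UDP port), written out as an added RouterOS example; this is not Moba's or the thread's own configuration. It assumes a constructed client address 192.168.1.50 and MAC, the WAN/LAN interface lists from the export earlier in the thread, a DHCP server named dhcp, and a dynamic WAN address.

```routeros
# Added example, not from this thread's posts. Constructed assumptions: the
# gaming PC is 192.168.1.50 with MAC 02:00:00:00:00:50, interface lists WAN
# and LAN exist, the DHCP server is named "dhcp", and the WAN address is
# dynamic, so the NAT rule matches dst-address-type=local instead of a
# hard-coded public IP.

# Pin the client's address so both rules keep pointing at the same host.
/ip dhcp-server lease
add address=192.168.1.50 mac-address=02:00:00:00:00:50 server=dhcp \
    comment="gaming PC (constructed MAC)"

# Rule 1: translate only UDP 3074 arriving from the Internet to that client.
# Nothing else on the WAN side is touched.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address-type=local \
    protocol=udp dst-port=3074 to-addresses=192.168.1.50 to-ports=3074 \
    comment="COD game state: UDP 3074 -> gaming PC"

/ip firewall filter
# Visibility first: log each new inbound connection that hits the exposed
# port, so the exposure Moba describes is measurable rather than assumed.
# (log passes the packet on to the next rule.)
add chain=forward action=log log-prefix="cod-3074" connection-state=new \
    in-interface-list=WAN protocol=udp dst-address=192.168.1.50 dst-port=3074

# Rule 2: accept only that translated flow. It matches the post-NAT
# destination, so it must sit above any rule that drops new connections
# from WAN (e.g. the default "drop all from WAN not DSTNATed" rule).
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=WAN protocol=udp dst-address=192.168.1.50 dst-port=3074 \
    comment="allow only the forwarded COD port to the gaming PC"
```

Check the result with `/ip firewall nat print stats` and `/log print where message~"cod-3074"`: the accept counter should move only for UDP/3074 to the one host, and the log shows which external addresses are actually reaching the client through the opened port.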
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Fri Dec 04, 2020 5:31 pm

I'll add that using UPnP on a secure router defeats its purpose. Might as well use that crap from Best Buy, hence my recommendation.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Fri Dec 04, 2020 7:55 pm

I understand about uPNP but trying to see, for testing purposes, if it fixed anything, of which i doubt it would.
If it did then perhaps it would give clues to how to solve this by other means.
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Fri Dec 04, 2020 11:31 pm

You're a patient person. I have few solutions when port forwarding magically speeds up packets on a router on the authority of a gaming company.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Sat Dec 05, 2020 5:33 am

ROS is so configurable, it seems crazy that a good gaming experience cannot be had. However if the device limitations or game itself is the issue, then our job here is done LOL.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: 4011 affecting outbound services

Sat Dec 05, 2020 9:30 pm

I understand about uPNP but trying to see, for testing purposes, if it fixed anything, of which i doubt it would.
If it did then perhaps it would give clues to how to solve this by other means.

Nonsense, absolute nonsense. When properly done UPnP can be used without any worry ... I have many very secure gaming systems in use all of which use UPnP ... NEVER a problem.

From a Tik perspective:
Isolate gaming in its own subnet or vlan and make sure the subnet/vlan is isolated [blocked] from any other internal network
only permit specific devices access to UPNP services

That is how it’s done.
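mozerd's two points (a separate gaming subnet/VLAN blocked from the other internal networks, and UPnP reachable only from specific devices) as an added RouterOS example; this is not mozerd's configuration. It assumes a constructed VLAN 20 on bridge1 with 192.168.20.0/24, the main LAN on 192.168.1.0/24, WAN on ether1, and one approved UPnP requester, a console at 192.168.20.10.

```routeros
# Added example, not mozerd's own setup. Constructed assumptions: VLAN 20
# "gaming" on bridge1 (192.168.20.0/24), main LAN 192.168.1.0/24, WAN on
# ether1, and a single approved UPnP client at 192.168.20.10. The default
# masquerade rule (out-interface-list=WAN) already covers the new subnet.

/interface vlan
add name=vlan20-gaming interface=bridge1 vlan-id=20
/ip address
add address=192.168.20.1/24 interface=vlan20-gaming

# UPnP is bound to the gaming VLAN only; it never listens on the main LAN.
/ip upnp
set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces
add interface=ether1 type=external
add interface=vlan20-gaming type=internal

# The only devices allowed to ask the router for port mappings.
/ip firewall address-list
add list=upnp-clients address=192.168.20.10 comment="console (constructed)"

/ip firewall filter
# Router-bound: SSDP discovery (UDP 1900) and the control port (TCP 2828,
# the UPnP service port RouterOS documents) only from approved devices;
# everything else on the gaming VLAN is refused.
add chain=input action=accept in-interface=vlan20-gaming protocol=udp \
    dst-port=1900 src-address-list=upnp-clients comment="UPnP SSDP: approved"
add chain=input action=accept in-interface=vlan20-gaming protocol=tcp \
    dst-port=2828 src-address-list=upnp-clients comment="UPnP control: approved"
add chain=input action=drop in-interface=vlan20-gaming protocol=udp \
    dst-port=1900 comment="UPnP SSDP: everything else on gaming VLAN"
add chain=input action=drop in-interface=vlan20-gaming protocol=tcp \
    dst-port=2828 comment="UPnP control: everything else on gaming VLAN"

# Through traffic: the gaming VLAN reaches the Internet but neither side can
# open connections to the other internal network. connection-state=new keeps
# replies to already-accepted flows unaffected, whatever the rule order.
add chain=forward action=drop connection-state=new in-interface=vlan20-gaming \
    dst-address=192.168.1.0/24 comment="gaming VLAN -> home LAN blocked"
add chain=forward action=drop connection-state=new out-interface=vlan20-gaming \
    src-address=192.168.1.0/24 comment="home LAN -> gaming VLAN blocked"
```

`/ip upnp interfaces print` and `/ip firewall nat print where dynamic` show which mappings UPnP has actually created, and they should only ever name 192.168.20.10.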
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Sun Dec 06, 2020 12:24 am

Why do you need to isolate it if it's safe ? And while you may know how to limit gaming clients, most novice users don't. All those vulnerabilities security researchers found must have been fake news...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 4:50 am

Hi Mozerd, concur that you are making the rest of the network safe from the 'gaming' computers which are made vulnerable. As long as those computers are never used on the home network later,,,,,,,,,,
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 2:25 pm

Hi Mozerd, concur that you are making the rest of the network safe from the 'gaming' computers which are made vulnerable. As long as those computers are never used on the home network later,,,,,,,,,,

Gaming consoles are never allowed to communicate with other parts of the network. Computers that are also used for gaming in networks my org configures and maintains have NEVER demonstrated any rogue activity over the past 15 years and there are 'many' in play. UPnP is safe as long as one uses good security practices along with common sense.

Yes there are lots of careless people [families] ... I am ABSOLUTELY amazed by the number of MOAB MikroTik users I have communicated with that have no security disciplines [awareness] in place from the get go -- just a wild west approach configuring their Tiks

Many of my org's users also have Synology NASs that rely on UPnP which can be accessed by all subnets/vlans for backups and streaming .... done properly never an issue. Key point is who and how and staying on top with effective maintenance.

Many if not all IoT devices use UPnP ... and that is a very big business today ... 50% of my org's current workload is installing security cameras +++ tied to my networks.
Last edited by mozerd on Sun Dec 06, 2020 2:41 pm, edited 1 time in total.
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Sun Dec 06, 2020 2:41 pm

To be fair, modern consoles are now more or less completely locked down for economic reasons. Gaming computers on the other hand are not. Any competitive game means cheats installed long before titles hit retail. Rogue code and UPnP is a winning combination on any network.

Your business experience selling security, while relevant for your customers, can't be used as an argument about home security in general, since most PC gamers aren't your clients. And when you isolate gaming clients for security reasons, just as I would, you prove my point. Out of the hundreds of computer users in my extended family, about 5 have heard of Synology and the few that have security systems installed hired consultants to do so.

Can UPnP be used securely, sure. That wasn't my point in this thread at all. The OP wanted to forward ports to improve the speed of his gaming client.
Last edited by Moba on Sun Dec 06, 2020 3:18 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 2:58 pm

My point is that modern software should encompass all the negotiation needed back and forth to opening ports and NOT rely upon client port forwarding ports or UPNP etc..........
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 3:10 pm

My point is that modern software should encompass all the negotiation needed back and forth to opening ports and NOT rely upon client port forwarding ports or UPNP etc..........

Some AI engines when incorporated into apps and exploited will do that but AI has a very long way to go .... maybe in 5 years. Netgear is using AI very effectively in their Orbi line of routers. AI adds a tremendous amount of resource requirements and that is only going to get MUCH bigger. Orbi is not inexpensive but they are selling like hot cakes.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 3:15 pm

Well there's the issue right there. MT has no clue on what's going on in the consumer wifi market. They are stuck in the cheapo (hate to be rude) European head in the sand consumers, where a new product there is first generation AC and all my relatives think the N router is the best thing since sliced bread. No wonder they are five years behind.
The rest of the world has moved on significantly. My advice is to stop pretending to be able to encompass consumer wifi or actually put resources into it.
 
Moba
Member Candidate
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: 4011 affecting outbound services

Sun Dec 06, 2020 3:50 pm

All three of us are privileged to be living in a country where social policies have steadily increased disposable income for families in the last 50 years. MT has a big presence in countries that are not so lucky and where tech in general is not as accessible.

I have no practical need for all the new smart connected devices sold for home use, so for me, MT works ok. If I wanted cutting edge, I'd look elsewhere. I have tried many consumer products over the years and we use products from a big MT competitor at work: they all have their own issues. Until I get devices that support 802.11ax, I have no need for it. I have a new AC86 sitting on my desk that I used for testing, but never use myself. The new AX models should be even better for their intended market.

I agree that it would be nice if more money was spent adding new features, but fixing existing issues should also be a priority. Other companies that offer low cost gear are quick to add features every year, but drop support for older hardware and never fix bugs. The age of cheap disposable electronics will have to end eventually and prices will have to increase accordingly. How that will affect MT remains to be seen.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 4011 affecting outbound services

Sun Dec 06, 2020 8:22 pm

Hi Moba, thanks for the sobering post and concur.