Community discussions

MikroTik App
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Forwarding Minecraft server

Wed Feb 17, 2021 9:12 pm

Hy everyone, been working with Mikrotiks for some time now and finally set up one at home so i could learn more. I have set up port forwarding for RDP and it works fine. I just copied that and added a new one fore minecraft only changing the ports to 25565 and it just wont work. I see requests coming in the log but neither the minecraft client or websites like www.yougetsignal.com/tools/open-ports/ and mcsrvstat.us/server/ dont see my minecraft server.
Btw im using Winbox as it seems more easier than terminal commands for me for now but i can do terminal.
I got a NAT rute as follows:
Chain: dstnat
Protocol: 6 tcp
Dst Port: 25565
In interface: pppoe-out
Action: dst-nat
To addr: 10.20.0.10

Exact same setup for RDP but does not work for minecraft
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 2:44 pm

/export hide-sensitive file=anynameyouwish

Please post your config....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 7:18 pm

Export attached
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 7:30 pm

/ip address
add address=10.20.0.1/24 comment=defconf interface=ether2 network=10.20.0.0

should be
/ip address
add address=10.20.0.1/24 comment=defconf interface=bridge network=10.20.0.0

You are missing input rules so your router is not protected from the internet??
Unplug it from the internet and add these rules immediately!!! We can modify them a bit better later but these work.
copy and paste!!!

ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 (if not using capsman this rule can be removed)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN

The rest of the rules seem fine, assuming you meant to do port translation on RDP, coming in to router as 3399 and then translated so the server sees 3389
Last edited by anav on Thu Feb 18, 2021 7:34 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 7:42 pm

Okay added the rules.. Did not know i needed them :/

Anyways... Yes because i have seen viruses enter networks via RDP port specifically 3389 so changing it to 3399 seems "more" secure.
MC server just goes from 25565 to 25565

EDIT: I did notice A LOT of login attempts yesterday so disabled all services except for winbox
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 9:40 pm

Okay added the rules.. Did not know i needed them :/

Anyways... Yes because i have seen viruses enter networks via RDP port specifically 3389 so changing it to 3399 seems "more" secure.
MC server just goes from 25565 to 25565

EDIT: I did notice A LOT of login attempts yesterday so disabled all services except for winbox
I would be tempted to netinstall a clean version of the OS (use long term version 6.47.9 I think) onto your router before using again to ensure things are clean.
Minecraft server should be the least of your worries at this point. :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 10:00 pm

While I am aware of the risks of someone entering my network from the outside, I am also confident that nothing out of the ordinary has happened on my network since its only my PC, phone and TV that's on it.
If you wish you could explain to me the Firewall rules you said i needed to apply to secure it since i thought that disabeling all services except for winbox and making my password secure i should be okay.
Note that when i said i noticed a lot of logins i ment i noticed like 50ish in the span of a few hours (after i woke up) and i decided to remove ssh, telnet and such to prevent this.
Also now i disabled the built in admin account, added my own with a 32 character long unique password and only allowing logins from my pc (using my PC's IP address).

Now i just want to know why my port forwarding is not working and what can I do to fix it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:28 pm

Sure, no worries, I would do the netinstall thing regardless.
Yes you need both input chain and forward chain firewall rules.

In any case, did you make the rest of the changes noted?? (ie the bridge IP address)?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:29 pm

I probably will do a full reinstall after i figure out why mc is not working and what all the filter rules mean :)

Yes i did change it to bridge
Last edited by mike6715b on Thu Feb 18, 2021 11:30 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:30 pm

Would tidy this up for sure....... the ones in red should be removed.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=WAN
add list=WAN

add interface=pppoe-out list=WAN

Can you clarify if its EXTERNAL users that cannot reach or your server?
If by chance you mean internal users on the LAN, are they attempting to connect via the servers LANIP or the routers WANIP (loopback)?
Last edited by anav on Thu Feb 18, 2021 11:31 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:31 pm

Would tidy this up for sure....... the ones in red should be removed.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=WAN
add list=WAN

add interface=pppoe-out list=WAN
Okay they are removed...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:33 pm

Can you clarify if its EXTERNAL users that cannot reach or your server?
If by chance you mean internal users on the LAN, are they attempting to connect via the servers LANIP or the routers WANIP (loopback)?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:33 pm

I have Cloudflare setup for my domain that updates with my public IP (since it changes every 24h). Local connection works. Outside connections used to work but after i added the mikrotik as my main router (ISP's router in bridge-mode) i wasen't able to connect anymore.

So its the EXTERNAL peoples who can NOT connect
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server  [SOLVED]

Thu Feb 18, 2021 11:43 pm

So the issue is not necessarily the config.............
Can you confirm that the client WANIP your router gets, is the same that cloudfare is reporting and is the same that is the MT cloud IP??

In other words, there is only ONE PUBLIC IP associated with your account??

I am assuming yes because RDP port forwarding seems to work just fine, which would logically tell one your firewall rules and destination nat rules are fine.
Then, I would only suspect that the Minecraft Server or PC its residing on are the issue.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:46 pm

Yes... Cloudflare has the same IP as my WAN and Mikrotik Cloud IP.
I know i used to be able to check via https://mcsrvstat.us/ if the server is working since it queries on the same port (port 25565) but its not working. Also port checker tools like https://www.yougetsignal.com/tools/open-ports/ also report open port for RDP but not for minecraft
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:50 pm

Just saw your updated question... After disabling windows firewall the server is visible... Seems after connecting to my Mikrotik my PC changed my network type to Public not Private...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:53 pm

No worries, it was a logical conclusion based on the info provided. If RDP was on the same PC wouldnt the firewall have blocked that as well??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Thu Feb 18, 2021 11:54 pm

I never thought it was my firewall since I added a custom rule that accepts port 25565 on all networks...

Anyways.. I will mark your post as the solution, but could you elaborate more on those filter rules you said are required to make my router secure?
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Fri Feb 19, 2021 12:00 am

No worries, it was a logical conclusion based on the info provided. If RDP was on the same PC wouldnt the firewall have blocked that as well??
That's why i didn't assume it wasn't my PC since RDP worked and I had a rule setup for port 25565 allowing it on all network types :/
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Fri Feb 19, 2021 12:00 am

I never thought it was my firewall since I added a custom rule that accepts port 25565 on all networks...

Anyways.. I will mark your post as the solution, but could you elaborate more on those filter rules you said are required to make my router secure?
Sure post your latest config assuming you made some changes so I can work from that............
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Fri Feb 19, 2021 12:04 am

Latest export included
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Fri Feb 19, 2021 12:22 am

Looks good!
The default rules are excellent in that a user can plug in the router and safely work right away.
However they can be refined.
You may have noticed that the default rules are setup with a design that says, EVERYTHING IS ALLOWED, unless we deny it.
So it relies on the user to know which things to deny.
It does this with really broad hammer by these two rules.

{input chain}
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

{forward chain}
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"not DSTNATed"


Both use the ! symbol which means everything but not the following which is actually a tricky rule that can have unintended consequences in a config.
They are safely used here but are often more difficult to understand as its like a double negative when talking.
So I dont like these rules because they are not as straightforward as possible. In the case of the forward chain the rule is dual hatted, another thing I dont like (KISS), it stop traffic general but is also the rule that allows port forwarding.

So the subtle change is to turn the firewall rules to a different design, that is to BLOCK ALL TRAFFIC, and only have allow rules for traffic the admin wants to permit.
Since I certainly am not aware of all the things possible, this is the safest approach for me.
Easily accomplished by adding a drop all rule at the end of both chains. In the input chain one needs to do this after adding an allow rule for the admin to access the route.
SO, the default rules which you basically have now then look like this......

{input chain}
ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Router-ACCESS only for ADMIN" in-interface=Bridge
source-address-list=AdminAccess (note)

add action=accept chain=input comment="Allow access to router dns services for all users" in-interface=LAN\
dest-port=53 protocol=tcp connection-state=new
add action=accept chain=input comment="Allow access to router dns services for all users" in-interface=LAN\
dest-port=53 protocol=udp connection-state=new

add action=drop chain=input comment=Drop

We add an allow rule, on the interface that the admin uses, in your case bridge, and is narrowed down to a list of IP addresses you enter
(ip static of desktop, laptop, smartphone, ipad etc.......). No one else needs full access to the router itself.
note: this list is made up in the firewall address list.
If you dont have this rule in place first and you add a drop rule at the end you will lock yourself out of the router LOL.
We then add rules to allow users that require services from the router, these are normally only DNS, sometimes people provide NTP to devices on the LAN.

Next lets look at the changes to the forward chain.
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Internet Access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding"\
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

add action=drop chain=forward comment=Drop


Here we added an allow rule for lan to wan traffic
We added an allow port forwarding rule.
Dropped everything else.

If we had vlans for example, the drop rule would ensure that at layer 3 they would not talk to each other.
If you had a shared printer on different subnets, one would make an allow rule for subnetA, to access shared printer on subnet B.
If you wanted the admin on vlan A, to be able to access other vlans, you would make such a rule.

So basically this construct allows the admin to more clearly config as to what is permissible.

As an aside for port forwarding, if you can its best to get a defined list of external users, their public IP addresses and put this in a firewall address list.
Then add the list to the destination nat rule..........as follows......
add action=dst-nat chain=dstnat comment="mike6715b - MC" dst-port=25565 \
in-interface=pppoe-out log=yes log-prefix=mc-server protocol=tcp \
to-addresses=10.20.0.10 source-address-list=allowed_users

You have pointed out that the ports are visible on scans but appear as closed.
If you add a source address list to the dstnat rules, the ports are NOT visible on scans at all.
Also I should point out that if the dst ports are the same as to ports, you dont need to enter the to-ports at all, and that is why they are not shown above.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mike6715b
just joined
Topic Author
Posts: 17
Joined: Wed Feb 17, 2021 9:07 pm

Re: Forwarding Minecraft server

Fri Feb 19, 2021 12:47 am

Correct me if im wrong...
The input chain is for stuff going to the router it self like Winbox and ssh-ing into the router.
Forward chain is stuff just passing through the router like RDP witch needs to get to my PC.

I disabled the admin account and added my own account and set login from allowed-addresses to my PC's address.

From what I gather... Filter rules just go down the list and cross references the connection with the filter rules until it finds the rule that applies to it and applies the actions.
What about the masquerade rule? I know its required to have internet. Is that its only purpose?

It's not really possible for me to create a source-address-list for allowed users since they also have changing IP addresses (right??)

I will be adding the new rules tomorrow (in safe mode so I don't lock myself out since I can see that happening lol) and if all works well keep playing with it and see what more i can do

Thanks for the comprehensive response, I was not expecting it :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forwarding Minecraft server

Fri Feb 19, 2021 1:50 am

Correct,
The input chain is for traffic to/fro the router (Wan to router, router to Wan, lan to router router to lan), the forward chain is for traffic across the router wan to lan, lan to wan, lan to lan.
Yes most people get rid of the admin account in the USERS settings and create their own, that is separate from firewall rules (and any mention I make of admin in firewall rules, replace the word admin in firewall rules by the word mike lol)
The masquerade rule, which is really a type of source-nat rule, primary purpose is to tell the router, hey for outbound traffic that is going out the routing, you as admin have specified, assign it the public IP address of this interface when it heads outbound. Returning traffic will then be natted back to the originating LANIP.

Correct if your users have changing public IP addresses you are screwed, but there is an easy solution!!
But I would say, if someone wants access to your server, tell them to get a free domain name, plenty out there.
Then your source address list would look like
/ip firewall address-list
add address=my.domain.name list=allowedexternalusers
add address=myname.isbetter.org list=allowedexternalusers
add address=myname.is.free list=allowedexternalusers

The MT router will resolve those names and VOILA you have a source address list that works.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!

Who is online

Users browsing this forum: Bing [Bot], mike7, n0i2, sjdurand and 80 guests