stevemobs
just joined
Topic Author
Posts: 1
Joined: Sun Feb 21, 2021 5:43 am

Port Forwarding

Sun Feb 21, 2021 5:51 am

Bought my first Mikrotik Router Hex S a couple days ago and I cannot get port forwarding to work at all. I have watched all the YouTube videos and they each do it a little differently. I have an Unraid server running on 192.168.50.29. In there is a docker container called Nginx proxy manager. I am trying to forward port 80 to port 180 on the docker container and port 443 to 1443 on the docker container. I have changed the Mikrotik Webfig port number to something other than 80, and 443 is currently disabled. I have set up the DSTNAT forwarding rules under nat and have also created the firewall forwarding rules as well. For DST address I am putting the public ip of my router/internet. My internet is coming into my router on ethernet 1. I cannot figure out what simple thing I am missing.

I am using the default configuration and haven't changed much besides trying to set up port forwarding.
Thanks for the help



[admin@MikroTik] > /export 
# feb/20/2021 21:45:16 by RouterOS 6.48.1
# software id = U07L-4D89
#
# model = RB760iGS
# serial number = E1F20D0999FB
/interface bridge
add admin-mac=08:55:31:64:45:6A auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.50.2 client-id=1:4:d9:f5:c2:4d:e0 mac-address=04:D9:F5:C2:4D:E0 server=defconf
add address=192.168.50.50 mac-address=1C:FE:2B:AC:CA:60 server=defconf
add address=192.168.50.51 client-id=1:c4:d6:55:40:f4:f7 mac-address=C4:D6:55:40:F4:F7 server=defconf
add address=192.168.50.52 client-id=1:d0:52:a8:54:10:3a mac-address=D0:52:A8:54:10:3A server=defconf
add address=192.168.50.54 mac-address=C4:95:00:7F:43:95 server=defconf
add address=192.168.50.11 client-id=1:0:e0:4c:1:f:20 mac-address=00:E0:4C:01:0F:20 server=defconf
add address=192.168.50.53 client-id=1:34:af:b3:58:ee:d9 mac-address=34:AF:B3:58:EE:D9 server=defconf
add address=192.168.50.22 client-id=1:48:b0:2d:1:2f:ad mac-address=48:B0:2D:01:2F:AD server=defconf
add address=192.168.50.21 mac-address=F8:54:B8:22:D4:CA server=defconf
add address=192.168.50.20 client-id=1:ac:bc:32:67:65:62 mac-address=AC:BC:32:67:65:62 server=defconf
add address=192.168.50.12 client-id=1:7a:e2:2a:10:a7:64 mac-address=7A:E2:2A:10:A7:64 server=defconf
add address=192.168.50.23 client-id=1:48:b0:2d:4:df:3d mac-address=48:B0:2D:04:DF:3D server=defconf
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.50.30
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward dst-address=192.168.50.29 dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="Port forwarding for Plex\
\n" dst-address=192.168.50.29 dst-port=32400 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=443 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=80 in-interface=ether1 protocol=udp
add action=accept chain=forward dst-address=192.168.50.29 dst-port=5001 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 80\
\n" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=180
add action=dst-nat chain=dstnat comment="Port forwarding for Plex" dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=32400
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 80" dst-port=80 in-interface=ether1 protocol=udp to-addresses=192.168.50.29 to-ports=180
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 443" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=1443
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 443" dst-port=443 in-interface=ether1 protocol=udp to-addresses=192.168.50.29 to-ports=1443
add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=5001
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=udp to-addresses=192.168.50.29 to-ports=51820
/ip service
set www port=8080
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
k6ccc
Long time Member
Posts: 643
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Port Forwarding

Sun Feb 21, 2021 8:15 am

Two of your code segments. The first is your DST NAT rules. I am going to assume that the first one (the port 80 TCP) is really like the port 80 UDP, but got mangled in the export and paste. Assuming that is true, those rules are fine.
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 80\
\n" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=180
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 80" dst-port=80 in-interface=ether1 protocol=udp to-addresses=192.168.50.29 to-ports=180
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 443" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.50.29 to-ports=1443
add action=dst-nat chain=dstnat comment="NGINX Proxy Port Forwarding 443" dst-port=443 in-interface=ether1 protocol=udp to-addresses=192.168.50.29 to-ports=1443

However, here is your issue. Your accept rules are for the original ports (80 and 443) instead of the forward destination ports (180 and 1443).
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=443 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="NGNIX Proxy firewall rule" dst-address=192.168.50.29 dst-port=80 in-interface=ether1 protocol=udp

Your other option is a generic accept for anything that has been DST-NATted:
add action=accept chain=forward comment="Accept all that is DST NATed" connection-nat-state=dstnat connection-state=new
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
anav
Forum Guru
Posts: 6190
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Sun Feb 21, 2021 2:11 pm

K6ccc, I made the same config type errors as many will do coming from other routers to MT.
In most routers one makes two complete lists of rules for port forwarding and firewall rules.
Not so in the MT world.
One firewall rule is required for port forwarding and the heavy lifting is all done on the dst nat rules.
So the op only needs that last rule you provided for firewall rules.

The rest depends on correctly configured dst nat rules.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
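The point both replies above make (k6ccc: the forward accept rules were keyed on ports 80/443 even though the packet reaching the forward chain already carries 180/1443; anav: a single accept for DST-NATted connections is all the filter chain needs) comes down to evaluation order: RouterOS runs the dstnat chain before the forward filter chain, so filter rules see the translated destination. The script below is an added illustration written for this thread, not RouterOS code or anything from MikroTik. It models that order with a tiny rule matcher, transcribes the thread's dst-nat and forward rules into it, and reports which forward rule a WAN packet ends up matching under the three rule sets discussed. The `Packet`/`Rule` types, the `trace` helper and the sample public address 203.0.113.10 are this example's own constructions.

```python
"""Toy model of RouterOS applying dstnat before the forward filter chain.

Added illustration, not RouterOS code. Rule sets are transcribed from the
thread's export; the Packet/Rule types and helpers are this example's own.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Interface-list membership from the thread's export.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str
    dst_address: str
    dst_port: int
    connection_state: str = "new"
    connection_nat_state: Optional[str] = None  # becomes "dstnat" after translation


@dataclass(frozen=True)
class Rule:
    action: str
    match: dict                       # field -> wanted value; "!x" negates
    comment: str = ""
    to_address: Optional[str] = None  # dst-nat targets only
    to_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every matcher on the rule agrees with the packet."""
    for key, want in rule.match.items():
        if key == "in_interface_list":
            have = next((name for name, members in INTERFACE_LISTS.items()
                         if pkt.in_interface in members), None)
        else:
            have = getattr(pkt, key)
        if isinstance(want, str) and want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True


def run_dstnat(rules, pkt: Packet) -> Packet:
    """First matching dst-nat rule rewrites the destination and marks the connection."""
    for r in rules:
        if r.action == "dst-nat" and matches(r, pkt):
            return replace(pkt, dst_address=r.to_address, dst_port=r.to_port,
                           connection_nat_state="dstnat")
    return pkt


def first_forward_match(rules, pkt: Packet) -> Optional[str]:
    """Comment of the first forward rule that matches, or None if the chain falls through."""
    for r in rules:
        if matches(r, pkt):
            return r.comment
    return None


def trace(dstnat_rules, forward_rules, pkt: Packet):
    """dstnat first, then forward: return (translated packet, matched forward rule)."""
    translated = run_dstnat(dstnat_rules, pkt)
    return translated, first_forward_match(forward_rules, translated)


DSTNAT = [
    Rule("dst-nat", {"in_interface": "ether1", "protocol": "tcp", "dst_port": 80},
         "NGINX Proxy Port Forwarding 80", "192.168.50.29", 180),
    Rule("dst-nat", {"in_interface": "ether1", "protocol": "tcp", "dst_port": 443},
         "NGINX Proxy Port Forwarding 443", "192.168.50.29", 1443),
]

DROP_NOT_DSTNAT = Rule("drop", {"connection_nat_state": "!dstnat", "connection_state": "new",
                                "in_interface_list": "WAN"},
                       "defconf: drop all from WAN not DSTNATed")


def accept_to_proxy(port: int) -> Rule:
    return Rule("accept", {"dst_address": "192.168.50.29", "dst_port": port,
                           "in_interface": "ether1", "protocol": "tcp"},
                f"NGNIX Proxy firewall rule {port}")


# As posted: accept rules keyed on the pre-translation ports.
FORWARD_AS_POSTED = [accept_to_proxy(80), accept_to_proxy(443), DROP_NOT_DSTNAT]
# Fix 1 (k6ccc): key the accept rules on the translated ports.
FORWARD_FIXED_PORTS = [accept_to_proxy(180), accept_to_proxy(1443), DROP_NOT_DSTNAT]
# Fix 2 (k6ccc/anav): one generic accept for anything the dstnat chain claimed.
FORWARD_GENERIC = [
    Rule("accept", {"connection_nat_state": "dstnat", "connection_state": "new"},
         "Accept all that is DST NATed"),
    DROP_NOT_DSTNAT,
]

# Constructed sample packets from a TEST-NET public address.
WAN_HTTP = Packet("ether1", "tcp", "203.0.113.10", 80)
WAN_SSH = Packet("ether1", "tcp", "203.0.113.10", 22)

if __name__ == "__main__":
    for label, fwd in [("as posted", FORWARD_AS_POSTED), ("fixed ports", FORWARD_FIXED_PORTS),
                       ("generic dstnat accept", FORWARD_GENERIC)]:
        pkt, hit = trace(DSTNAT, fwd, WAN_HTTP)
        print(f"{label}: forward sees {pkt.dst_address}:{pkt.dst_port}, matched {hit!r}")
    print("unsolicited ssh:", trace(DSTNAT, FORWARD_GENERIC, WAN_SSH)[1])
```

Running it shows the forward chain receiving 192.168.50.29:180 for the port-80 packet, so the as-posted accept rule for port 80 never fires and the chain falls through, while the port-180 rule or the generic `connection-nat-state=dstnat` accept does fire; the unsolicited port-22 packet, never DST-NATted, is the one the defconf drop rule catches. That last case is why the generic accept is safe to keep near the top of the chain: it only ever admits connections that a dst-nat rule has already explicitly claimed.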
k6ccc
Long time Member
Posts: 643
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Port Forwarding

Mon Feb 22, 2021 12:26 am

Both methods work. The one accept all DST-NATted is certainly the easy route, but I wanted him to know why his rules did not work right - in other words, he might learn something. The other part is that there are times where you have a need to either not use the one accept rule, or to not use it for certain packets. Similar reason to having some rules before the "normal" accept all established and related connections.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
anav
Forum Guru
Posts: 6190
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Mon Feb 22, 2021 12:37 am

True dat. More so, I thought, is the fact that port forwarding is really just one example of what dstnat rules can do.
They can be used anywhere, but I am not comfortable using them within LANs, for example; not sure what I would be doing LOL
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!