mommish

Opening ports

Mon Mar 01, 2021 7:17 pm

Hello.

I have recently set up our new RB4011 to replace our old Cisco, with the same settings as the old one.

In this network we have 12 UniFi access points, and now I can't see them in the AP controller, although they are online and working.

I also cannot connect with Google Remote Desktop.

So I checked which ports UniFi and Google Remote Desktop use and tried to open them, with no success.

Is there something in the default firewall rules I must add?

I opened the ports in IP → Firewall → NAT (dstnat chain) and used the local gateway IP as the destination.

I checked several guides and did the same.
 
anav

Re: Opening ports

Mon Mar 01, 2021 8:42 pm

Post your config and draw a network diagram

/export hide-sensitive file=anynameyouwish
 
mommish

Re: Opening ports

Mon Mar 01, 2021 11:42 pm

Post your config and draw a network diagram

/export hide-sensitive file=anynameyouwish
# mar/01/2021 22:52:00 by RouterOS 6.47.9
# software id = V50M-CHT9
#
# model = RB4011iGS+
# serial number = D4480DA9DB22
# NOTE(review): "/export hide-sensitive" still prints the software id and the
# serial number (the lines above); redact them before posting an export
# publicly.
# Placeholders: "wanip", "wandns" and "iphex" below are not RouterOS values;
# they appear to be manual redactions made for the post.
/interface bridge
# Single LAN bridge with a pinned MAC (auto-mac=no) so the bridge address does
# not change when port membership changes.
add admin-mac=08:55:31:6D:1B:27 auto-mac=no comment=defconf name=bridge
/interface ethernet
# Every copper port also advertises 10000M-full; presumably ignored on 1G
# ports -- TODO confirm, otherwise trim the list to what each port supports.
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface ethernet switch port
# default-vlan-id=0 on every switch port: no VLANs are configured anywhere in
# this export, so the whole LAN is one flat segment.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Default WAN/LAN lists; membership is assigned under "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default export line for the built-in wireless security profile; no wireless
# interface is configured anywhere in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 43 for UniFi "inform" discovery. The value as posted ends in
# "iphex", which reads as a placeholder: the real value is 0x0104 followed by
# the controller's IPv4 address as eight hex digits -- confirm the running
# config holds the real value.
add code=43 name=unifi value=0x0104iphex
/ip pool
# Pool spans both halves of the /23 and stops at .1.239, leaving
# .1.240-.1.253 free for static hosts and .1.254 for the router.
add name=dhcp ranges=192.168.0.1-192.168.1.239
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
# The WAN uplink is still a (disabled) bridge member. Even disabled it is a
# leftover that should be removed: the uplink must not be part of the LAN
# bridge.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
# ether1 is a bridge member here, yet "/ip address" below binds the LAN
# address to ether1 rather than to "bridge". RouterOS marks an address on a
# bridge slave port invalid; the address belongs on the bridge interface.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
# Discovery (MNDP/CDP/LLDP) runs on all interfaces, including the WAN uplink,
# so the router announces its identity and addresses upstream. The default
# configuration uses the LAN list; restrict it to that.
set discover-interface-list=all
/interface list member
# The bridge is LAN and the uplink is WAN -- but the uplink is also a bridge
# port above, so it sits on both sides of the WAN/LAN boundary.
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
# LAN gateway address bound to ether1, which is a bridge slave port (see
# "/interface bridge port"); bind it to interface=bridge instead so it is
# valid and reachable from every LAN port.
add address=192.168.1.254/23 comment=defconf interface=ether1 network=\
192.168.0.0
# "wanip" is a manual redaction made for the post, not a RouterOS value.
add address=wanip interface=sfp-sfpplus1 network=wanip
/ip cloud
set update-time=no
/ip dhcp-client
# WAN address is obtained by DHCP on the uplink.
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
# Clients get the router as first resolver plus 8.8.8.8, and option 43
# ("unifi") for controller discovery.
add address=192.168.0.0/23 comment=defconf dhcp-option=unifi dns-server=\
192.168.1.254,8.8.8.8 gateway=192.168.1.254 netmask=23
/ip dns
# The router resolves for anything that can reach its input chain. Only the
# "drop all not coming from LAN" filter rule keeps this off the internet; keep
# that rule in place or this becomes an open resolver.
set allow-remote-requests=yes servers=wandns,wandns
/ip dns static
add address=192.168.1.254 comment=defconf name=router.lan
/ip firewall address-list
# Neither list is referenced by any filter or NAT rule in this export. "admin"
# holds the (redacted) WAN address and "internet" holds the last pool address
# 192.168.1.239; both are dead entries until a rule uses them.
add address=wan list=admin
add address=192.168.1.239 list=internet
/ip firewall filter
# The default "drop invalid" on input is DISABLED here, so invalid-state
# packets from the LAN reach the router services; re-enable it.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This is the only rule protecting router services (DNS, www-ssl, Winbox,
# SSH, ...) from the WAN. WAN traffic that the dstnat rules redirect to
# 192.168.1.254 (the router itself) lands in this chain and is dropped here,
# which is why those "port openings" have no visible effect.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack only applies to established/related traffic, so new connections
# still pass through the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from the WAN are forwarded only when a dstnat rule matched.
# Since every dstnat rule in this export targets the router's own address,
# nothing is ever forwarded from the WAN to a LAN host.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): every rule below sends traffic to 192.168.1.254, which is the
# router's own LAN address ("/ip address"), not the host running the UniFi
# controller. WAN traffic is therefore redirected to the router itself and
# then dropped by the input-chain "drop all not coming from LAN" rule, so none
# of it reaches a controller. to-addresses must be the controller host's LAN
# address.
# Also: tcp/22 (SSH) and tcp/8291 (Winbox, further below) are router
# management ports, and udp/22 / udp/80 carry no SSH or HTTP. Forwarding
# management ports from the WAN is a risk even once to-addresses is fixed;
# keep the list to the controller ports only.
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3478 \
protocol=udp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5514 \
protocol=udp to-addresses=192.168.1.254 to-ports=5514
# connection-type="" appears to be an empty matcher with no effect; harmless,
# but it can be removed.
add action=dst-nat chain=dstnat connection-type="" dst-address=wanip \
dst-port=8080 protocol=tcp to-addresses=192.168.1.254 to-ports=8080
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8443 \
protocol=tcp to-addresses=192.168.1.254 to-ports=8443
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8880 \
protocol=tcp to-addresses=192.168.1.254 to-ports=8880
add action=dst-nat chain=dstnat dst-address=wanip dst-port=8843 \
protocol=tcp to-addresses=192.168.1.254 to-ports=8843
add action=dst-nat chain=dstnat dst-address=wanip dst-port=6789 \
protocol=tcp to-addresses=192.168.1.254 to-ports=6789
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5656-5699 \
protocol=udp to-addresses=192.168.1.254 to-ports=5656-5699
add action=dst-nat chain=dstnat dst-address=wanip dst-port=27117 \
protocol=tcp to-addresses=192.168.1.254 to-ports=27117
add action=dst-nat chain=dstnat dst-address=wanip dst-port=1001 \
protocol=udp to-addresses=192.168.1.254 to-ports=1001
add action=dst-nat chain=dstnat dst-address=wanip dst-port=1900 \
protocol=udp to-addresses=192.168.1.254 to-ports=1900
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443 \
protocol=tcp to-addresses=192.168.1.254 to-ports=443
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5222 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5222
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5223 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5223
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5269 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5269
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5280 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5280
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5281 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5281
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5298 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat dst-address=wanip dst-port=5298 \
protocol=udp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3478 \
protocol=tcp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat dst-address=wanip dst-port=19302 \
protocol=udp to-addresses=192.168.1.254 to-ports=19302
add action=dst-nat chain=dstnat dst-address=wanip dst-port=19305 \
protocol=udp to-addresses=192.168.1.254 to-ports=19305
add action=dst-nat chain=dstnat dst-address=wanip dst-port=10001 \
protocol=udp to-addresses=192.168.1.254 to-ports=10001
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 \
protocol=tcp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 \
protocol=udp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=22 \
protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=wanip dst-port=22 \
protocol=udp to-addresses=192.168.1.254 to-ports=22
# The next seven rules rewrite LAN traffic addressed to the router's own
# address out to the WAN address. They break LAN access to the router on
# these ports and have no forwarding purpose; remove them.
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=3478 \
protocol=udp to-addresses=wanip to-ports=3478
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=5514 \
protocol=udp to-addresses=wanip to-ports=5514
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8080 \
protocol=tcp to-addresses=wanip to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8443 \
protocol=tcp to-addresses=wanip to-ports=8443
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8880 \
protocol=tcp to-addresses=wanip to-ports=8880
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8843 \
protocol=tcp to-addresses=wanip to-ports=8843
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=6789 \
protocol=tcp to-addresses=wanip to-ports=6789
# No dst-address and no in-interface: matches any connection to tcp/8291 seen
# by dstnat, from either side, and sends it to the router's Winbox port. From
# the WAN it is stopped only by the input-chain drop; remove this rule and
# keep Winbox LAN-only.
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=\
192.168.1.254 to-ports=8291
# Same unrestricted match for udp/10001 (UniFi discovery), redirected to the
# WAN address: LAN discovery traffic on 10001 is sent out the uplink instead
# of to the controller. Remove.
add action=dst-nat chain=dstnat dst-port=10001 protocol=udp to-addresses=\
wanip to-ports=10001
/ip route
# Default route via the (redacted) WAN gateway.
add distance=1 gateway=wanip
/ip service
# HTTPS management enabled with a certificate named "root-cert" (the name
# suggests a self-signed root -- confirm). The other services are not listed,
# so they presumably keep their defaults, i.e. enabled and not address-
# restricted; the input-chain drop is the only thing keeping them off the WAN.
# Disable the unused ones and set address=192.168.0.0/23 on the rest as a
# second layer.
set www-ssl certificate=root-cert disabled=no
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
# MAC-telnet and MAC-Winbox answer only on LAN-list interfaces (good).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mommish

Re: Opening ports

Tue Mar 02, 2021 12:32 am

Another issue is that I used to use Google Remote Desktop to access the server PC from home, but now it is very slow and laggy through the MikroTik router.
 
anav

Re: Opening ports

Tue Mar 02, 2021 3:05 am

I would say your config is non-standard or you don't know what you are doing.

(1) Is there any reason why your DHCP client is part of the bridge??
(2) This is compounded because now sfpplus is both a member of the LAN (via the bridge) and the WAN (Interface list members).
(3) Why would you set all the ethernet ports to belong to the bridge, and correctly assign the bridge as the interface for ip dhcp-server AND THEN
go and put ether1 as the interface for the IP address of the subnet ?????????????
(4) These rules make no sense to me and I would get rid of them.
The central problem is dst-address=192.168.1.254 and to-addresses=wanip
.....
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=3478 \
protocol=udp to-addresses=wanip to-ports=3478
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=5514 \
protocol=udp to-addresses=wanip to-ports=5514
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8080 \
protocol=tcp to-addresses=wanip to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8443 \
protocol=tcp to-addresses=wanip to-ports=8443
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8880 \
protocol=tcp to-addresses=wanip to-ports=8880
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8843 \
protocol=tcp to-addresses=wanip to-ports=8843
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=6789 \
protocol=tcp to-addresses=wanip to-ports=6789
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=\ (NO DEST ADDRESS??)
192.168.1.254 to-ports=8291
add action=dst-nat chain=dstnat dst-port=10001 protocol=udp to-addresses=\ (NO DEST ADDRESS???)
wanip to-ports=10001
(5) The dst nat rules prior to that can be simplified.

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,1001,1900,3478,5298,5514,5556-5699,10001,19302,19305
protocol=udp to-addresses=192.168.1.254

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,443,3478,5222,5269,5280,5281,5298,6789,8080,8443,8843,8880,27117,
protocol=tcp to-addresses=192.168.1.254
 
mommish

Re: Opening ports

Tue Mar 02, 2021 9:37 am

I would say your config is non-standard or you don't know what you are doing.

(1) Is there any reason why your DHCP client is part of the bridge??
(2) This is compounded because now sfpplus is both a member of the LAN (via the bridge) and the WAN (Interface list members).
(3) Why would you set all the ethernet ports to belong to the bridge, and correctly assign the bridge as the interface for ip dhcp-server AND THEN
go and put ether1 as the interface for the IP address of the subnet ?????????????
(4) These rules make no sense to me and I would get rid of them.
The central problem is dst-address=192.168.1.254 and to-addresses=wanip
.....
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=3478 \
protocol=udp to-addresses=wanip to-ports=3478
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=5514 \
protocol=udp to-addresses=wanip to-ports=5514
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8080 \
protocol=tcp to-addresses=wanip to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8443 \
protocol=tcp to-addresses=wanip to-ports=8443
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8880 \
protocol=tcp to-addresses=wanip to-ports=8880
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=8843 \
protocol=tcp to-addresses=wanip to-ports=8843
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=6789 \
protocol=tcp to-addresses=wanip to-ports=6789
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=\ (NO DEST ADDRESS??)
192.168.1.254 to-ports=8291
add action=dst-nat chain=dstnat dst-port=10001 protocol=udp to-addresses=\ (NO DEST ADDRESS???)
wanip to-ports=10001
(5) The dst nat rules prior to that can be simplified.

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,1001,1900,3478,5298,5514,5556-5699,10001,19302,19305
protocol=udp to-addresses=192.168.1.254

add action=dst-nat chain=dstnat dst-address=wanip dst-port=22,80,443,3478,5222,5269,5280,5281,5298,6789,8080,8443,8843,8880,27117,
protocol=tcp to-addresses=192.168.1.254
Hello, these were defaults, but they were not enabled; I removed them anyway.
 
mommish

Re: Opening ports

Tue Mar 02, 2021 11:05 am

Finally!

The DHCP client and WAN on the bridge were disabled, but somehow after I removed them it now works fine! Thank you very much.
 
anav

Re: Opening ports

Tue Mar 02, 2021 2:28 pm

Glad it's working, but nothing about your setup was default, so you must have got the router from someone else or made many changes.
