wezzy
just joined
Topic Author
Posts: 2
Joined: Sun May 16, 2021 4:08 pm

Port forward issues

Sun May 16, 2021 4:32 pm

Hi,

So I've been sitting with RouterOS for about a day now, so I've a lot to learn.
I've set up the initial settings. Internet works and so on.
But... I cannot get the forwarding rules to work. I've been looking at videos and I have read instructions, manual and examples. To my knowledge it should work, but it does not.
Oh and of course it worked fine on my old home router.

I have set up NAT rules and I've set up firewall rules. Then I use my cellphone (disconnected from the wifi) for testing the access.

My goal is to set up access to my Synology NAS on port 5001 for external access.

I also found something a bit strange which is more to do with how my ISP works, I guess. I get an address on my MikroTik WAN port in the range 100.x.y.z but if I look at myip for example it reports a public address which is in the range of 155.4.xx.yy. Is that something I need to set up to make it work?

I've set it up as follows:
# may/16/2021 15:23:30 by RouterOS 6.48.2
# software id = 3VDA-B7BE
#
# model = RB3011UiAS
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=08:xxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN-port
/interface vlan
add interface=ether6 name=vlan2 vlan-id=30
/interface ethernet switch port
set 5 default-vlan-id=30 vlan-header=add-if-missing vlan-mode=check
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.xx.xx.1-10.xx.yy.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp disabled=no interface=ether6 name=VLAN2_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6 pvid=30
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf disabled=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN-port list=WAN
add comment="LAN VLAN2" interface=ether6 list=LAN
/ip address
add address=10.xx.yy.1/24 comment=defconf interface=bridge network=10.xx.yy.0
/ip dhcp-client
add comment=defconf disabled=no interface=WAN-port
/ip dhcp-server network
add address=10.xx.yy.0/24 comment=defconf gateway=10.xx.yy.1 netmask=24
add address=10.xx.yz.2/32 comment="vlan2 dhcp"
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.xx.yy.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.xx.yy.120 list=NAS
add address=155.xx.yy.225 list=EXTERNAL-IP
/ip firewall filter
add action=accept chain=forward disabled=yes log=yes port=5001 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked log=yes
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="NAS log in" disabled=yes dst-port=\
    5000-5001 in-interface=WAN-port log=yes protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=5000-5001 in-interface=\
    WAN-port protocol=tcp to-addresses=10.xx.yy.120 to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=5000-5001 in-interface=WAN-port log=\
    yes protocol=udp to-addresses=10.xx.yy.120 to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN-port log=yes \
    protocol=tcp to-addresses=10.xx.yy.120 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN-port protocol=\
    tcp to-addresses=10.xx.yy.120 to-ports=443
/ip smb
set domain=HOME
/lcd interface
set sfp1 disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=MikroTik_Galaxy
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set watch-address=10.xx.yy.120
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=10.xx.yy.120
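
An added example, not part of the original post: the export's filter rule "Accept all that is DST NATed" admits every new connection that matched a dst-nat rule, so this sketch parses the NAT section and lists forwarded ports beyond the stated goal of TCP 5001. The function names are hypothetical; the embedded text is the NAT section copied from the export above with its redactions.

```python
import re, shlex

# /ip firewall nat section copied from the export in the post above
# (addresses are redacted exactly as on the page).
EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=5000-5001 in-interface=\
    WAN-port protocol=tcp to-addresses=10.xx.yy.120 to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=5000-5001 in-interface=WAN-port log=\
    yes protocol=udp to-addresses=10.xx.yy.120 to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN-port log=yes \
    protocol=tcp to-addresses=10.xx.yy.120 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN-port protocol=\
    tcp to-addresses=10.xx.yy.120 to-ports=443
/ip smb
set domain=HOME
'''

def dstnat_rules(text):
    # The export wraps long lines with a trailing backslash; undo that first.
    text = re.sub(r"\\\n\s*", "", text)
    section, rules = None, []
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif section == "/ip firewall nat" and line.startswith("add "):
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if props.get("action") == "dst-nat":
                rules.append(props)
    return rules

def unintended(text, wanted):
    # (protocol, port) pairs that are forwarded but not in the wanted set.
    exposed = set()
    for r in dstnat_rules(text):
        for item in r.get("dst-port", "1-65535").split(","):  # no dst-port = all ports
            lo, _, hi = item.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                exposed.add((r.get("protocol", "any"), port))
    return sorted(exposed - wanted)

# The post states one goal: the NAS on TCP 5001.
for proto, port in unintended(EXPORT, {("tcp", 5001)}):
    print(f"forwarded but not required: {proto}/{port}")
```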
 
wezzy
just joined
Topic Author
Posts: 2
Joined: Sun May 16, 2021 4:08 pm

Re: Port forward issues  [SOLVED]

Mon May 17, 2021 6:55 pm

Hi,

So I figured it out.
It was no issue with the settings on RouterOS; it was rather an issue with my ISP.
I had a public IP but it was attached to the MAC address of my old router.
So then I requested them to connect it to the MAC address of port1 on the MikroTik.
After this it started to work like before. I can use my domain name and connect to my NAS from outside again.

Anyway, thank you to those of you who took the time and read through my initial request.
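
An added example, not part of the original posts: a check for the symptom described in this thread, where the WAN port holds a 100.x.y.z address while an external lookup reports a different public address. It assumes the two addresses are read by hand (from the router and from a "what is my IP" service); the function name, verdict labels and sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that are never directly reachable from the internet.
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, carrier-grade NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "ISP translates upstream; dst-nat on the router is never reached "
             "until the ISP assigns a public address to this router.",
    "double-nat": "Another NAT device sits in front of the router; forward "
                  "there too or put that device in bridge mode.",
    "direct": "WAN address is the public address; dst-nat rules can be reached.",
    "mismatch": "WAN address is public but traffic leaves from another one; "
                "ask the ISP which address inbound connections arrive on.",
}

def diagnose(wan_addr, seen_from_outside):
    """Classify why an inbound port forward may or may not be reachable."""
    wan = ipaddress.ip_address(wan_addr)
    seen = ipaddress.ip_address(seen_from_outside)
    if wan in SHARED_CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    return "direct" if wan == seen else "mismatch"

# Constructed sample addresses. Not every 100.x.y.z address is shared
# space: only 100.64.0.0 through 100.127.255.255 is.
for wan, seen in [("100.72.10.5", "203.0.113.7"),
                  ("100.20.1.1", "203.0.113.7"),
                  ("192.168.1.2", "203.0.113.7"),
                  ("203.0.113.7", "203.0.113.7")]:
    verdict = diagnose(wan, seen)
    print(f"{wan:>12} vs {seen}: {verdict}: {ADVICE[verdict]}")
```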
