wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Need to do Port Forwarding to make server accessible over the internet

Fri May 21, 2021 12:22 pm

My setup: I have 2 internet subscriptions, 2 port switches, 2 servers and the Mikrotik Router. The Internet1 modem connects to a router, then to port 1 of Switch1, and Switch1 connects to ServerA. Internet2 connects to the Mikrotik router. The Mikrotik router connects to Switch1 on another port and to Switch2 on its port 1. Switch2 connects to ServerB.

I am able to do port forwarding in the router of internet1 and my application in ServerA is accessible over the internet - ssh, http, https, etc.

My problem is the server under the Mikrotik router. My port forwarding through IP firewall rules and NAT isn't working. The application on ServerB is running and is accessible when connected within the network, but not accessible through the public IP.

What's wrong with my configuration?

# may/21/2021 17:07:42 by RouterOS 6.45.9
# software id = 662H-04I9
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0CE271C8
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-full,100M-full,1000M-full,5000M-full,10000M-full name="ether1 - 200"
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-full,5000M-full name="ether2 - 100"
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full name=\
    "ether3- LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=philippines mode=\
    station-pseudobridge ssid=MIS_MITHI wireless-protocol=nv2-nstreme-802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.7.30-192.168.7.200
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool3 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool4 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface="ether3- LAN" name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=10.0.0.1/24 interface="ether3- LAN" network=10.0.0.0
add address=119.92.135.194 interface="ether1 - 200" network=119.92.135.194
/ip dhcp-client
add add-default-route=no disabled=no interface="ether1 - 200"
add add-default-route=no disabled=no interface="ether2 - 100"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward disabled=yes dst-port=22 in-interface=\
    "ether1 - 200" protocol=tcp
add action=drop chain=forward disabled=yes dst-port=23 in-interface=\
    "ether1 - 200" protocol=tcp
add action=add-src-to-address-list address-list="PortScan Attackers" \
    address-list-timeout=1d chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="PortScan Attackers" \
    address-list-timeout=1d chain=forward protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list="PortScan Attackers"
add action=accept chain=input connection-state=established,related,new
add action=accept chain=forward connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall mangle
add action=accept chain=prerouting comment=ACCEPT dst-address=192.168.1.0/24 \
    in-interface="ether3- LAN"
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=\
    "ether3- LAN"
add action=mark-connection chain=prerouting comment="INPUT REROUTE" \
    connection-mark=no-mark in-interface="ether1 - 200" new-connection-mark=200 \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface="ether2 - 100" new-connection-mark=100 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC dst-address-type=!local \
    in-interface="ether3- LAN" new-connection-mark=200 passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface="ether3- LAN" new-connection-mark=100 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=ROUTE connection-mark=200 \
    in-interface="ether3- LAN" new-routing-mark=to200 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=100 in-interface=\
    "ether3- LAN" new-routing-mark=to100 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=\
    10.0.0.0/24
add action=masquerade chain=srcnat out-interface="ether1 - 200"
add action=masquerade chain=srcnat out-interface="ether2 - 100"
add action=accept chain=dstnat
add action=dst-nat chain=dstnat dst-address-list="" dst-port=5240 protocol=tcp \
    to-addresses=10.0.0.31 to-ports=5240
add action=dst-nat chain=dstnat dst-address-list="" dst-port=22 protocol=tcp \
    src-address-list="" to-addresses=10.0.0.31 to-ports=22
add action=src-nat chain=srcnat src-address=10.0.0.31 to-addresses=\
    119.92.135.194
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to200
add check-gateway=ping distance=2 gateway=192.168.0.2 routing-mark=to100
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.2
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=DOST10
/tool graphing interface
add
 
erlinden
Forum Guru
Posts: 1957
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Need to do Port Forwarding to make server accessible over the internet

Fri May 21, 2021 12:58 pm

add action=dst-nat chain=dstnat dst-address-list="" dst-port=5240 protocol=tcp \
    to-addresses=10.0.0.31 to-ports=5240
add action=dst-nat chain=dstnat dst-address-list="" dst-port=22 protocol=tcp \
    src-address-list="" to-addresses=10.0.0.31 to-ports=22
You are missing the dst-address-list (or dst-address) part of the port forwarding. This should contain either WAN (dst-address-list) or the interface (dst-address) acting as WAN.

Do you have a static or dynamic IP address on the WAN interface?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need to do Port Forwarding to make server accessible over the internet

Fri May 21, 2021 1:41 pm

What is the purpose of this.......
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool3 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool4 ranges=10.0.0.2-10.0.0.254

What is this config........
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1

Your firewall rules are poor........

Mangling why?
What does this have to do with your network.....
dst-address=192.168.1.0/24 \
dst-address=192.168.0.0/24

In NAT rules:
remove the first dstnat rule that has no definitions....
add action=accept chain=dstnat

As stated, your two dstnat rules are missing information.
Create a firewall address list using IP cloud net name and call it PortF and use dst-address-list of that name.
add action=dst-nat chain=dstnat dst-address-list=PortF dst-port=5240 protocol=tcp \
to-addresses=10.0.0.31 to-ports=5240
add action=dst-nat chain=dstnat dst-address-list=PortF dst-port=22 protocol=tcp \
src-address-list="" to-addresses=10.0.0.31 to-ports=22

However, it's unclear which external WAN IP your server requests will come in on??


This is not required:
add action=src-nat chain=srcnat src-address=10.0.0.31 to-addresses=\
119.92.135.194
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Mon May 24, 2021 9:54 am

erlinden wrote:
add action=dst-nat chain=dstnat dst-address-list="" dst-port=5240 protocol=tcp \
    to-addresses=10.0.0.31 to-ports=5240
add action=dst-nat chain=dstnat dst-address-list="" dst-port=22 protocol=tcp \
    src-address-list="" to-addresses=10.0.0.31 to-ports=22
You are missing the dst-address-list (or dst-address) part of the port forwarding. This should contain either WAN (dst-address-list) or the interface (dst-address) acting as WAN.

Do you have a static or dynamic IP address on the WAN interface?

Yes, I have added it but I'm not sure it had any effect.
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Mon May 24, 2021 10:23 am

anav wrote:
What is the purpose of this.......
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool3 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool4 ranges=10.0.0.2-10.0.0.254

What is this config........
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1

Your firewall rules are poor........

Mangling why?
What does this have to do with your network.....
dst-address=192.168.1.0/24 \
dst-address=192.168.0.0/24

In NAT rules:
remove the first dstnat rule that has no definitions....
add action=accept chain=dstnat

As stated, your two dstnat rules are missing information.
Create a firewall address list using IP cloud net name and call it PortF and use dst-address-list of that name.
add action=dst-nat chain=dstnat dst-address-list=PortF dst-port=5240 protocol=tcp \
to-addresses=10.0.0.31 to-ports=5240
add action=dst-nat chain=dstnat dst-address-list=PortF dst-port=22 protocol=tcp \
src-address-list="" to-addresses=10.0.0.31 to-ports=22

However, it's unclear which external WAN IP your server requests will come in on??


This is not required:
add action=src-nat chain=srcnat src-address=10.0.0.31 to-addresses=\
119.92.135.194

Thank you for the tips, anav.

I deleted the other DHCP pools. I left dhcp_pool4 because it's being used for DHCP server dhcp1 on the interface ether4-LAN.

The dhcp-server network config is there because we have two internet sources/modems. 192.168.1.1 and 192.169.0.2 are their DNS servers respectively.

I'll look into improving my firewall rules.

The mangling is for setting the routes for the failover and load balancing.

In the NAT rules, this seems to have had an effect after I disabled it. Before, I could only access SSH through user@local-ip. Now, I'm able to SSH using user@public-ip.
Also for accessing public-ip:5240 in the browser. Before, I could also access it using local-ip:5240. I am now able to access it using public-ip:5240 BUT only within the network. If I access it from outside, like through mobile data in my phone's browser, the site can't be reached: refused to connect, ERR_CONNECTION_REFUSED.

I added both dst-address using the public-ip and dst-address-list.

I removed the last src NAT rule.

I'm unsure if the other changes had any effect, aside from the first dstnat rule that has no definitions that I disabled. I still can't access the server from outside our network but at least there is progress. Currently, of the 2 internet sources that we have, I am only able to access it from the internet source that the server is under. When I connect to our other network, it's inaccessible.

What else could be preventing my port forwarding NAT rules from working?
Last edited by wjak on Mon May 24, 2021 10:59 am, edited 3 times in total.
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Mon May 24, 2021 10:24 am

This is the new config export
# may/24/2021 15:23:32 by RouterOS 6.45.9
# software id = 662H-04I9
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0CE271C8
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full,5000M-full,10000M-full name="ether1 - 200"
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-full,5000M-full name="ether2 - 100"
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full name="ether3- LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=philippines mode=station-pseudobridge ssid=MIS_MITHI wireless-protocol=\
    nv2-nstreme-802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.7.30-192.168.7.200
add name=dhcp_pool4 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface="ether3- LAN" name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=10.0.0.1/24 interface="ether3- LAN" network=10.0.0.0
add address=119.92.135.194 interface="ether1 - 200" network=119.92.135.194
/ip dhcp-client
add add-default-route=no disabled=no interface="ether1 - 200"
add add-default-route=no disabled=no interface="ether2 - 100"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=119.92.135.194 list=PortF
/ip firewall filter
add action=drop chain=forward disabled=yes dst-port=22 in-interface="ether1 - 200" protocol=tcp
add action=drop chain=forward disabled=yes dst-port=23 in-interface="ether1 - 200" protocol=tcp
add action=add-src-to-address-list address-list="PortScan Attackers" address-list-timeout=1d chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="PortScan Attackers" address-list-timeout=1d chain=forward protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list="PortScan Attackers"
add action=accept chain=input connection-state=established,related,new
add action=accept chain=forward connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall mangle
add action=accept chain=prerouting comment=ACCEPT dst-address=192.168.1.0/24 in-interface="ether3- LAN"
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface="ether3- LAN"
add action=mark-connection chain=prerouting comment="INPUT REROUTE" connection-mark=no-mark in-interface="ether1 - 200" new-connection-mark=200 \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="ether2 - 100" new-connection-mark=100 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC dst-address-type=!local in-interface="ether3- LAN" new-connection-mark=200 passthrough=\
    yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface="ether3- LAN" new-connection-mark=100 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=ROUTE connection-mark=200 in-interface="ether3- LAN" new-routing-mark=to200 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=100 in-interface="ether3- LAN" new-routing-mark=to100 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface="ether1 - 200"
add action=masquerade chain=srcnat out-interface="ether2 - 100"
add action=accept chain=dstnat disabled=yes
add action=dst-nat chain=dstnat dst-address=119.92.135.194 dst-address-list=PortF dst-port=5240 protocol=tcp to-addresses=10.0.0.31 to-ports=\
    5240
add action=dst-nat chain=dstnat dst-address=119.92.135.194 dst-address-list=PortF dst-port=22 protocol=tcp src-address-list="" to-addresses=\
    10.0.0.31 to-ports=22
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to200
add check-gateway=ping distance=2 gateway=192.168.0.2 routing-mark=to100
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.2
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=DOST10
/tool graphing interface
add
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need to do Port Forwarding to make server accessible over the internet

Mon May 24, 2021 1:25 pm

(1) Recommend proper firewall rules.......
Forget the extra crap you have added and stick with the defaults.
If you find you are having issues then slowly start to add 'extra rules'. Most people don't need them.

/ip firewall filter
add action=drop chain=forward disabled=yes dst-port=22 in-interface="ether1 - 200" protocol=tcp
add action=drop chain=forward disabled=yes dst-port=23 in-interface="ether1 - 200" protocol=tcp
add action=add-src-to-address-list address-list="PortScan Attackers" address-list-timeout=1d chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="PortScan Attackers" address-list-timeout=1d chain=forward protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list="PortScan Attackers"
add action=accept chain=input connection-state=established,related,new
add action=accept chain=forward connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat


Put these rules in instead and in a proper order. They do everything you need!
/ip firewall
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

(2) Next, fix your dstnat rules; you have the destination address added twice??
FROM
add action=dst-nat chain=dstnat dst-address=119.92.135.194 dst-address-list=PortF dst-port=5240 protocol=tcp to-addresses=10.0.0.31 to-ports=\
5240
add action=dst-nat chain=dstnat dst-address=119.92.135.194 dst-address-list=PortF dst-port=22 protocol=tcp src-address-list="" to-addresses=\
10.0.0.31 to-ports=22

TO
add action=dst-nat chain=dstnat dst-address=119.92.135.194 protocol=tcp dst-port=22,5240 to-addresses=10.0.0.31

(3) Remove rule that does nothing or nothing good!
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface="ether1 - 200"
add action=masquerade chain=srcnat out-interface="ether2 - 100"
add action=accept chain=dstnat disabled=yes
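
Added example (not code from the thread, from wjak's router, or from MikroTik): a small Python model of RouterOS first-match rule evaluation, replaying the three dstnat rule sets discussed above (erlinden's point about the missing dst-address, and points 1 and 2 here) against constructed sample packets. The forward chain is reduced to the one default rule that decides the outcome, "drop all from WAN not DSTNATed"; the public IP 119.92.135.194 and server 10.0.0.31 come from the thread, every other address is constructed.

```python
"""Toy replay of RouterOS dstnat and forward-filter rule order.

Constructed illustration: first matching rule wins in a chain, an
'accept' in dstnat ends the chain without translating, and a dst-nat
rule with no dst-address matches traffic to ANY destination.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple

PUBLIC_IP = "119.92.135.194"   # WAN address of "ether1 - 200", from the thread
SERVER = "10.0.0.31"           # ServerB, from the thread


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_list: str            # interface list the packet arrived on: "WAN" or "LAN"
    dstnat: bool = False    # connection-nat-state=dstnat once a dst-nat rule fired


@dataclass
class NatRule:
    action: str                                        # "accept" or "dst-nat"
    dst_address: Optional[str] = None                  # None == unset: any destination
    dst_port: Set[int] = field(default_factory=set)    # empty == any port
    to_addresses: Optional[str] = None


def run_dstnat(rules: List[NatRule], pkt: Packet) -> Packet:
    """dstnat chain: the first matching rule decides, later rules never run."""
    for r in rules:
        if r.dst_address is not None and pkt.dst != r.dst_address:
            continue
        if r.dst_port and pkt.dport not in r.dst_port:
            continue
        if r.action == "accept":
            return replace(pkt)                       # accepted untouched: no NAT
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_addresses, dstnat=True)
    return replace(pkt)


def forward_allowed(pkt: Packet) -> bool:
    """Default-config rule 'drop all from WAN not DSTNATed' (new connections)."""
    return not (pkt.in_list == "WAN" and not pkt.dstnat)


def evaluate(rules: List[NatRule], pkt: Packet) -> Tuple[str, bool]:
    """Returns (final destination address, whether the forward chain passes it)."""
    out = run_dstnat(rules, pkt)
    return out.dst, forward_allowed(out)


# The rule sets as they appear in the thread.
ORIGINAL = [
    NatRule("accept"),                                      # catch-all first
    NatRule("dst-nat", dst_port={5240}, to_addresses=SERVER),
    NatRule("dst-nat", dst_port={22}, to_addresses=SERVER),
]
ACCEPT_REMOVED = ORIGINAL[1:]        # accept gone, but still no dst-address
CORRECTED = [NatRule("dst-nat", dst_address=PUBLIC_IP,
                     dst_port={22, 5240}, to_addresses=SERVER)]


# Constructed sample packets (203.0.113.0/24 is documentation address space).
def wan_client_to_5240() -> Packet:
    return Packet("203.0.113.7", PUBLIC_IP, 5240, "WAN")


def wan_client_to_23() -> Packet:
    return Packet("203.0.113.7", PUBLIC_IP, 23, "WAN")


def lan_host_ssh_to_internet() -> Packet:
    return Packet("10.0.0.50", "203.0.113.9", 22, "LAN")


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("accept removed", ACCEPT_REMOVED),
                        ("corrected", CORRECTED)):
        for mk in (wan_client_to_5240, wan_client_to_23, lan_host_ssh_to_internet):
            print(f"{name:15} {mk.__name__:26} -> {evaluate(rules, mk())}")
```

With the accept rule removed but no dst-address, a LAN host's outbound SSH to any internet address is silently redirected to 10.0.0.31; the corrected rule only translates traffic addressed to the router's own public IP, and port 23 from the WAN is dropped because nothing dst-nats it.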
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Tue May 25, 2021 7:01 am

# may/25/2021 11:52:15 by RouterOS 6.45.9
# software id = 662H-04I9
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0CE271C8
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full,5000M-full,10000M-full name="ether1 - 200"
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-full,5000M-full name="ether2 - 100"
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full name="ether3- LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=philippines mode=station-pseudobridge ssid=MIS_MITHI wireless-protocol=\
    nv2-nstreme-802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.7.30-192.168.7.200
add name=dhcp_pool4 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface="ether3- LAN" name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=10.0.0.1/24 interface="ether3- LAN" network=10.0.0.0
add address=119.92.135.194 interface="ether1 - 200" network=119.92.135.194
/ip dhcp-client
add add-default-route=no disabled=no interface="ether1 - 200"
add add-default-route=no disabled=no interface="ether2 - 100"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=119.92.135.194 list=PortF
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment=ACCEPT dst-address=192.168.1.0/24 in-interface="ether3- LAN"
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface="ether3- LAN"
add action=mark-connection chain=prerouting comment="INPUT REROUTE" connection-mark=no-mark in-interface="ether1 - 200" new-connection-mark=200 \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="ether2 - 100" new-connection-mark=100 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC dst-address-type=!local in-interface="ether3- LAN" new-connection-mark=200 passthrough=\
    yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface="ether3- LAN" new-connection-mark=100 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=ROUTE connection-mark=200 in-interface="ether3- LAN" new-routing-mark=to200 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=100 in-interface="ether3- LAN" new-routing-mark=to100 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface="ether1 - 200"
add action=masquerade chain=srcnat out-interface="ether2 - 100"
add action=dst-nat chain=dstnat dst-address=119.92.135.194 dst-port=22,5240 protocol=tcp to-addresses=10.0.0.31
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to200
add check-gateway=ping distance=2 gateway=192.168.0.2 routing-mark=to100
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.2
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=DOST10
/tool graphing interface
add
I made the changes but I still can't access public-ip:5240 from outside our network. I also noticed that when I'm connected to the wifi on the access point under the Mikrotik router, and I ping the public-ip of the other server under our other internet modem, it says "request timed out". Our 2 networks don't see each other.
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Tue May 25, 2021 8:41 am

I also noticed a special dummy rule to show fasttrack counters appearing in the Mangle and Filter Rules.
 
wjak
just joined
Topic Author
Posts: 7
Joined: Fri May 21, 2021 6:28 am

Re: Need to do Port Forwarding to make server accessible over the internet

Tue May 25, 2021 10:21 am

Also noticed that browsing the internet got a bit slow. For example, we are using Slack and the messages aren't loading. Also, our emails don't reach us. I sent an email from my personal Gmail to our office email and it isn't getting received, and Zoom is unable to run using its desktop application. Is this a coincidence from a different issue or from the new firewall rules I added?

Update: I disabled the firewall rules and things got better. Are the firewall rules affecting the internet speeds?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need to do Port Forwarding to make server accessible over the internet

Tue May 25, 2021 1:38 pm

I will have a look at the latest posted config. Improper or improperly implemented firewall rules can have all sorts of effects.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need to do Port Forwarding to make server accessible over the internet

Tue May 25, 2021 1:47 pm

(1) This seems to be a problematic line in the config.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.1.1,192.168.0.2 gateway=10.0.0.1

For NOW change this to
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1

(2) There is nothing wrong with the default firewall rules except you are mangling, and therefore I recommend you disable (red x) this rule, as I believe fasttrack and mangle do not mix.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

as per: https://help.mikrotik.com/docs/display/ ... -FastTrack
(after the example, read the text associated with the Caution symbol (black triangle with exclamation mark); it's backlit with faded yellow)
