luckhermsen
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 4:43 pm

No incoming traffic (Game Ports)

Tue Jul 27, 2021 6:10 pm

Hi everyone,

For some reason I can't get Generals Zero Hour Online to work.
According to various websites the following ports need to be forwarded.
TCP: 6667, 16000, 28910, 29900, 29920
UDP: 4321, 16000, 27900

I have created the following rules:
  0    ;;; defconf: masquerade
      chain=srcnat action=masquerade log=no log-prefix="" ipsec-policy=out,none 
 1 X  ;;; DMZ test
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 in-interface=ether1 log=no log-prefix="" 
 2 X  ;;; Generals Zero Hour
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 
 3    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=4321 protocol=udp in-interface=ether1 dst-port=4321 log=no log-prefix="" 
 4    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=6667 protocol=tcp in-interface=ether1 dst-port=6667 log=no log-prefix="" 
 5    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=16000 protocol=tcp in-interface=ether1 dst-port=16000 log=no log-prefix="" 
 6    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=16000 protocol=udp in-interface=ether1 dst-port=16000 log=no log-prefix="" 
 7    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=27900 protocol=udp in-interface=ether1 dst-port=27900 log=no log-prefix="" 
 8    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=28910 protocol=tcp in-interface=ether1 dst-port=28910 log=no log-prefix="" 
 9    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=29900 protocol=tcp in-interface=ether1 dst-port=29900 log=no log-prefix="" 
10    chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=29920 protocol=tcp in-interface=ether1 dst-port=29920 log=no log-prefix="" 
I can connect to the lobby, view and communicate with other players, create or join a game, but once the game starts there is an error saying there was no response to some probe that was sent.
What I find interesting is that the packet counters don't show any traffic on the above ports (except for a few packets on 80).
As if the traffic is not coming through.

I have also added some allow rules for these ports (not sure if necessary), these also don't show traffic:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; Generals Zero Hour
      chain=input action=accept protocol=tcp in-interface=ether1 dst-port=6667,16000,28910,29900,29920 log=no log-prefix="" 
 2    chain=input action=accept connection-state=invalid,established,related,new,untracked protocol=udp in-interface=ether1 dst-port=4321,27900 log=no log-prefix="" 
 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 
 4 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
 5    ;;; VPN Rule 1
      chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix="" 
 6    chain=input action=accept protocol=gre log=no log-prefix="" 
 7    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 8 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked  
12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
13    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 
14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 
[luck@MikroTik] >  
 
I'm aware this may not be very safe. Just wanted to try and isolate the problem.
I have tried the same game on another computer, same issue. Also tried disabling fasttrack.

Am I doing something wrong here? All my other forwarding rules are working okay (nginx for example).
What am I missing?

All help appreciated, thanks!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: No incoming traffic (Game Ports)

Tue Jul 27, 2021 9:43 pm

You are missing a rule on the FORWARD chain!
Making DNAT work requires 2 things:

1) The DNAT entries of course, which you have created
2) Allow the flow in the forward chain to proceed to the final backend host.

You have this :

1 ;;; Generals Zero Hour
chain=input action=accept protocol=tcp in-interface=ether1 dst-port=6667,16000,28910,29900,29920 log=no log-prefix=""

Better make some rule in the FORWARD chain to allow ALL traffic that passed DNAT to flow through.

30 ;;; Accept any packet with valid DNAT entry
chain=forward action=accept connection-state=established,related,new connection-nat-state=dstnat in-interface=ether1

Should do the trick I guess. Make sure this rule is positioned above drop rules ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No incoming traffic (Game Ports)

Wed Jul 28, 2021 5:13 pm

Well, it drives me bonkers when people post rules in that format, butt ugly and useless,
and the proof is, JV-Belg, you missed that he already has such a rule........
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[luck@MikroTik] >


To the OP please please, simply paste the export file here

/export hide-sensitive file=anynameyouwish

The point being is that we need to see the whole config to properly diagnose the issues.
Then we can better see the state of firewall rules, routing, interfaces etc...........

As JV-Belg pointed out RULE order is very important.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: No incoming traffic (Game Ports)

Wed Jul 28, 2021 5:40 pm

>I can connect to the lobby, view and communicate with other players, create or join a game, but once the game starts there is an error saying there was no response to some probe that was sent.
>What I find interesting is that the packet counters don't show any traffic on the above ports (except for a few packets on 80).
>As if the traffic is not coming through.

Perhaps your ISP is filtering this? Do you have a public routable IP? As suggested, please post the full config here to get the complete picture.

I stand corrected on my previous post on forward-chain DNAT like anav pointed out, you do seem to have the forward-chain entry on your list.
If you say nginx works (80/443 TCP), there might be some other (upstream) filtering at play here ?
 
luckhermsen
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 4:43 pm

Re: No incoming traffic (Game Ports)

Thu Jul 29, 2021 1:23 pm

Thanks for your replies, and sorry for posting it like that!
Here's the export file.

Regarding the ISP filtering, I highly doubt this is the case, but nevertheless I will try to contact them and ask.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: No incoming traffic (Game Ports)

Thu Jul 29, 2021 4:36 pm

You have quite some DNATs, what is working and what not?
You wrote about counters not incrementing on some.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No incoming traffic (Game Ports)

Thu Jul 29, 2021 5:38 pm

My first comment not based on the config but reading earlier posts.

1. Are you running a game server or are you just playing?
Any modern game worth its salt for strictly playing does not require you to forward ports, you reach out to and connect to either a gaming portal site (steam) or a game site directly and thus all negotiations are done within that initial outgoing connection which you initiated (all return traffic and corresponding back and forth is thus automatically permitted).

If you have to forward ports just to play, then the game is poorly constructed or decades old???
If you are running a game server you are ill-equipped to deal with the issues of running a game server, which is why the majority of users use game portal sites.
Last edited by anav on Thu Jul 29, 2021 6:02 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No incoming traffic (Game Ports)

Thu Jul 29, 2021 5:39 pm

(1) WRONG: /ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0

should be
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0

(2) Where is dns-server=192.168.0.1 ??
( /ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24 )


(3) INPUT CHAIN RULES WRONG!!!
Input chain is for traffic to and from the router, mainly to config the router for the admin and also to provide router services such as DNS, NTP and to capture initial incoming VPN packets to establish a secure connection BUT NOT THIS

/ip firewall filter
add action=accept chain=input comment="Generals Zero Hour" dst-port=\
6667,16000,28910,29900,29920 in-interface=ether1 protocol=tcp


Remove it, it's not required, and remember port forwarding is for UNSOLICITED INCOMING PACKETS that originate on the internet and is handled in destination NAT firewall rules, not input chain firewall rules. Further to my question in the previous post, unless you are hosting a server even a dst-nat rule would make little sense for a modern game.

(4) This rule is an abortion of the standard default rule and needs to be removed.
add action=accept chain=input connection-state=\
invalid,established,related,new,untracked dst-port=4321,27900 \
in-interface=ether1 protocol=udp



(6) Order of rules a bit confusing, best not to mix up forward chain and input chain together but not wrong just untidy and hard to read and troubleshoot.

(7) Why is fasttrack disabled?

(8) SOURCENAT rule is Incomplete!!
From
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none
TO:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN (or out-interface=ether1)

(9) game Dstnat rules could be simplified
TO:
add action=dst-nat chain=dstnat dst-port=4321,16000,27900 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.100
add action=dst-nat chain=dstnat dst-port=6667,16000,28910,29900,29920 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.100

(10) Near the end of your dstnat rules, I Dont understand this rule, is it supposed to be a DESTINATION NAT RULE??

add action=masquerade chain=srcnat comment="Nginx Local NAT" dst-address=\
192.168.0.110 dst-port=80,443 protocol=tcp


(11) You seem to be running several servers...................
Do they all have encrypted login (either HTTPS or FTPS etc)??
None of them have source address lists associated, so any person, bot, etc. can access your servers?

Hint, all your users should provide you with their
a. static WANIP
b. dynamic WANIP by giving you their dyndns name. (There are free dyndns name providers so cost is not an object and the router will ensure they are resolved to the correct public IP)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No incoming traffic (Game Ports)

Thu Jul 29, 2021 6:09 pm

 
luckhermsen
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 4:43 pm

Re: No incoming traffic (Game Ports)

Tue Nov 23, 2021 10:13 pm

Hi Anav,

I kinda forgot about this thread as I stopped playing the game for a while. Just read through your posts, thanks for the help and advising on how to improve my config.

I am kind of hosting a server. I start/host a Multiplayer game and my friend joins from his home. He has to enter my public IP in the game.
It's not like I'm hosting a server that's running 24/7, but I'd still need the port forwards so my friend can connect 'from the internet'.

1. Changed it to bridge. Not sure why this was on eth2.
2. Set to 8.8.8.8
3. So for forwarding ports I only need to add NAT rules as long as I'm not blocking specific services or IP's?
4. True, removed
5.
6. Tried to tidy things up a bit
7. Tried disabling it to see if game would work, still didn't connect.
8. Makes sense, added the out port
9. True. I did that to try and see what happened with the counters, to see on what ports the traffic was coming in.
10. Not sure where I got this from, but without this rule I'm not able to locally use my reverse proxy addresses, e.g. nas.myaddress.com
11. Yes, using HTTPS only.

Again, thanks for your help, much appreciated.
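On item 10, the rule the OP keeps ("Nginx Local NAT") is the source-NAT half of a hairpin (loopback) NAT: it is what lets a LAN client reach nginx through the public name, because without it nginx would see the LAN client's own address and answer it directly on the LAN, bypassing the router's translation, so the client would get a reply from 192.168.0.110 instead of the public IP it connected to and drop it. As posted, though, the rule has no src-address match, so it also masquerades every internet client that reaches nginx through the forwards, and nginx's access logs then show the router's LAN address for everyone. The following is an added example (my own, not the OP's or anav's config) of the same hairpin scoped to LAN sources only. It assumes a fixed public IP, with 198.51.100.20 as a placeholder, nginx at 192.168.0.110 as in the thread, and the default interface lists (bridge in LAN, ether1 in WAN).

```routeros
# Added example (not from the thread): hairpin NAT for nginx, LAN sources only.
# Assumed: fixed public IP 198.51.100.20 (placeholder), nginx at 192.168.0.110,
# bridge is in interface list LAN, ether1 is in interface list WAN.

/ip firewall nat
# One dstnat rule serves both internet and LAN clients. It deliberately has no
# in-interface match, so LAN packets addressed to the public IP are translated too.
add action=dst-nat chain=dstnat comment="nginx 80/443" \
    dst-address=198.51.100.20 dst-port=80,443 protocol=tcp \
    to-addresses=192.168.0.110
# Hairpin srcnat: only LAN clients are masqueraded, so nginx still logs the
# real address of internet clients. Replaces the thread's "Nginx Local NAT" rule.
add action=masquerade chain=srcnat comment="nginx hairpin (LAN only)" \
    src-address=192.168.0.0/24 dst-address=192.168.0.110 dst-port=80,443 \
    out-interface-list=LAN protocol=tcp

/ip firewall filter
# The hairpin flow enters and leaves on the bridge, so a forward rule that only
# accepts dstnat traffic arriving on ether1/WAN would not match it. Place this
# above any final "drop all else" rule in the forward chain.
add action=accept chain=forward comment="allow hairpin dstnat from LAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=LAN \
    out-interface-list=LAN
```

The forward rule only matters once the forward chain ends in an explicit drop (the default config has none); if the WAN address is dynamic, the dst-address match in the dstnat rule has to follow it, which this example does not cover.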
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No incoming traffic (Game Ports)

Tue Nov 23, 2021 11:05 pm

What I recommend is that your friend either:
a. has a static fixed WANIP he can give you
b. if dynamic he gets a domain name or more accurately a free dyndns name available at many sites............. and then

you will ensure that the dst-nat rules for the game has a component
of src-address-list=authorized

where the firewall address list consists of
/ip firewall address-list
add address=<fixed IP of friend A> list=authorized
add address=<fixed IP of friend B> list=authorized
add address=<dyndns name of friend C> list=authorized
add address=<dyndns name of friend D> list=authorized
etc...

Firewall rules need some tweaking, some missing, some duplication, and the order in terms of mixing input and forward just makes things difficult to read and troubleshoot. etc......
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="VPN Rule 1" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="Accept forwarded dstnat" \
connection-nat-state=dstnat connection-state=established,related,new \
in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

TO

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="VPN Rule 1" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=drop chain=input comment=\
"defconf: drop all from WAN" in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
comment="Allow internet traffic"
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=established,related,new \
in-interface=ether1
add action=drop chain=forward comment="drop all else"

For security reasons best to disable or turn off or set to none.

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=18780
set ssh port=18722
set www-ssl disabled=no port=18443
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN

Is your ISP a static/fixed wanip or a dynamic WANIP??

These two rules I don't understand the purpose of??
add action=masquerade chain=srcnat comment="Nginx Local NAT" dst-address=\
192.168.0.110 dst-port=80,443 protocol=tcp
add action=dst-nat chain=dstnat comment="NAS Phone Apps to Nginx" dst-port=\
5001 protocol=tcp to-addresses=192.168.0.110 to-ports=443
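Pulling together jvanhambelgium's point (a DNAT needs both the dstnat entry and a forward-chain accept) and anav's advice (simplified dstnat rules, src-address-list=authorized, srcnat with out-interface-list, input and forward rules kept apart with the dstnat accept above the final drop), here is one complete, added example of the game forwards. It is my own config, not the OP's, anav's or jvanhambelgium's, and it assumes the RouterOS default interface lists (ether1 in WAN, bridge in LAN), the game PC at 192.168.0.100 as in the thread, and uses 203.0.113.10 and friend-c.example.net as placeholders for friends' addresses; the OP's VPN, nginx and NAS rules are left out.

```routeros
# Added example (not from the thread): authorized-only game port forwards.
# Assumed: ether1 is in interface list WAN, bridge in list LAN, 192.168.0.100
# is the game PC; 203.0.113.10 and friend-c.example.net are placeholders.

/ip firewall address-list
add address=203.0.113.10 list=authorized comment="friend A, fixed WAN IP"
# A DNS name is allowed here; the router resolves it and refreshes it by TTL.
add address=friend-c.example.net list=authorized comment="friend C, dyndns name"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# One rule per protocol, matched only for sources on the authorized list.
add action=dst-nat chain=dstnat comment="Generals Zero Hour UDP" \
    dst-port=4321,16000,27900 in-interface-list=WAN protocol=udp \
    src-address-list=authorized to-addresses=192.168.0.100
add action=dst-nat chain=dstnat comment="Generals Zero Hour TCP" \
    dst-port=6667,16000,28910,29900,29920 in-interface-list=WAN protocol=tcp \
    src-address-list=authorized to-addresses=192.168.0.100

/ip firewall filter
# input chain: traffic to the router itself
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not from LAN" \
    in-interface-list=!LAN
# forward chain: traffic through the router; the dstnat accept must sit above
# the final drop, otherwise the forwarded game packets never reach the PC
add action=fasttrack-connection chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="LAN to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwards" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
```

After a game session, `/ip firewall nat print stats` and `/ip firewall filter print stats` show whether the two dstnat rules and the "allow port forwards" rule have counted packets. If the dstnat counters stay at zero while the game reports a failed probe, the packets never arrived on ether1 at all, which points at the upstream filtering or the lack of a public routable IP that jvanhambelgium asked about rather than at the filter chain; if the dstnat counters rise but the forward-chain accept does not, rule order is the problem.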
