CrazyFin
just joined
Topic Author
Posts: 2
Joined: Thu Sep 09, 2021 3:29 pm

Port forward setup wrong OR I might have a NATed IP address from my mobile broadband provider (Telia)? [SOLVED]

Thu Sep 09, 2021 4:54 pm

I recently bought the really nice Mikrotik Chateau LTE12.

I am using it with mobile broadband from Swedish operator Telia and my speed is excellent (150Mbit/s down and about 100Mbit/s up) so that part works just fine.
However, I am not able to access my surveillance cameras or my fileserver from outside my local LAN.

I can access my router locally via webpage as well as via Winbox.
I am not able to access my router externally from outside my local net when using Winbox.

I am suspecting 2 issues:

1. I have a public IP address from my ISP that is NATed (most likely)
(I just realized that my "Public" IP when using, for example, whatismyip.org is something like 217.213.yyy.xx, and when I look in the router interface for the modem I see an IP address that is completely different: 100.99.yyyy.xxx?!)

2. I have done something wrong when configuring port forwarding. I used the quick config page to "open" / port forward port 6601 to my local IP address.

However, I am not able to access the fileserver and I get "Connection timed out".

My config is below. I used the command
export hide-sensitive file=mikrotik
but it shows, for example, MAC addresses, which I thought it would hide?

# sep/09/2021 15:45:10 by RouterOS 7.0.2
# software id = PJ8R-F8ZN
#
# model = D53G-5HacD2HnD
# serial number = <I have removed the serial no>
/interface bridge
add admin-mac=2C:C8:1B:9B:35:C2 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=sweden disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik-9B35C7 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=sweden disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-9B35C8 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=public
add apn=static.telenor.se
add apn=services.telenor.se
add apn=internet.telenor.se
add apn=public.telenor.se
add apn=online.telia.se name=Telia
/interface lte
set [ find ] allow-roaming=no apn-profiles=Telia name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip arp
add address=192.168.10.99 interface=bridge mac-address=68:05:CA:36:94:FF
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FILESERVER dst-address=192.168.10.99 \
    dst-port=6601 protocol=tcp to-addresses=192.168.10.99 to-ports=6601
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="CrazyFin Router"
/system routerboard settings
set cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

CASE CLOSED!

It was my ISP Telia that had configured it wrong... After 3 calls to tech support at Telia, which took me the whole day, the 3rd person at their 2nd-line tech support finally configured it right!
It works fine now and I can access my fileserver from outside of my local network.
Last edited by CrazyFin on Fri Sep 10, 2021 6:10 pm, edited 1 time in total.

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forward setup wrong OR I might have a NATed IP address from my mobile broadband provider (Telia)?

Fri Sep 10, 2021 5:42 pm

Good work!
Typically, selecting "what is my IP" is a good way to see if it matches your WAN IP in IP DHCP client, etc.
Also, one can look at their IP Cloud settings as well!!
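A worked version of the two checks discussed in this thread (the original poster's observation that lte1 carries a 100.99.x.x address while whatismyip reports 217.213.x.x, and anav's advice to compare the externally reported address with the WAN IP), as an added Python example that is not part of this thread and not MikroTik code. It classifies the WAN address against the RFC 6598 shared address space 100.64.0.0/10, which carriers use for carrier-grade NAT, and parses the dst-nat rules out of a RouterOS export to show what each forward matches on and whether its target lies in a LAN subnet. The export excerpt is a constructed subset of the config posted above, the last octets of the addresses are constructed, and all function names are assumptions of this example.

```python
import ipaddress
import shlex

# RFC 6598 shared address space: carriers hand these out behind CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# Constructed excerpt modelled on the /export posted in this thread
# (only the sections this check needs).
SAMPLE_EXPORT = """\
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\\
    192.168.10.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FILESERVER dst-address=192.168.10.99 \\
    dst-port=6601 protocol=tcp to-addresses=192.168.10.99 to-ports=6601
"""


def classify_wan_address(addr):
    """Classify the address the ISP assigned to the WAN interface (lte1 here)."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if ip.is_private:
        return "private"   # RFC 1918 etc.: some other NAT device sits upstream
    if ip.is_global:
        return "public"
    return "other"


def diagnose(wan_addr, observed_addr):
    """Compare the router's WAN address with what an external 'what is my IP'
    site reports. Returns (verdict, explanation)."""
    kind = classify_wan_address(wan_addr)
    if kind == "cgnat":
        return ("cgnat", "ISP translates your address; inbound connections "
                         "never reach the router, so no port forward can work")
    if kind == "private":
        return ("double-nat", "private address on WAN: another NAT is in front")
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(observed_addr):
        return ("upstream-nat", "WAN address is public but differs from the "
                                "external view; the ISP is still translating")
    return ("public", "WAN address matches the external view; port forwards "
                      "can reach the router")


def parse_export(text):
    """Parse a RouterOS /export into {section: [{key: value, ...}, ...]}.
    Handles the trailing-backslash line continuation the export uses."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw   # continuation lines are indented
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)        # handles comment="defconf: ..." quoting
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections.setdefault(section, []).append(entry)
    return sections


def lan_networks(sections):
    """Subnets configured under /ip address (the LAN side here)."""
    return [ipaddress.ip_interface(e["address"]).network
            for e in sections.get("/ip address", []) if "address" in e]


def port_forwards(sections):
    """List every dst-nat rule: what it matches on and where it sends traffic."""
    lans = lan_networks(sections)
    result = []
    for r in sections.get("/ip firewall nat", []):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        target = ipaddress.ip_address(r["to-addresses"])
        match = {k: r[k] for k in ("in-interface", "in-interface-list", "dst-address")
                 if k in r}
        result.append({
            "comment": r.get("comment"),
            "proto": r.get("protocol"),
            "dst_port": r.get("dst-port"),
            "target": f"{target}:{r.get('to-ports', r.get('dst-port'))}",
            "matches_on": match,
            "target_in_lan": any(target in n for n in lans),
        })
    return result


if __name__ == "__main__":
    # Addresses as the original poster described them (last octets constructed).
    print(diagnose("100.99.1.2", "217.213.1.2"))
    print(diagnose("217.213.1.2", "217.213.1.2"))
    for fwd in port_forwards(parse_export(SAMPLE_EXPORT)):
        print(fwd)
```

Run it against a full export by reading the file saved with `export hide-sensitive file=...` into `parse_export`; the WAN address to feed `diagnose` is the one shown on lte1 (IP > Addresses or the LTE interface status), and the external address comes from a "what is my IP" site as anav suggests. A "cgnat" verdict means no amount of dst-nat tuning on the router will help until the ISP assigns a public address, which is what resolved this thread.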