forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

PC Gaming, unable to connect to servers  [SOLVED]

Sat Sep 11, 2021 6:00 pm

[SOLVED]
Seems you can't port forward and masquerade at the same time.

3 weeks ago I moved my router over to a hEX S alongside a CSS326. Since then we've been unable to connect to certain gaming servers. Minecraft and Valorant are 2 big ones. CSGO works, as well as Hearthstone. I haven't messed with any others. I've been attempting to get this fixed for about a week with no such luck. I've attempted port forwards without any luck. My other port forwards/open ports work just fine. My firewall is stock.

export here
https://pastebin.com/0aCzEPUY

Before with OpenWRT we were able to connect and play
OpenWRT firewall rules can be found here
https://pastebin.com/ttxaRAnV

I see there is a difference in an output chain (I'm not well versed in all that is firewall) but this was the default config on that as well.

Is it possible to adjust so we can game again?

thanks
Last edited by forsquirel on Sun Sep 12, 2021 2:23 am, edited 1 time in total.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: PC Gaming, unable to connect to servers

Sat Sep 11, 2021 6:21 pm

Minecraft ... big ones
Try to telnet minecraft server's port. Is it connecting, rejecting or nothing happens (aka "dropping")? This might give you an idea which Mikrotik rule is rejecting traffic.

Also I am not sure about DNS servers. Tried using 1.1.1.1?
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: PC Gaming, unable to connect to servers

Sat Sep 11, 2021 6:33 pm

Minecraft ... big ones
Try to telnet minecraft server's port. Is it connecting, rejecting or nothing happens (aka "dropping")? This might give you an idea which Mikrotik rule is rejecting traffic.

Also I am not sure about DNS servers. Tried using 1.1.1.1?
It's rejecting if I telnet, but it's not showing in the server list in the MC client. The client is working because I can see my local server. I can also reach it when I'm not home and everything works fine through port forwarding. DNS is via Pi-hole right now and has been for years. I've tried OpenDNS, Google, all the big ones and it's no change. Valorant can only tell me it's an ISP problem and to reboot my computer.

If Windows Firewall on the machines is disabled it's the same. Windows/Linux yield same results.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: PC Gaming, unable to connect to servers

Sat Sep 11, 2021 11:56 pm

Hi there, two items.

(1) Primary issue is that you have no port forwarding rules. There are no DST nat rules on your config ???

(2) Describe the purpose of each of these rules please!! For educational learning purposes
add action=accept chain=input comment="Allow Vlan" in-interface=vlan_lan
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: PC Gaming, unable to connect to servers

Sun Sep 12, 2021 12:14 am

Hi there, two items.

(1) Primary issue is that you have no port forwarding rules. There are no DST nat rules on your config ???
Which port forwards? They weren't working so I took them out. Plus I've taken out the rules that expose services I run.
(2) Describe the purpose of each of these rules please!! For educational learning purposes
add action=accept chain=input comment="Allow Vlan" in-interface=vlan_lan
Assuming it allows access to the lan from vlans? From viewtopic.php?t=143620
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
It's a default rule that was included in the default config.

edit: I should add that gaming has not worked since plugging in the Mikrotik. Even before adding any rules.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: PC Gaming, unable to connect to servers

Sun Sep 12, 2021 3:49 am

The point of the exercise was to demonstrate to you that you don't know what you are doing yet.

The right answer is that the second rule does the same thing as the first rule (allows vlan_lan to the router) but also allows all LAN subnets to the router plus also stops WAN to router traffic.
Hence a decent default rule for startup. However, it can be improved as seen below.
In other words, the first rule is redundant and not required because you allow the full LAN to your router already in the second rule (every subnet identified as a LAN interface member).

What you should aim for is the following
add chain=input action=accept in-interface-list=MGMT (and optional src-address-list=adminaccess)

Where
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

add name=MGMT

/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN

add interface=vlan_lan list=MGMT

Thus only those on the interface vlan_lan will have full access to the router.
The optional use of the firewall address list can be used to further reduce access by IP addresses of admin devices (desktop pc, laptop, ipad, smartphone).

If you go this route ensure you change mac server winbox server interface from LAN to MGMT.

After you put this rule in place then as the last rule in the input chain put:
add chain=input action=drop comment="drop all else"

This blocks all other WAN/LAN to router and router to WAN/LAN

So what's missing... If you know how MT OS works, one will realize that LAN users still need access, but limited access, and that is to the services the router provides; typically this is only
DNS (some also have NTP servers running)

e.g. (AND PLACE THESE JUST BEFORE THE LAST DROP ALL RULE)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

Okay, let's get to other issues,
and I QUOTE
"Seems you can't port forward and masquerade at the same time."

BULL PUCKY! A very incorrect statement, and the two functionalities are separate.
Source NAT or masquerade (a source NAT variant) instructs the router to perform NAT on the outgoing traffic that ORIGINATES behind the router, on the particular WAN interface. Be careful here: it does not tell the router to send the traffic out a specific WAN interface; that is done by your IP routing rules.
A on a LAN initiates a session, the router knows that the session which is going out that interface should leave the router with the public IP of that interface but will keep track of which LANIP sent the outgoing traffic so upon the return traffic the router can send that traffic back to the right LANIP.
Destination NAT (or portforwarding) in your case tells the router what to do for TRAFFIC originating OUTSIDE the router and hitting your public IP with a specific port it wants to connect to.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: PC Gaming, unable to connect to servers

Sun Sep 12, 2021 3:52 am

Yes, port forwarding will not work if you don't put any dst-nat rules.
Yes, typically you do not need to port forward to connect to gaming servers or stream or anything else......
One will need port forwarding if one is hosting servers of any ilk.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: PC Gaming, unable to connect to servers

Sun Sep 12, 2021 4:19 am

Yes, port forwarding will not work if you don't put any dst-nat rules.
I actually had dst-nat rules. Unfortunately they don't work if you put them in before nat? I've had the dstnat rules since day one. I thought I hadn't but I had to keep my local services running.
Yes typically you do not need to port forward to connect to gaming servers or stream or anything else......
Correct, if NAT is working.
One will need port forwarding if one is hosting servers of any ilk.
And I do. I figured out what was wrong. I hadn't selected interfaces on my port-forwards.

edit:
If you know how MT OS works
I've had this for around 4 weeks. It isn't windows, it isn't linux. I've spent more time learning this OS and the way it operates more in the last month than I do my coursework. I'm still learning.
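
Added example (not part of any post in this thread and not the poster's actual export): masquerade and a port forward coexisting in the same NAT table, with an unscoped dst-nat rule shown next to one restricted to the WAN interface list, which is the fix reported above ("I hadn't selected interfaces on my port-forwards"). The port tcp/25565 and the address 192.168.88.10 are assumed values for a locally hosted game server; the WAN list name is the defconf one from the thread.

```routeros
# Constructed illustration: addresses, port and comments are assumptions,
# not values taken from the poster's configuration.
/ip firewall nat

# Source NAT for LAN-originated connections leaving through a WAN interface.
# This only rewrites the source address; it does not choose the route.
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="masquerade LAN -> WAN"

# WEAK (kept disabled): no in-interface / in-interface-list matcher.
# The dstnat chain evaluates every new connection entering the router,
# including ones from LAN clients. A LAN client connecting to a REMOTE
# server on tcp/25565 matches this rule too and is redirected to the
# local host, so outbound connections to that port never reach the internet.
add chain=dstnat action=dst-nat protocol=tcp dst-port=25565 \
    to-addresses=192.168.88.10 to-ports=25565 disabled=yes \
    comment="WEAK: unscoped port forward"

# CORRECTED: forward only connections that arrive on the WAN side.
# LAN-originated traffic to tcp/25565 no longer matches and is simply
# masqueraded by the srcnat rule above.
add chain=dstnat action=dst-nat in-interface-list=WAN \
    protocol=tcp dst-port=25565 \
    to-addresses=192.168.88.10 to-ports=25565 \
    comment="port forward scoped to WAN"

# Verification: with the scoped rule, the packet counter on the dstnat rule
# should stay unchanged while a LAN client connects to a remote server on
# the same port, and increase only for connections arriving from outside.
/ip firewall nat print stats where chain=dstnat
```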
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: PC Gaming, unable to connect to servers

Sun Sep 12, 2021 2:27 pm

The learning will continue as they keep adding functionality!!
 
begeve6630
just joined
Posts: 1
Joined: Sun Nov 07, 2021 3:10 pm

Re: PC Gaming, unable to connect to servers

Sun Nov 07, 2021 3:27 pm

Also I am not sure about DNS servers. Tried using 1.1.1.1?
