
NAT port forwarding no longer works

Fri Dec 02, 2022 10:08 pm

Port forwarding doesn't work anymore. Anyone mind taking a look?

I made a lot of changes while setting up VLANs and I've broken something. Also open to other feedback; I'm sure it's far from fantastic. Quite new to networking and MikroTik.
[admin@MikroTik-hEX-S] > export hide-sensitive
# dec/02/2022 20:59:15 by RouterOS 7.5
# software id = 7KG8-9573
#
# model = RB760iGS
/interface bridge
add admin-mac=DC:2C:6E:0B:34:89 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-inet
set [ find default-name=ether2 ] comment=WiFi
set [ find default-name=ether5 ] comment=VMHost
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# NOTE(review): both VLAN interfaces are defined directly on ether2/ether5, and
# those same ports are also plain (untagged) members of "bridge" further down;
# no bridge VLAN filtering is enabled anywhere in this export. Confirm that
# tagged frames actually reach vlan-iot/vlan-server in this arrangement.
/interface vlan
add interface=ether2 name=vlan-iot vlan-id=101
add interface=ether5 name=vlan-server vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=server ranges=10.0.0.2-10.0.0.250
add name=l2tp_pool ranges=10.0.1.100-10.0.1.150
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
add name=iot ranges=10.0.2.5-10.0.2.100
# LAN-pool starts at 10.0.1.1, which is the router's own bridge address (see
# /ip address); the DHCP server will not hand that out, but starting the pool
# at 10.0.1.2 avoids the overlap. l2tp_pool (10.0.1.100-150) also sits inside
# LAN-pool, so a VPN client and a LAN client could be offered the same address.
add name=LAN-pool ranges=10.0.1.1-10.0.1.150
/ip dhcp-server
add address-pool=LAN-pool interface=bridge name=LAN-dhcp
add address-pool=iot interface=vlan-iot name=iot-dhcp
add address-pool=server interface=vlan-server name=server-dhcp
/port
set 0 name=serial0
/ppp profile
add bridge=bridge dns-server=1.1.1.1 local-address=10.0.0.1 name=L2TP-Profile \
    remote-address=l2tp_pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# The only bridge VLAN entry is disabled and refers to VLAN 10, which is not
# used anywhere else in this export (the VLANs in use are 101 and 102).
add bridge=bridge disabled=yes vlan-ids=10
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-inet list=WAN
/interface ovpn-server server
# md5 is still listed as an accepted auth digest. No enabled=yes is shown for
# this server, so it is presumably inactive; remove md5 before ever enabling it.
set auth=sha1,md5
/interface wireguard peers
hidden
/ip address
add address=10.0.1.1/24 interface=bridge network=10.0.1.0
# "interface=*B" is an unresolved reference to an interface that no longer
# exists. The entry is disabled, so it is harmless, but it should be removed or
# re-pointed before the guest network is brought back.
add address=192.168.100.1/24 comment="Guest address space" disabled=yes \
    interface=*B network=192.168.100.0
add address=192.168.200.1/24 interface=wireguard1 network=192.168.200.0
add address=10.0.2.1/24 interface=vlan-iot network=10.0.2.0
add address=10.0.0.1/24 interface=vlan-server network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1-inet use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
add address=10.0.1.0/24 dns-server=10.0.1.1 gateway=10.0.1.1 netmask=24
add address=10.0.2.0/24 dns-server=1.1.1.1 gateway=10.0.2.1 netmask=24
add address=192.168.100.0/24 dns-server=1.1.1.1 gateway=192.168.100.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS on every interface. The
# input-chain "drop all not coming from LAN" rule below is what keeps the WAN
# side from reaching it, so that rule must stay in place.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
# WAN-IP is a static entry (value hidden by the export). The 443/80/22 dst-nat
# rules below match on this list, so if the WAN address changes (ether1-inet
# is a DHCP client and cloud DDNS is on) those forwards silently stop matching
# until this entry is updated.
add address=hidden list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Rule order matters: the chain is evaluated top to bottom and the first match
# wins. This drop is placed BEFORE the VPN (UDP 500/1701/4500), ipsec-esp and
# WireGuard (UDP 13231) accepts that follow it, so new connections from WAN to
# those services are dropped before the accepts are ever reached. Move the
# three VPN accepts above this rule (directly after "accept ICMP").
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment="allow VPN" dst-port=\
    500,1701,4500 in-interface=ether1-inet protocol=udp
add action=accept chain=input in-interface=ether1-inet protocol=ipsec-esp
add action=accept chain=input comment=WIREGUARD dst-port=13231 in-interface=\
    ether1-inet protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=IPTV disabled=yes protocol=igmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# This is the rule that lets forwarded (dst-nat'ed) connections in from WAN;
# it must stay above "drop all from WAN not DSTNATed" further down.
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=IPTV disabled=yes protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Inter-VLAN isolation: only vlan-iot -> bridge and vlan-server -> bridge are
# blocked. Nothing here restricts vlan-iot <-> vlan-server, and the reverse
# direction bridge -> vlan-iot is disabled below; confirm that is intended.
add action=drop chain=forward comment="Block IOT to LAN Bridge" in-interface=\
    vlan-iot out-interface=bridge
add action=drop chain=forward comment="DROP server to bridge" in-interface=\
    vlan-server out-interface=bridge
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="block LAN TO IOT" disabled=yes \
    in-interface=bridge out-interface=vlan-iot
/ip firewall nat
# Both hairpin rules are disabled and match src and dst in the same subnet. The
# dst-nat targets below are on 10.0.0.0/24 while LAN clients are on 10.0.1.0/24,
# so a hairpin rule that lets LAN clients reach the forwarded hosts via the
# public address would presumably need src 10.0.1.0/24 and dst 10.0.0.0/24 —
# verify against how clients actually connect.
add action=masquerade chain=srcnat comment="HAIRPIN NAT" disabled=yes \
    dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.1.0/24 \
    src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="LAN out" out-interface-list=WAN \
    src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="server network out" ipsec-policy=\
    out,none out-interface-list=WAN src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="IOT network out" \
    out-interface-list=WAN packet-mark="" src-address=10.0.2.0/24
add action=masquerade chain=srcnat comment="Guest network out" \
    out-interface-list=WAN src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.200.0/24
# Inconsistent scoping in the forwards below: some match dst-address-list=WAN-IP,
# some in-interface=ether1-inet or in-interface-list=WAN, and the test/plex/csgo/
# 27005/51840 rules have no WAN match at all. An unscoped dst-nat rule matches
# ANY packet on that port entering the dstnat chain, including LAN clients
# connecting outbound to an external host on that port, and redirects it to the
# internal host. Add in-interface-list=WAN (or dst-address-list=WAN-IP) to every
# forward. The empty dst-address-list="" / src-address-list="" matchers are
# no-ops and can be removed.
add action=dst-nat chain=dstnat comment=test dst-address-list="" dst-port=8000 \
    protocol=tcp to-addresses=10.0.1.10 to-ports=8000
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 protocol=\
    tcp to-addresses=10.0.0.25 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=10.0.0.25 to-ports=80
# Exposing SSH (22) directly to the Internet is high-risk; if it is needed,
# prefer reaching 10.0.0.25 over the WireGuard/L2TP VPN instead.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=22 protocol=\
    tcp to-addresses=10.0.0.25 to-ports=22
add action=dst-nat chain=dstnat dst-port=3999 in-interface=ether1-inet \
    protocol=tcp to-addresses=10.0.0.100 to-ports=3999
add action=dst-nat chain=dstnat comment=torrents dst-port=13337 \
    in-interface-list=WAN protocol=tcp src-address-list="" to-addresses=\
    10.0.0.100 to-ports=13337
add action=dst-nat chain=dstnat comment=plex dst-port=32400 protocol=tcp \
    to-addresses=10.0.0.100 to-ports=32400
add action=dst-nat chain=dstnat comment=csgo dst-port=27015 protocol=tcp \
    to-addresses=10.0.0.106 to-ports=27015
add action=dst-nat chain=dstnat dst-port=27015 protocol=udp to-addresses=\
    10.0.0.106 to-ports=27015
add action=dst-nat chain=dstnat comment="csgo client" dst-port=27020 protocol=\
    udp to-addresses=10.0.0.106 to-ports=27020
add action=dst-nat chain=dstnat dst-port=27005 protocol=udp to-addresses=\
    10.0.0.106 to-ports=27005
add action=dst-nat chain=dstnat dst-port=51840 protocol=udp to-addresses=\
    10.0.0.106 to-ports=51840
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1-inet upstream=yes
add interface=bridge
 

Re: NAT port forwarding no longer works  [SOLVED]

Sun Dec 04, 2022 12:24 am

Actually the solution was dumber than I thought. It seems my ISP modem caused this: even though it should be in bridge mode, my MikroTik router is suddenly no longer getting a public WAN IP. Possibly a firmware update gone wrong.
