I am trying to set up port forwarding for Killing floor.
I followed this guide to set up ports, but when I attempt to check them using http://ping.eu/port-chk/, it says port closed for either of them.

The rule for one of the port ranges looks like this:



Ping checker returns closed regardless of whether I put my public DHCP IP address into the destination field or not. What am I doing wrong?

In dst address you must put 192.168.88.1
In to addres you can not put the router IP 192.168.88.1, but the IP of the PC.

What do you mean? How do I find the IP of the PC? On my previous router, it allowed me to set the number for each PC, for example PC with #10 would have internal IP 192.168.0.10 and so on. But this MikroTik, I can't figure out how to set to do the same. And the "IP" I have for my PC right now is 192.168.88.1/21 which is not something I can enter, it says "Expected IP address".

Edit:
Ok I went into neighbours setting and the only LAN one was with the number 254 at the end, I assumed that was the PC I have connected to the router on which I am trying to host Killing Floor, so I put that into forward address and 192.168.88.1 into the Dst. Address like you said, and it still reports as being closed.

Another edit:
Also what I noticed is while all ports report closed, those configured under TCP protocol do recieve the packet. The service still reports them as closed, but the Bytes and Packet counters go up every check. The UDP don't even seem to recieve the packets, although it might be because of the actual port checking service.

Try this:
Then check the log to see if the firewall is not dropping the traffic.

You are telling me to do the exact same thing through the terminal that I just spent the whole day doing via GUI and which didn't work, which is why I made this thread.
As far as log goes, no there is nothing about NAT in there, it does not even log when it receives a packet, like what happens on TCP ports.

You can check what ip the router has given to your pc by going to DHCP Server -> Leases
And then adjust the rule accordingly :
This should be the ip of the pc, for example 192.168.88.254, and not 192.168.88.1.

To make sure that the dhcp server will always give the same ip to that pc you can click on the lease and press "Make Static", that way the ip will be reserved for this pc.

Yes I did just that. My PC address is 254 and I made it static so it doesn't change at some point. Still doesn't work. The port checkers report the ports as closed.
My settings for NAT look like this:

And the forward address is now for my PC: 192.168.88.254. I tried putting the LAN IP (192.168.88.1) into the Dst. Address like rextended advised, but if I did that even the TCP packet counts stopped going up so switched it back to the public IP. Oh and: no, my Windows Firewall is turned off, and Avast does not block any ports.

Put that port checker...

UDP do not estabilish connection between two devices.
You can not see any port open, only using UDP.

You must put one CLIENT of the game, for see packet reply.

The software reply only on packets containing "game" data, the others are discarded.
Now I see other ports on your rules.

Are you sure that the online port scanner you are using can check udp ports ?

Are you sure that the online port scanner you are using can check udp ports ?

I'm just writed that, only expected traffic get a "reply".
Can't exist one generic UDP port scanner...

Fair enough, I suspected that it was something to do with the UDP and the port checkers, but the problem is still there, I can not get ANY port checkers to show that the ports are open for any of those rules I have tried
http://www.portcheckers.com/
http://ping.eu/port-chk/
http://www.canyouseeme.org/

Neither of them show any ports are open, both UDP AND TCP.
The settings are exactly like rextended posted. dst-nat on my public IP, forwarded to my PC. I checked all Avast Firewall logs, and it doesn't block anything.

BTW the last one, if I check port 8075 which is TCP it will say "Connection refused" for some reason.

Edit:
I went to the UDP port scanner and checked 7707-7717 range there and it told me that the host at my public IP (I assume this is the router?) is down. WTF...

Edit (again, just trying to help understand what's happening):
I added a log rule to one of the ports (8075, just copied the forwarding rule and changed action to log), and it posted this in log:

Nothing else logged about this. Dunno if it will help, but there you go. It's from the http://www.canyouseeme.org/ port checker. The one that says "Connection refused".

So um noone knows what's wrong? I still have no idea how to forward with this router...

In your very first post you had it right.

Just make the 192.168.88.1 to 192.168.88.254 (you said thats the ip of the server hosting killing floor)

But that is local network IP, how could I create rule by that if whatever services I am trying to forward for don't even see this address?

DNAT will do that for you. The dst-address is the address to which you want to forward incoming traffic to.

Disable all DROP rules under the firewall "Filter Rules" and test again. Don't forget to re-enable afterwards.

Well I did that and it doesn't work again. Also I tried entering my local PC IP with this port in the browser and it said Connection refused. That with Windows Firewall off and Avast Firewall not logging any blocked traffic. What might be going on?

I'd say that at some point you had it correct, at least part of it.

For example, one of the rules:

Chain: dstnat
Dst. Address: 91.156.57.138
Protocol: tcp
Dst. Port: 8075
Action: dst-nat
To Addresses: 192.168.88.254
To Ports: 8075 (or nothing, you can leave it out if you just want to keep Dst.Port)

The packet counter for this rule should increase, when you try the port testers. It still doesn't mean that it must work, because the packets can be stopped later by some filter rule (check Filter Rules tab). Make sure that you accept packets matching the following:

Dst. Address: 192.168.88.254
Protocol: tcp
Dst. Port: 8075

Use of logging rules is always a good idea if you want to be sure what's going on. And of course you must have the server software running, if you want the port to show as open.

The connection is definitely getting rejected somewhere, I have these settings set correctly as I understand now, it just gets refused for some reason anyway. And no logs say anything. I havent changed any filter rules or anything like that. I had the default configuration and went to forward ports straight away. Avast Firewall also doesnt show anything blocked. It does say that Windows Firewall "Domain Profile" is on, despite the firewall being off. I have no idea what this Domain profile is and how to turn it off, could it be blocking the connection?

Also could it have anything to do with the fact that I am using DHCP instead of a static IP? The IP is not changing for now, so I assumed it should not make a difference, but maybe there's something else there. I don't know much about network configuration, I am oblivious to many of the places where the packet could be refused. But the NAT is configured correctly, KF is running when I am checking and Windows Firewall is off, with Avast being configured to let the packets on those ports through.

You must go step by step and make sure that something is correct, before moving on to next thing. I'd start at the router.

As a minimal config, you have outgoing NAT:

ros code

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Internet

Then you need port forwarding rule. This one will work even with WAN IP from DHCP (assuming it's public and not filtered by ISP in any way). Server's LAN IP (192.168.88.254) should be either set in router's DHCP server as static lease or it can be set static on server.

ros code

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8075 \
    protocol=tcp to-addresses=192.168.88.254

If there are no other rules (especially filter ones), this will forward the port. To help with debugging, add following rules:

ros code

/ip firewall filter
add action=log chain=forward connection-state=new dst-port=8075 log-prefix=\
    "step2, forwarding" protocol=tcp
/ip firewall mangle
add action=log chain=prerouting connection-state=new dst-port=8075 \
    log-prefix="step1, incoming" protocol=tcp
add action=log chain=postrouting connection-state=new dst-port=8075 \
    log-prefix="step3, forwarded" protocol=tcp

If you connect from outside to <your public ip>:8075, you must see all three steps logged. If you do, connection was successfully forwarded and your problem is not on the router.

You must go step by step and make sure that something is correct, before moving on to next thing. I'd start at the router.

As a minimal config, you have outgoing NAT:

ros code

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Internet

Then you need port forwarding rule. This one will work even with WAN IP from DHCP (assuming it's public and not filtered by ISP in any way). Server's LAN IP (192.168.88.254) should be either set in router's DHCP server as static lease or it can be set static on server.

ros code

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8075 \
    protocol=tcp to-addresses=192.168.88.254

If there are no other rules (especially filter ones), this will forward the port. To help with debugging, add following rules:

ros code

/ip firewall filter
add action=log chain=forward connection-state=new dst-port=8075 log-prefix=\
    "step2, forwarding" protocol=tcp
/ip firewall mangle
add action=log chain=prerouting connection-state=new dst-port=8075 \
    log-prefix="step1, incoming" protocol=tcp
add action=log chain=postrouting connection-state=new dst-port=8075 \
    log-prefix="step3, forwarded" protocol=tcp

If you connect from outside to <your public ip>:8075, you must see all three steps logged. If you do, connection was successfully forwarded and your problem is not on the router.

That was really nice post, you da real MVP *Sobs* huehuehue....

Ok looks like router is not a problem. Seems like something is blocking the packet in the system, though with the Firewall off and Avast not saying it blocked anything, no I idea what it might be. Anyway thanks, that is at least some progress.