FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

alarm port with Mikrotik

Fri Mar 17, 2017 1:33 pm

Hello,
I have a MikroTik RB951 and I need to open a port so my alarm can communicate with my phone.
The alarm has a fixed IP and the port is 33000.

In NAT I made a DMZ first... it doesn't work!
After that, again in NAT, I redirected port 33000 to the IP... nothing again!

I turned off the MikroTik and connected directly to my ISP's router and it works well...

The alarm is an Eletronic Line and the error is "XML fail".

Any idea?

Thanks for your time
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: alarm port with Mikrotik

Fri Mar 17, 2017 1:57 pm

Can you paste the configuration of your router here, with the rules that you used?
/export hide-sensitive
 
FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

Re: alarm port with Mikrotik

Fri Mar 17, 2017 5:48 pm

# mar/17/2017 15:47:15 by RouterOS 6.34.3
# software id = XMKE-GZ3Q
#
/interface bridge
add arp=proxy-arp name=bridge-corporate protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=eth1-LAN
set [ find default-name=ether2 ] master-port=eth1-LAN name=eth2-LAN
set [ find default-name=ether3 ] master-port=eth1-LAN name=eth3-LAN
set [ find default-name=ether4 ] master-port=eth1-LAN name=eth4-LAN
set [ find default-name=ether5 ] name=eth5-WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
country=portugal disabled=no frequency=2467 mode=ap-bridge name=\
wlan-corporate ssid=MOTOMETRIA-Corporate wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=guest supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:16:95:78 \
master-interface=wlan-corporate multicast-buffering=disabled name=\
wlan-guest security-profile=guest ssid=MOTOMETRIA-Guest wds-cost-range=0 \
wds-default-cost=0
/ip pool
add name=dhcp_pool1 ranges=192.168.100.100-192.168.100.150
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-corporate name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=wlan-guest name=dhcp2
/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=LAN2PC remote-address=\
dhcp_pool1 use-compression=yes use-encryption=required use-mpls=no \
use-upnp=no
/interface bridge port
add bridge=bridge-corporate interface=wlan-corporate
add bridge=bridge-corporate interface=eth1-LAN
/interface pptp-server server
set default-profile=LAN2PC enabled=yes
/ip address
add address=192.168.1.2/24 interface=eth5-WAN network=192.168.1.0
add address=192.168.100.1/24 interface=bridge-corporate network=192.168.100.0
add address=10.0.0.1/24 interface=wlan-guest network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=\
192.168.1.1,8.8.8.8,208.67.222.222,8.8.4.4,208.67.220.220
/ip dns static
add address=192.168.1.1 name=vodafonemobile.cpe
/ip firewall address-list
add address=192.168.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.0.0.0/24 list=bogons
add address=0.0.0.0/8 list=bogons
/ip firewall filter
add chain=input protocol=gre
add chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add chain=input dst-port=1723 protocol=tcp
add chain=input src-address=212.13.32.0/19
add action=drop chain=input in-interface=eth5-WAN
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=jump chain=forward in-interface=wlan-guest jump-target=fw-guest
add action=drop chain=forward dst-address=!192.168.1.0/24 dst-address-list=\
bogons out-interface=eth5-WAN
add action=drop chain=fw-guest dst-address-list=bogons
add chain=in-guest dst-port=53 protocol=udp
add action=drop chain=in-guest
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth5-WAN
add action=dst-nat chain=dstnat comment="DVR Hik" dst-port=58000 protocol=tcp \
to-addresses=192.168.100.10 to-ports=8000
add chain=dstnat comment="Comunicacao DVR Externos" dst-port=37777 protocol=tcp \
to-addresses=192.168.100.0/24 to-ports=83
add action=dst-nat chain=dstnat comment="Alarme Montra TCP" disabled=yes \
dst-port=33000 protocol=tcp to-addresses=192.168.100.129 to-ports=33000
add action=dst-nat chain=dstnat comment="Alarme Montra UDP" disabled=yes \
dst-port=33000 protocol=udp to-addresses=192.168.100.129 to-ports=33000
add action=dst-nat chain=dstnat comment="Alarme Montra DMZ" disabled=yes \
to-addresses=192.168.100.129
add action=dst-nat chain=dstnat comment="DVR MColos1" dst-port=37778 protocol=\
udp to-addresses=192.168.100.12 to-ports=37778
add action=dst-nat chain=dstnat comment="DVR MColos3" dst-port=84 protocol=tcp \
to-addresses=192.168.100.11 to-ports=80
add action=dst-nat chain=dstnat comment="DVR MColos1" dst-port=37779 protocol=\
tcp to-addresses=192.168.100.12 to-ports=37779
add action=dst-nat chain=dstnat comment=Asterisk dst-port=38511 protocol=udp \
to-addresses=192.168.100.6 to-ports=5060
add action=dst-nat chain=dstnat comment=DR-Hikivis1 dst-port=48000 protocol=tcp \
to-addresses=192.168.100.11 to-ports=8000
add action=dst-nat chain=dstnat comment=DR-Hikivis1 dst-port=48000 protocol=udp \
to-addresses=192.168.100.11 to-ports=8000
add action=dst-nat chain=dstnat comment="Ktronic expo" dst-port=8186 protocol=\
tcp to-addresses=192.168.100.199 to-ports=80
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.100.245/32 gateway=*9 pref-src=192.168.100.1 \
scope=10
/ppp secret
add name=jmoliveira profile=LAN2PC service=pptp
add name=filipe profile=LAN2PC service=pptp
/system clock
set time-zone-name=Europe/Lisbon
/system leds
set 5 interface=wlan-corporate
/system ntp client
set enabled=yes primary-ntp=88.157.128.22 secondary-ntp=193.136.164.4
/system package update
set channel=bugfix
/system routerboard settings
set protected-routerboot=disabled
/system scheduler
add interval=5m name="Renew DynDNS" on-event="/ip cloud force-update" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
 
janus20
Member Candidate
Posts: 108
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: alarm port with Mikrotik

Fri Mar 17, 2017 6:28 pm

Hi,

Try first to accept incoming connections on port 33000, since you have a rule that drops input on your WAN interface.
/ip firewall filter
add action=accept chain=input comment="Accept external port to be forwarded #tcp " \
    dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes \
    log-prefix=fwd-acc-tcp protocol=tcp
add action=accept chain=input comment="Accept external port to be forwarded #udp" \
    dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes \
    log-prefix=fwd-acc-udp protocol=udp
* NOTE: if eth5-WAN has a static IP, put it as dst-address={static_ip_of_wan}; I have noticed that it is 192.168.1.2.

Hope it helps.

kind regards,
 
FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

Re: alarm port with Mikrotik

Fri Mar 17, 2017 6:36 pm

"expected end of command (line 1 column 88)"
 
janus20
Member Candidate
Posts: 108
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: alarm port with Mikrotik

Fri Mar 17, 2017 6:40 pm

Hi,

Maybe copy&paste mistake... try again, please:

/ip firewall filter
add action=accept chain=input comment="Accept external port to be forwarded #tcp" dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes log-prefix=fwd-acc-tcp protocol=tcp
add action=accept chain=input comment="Accept external port to be forwarded #udp" dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes log-prefix=fwd-acc-udp protocol=udp

kind regards,
 
FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

Re: alarm port with Mikrotik

Fri Mar 17, 2017 7:46 pm

Unfortunately, I have the same problem :/

Do I need any more rules in NAT along with the code you sent me??
 
janus20
Member Candidate
Posts: 108
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: alarm port with Mikrotik

Fri Mar 17, 2017 8:45 pm

Hi,

Sorry, I forgot to mention that you should move my suggested rules near the top, after the first drop rule.
Please, move rules #13 and #14 after rule #2 ( add action=drop chain=input connection-state=invalid ) and try again.

P.S. Also, your 2nd rule
add chain=input connection-state=established,related
Was it a typo when you posted your config here? I mean, it is missing the "action" parameter. I would modify it to be
add action=accept chain=input connection-state=established,related
( double click the rule, in the Action tab, in the action field, select "accept" )


kind regards,
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: alarm port with Mikrotik

Fri Mar 17, 2017 11:25 pm

Hi,

P.S. Also, your 2nd rule
add chain=input connection-state=established,related
Was it a typo when you posted your config here? I mean, it is missing the "action" parameter. I would modify it to be
add action=accept chain=input connection-state=established,related
( double click the rule, in the Action tab, in the action field, select "accept" )

kind regards,

Hi janus20,

By default, filter rules are always "action=accept", aren't they? When I use the CLI to add firewall rules whose action is accept, I don't mention "action=accept".
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: alarm port with Mikrotik

Sat Mar 18, 2017 2:02 pm

Your MikroTik router is behind another router, so you are basically double NAT-ing.
The first router must have a NAT config which sends the request to the MikroTik IP 192.168.1.2 on port 33000. Is it so?
Also, from your posted rules it looks like the ones for this port are disabled. Have you enabled them when testing?
add action=dst-nat chain=dstnat comment="Alarme Montra TCP" disabled=yes \
dst-port=33000 protocol=tcp to-addresses=192.168.100.129 to-ports=33000
add action=dst-nat chain=dstnat comment="Alarme Montra UDP" disabled=yes \
dst-port=33000 protocol=udp to-addresses=192.168.100.129 to-ports=33000
add action=dst-nat chain=dstnat comment="Alarme Montra DMZ" disabled=yes \
to-addresses=192.168.100.129
 
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: alarm port with Mikrotik

Sat Mar 18, 2017 3:52 pm

Port forwarding via DNAT is controlled by the "Forward" chain after actual DNAT, not by "Input", so something like this would be correct:
/ip firewall filter
add action=accept chain=forward comment="Accept external port to be forwarded #tcp" dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes log-prefix=fwd-acc-tcp protocol=tcp
add action=accept chain=forward comment="Accept external port to be forwarded #udp" dst-address=192.168.1.2 dst-port=33000 in-interface=eth5-WAN log=yes log-prefix=fwd-acc-udp protocol=udp
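
The chain selection discussed in the posts above, as an added example that is not from any poster in this thread: a simplified Python model of the RouterOS order (dstnat first, then input or forward) run over the port 33000 rules posted here. The rule names, the forward-accept-alarm-ip variant and the sample packet are assumptions made for the illustration.

```python
# Simplified model of RouterOS packet flow: dstnat runs first, then the routing
# decision picks the input chain (router's own address) or the forward chain.
# Constructed from the rules posted in this thread; not RouterOS code.
ROUTER_IPS = {"192.168.1.2", "192.168.100.1", "10.0.0.1"}  # from the export

DSTNAT = [  # the two port 33000 rules from the export
    {"proto": "tcp", "dst_port": 33000, "to": "192.168.100.129"},
    {"proto": "udp", "dst_port": 33000, "to": "192.168.100.129"},
]

FILTER = [  # evaluated top to bottom, first match wins (names are hypothetical)
    {"name": "input-accept-33000", "chain": "input", "action": "accept",
     "dst": "192.168.1.2", "dst_port": 33000},
    {"name": "input-drop-wan", "chain": "input", "action": "drop",
     "in_if": "eth5-WAN"},
    {"name": "forward-accept-wan-ip", "chain": "forward", "action": "accept",
     "dst": "192.168.1.2", "dst_port": 33000},
    {"name": "forward-accept-alarm-ip", "chain": "forward", "action": "accept",
     "dst": "192.168.100.129", "dst_port": 33000},  # hypothetical variant
]

def matches(rule, pkt):
    """A rule matches when every matcher it sets equals the packet field."""
    return all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("name", "chain", "action", "to"))

def trace(pkt, nat_enabled):
    """Return (chain, first matching filter rule, action) for a new connection."""
    pkt = dict(pkt)
    if nat_enabled:
        for rule in DSTNAT:
            if matches(rule, pkt):
                pkt["dst"] = rule["to"]   # destination rewritten before filtering
                break
    chain = "input" if pkt["dst"] in ROUTER_IPS else "forward"
    for rule in FILTER:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["name"], rule["action"]
    return chain, None, "accept"          # no rule matched: packet is accepted

# Constructed sample: the phone app connecting to the WAN address on TCP 33000
SAMPLE = {"in_if": "eth5-WAN", "proto": "tcp",
          "dst": "192.168.1.2", "dst_port": 33000}

if __name__ == "__main__":
    print("dst-nat disabled:", trace(SAMPLE, nat_enabled=False))
    print("dst-nat enabled: ", trace(SAMPLE, nat_enabled=True))
```

With the dst-nat rules disabled, as in the export, the packet stays in the input chain and ends at the router itself; with them enabled it reaches the forward chain with destination 192.168.100.129, so only a forward rule matching that translated address is hit.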
 
FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

Re: alarm port with Mikrotik

Wed Mar 22, 2017 5:51 pm

Hello,
Now I'll try to move the rules, after changing the "chain" to forward... at the end I'll post the result...

#Caci99
The router behind is my ISP's router and I only connect the first port to the MikroTik in DMZ mode... so I think the problem isn't in the first router...
 
FilipeAmorim
just joined
Topic Author
Posts: 6
Joined: Fri Mar 17, 2017 1:25 pm

Re: alarm port with Mikrotik

Wed Mar 22, 2017 6:38 pm

Well, unfortunately no result... the alarm stays offline... if I connect to the ISP router it works well without any configuration... but when I connect to the MikroTik it stays offline... in the filter rules, the counters stay at 0...

I don't know what to do anymore! I'm already despairing!

Any more ideas?
