Hi guys,

I'm trying to forward port ports 1701, 500, and 4500 to internal IP 10.0.1.89

I have a NAT rule set up to forward both TCP and UDP for the ports but no matter what I do I simply cannot get the ports to show as open through a port tester, nor can I access them.

I've even tried adding filter rules to accept all three ports, and still nada. Adding screenshots to show what I have set up.

Am I doing something wrong? I can see the packages and data coming in but it just won't go through for some reason. Please help! I'm at the end of my wits

This is the full export of all of my NAT rules:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Winbox Temple" dst-port=8292 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8291
add action=dst-nat chain=dstnat comment="VPN for the temple" dst-port=1723 \
protocol=tcp to-addresses=10.0.1.4 to-ports=1723
add action=dst-nat chain=dstnat comment="Sonicwall CFG" dst-port=88 protocol=\
tcp to-addresses=10.0.1.9 to-ports=88
add action=dst-nat chain=dstnat comment="Temple From RDP" disabled=yes \
dst-port=3389 protocol=tcp to-addresses=10.0.1.4 to-ports=3389
add action=dst-nat chain=dstnat comment="Temple From RDP" disabled=yes \
protocol=tcp src-port=3389 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=4008 protocol=tcp \
to-addresses=10.0.1.9 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=4008 protocol=udp \
to-addresses=10.0.1.9 to-ports=3389
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=9001 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9001
add action=dst-nat chain=dstnat comment="EXT BANA UBNT" dst-port=1014 protocol=\
tcp to-addresses=10.0.1.14 to-ports=1014
add action=dst-nat chain=dstnat comment="UniFi Controller" dst-port=8443 \
protocol=tcp to-addresses=10.0.1.9 to-ports=8443
add action=dst-nat chain=dstnat comment=Spiceworks dst-port=9675 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9675
add action=dst-nat chain=dstnat comment="Mfi Controller" dst-port=2323 \
protocol=tcp to-addresses=10.0.1.9 to-ports=2323
add action=dst-nat chain=dstnat comment="Mfi Controller" dst-port=6443 \
protocol=tcp to-addresses=10.0.1.9 to-ports=6443
add action=dst-nat chain=dstnat comment="EXT ROCKET UBNT" dst-port=1002 \
protocol=tcp to-addresses=10.0.1.12 to-ports=1002
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT" dst-port=1003 \
protocol=tcp to-addresses=10.0.1.13 to-ports=1003
add action=dst-nat chain=dstnat comment="EXT TEMPLE MT" dst-port=1008 protocol=\
tcp to-addresses=10.0.1.13 to-ports=1003
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT ROCKET" dst-port=1041 \
protocol=tcp to-addresses=10.0.1.4 to-ports=1041
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT GIFT SHOP" dst-port=\
1042 protocol=tcp to-addresses=10.0.1.4 to-ports=1042
add action=dst-nat chain=dstnat comment="SERVER ALA" dst-port=1278 protocol=tcp \
to-addresses=10.0.1.9 to-ports=1278
add action=dst-nat chain=dstnat comment="EXT BANA Cams" dst-port=7071 protocol=\
tcp to-addresses=10.0.1.21 to-ports=7071
add action=dst-nat chain=dstnat dst-port=7072 protocol=tcp to-addresses=\
10.0.1.21 to-ports=7072
add action=dst-nat chain=dstnat dst-port=7073 protocol=tcp to-addresses=\
10.0.1.21 to-ports=7073
add action=dst-nat chain=dstnat comment="EXT TEMPLE UBNT GUEST HOUSE" dst-port=\
10411 protocol=tcp to-addresses=10.0.1.4 to-ports=10411
add action=dst-nat chain=dstnat comment="EXT BANA CISCO" dst-port=10141 \
protocol=tcp to-addresses=10.0.1.21 to-ports=10141
add action=dst-nat chain=dstnat dst-port=3389 protocol=udp to-addresses=\
10.0.1.4 to-ports=3389
add action=dst-nat chain=dstnat comment="Temple Power" dst-port=8085 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8085
add action=dst-nat chain=dstnat comment="Temple C Cam" dst-port=8081 protocol=\
tcp to-addresses=10.0.1.4 to-ports=8081
add action=dst-nat chain=dstnat comment="Temple W Cam" dst-port=8082 protocol=\
tcp to-addresses=192.168.1.10 to-ports=8082
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=6666 protocol=tcp to-addresses=\
10.0.1.9 to-ports=6666
add action=dst-nat chain=dstnat comment="ALA RDP" dst-port=9002 protocol=tcp \
to-addresses=10.0.1.89 to-ports=9002
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 \
in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89 to-ports=\
1701
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-address=\
173.187.29.170 dst-port=1701 in-interface=ether1-gateway log=yes protocol=\
tcp to-addresses=10.0.1.89 to-ports=1701
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 \
in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 \
to-ports=500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 \
in-interface=ether1-gateway protocol=tcp to-addresses=10.0.1.89 to-ports=\
500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 \
in-interface=ether1-gateway protocol=udp to-addresses=10.0.1.89 to-ports=\
4500
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 \
in-interface=ether1-gateway protocol=tcp to-addresses=10.0.1.89 to-ports=\
4500


Here's the filter rules. They were originally set to forward but I changed them to input to see if that would help.
/ip firewall filter
add action=accept chain=input src-address=71.31.249.84
add action=accept chain=input disabled=yes dst-port=1701 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input disabled=yes dst-port=500 in-interface=ether1-gateway log=yes protocol=udp
add action=accept chain=input disabled=yes dst-port=500 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=forward dst-port=1701 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1-gateway
add action=accept chain=forward dst-address=10.0.1.89 dst-port=5309 protocol=tcp src-port=5309

When you create dst-nat rule, is not important to specify in interface, but need to specify destination address (WAN IP [Public])

Are you sure that firewall on 10.0.1.89 is not freaking out on inbound VPN connections?

Affirmative. I'm SSHed into the USG pro at 10.0.1.89 and am running a sniff on those three ports and I don't see any packets coming in

Hi,

Please specify your right destination address in general tab.

Thank you! I've updated the dst address but they still wont show as open

I've tried everything I can think of and can't get the traffic to passthrough. Does anyone have any ideas?

Your NAT rules do not need a to-port unless your are changing ports. They should look like this: Or you can combine them in one rule like:
And your Filter rule need to be for chain=forward: (or enable the default drop rule)
Here is some other things that might be a factor

• If your USG's WAN is behind NAT and has a private IP, it is necessary to configure port forwarding on the upstream router to forward UDP ports 500, 1701, and 4500 to the USG's WAN address.

• In pre-4.3.41 USG firmware, L2TP remote access VPN will not work if there are already one or more site-to-site IPsec VPNs configured. Please update to the latest firmware.

• In controller versions prior to 5.7.22, if UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.

https://help.ubnt.com/hc/en-us/articles ... Access-VPN

Thank you! I've consolidated the rules as you recommended.

I also changed the filter rule to chain=forwrad.

I also did follow that ubiiquiti guide. Actually those parts are what I'm trying to configure forwarding for.

The USG and controller firmware is up to date so those two warnings shouldnt apply

I would echo 2frogs recommendation for dst-nat rules.
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89

However I do not agree with his assessment of moving them to forward filter rules. They are dst nat rules period.
What is correct is with these dst nat rules in place you still need a forward filter rules to allow that traffic past the firewall.
This can be accomplished by:
/firewall filter
{forward chain}
add chain=forward action=accept comment="Allow port forwarding" /
in-interface=wan connection-state=new connect-nat-state=dstnat

This single rule permits all port forwarding rules from dst-nat to get through the firewall.
So get rid of any other filter rules you have in the forward chain for port forwarding.

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"

So did the OP get it working?

That should be really simple. All my other NAT rules work (with port forwarding or not)

But no matter what I can not connect to Softether VPN server (Windows) behind Mikrotik

In log I can see:
xx:xx:xx:xx:xx is MAC address of Miktotik pppoe-out1 interface
??.??.??.?? is public static IP v4 on Mikrotik
!!.!.!!.!! is public IP v4 on iOS device

sebus post your complete config please.

REMOVED

Gave up on this, and simply configured VPN server on Mikrotik itself using these instructions

to-ports=0 is clearly wrong, it shouldn't be there at all. It does exactly what it says, sends packets to port 0.

REMOVED

SOLVED for me!!!

....
What is correct is with these dst nat rules in place you still need a forward filter rules to allow that traffic past the firewall.
This can be accomplished by:
/firewall filter
{forward chain}
add chain=forward action=accept comment="Allow port forwarding" /
in-interface=wan connection-state=new connect-nat-state=dstnat

This single rule permits all port forwarding rules from dst-nat to get through the firewall.
So get rid of any other filter rules you have in the forward chain for port forwarding.

........
Perfect!! This tip from anav SOLVED my problem which was the same of topic author's gavinyo. Thank you so much, anav !!!
I also had a dozen NAT port forwarding rules and none of them was working. I simply created this one new filter permitting "Port Forwarding" and all rules started working fine now.
I have read several blogs, forum posts, etc, and I find strange that nobody had given this tip so far:

add chain=forward action=accept comment="Allow port forwarding" /
in-interface=ether1 connection-state=new connect-nat-state=dstnat

Hi there, glad its working for you. Normally its covered by default firewall rules and when people stray from them at all, things can get messed up pretty fast.

I have read several blogs, forum posts, etc, and I find strange that nobody had given this tip so far:

add chain=forward action=accept comment="Allow port forwarding" /
in-interface=ether1 connection-state=new connect-nat-state=dstnat

The reason might be that a similar rule has been present in factory-default firewall rules of RouterOS versions released since a few years ago, so few people bump into this issue.