JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

DDNS Port Forwarding RouterOS ver 6.48.1 not working

Thu Apr 29, 2021 1:01 pm

Hi Experts

I need help with port forwarding. I need to access the alarm system on public\website\app on port 10001. I have set up port forwarding\natting on the MikroTik and MikroTik DDNS. Port forwarding is not working; I can't access the DDNS name on port number 10001. It works fine on the LAN.

WAN cronjehome.sn.mynetname.net:10001 = Not working
LAN 192.168.0.3:10001 = working


Config
# apr/29/2021 11:24:39 by RouterOS 6.48.1
# software id = KQAL-TRIU
#
# model = RB941-2nD
# serial number =
/interface bridge
add admin-mac=C4:AD:34:F4:4F:1A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country="south africa" disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
ap-bridge ssid=CronjeWireless station-roaming=enabled wireless-protocol=\
802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password= service-name=Vodacom user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret= use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
#error exporting /interface ovpn-server server
#interrupted

Firewall\natting
# apr/29/2021 11:29:26 by RouterOS 6.48.1
# software id = KQAL-TRIU
#
# model = RB941-2nD
# serial number =
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10001 \
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10000 \
in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.3 to-ports=10001
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
Last edited by JRJakkals on Thu Apr 29, 2021 1:43 pm, edited 7 times in total.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Port Forwarding ver 6.48.1

Thu Apr 29, 2021 1:10 pm

Are you really really really sure you want your alarm directly available through the Internet!?
Can you connect/test on the LAN?
What is the exact problem you are running into?

Instead of using ether1, shouldn't you be using the pppoe interface for the forward?
Last edited by erlinden on Thu Apr 29, 2021 1:13 pm, edited 1 time in total.
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: Port Forwarding ver 6.48.1

Thu Apr 29, 2021 1:12 pm

Yes, I can access the alarm on the LAN, and yes, I want to access the alarm from external.
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: Port Forwarding ver 6.48.1

Thu Apr 29, 2021 1:27 pm

Port forwarding not working.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDNS Port Forwarding ver 6.48.1  [SOLVED]

Thu Apr 29, 2021 1:41 pm

Okay, good to know, because many times people try to reach the server from behind the router using the public IP (vice the LAN IP) and that's a loopback scenario that requires extra NAT rules.
However you are clearly indicating a valid external access attempt.

(1) These rules do not belong in the forward chain as they are NAT type rules, so they should be removed.
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10001 \
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10000 \
in-interface=ether1 protocol=tcp


(2) This default firewall rule in the forward chain is in place which is GOOD because this is the only firewall rule you need to allow destination natted packets to get to the LAN.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


(3) Finally, change all your ether1 entries to in-interface-list=WAN (or in-interface=pppoe-out1).
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.3 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.3 to-ports=10001
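
An added example, not part of the original thread: a small Python check for the misbinding corrected in step (3). On a PPPoE uplink, routed traffic reaches the IP firewall on the PPPoE client interface, so a rule matching the physical port underneath is never hit. `SAMPLE_EXPORT` is constructed for illustration, and the function names are this example's own.

```python
import re
import shlex

# Constructed sample: a trimmed export shaped like the one posted in this thread.
SAMPLE_EXPORT = r'''/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=Vodacom
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.3 dst-port=10001 \
    in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=10001 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=10000 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.0.3 to-ports=10000
'''


def parse_export(text):
    """Return (menu, params) for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # undo the export's line wrapping
    menu, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rows.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rows


def audit_in_interface(text):
    """Flag firewall rules matching the physical port under a PPPoE client."""
    rows = parse_export(text)
    # physical port -> name of the PPPoE client running over it
    carriers = {p["interface"]: p["name"] for menu, p in rows
                if menu == "/interface pppoe-client" and p.keys() >= {"interface", "name"}}
    findings = []
    for menu, p in rows:
        port = p.get("in-interface")
        if menu and menu.startswith("/ip firewall") and port in carriers:
            findings.append((menu, p.get("chain"), p.get("protocol"),
                             p.get("dst-port"), port, carriers[port]))
    return findings


if __name__ == "__main__":
    for menu, chain, proto, dport, port, client in audit_in_interface(SAMPLE_EXPORT):
        print(f"{menu} chain={chain} {proto}/{dport}: in-interface={port} "
              f"will not match routed traffic; use in-interface={client} "
              f"or in-interface-list=WAN")
```

Rules that use `in-interface-list=WAN` are not flagged, because the posted configuration lists `pppoe-out1` as a member of the WAN list.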
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: DDNS Port Forwarding RouterOS ver 6.48.1 not working

Thu Apr 29, 2021 1:55 pm

Thank you very much anav

It's working now. I have been watching your posts and you are really good. You should start charging a fee and do remote support. Or start creating a YouTube channel.

Kind Regards
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDNS Port Forwarding RouterOS ver 6.48.1 not working

Thu Apr 29, 2021 2:03 pm

> Thank you very much anav
>
> It's working now. I have been watching your posts and you are really good. You should start charging a fee and do remote support. Or start creating a YouTube channel.
>
> Kind Regards

If he does that, he probably will not help you on this forum... ;)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDNS Port Forwarding RouterOS ver 6.48.1 not working

Thu Apr 29, 2021 4:34 pm

Kind words, but I am no expert!! All my knowledge has been from picking the brains of the real experts here.
They know who they are LOL.
My goal is to bridge the gap between homeowners and the expert advice that assumes way too much knowledge and cannot relate to ordinary people LOL.
