Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Port Forwarding Problem

Wed Jun 09, 2021 9:28 am

Hi, I have a webserver and already set up the port forwarding in NAT, but it doesn't seem to work at all; it is still refusing the connection, and I already checked that the port is open, but I can't browse.
I use my 2nd ISP because its IP is static; never mind the 1st ISP, I just included it in the image to be clear, following the map. I need your help and it will be appreciated a lot, guys. Thank you.

Image
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding Problem

Wed Jun 09, 2021 10:16 am

Now for each device put the
/export hide-sensitive file=devicex
on the forum so we can see all the missing details not present in the picture.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Wed Jun 09, 2021 10:37 am

Now for each device put the
/export hide-sensitive file=devicex
on the forum so we can see all the missing details not present in the picture.

/interface bridge
add admin-mac=08:55:31:40:3D:0C auto-mac=no comment=defconf name=88bridge
add name=178bridge
/interface ethernet
set [ find default-name=ether2 ] arp=disabled
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=2 dial-on-demand=yes \
    disabled=no interface=ether2 keepalive-timeout=30 name=PLDTEnterprise \
    user=
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=home-dhcp ranges=192.168.88.20-192.168.88.254
add name=enterprise-dhcp ranges=192.168.178.10-192.168.178.254
/ip dhcp-server
add address-pool=home-dhcp interface=88bridge lease-time=52w1d name=\
    defconfHOME
add address-pool=enterprise-dhcp interface=178bridge lease-time=52w1d name=\
    defconENT
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,sniff,sensitive,api,romon,tikapp,!web,!dude"
/interface bridge port
add bridge=88bridge comment=defconf interface=ether3
add bridge=88bridge comment=defconf interface=ether4
add bridge=88bridge comment=defconf interface=ether5
add bridge=88bridge comment=defconf interface=ether6
add bridge=88bridge comment=defconf interface=ether7
add bridge=88bridge comment=defconf interface=sfp-sfpplus1
add bridge=178bridge comment=defconf178 interface=ether9
add bridge=178bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=88bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=178bridge list=LAN
add interface=PLDTEnterprise list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=88bridge network=\
    192.168.88.0
add address=192.168.178.1/24 interface=178bridge network=192.168.178.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.178.0/24 gateway=192.168.178.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.88.0/24 list=support
add address=192.168.88.10 list=support
add address=192.168.0.0/24 list=support
add address=192.168.178.0/24 list=support
add address=192.168.188.0/24 list=support
add address=192.168.178.0/24 list="178 Network"
add address=192.168.88.0/24 list="88 Network"
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=202.84.114.0/24 list=support
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward dst-address=192.168.178.122 dst-port=9101 \
    in-interface=ether2 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 TO WAN 1" \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address-list=\
    "88 Network"
add action=mark-routing chain=prerouting comment="LAN2 TO WAN 2" \
    new-routing-mark=LAN2_TO_WAN2 passthrough=yes src-address-list=\
    "178 Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    PLDTEnterprise
add action=dst-nat chain=dstnat comment=SalesServer dst-address=1.1.1.1 \
    dst-port=9101 in-interface=ether2 log=yes protocol=tcp to-addresses=\
    192.168.178.122 to-ports=9101
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
    src-address-list=ddos-attackers
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=LAN1_TO_WAN1
add distance=1 gateway=PLDTEnterprise routing-mark=LAN2_TO_WAN2
add distance=1 dst-address=192.168.178.0/24 gateway=PLDTEnterprise
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=XX
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding Problem

Wed Jun 09, 2021 10:56 am

Sorry, one clarification:
is only ONE router a MikroTik?
If 1.1.1.1 is assigned to the ISP2 router, i.e. if the MikroTik router does not have a public IP address, the configuration MUST start on the ISP2 router:
on the ISP2 router you must add a "virtual server"/NAT to redirect TCP 1.1.1.1:9101 to ip_of_mikrotik_router:9101, and use ip_of_mikrotik_router in the rule you have written in the picture.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Wed Jun 09, 2021 11:59 am

Sorry, one clarification:
is only ONE router a MikroTik?
If 1.1.1.1 is assigned to the ISP2 router, i.e. if the MikroTik router does not have a public IP address, the configuration MUST start on the ISP2 router:
on the ISP2 router you must add a "virtual server"/NAT to redirect TCP 1.1.1.1:9101 to ip_of_mikrotik_router:9101, and use ip_of_mikrotik_router in the rule you have written in the picture.
Yes, I have only 1 MikroTik router. I just changed the public address to 1.1.1.1 for the forum, hehe.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding Problem

Wed Jun 09, 2021 12:19 pm

Again, is 1.1.1.1 on the ISP2 router or on the MikroTik?

If 1.1.1.1 is on the MikroTik router,
the ISP2 router must have firewall rules to accept connections to 1.1.1.1 port 9101,
or they are blocked.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding Problem

Wed Jun 09, 2021 1:34 pm

The way I understand it, ISP2 is PPPoE with a fixed static IP address. ISP1 is a dynamic WAN IP which does not come into play for this.

In terms of NAT settings, a couple of changes, but not sure they will make a difference.......
The first one reflects a more accurate source-NAT rule for static/fixed WAN IPs, and the second is to change eth2 (which is not the "functional" interface).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
PLDTEnterprise
add action=dst-nat chain=dstnat comment=SalesServer dst-address=1.1.1.1 \
dst-port=9101 in-interface=ether2 log=yes protocol=tcp to-addresses=\
192.168.178.122 to-ports=9101


TO
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\
PLDTEnterprise to-addresses=1.1.1.1
add action=dst-nat chain=dstnat comment=SalesServer dst-address=1.1.1.1 \
dst-port=9101 in-interface=PLDTEnterprise log=yes protocol=tcp to-addresses=\
192.168.178.122 to-ports=9101
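The mistake anav points at (the dst-nat rule naming ether2, the port the PPPoE session runs over, instead of the PPPoE interface that holds the public IP) can be caught mechanically from the export. The Python lint below is an added example, not code from this thread or from MikroTik: it parses the `/export` format (backslash line continuations, `\_` escaped spaces) and flags dst-nat rules whose in-interface is a PPPoE carrier port. The sample export is a constructed excerpt modelled on the thread's config, and 203.0.113.10 is a documentation address standing in for the public IP.

```python
"""Lint a RouterOS /export for dst-nat rules bound to the wrong WAN interface.

Added example (not from the forum thread or from MikroTik). With a PPPoE
client running over ether2, the public IP sits on the PPPoE interface, so
packets for it enter the firewall on that interface; a dst-nat rule with
in-interface=ether2 never matches them.
"""
import shlex

# Constructed excerpt modelled on the thread's export, not the poster's file.
# 203.0.113.10 is a documentation address standing in for the public IP.
SAMPLE_EXPORT = """\
/interface pppoe-client
add add-default-route=yes default-route-distance=2 dial-on-demand=yes \\
    disabled=no interface=ether2 keepalive-timeout=30 name=PLDTEnterprise \\
    user=
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=PLDTEnterprise list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\\
    PLDTEnterprise
add action=dst-nat chain=dstnat comment=SalesServer dst-address=203.0.113.10 \\
    dst-port=9101 in-interface=ether2 log=yes protocol=tcp to-addresses=\\
    192.168.178.122 to-ports=9101
"""


def _join_continuations(text):
    """Join lines that end in a backslash, as RouterOS exports wrap them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: indentation is dropped
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Parse an export into (section, command, {key: value}) tuples."""
    entries, section = [], None
    for line in _join_continuations(text):
        if line.startswith("/"):      # section header such as /ip firewall nat
            section = line
            continue
        if line.startswith("#"):      # export timestamp/version comment
            continue
        # '\_' is RouterOS's escaped space at the start of a wrapped string.
        tokens = shlex.split(line.replace("\\_", " "))
        if not tokens:
            continue
        kv = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, value = tok.partition("=")
                kv[key] = value
        entries.append((section, tokens[0], kv))
    return entries


def find_dstnat_issues(entries):
    """Return human-readable findings for misbound dst-nat rules."""
    # pppoe-client name -> ethernet port the session runs over
    pppoe_over = {kv["name"]: kv["interface"]
                  for sec, cmd, kv in entries
                  if sec == "/interface pppoe-client" and cmd == "add"
                  and "name" in kv and "interface" in kv}
    carrier_of = {eth: name for name, eth in pppoe_over.items()}
    wan = {kv["interface"] for sec, cmd, kv in entries
           if sec == "/interface list member" and cmd == "add"
           and kv.get("list") == "WAN" and "interface" in kv}
    issues = []
    for sec, cmd, kv in entries:
        if sec != "/ip firewall nat" or cmd != "add":
            continue
        if kv.get("action") != "dst-nat":
            continue
        label = kv.get("comment") or f"dst-port {kv.get('dst-port', '?')}"
        iface = kv.get("in-interface")
        if iface in carrier_of:
            issues.append(f"{label}: in-interface={iface} only carries the PPPoE "
                          f"session {carrier_of[iface]}; use "
                          f"in-interface={carrier_of[iface]}")
        elif iface is not None and iface not in wan:
            issues.append(f"{label}: in-interface={iface} is not in the WAN list")
    return issues


def lint_export(text):
    """Convenience wrapper: parse the export text, then check it."""
    return find_dstnat_issues(parse_export(text))


if __name__ == "__main__":
    for issue in lint_export(SAMPLE_EXPORT) or ["no dst-nat issues found"]:
        print(issue)
```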
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Thu Jun 10, 2021 4:37 am

Again, is 1.1.1.1 on the ISP2 router or on the MikroTik?

If 1.1.1.1 is on the MikroTik router,
the ISP2 router must have firewall rules to accept connections to 1.1.1.1 port 9101,
or they are blocked.
Inside the MikroTik router; it was bridged to the MikroTik router through PPPoE,
so am I going to use NAT rules to accept the src-address to dst-address connection?

By the way, I just migrated to the MikroTik router. We usually used the old normal D-Link wireless router to bridge and port forward the webserver, as easy as 1-2-3, working fine. We migrated to the new MikroTik router to handle the speed and for security reasons. Somehow setting it up may be hard on this router, or I am missing some steps to set it up right.
Last edited by Eduardo25 on Thu Jun 10, 2021 4:57 am, edited 2 times in total.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Thu Jun 10, 2021 4:38 am

Thanks for correcting it, sir.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Thu Jun 10, 2021 9:01 am

Again, is 1.1.1.1 on the ISP2 router or on the MikroTik?

If 1.1.1.1 is on the MikroTik router,
the ISP2 router must have firewall rules to accept connections to 1.1.1.1 port 9101,
or they are blocked.
This is the result in the logs. There is no ACK response, I think.
Image
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding Problem

Thu Jun 10, 2021 5:52 pm

Please post your latest complete config.

/export hide-sensitive file=anynameyouwish
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Fri Jun 11, 2021 6:58 am

Please post your latest complete config.

/export hide-sensitive file=anynameyouwish
Okay, here it is. I trust you all, so I am also going to post the public IP.
/interface bridge
add admin-mac=08:55:31:40:3D:0C auto-mac=no comment=defconf name=88bridge
add name=178bridge
/interface ethernet
set [ find default-name=ether2 ] arp=disabled
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=2 dial-on-demand=yes \
    disabled=no interface=ether2 keepalive-timeout=30 name=PLDTEnterprise \
    user=
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=home-dhcp ranges=192.168.88.20-192.168.88.254
add name=enterprise-dhcp ranges=192.168.178.10-192.168.178.254
/ip dhcp-server
add address-pool=home-dhcp interface=88bridge lease-time=52w1d name=\
    defconfHOME
add address-pool=enterprise-dhcp interface=178bridge lease-time=52w1d name=\
    defconENT
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,sniff,sensitive,api,romon,tikapp,!web,!dude"
/interface bridge port
add bridge=88bridge comment=defconf interface=ether3
add bridge=88bridge comment=defconf interface=ether4
add bridge=88bridge comment=defconf interface=ether5
add bridge=88bridge comment=defconf interface=ether6
add bridge=88bridge comment=defconf interface=ether7
add bridge=88bridge comment=defconf interface=sfp-sfpplus1
add bridge=178bridge comment=defconf178 interface=ether9
add bridge=178bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=88bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=178bridge list=LAN
add interface=PLDTEnterprise list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=88bridge network=\
    192.168.88.0
add address=192.168.178.1/24 interface=178bridge network=192.168.178.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.178.0/24 gateway=192.168.178.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.88.0/24 list=support
add address=192.168.88.10 list=support
add address=192.168.0.0/24 list=support
add address=192.168.178.0/24 list=support
add address=192.168.188.0/24 list=support
add address=192.168.178.0/24 list="178 Network"
add address=192.168.88.0/24 list="88 Network"
add address=202.84.114.0/24 list=support
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 TO WAN 1" \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address-list=\
    "88 Network"
add action=mark-routing chain=prerouting comment="LAN2 TO WAN 2" \
    new-routing-mark=LAN2_TO_WAN2 passthrough=yes src-address-list=\
    "178 Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    PLDTEnterprise
add action=dst-nat chain=dstnat comment=SalesServer dst-address=122.53.63.134 \
    dst-port=9101 in-interface=PLDTEnterprise log=yes protocol=tcp \
    to-addresses=192.168.178.122 to-ports=9101
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
    src-address-list=ddos-attackers
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=LAN1_TO_WAN1
add distance=1 gateway=PLDTEnterprise routing-mark=LAN2_TO_WAN2
add distance=1 dst-address=192.168.178.0/24 gateway=PLDTEnterprise
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=Graphic
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding Problem

Fri Jun 11, 2021 4:32 pm

Working top to bottom, I don't see much yet, but you need to add servers, allow DNS and get rid of the default static entry.......
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.178.0/24 gateway=192.168.178.1 dns-server=192.168.178.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
(or whatever public DNS servers you prefer)

/ip dns static {remove this entry}
add address=192.168.88.1 comment=defconf name=router.lan

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Next up, firewall rules: WHY DO YOU SEPARATE CHAINS? Hard to read and prone to matching errors, as ORDER COUNTS, besides the duplicates you have going... a mess!!!
HERE IS WHAT I SUGGEST: DISABLE EVERY RULE THAT is not shown below, which is what you need; the rest is extra, for now.......... to get things working.

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

MANGLING - Not required; you can route LAN1 to WAN1 and LAN2 to WAN2 without mangling.
I suggest removing the mangling and putting the fasttrack rule back at the top of the forward chain.
add chain=forward action=fasttrack-connection connection-state=established,related

FROM
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=LAN1_TO_WAN1
add distance=1 gateway=PLDTEnterprise routing-mark=LAN2_TO_WAN2
add distance=1 dst-address=192.168.178.0/24 gateway=PLDTEnterprise

TO:
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 gateway=PLDTEnterprise
add distance=1 gateway=192.168.1.1 routing-mark=88_Subnet
add distance=1 gateway=PLDTEnterprise routing-mark=178_Subnet

Route Rules
/ip route rule
add action=lookup-only-in-table src-address=\
192.168.88.0/24 table=88_Subnet
add action=lookup-only-in-table src-address=\
192.168.178.0/24 table=178_Subnet

Note: If you want any usage of the other subnet (failover) then use Action: lookup-in-table (and not lookup-only-in-table).
Last edited by anav on Sat Jun 12, 2021 4:09 pm, edited 1 time in total.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Sat Jun 12, 2021 10:54 am

Working top to bottom dont see much yet but need to add servers, allow DNS and get rid of the default static entry.......
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.178.0/24 gateway=192.168.178.1 dns-server=192.168.178.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
(or whatever public DNS servers you prefer)

/ip dns static {remove this entry}
add address=192.168.88.1 comment=defconf name=router.lan

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Next up Firewall Rules: WHY DO YOU SEPARATE CHAINS.. hard to read and prone to matching errors as ORDER COUNTS, besides the duplicates you have going, a mess!!!
HERE IS WHAT I SUGGEST: DISABLE EVERY RULE THAT is not shown below, which is what you need; the rest is extra, for now.......... to get things working.

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

MANGLING - Not required, you can route lan1 to wan1 and lan2 to wan2 without mangling.
Suggest removing mangling and putting the fasttrack rule back at the top of the forward chain.
add chain=forward action=fasttrack-connection connection-state=established,related

FROM
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=LAN1_TO_WAN1
add distance=1 gateway=PLDTEnterprise routing-mark=LAN2_TO_WAN2
add distance=1 dst-address=192.168.178.0/24 gateway=PLDTEnterprise

TO:
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 gateway=PLDTEnterprise
add distance=1 gateway=192.168.1.1 routing-mark=88_Subnet
add distance=1 gateway=PLDTEnterprise routing-mark=178_Subnet

Route Rules
/ip route rule
add action=lookup-only-in-table interface=ether1 src-address=\
192.168.88.0/24 table=88_Subnet
add action=lookup-only-in-table interface=PLDTEnterprise src-address=\
192.168.178.0/24 table=178_Subnet

Note: If you want any usage of the other subnet (failover) then use Action: lookup-in-table (and not lookup-only-in-table).
Thank you very much for simplifying my config. By the way, the port forwarding was already working in the old config that I used as well. What I found through further troubleshooting is that I can't access the server from inside my own network using the public IP used on the MikroTik for ISP1 and ISP2, but locally I can access it through the LAN. I confirmed this by accessing it from my mobile phone over the telecom provider's network.
Maybe I should make rules that accept the request from my own network? How can I achieve that? I really appreciate your help sir. Thanks in advance.
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port Forwarding Problem

Sat Jun 12, 2021 11:03 am

You need hairpin nat.
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port Forwarding Problem  [SOLVED]

Sat Jun 12, 2021 3:21 pm

Lots of ways to skin the cat for hairpin nat.
The issue is caused when your server is on the same subnet as your LAN users.
The solutions are abundant.

The two easiest ones are:
(1) Quite simply get LAN users to use the LAN IP
(2) Move the server to its own subnet, and quite frankly if you don't want your users to use the LAN IP, then it probably should be on a different subnet/vlan.

IF above is not doable,
then the rest depends upon
a. which ISP are you using to access the SERVER (from external)? and
b. is the IP static or dynamic?

Regardless, the one essential step is that you will need to add a sourcenat rule at the top of the sourcenat rules.
add action=masquerade chain=srcnat src-address=192.168.178.0/24 dst-address=192.168.178.0/24

If you consider your WANIP on ether2 static then basically no change is required on the dst-nat rule.
add action=dst-nat chain=dstnat comment=SalesServer dst-address=staticwanip \
dst-port=9101 log=yes protocol=tcp to-addresses=192.168.178.122

(to-ports NOT required if same as dst-port, in-interface not required as you have stated the dst-address already)
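Why the extra source-NAT rule is the essential step, as an added Python model of the packet flow (an illustration written for this thread, not RouterOS code and not anav's). The dst-nat and hairpin src-nat rules mirror the ones in the post; the client address 192.168.178.50 and the public address 203.0.113.10 (standing in for "staticwanip") are constructed sample values, and connection tracking is reduced to a dictionary keyed on the reply 4-tuple.

```python
"""Model of the hairpin NAT problem from the post above: a LAN client
connects to the server through the router's public address.
Added Python illustration, not RouterOS code. The dst-nat and
src-nat rules mirror the post; CLIENT and WAN_IP are constructed
sample values (WAN_IP stands in for the post's "staticwanip");
connection tracking is reduced to a dictionary."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.178.0/24")
ROUTER_LAN_IP = "192.168.178.1"
SERVER = "192.168.178.122"        # SalesServer from the post
SERVER_PORT = 9101
WAN_IP = "203.0.113.10"           # constructed, documentation range
CLIENT = "192.168.178.50"         # constructed LAN host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """dstnat first, then srcnat, the order RouterOS applies them."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.conntrack = {}   # reply 4-tuple -> original (pre-NAT) packet

    def forward(self, pkt):
        orig = pkt
        # chain=dstnat: dst-address=WAN_IP dst-port=9101 tcp -> SERVER
        if pkt.dst == WAN_IP and pkt.dport == SERVER_PORT:
            pkt = replace(pkt, dst=SERVER)
        # chain=srcnat action=masquerade src-address=LAN dst-address=LAN,
        # matched against the packet after dst-nat has rewritten it
        if self.hairpin and ip_address(pkt.src) in LAN and ip_address(pkt.dst) in LAN:
            pkt = replace(pkt, src=ROUTER_LAN_IP)
        if pkt != orig:
            self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reply(self, pkt):
        """Undo both translations for a packet flowing back, or None."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def trace(hairpin):
    """Packets at each hop for one SYN from CLIENT to WAN_IP:9101."""
    router = Router(hairpin)
    syn = Packet(CLIENT, 40000, WAN_IP, SERVER_PORT)
    to_server = router.forward(syn)
    # The server answers whatever source address it saw.
    from_server = Packet(SERVER, SERVER_PORT, to_server.src, to_server.sport)
    # A reply addressed to a host on its own subnet never crosses the
    # router, so only a reply addressed to the router gets un-NATed.
    if from_server.dst == ROUTER_LAN_IP:
        delivered = router.reply(from_server)
    else:
        delivered = from_server
    return {"syn": syn, "to_server": to_server,
            "from_server": from_server, "delivered": delivered}


def client_accepts(hairpin):
    """The client's TCP stack only matches a reply from the peer it dialled."""
    t = trace(hairpin)
    d = t["delivered"]
    return d is not None and (d.src, d.sport) == (t["syn"].dst, t["syn"].dport)


if __name__ == "__main__":
    for hp in (False, True):
        t = trace(hp)
        print(f"hairpin={hp}: server saw {t['to_server'].src}, client got reply "
              f"from {t['delivered'].src}, accepted={client_accepts(hp)}")
```

Without the hairpin rule the server replies straight to the client with its own LAN address, the client was expecting a reply from the public address, and the connection is refused; with it, the server replies to the router, which restores the public address on the way back. On the real router the masquerade rule must sit above the general WAN masquerade so it matches first, and the "drop all from WAN not DSTNATed" filter rule is not involved because the packet arrives on the LAN side.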
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: Port Forwarding Problem

Mon Jun 14, 2021 4:28 am

Lots of ways to skin the cat for hairpin nat.
The issue is caused when your server is on the same subnet as your LAN users.
The solutions are abundant.

The two easiest ones are:
(1) Quite simply get LAN users to use the LAN IP
(2) Move the server to its own subnet, and quite frankly if you don't want your users to use the LAN IP, then it probably should be on a different subnet/vlan.

IF above is not doable,
then the rest depends upon
a. which ISP are you using to access the SERVER (from external)? and
b. is the IP static or dynamic?

Regardless, the one essential step is that you will need to add a sourcenat rule at the top of the sourcenat rules.
add action=masquerade chain=srcnat src-address=192.168.178.0/24 dst-address=192.168.178.0/24

If you consider your WANIP on ether2 static then basically no change is required on the dst-nat rule.
add action=dst-nat chain=dstnat comment=SalesServer dst-address=staticwanip \
dst-port=9101 log=yes protocol=tcp to-addresses=192.168.178.122

(to-ports NOT required if same as dst-port, in-interface not required as you have stated the dst-address already)
Noted sir, Thank you very much :)
