bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Port forwarding UDP (factorio)

Fri Jan 13, 2023 8:48 pm

I have a Mikrotik that's been working for years, and I'm now trying to port forward 34197 UDP to an internal server.
 /ip/firewall/nat print
Flags: X - disabled, I - invalid; D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    ;;; factorio
      chain=dstnat action=dst-nat to-addresses=198.168.88.139 to-ports=34197 protocol=udp dst-address=xx.xx.xx.250
      dst-port=34197 log=no log-prefix=""
Watching it on the web config shows that the NAT rule is incrementing each time I send a packet from outside.

I have a firewall rule:
/ip/firewall/filter print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    chain=forward action=accept protocol=udp dst-port=34197 log=no log-prefix=""

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
And the rule 2 increments also; but nothing is received on the server.

I'm using:
nc -ul -p 34197
on the server, and sending to it from inside the LAN works great, but from outside I get nothing. What am I missing?
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 9:19 pm

xx.xx.xx.250 is your public static IP?
Try without setting dst-address if you don't care from which public IP the connection is coming.
Also make sure that your ISP is not filtering that port and your local network is not behind double nat (ISP nat).
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 9:55 pm

> xx.xx.xx.250 is your public static IP?
> Try without setting dst-address if you don't care from which public IP the connection is coming.
> Also make sure that your ISP is not filtering that port and your local network is not behind double nat (ISP nat).

Yeah, that's my external IP. I removed it, and it stopped upping the count; I added the exact interface, it started upping the count again.

The ISP isn't filtering (the Mikrotik sees it as the count goes up) but something else is missing. The IPv6 firewall wouldn't be involved, right?
/ipv6/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 2    ;;; defconf: accept ICMPv6
      chain=input action=accept protocol=icmpv6

 3    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534

 4    ;;; defconf: accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
 5    ;;; defconf: accept IKE
      chain=input action=accept protocol=udp dst-port=500,4500

 6    ;;; defconf: accept ipsec AH
      chain=input action=accept protocol=ipsec-ah

 7    ;;; defconf: accept ipsec ESP
      chain=input action=accept protocol=ipsec-esp

 8    ;;; defconf: accept all that matches ipsec policy
      chain=input action=accept ipsec-policy=in,ipsec

 9    chain=forward action=accept src-address=2600:......:7ed7/128 log=no log-prefix=""

10    chain=forward action=accept src-address=2600:.......:f391/128 log=no log-prefix=""

19    ;;; defconf: accept IKE
      chain=forward action=accept protocol=udp dst-port=500,4500

20    ;;; defconf: accept ipsec AH
      chain=forward action=accept protocol=ipsec-ah log=no log-prefix=""

21    ;;; defconf: accept ipsec ESP
      chain=forward action=accept protocol=ipsec-esp

22    ;;; defconf: accept all that matches ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

23    ;;; defconf: drop everything else not coming from LAN
      chain=forward action=drop in-interface-list=!LAN
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:16 pm

Remove firewall rule 23, it's dropping dstnat forwards from non-LAN interfaces; your public connection is from the WAN interface.
You had good rule in your first post:
12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:22 pm

> Remove firewall rule 23, it's dropping dstnat forwards from non-LAN interfaces; your public connection is from the WAN interface.
> You had good rule in your first post:
> 12    ;;; defconf: drop all from WAN not DSTNATed
>       chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Rule 23 was on IPv6, but even so, disabling that didn't change anything
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:24 pm

Correction: change that rule 12 to the input chain. That rule actually exists in defconf, but its chain is input.
You should have it to block connections to the router that are not dstnat forwards from WAN, so both rules are needed for that.
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:36 pm


> Rule 23 was on IPv6, but even so, disabling that didn't change anything

True, I did not notice /ipv6/...., I thought that you changed your firewall rules for IPv4. IPv6 firewall rules will not apply to IPv4 connections.
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:40 pm

Rule 2 is catching it, as I see the counter increasing; what else could it be? Is it not "masking" and the recipient system is dropping it for some reason? It's a Linux box with no firewall rules at all, and it works fine on UDP on the same port on LAN.

Do I need to tell it to stop processing after it hits rule 2?
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 10:55 pm

That rule 2 is actually not needed if you are not blocking all forward rules, which you are not (rule 12). If the packet counter on the NAT rule is growing, it should work if you can access it from LAN.
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 11:15 pm

Then I'm flummoxed; maybe I should try TCP instead.

How would I DMZ the machine and forward EVERYTHING to it?
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 11:30 pm

> Then I'm flummoxed; maybe I should try TCP instead.
>
> How would I DMZ the machine and forward EVERYTHING to it?

Forwarding TCP if factorio is using UDP will not help, even if the TCP forward works.

Setting up a DMZ is a different thing... You can search the forum for examples, topics like: viewtopic.php?t=158080
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Fri Jan 13, 2023 11:34 pm

>> Then I'm flummoxed; maybe I should try TCP instead.
>>
>> How would I DMZ the machine and forward EVERYTHING to it?
>
> Forwarding TCP if factorio is using UDP will not help, even if the TCP forward works.
>
> Setting up a DMZ is a different thing... You can search the forum for examples, topics like: viewtopic.php?t=158080

yeah, I'm just trying to prove that ANY forwarding can work, and I don't know what else to try
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding UDP (factorio)

Sat Jan 14, 2023 4:02 am

Post complete config for analysis...
/export file=anynameyouwish ( minus router serial# and any public WANIP information )
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Sat Jan 14, 2023 8:12 am

# jan/14/2023 00:08:25 by RouterOS 7.7
# software id = AICP-V6XM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxx
/interface bridge add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether1 ] mac-address=xxxxx
/interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united states" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-frequency=auto ssid=xxxxx wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united states" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=xxxxx wireless-protocol=802.11
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf
/ipv6 dhcp-server option add code=23 name=dnsserver value="'fe80::xxx:f186'"
/port set 0 name=serial0
/port set 1 name=serial1
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf instance add disabled=no name=default-v3 version=3
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/routing ospf area add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192
/ipv6 settings set max-neighbor-entries=8192
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server set auth=sha1,md5
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=xxxx.com gateway=192.168.88.1 ntp-server=192.168.88.1 wins-server=192.168.88.139
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward dst-port=34197 protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward src-address=192.168.88.182
/ip firewall filter add action=drop chain=forward src-address=192.168.88.177
/ip firewall filter add action=drop chain=forward src-address=192.168.88.101
/ip firewall filter add action=drop chain=forward src-address=192.168.88.112
/ip firewall filter add action=drop chain=forward src-address=192.168.88.118
/ip firewall filter add action=drop chain=forward src-address=192.168.88.132
/ip firewall filter add action=drop chain=forward src-address=192.168.88.109
/ip firewall filter add action=drop chain=forward src-address=192.168.88.111
/ip firewall filter add action=drop chain=forward src-address=192.168.88.134
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
/ip route add blackhole disabled=no dst-address=10.0.0.0/8
/ip route add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.100.1
/ip service set www-ssl certificate=fullchain.cer_0 disabled=no
/ip ssh set always-allow-password-login=yes strong-crypto=yes
/ip upnp set enabled=yes
/ip upnp interfaces add interface=bridge type=internal
/ip upnp interfaces add interface=ether1 type=external
/ipv6 address add address=::xxx:f186 eui-64=yes from-pool=ipv6-pool interface=bridge
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=ipv6-pool request=address,prefix
/ipv6 dhcp-server add address-pool="" dhcp-option=dnsserver interface=bridge name=dhcp6
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=accept chain=forward src-address=2600:xxxx:7ed7/128
/ipv6 firewall filter add action=accept chain=forward src-address=2600:xxxx:f391/128
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd set [ find default=yes ] advertise-dns=no interface=bridge
/system clock set time-zone-name=xxxxx
/system identity set name=basement-router
/system leds add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
/system leds add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
/system leds add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client set enabled=yes
/system ntp server set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes manycast=yes multicast=yes
/system resource irq rps set sfp-sfpplus1 disabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)  [SOLVED]

Sat Jan 14, 2023 9:21 am

/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
198.168.88.139

198.168.88.139

198


I die now
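
The mistake found above, as an added example that is not part of the original thread: a Python check that reads a RouterOS export and reports any dst-nat rule whose to-addresses lies outside every subnet configured under /ip address. The sample input is constructed from three lines of the export posted earlier; the function names are assumptions of this example, and it assumes an export without backslash line continuations.

```python
import ipaddress
import re

# Constructed sample: three lines reduced from the export posted in this thread.
SAMPLE_EXPORT = """\
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=factorio dst-port=34197 in-interface=ether1 protocol=udp to-addresses=198.168.88.139 to-ports=34197
"""

KEY_VALUE = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Yield (menu, properties) for every 'add' command in an export.

    Handles the flattened form used in the post ('/ip address add ...') and
    the sectioned form ('/ip address' followed by 'add ...' lines).
    Assumption: no backslash line continuations.
    """
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu, has_add, rest = line.partition(" add ")
            if not has_add:
                continue  # bare menu line or a 'set' command
        elif line.startswith("add "):
            rest = line[4:]
        else:
            continue
        yield menu.strip(), {k: v.strip('"') for k, v in KEY_VALUE.findall(rest)}


def audit_dstnat(text):
    """Return dst-nat rules whose to-addresses is outside every router subnet."""
    commands = list(parse_export(text))
    subnets = []
    for menu, props in commands:
        if menu == "/ip address":
            try:
                subnets.append(ipaddress.ip_interface(props.get("address", "")).network)
            except ValueError:
                pass  # redacted or malformed address
    findings = []
    for menu, props in commands:
        if menu != "/ip firewall nat" or props.get("action") != "dst-nat":
            continue
        try:
            target = ipaddress.ip_address(props.get("to-addresses", ""))
        except ValueError:
            continue  # missing, a range, or redacted: not judged here
        if not any(target in net for net in subnets):
            findings.append({
                "comment": props.get("comment", ""),
                "to": str(target),
                "public": target.is_global,  # True: a routable public address
                "subnets": [str(net) for net in subnets],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_dstnat(SAMPLE_EXPORT):
        print(finding)
```

A rule with a wrong target still matches incoming packets, so its counter keeps rising on the router; comparing the target against the configured subnets is what exposes the typo.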
 
bombcar
just joined
Topic Author
Posts: 17
Joined: Tue Jun 17, 2014 5:03 pm

Re: Port forwarding UDP (factorio)

Sat Jan 14, 2023 9:41 am

thanks for help; now if I just wasn't typoing it would have worked much earlier :o

works now
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Port forwarding UDP (factorio)

Sat Jan 14, 2023 10:24 am

eternal copy pasta problem
