bastiennv
just joined
Topic Author
Posts: 4
Joined: Tue Sep 10, 2024 11:52 am

Beginner fail to port forwarding

Tue Sep 10, 2024 12:18 pm

Hello !
I got a hEX router from my ISP
The network is very basic with the router behind an optical modem and a switch connected to "interface=ether2"
I'm trying to do port forwarding for some services of my nas.
I tried to follow this https://help.mikrotik.com/docs/display/ ... forwarding to forward 5510 to 192.168.2.107 and 53975 to 5001 of 192.168.2.107
but they remain closed when I test them after a reboot.
I would be very grateful if someone is able to guide me !
Thanks
# sep/10/2024 14:33:32 by RouterOS 6.49.8
# software id = 95FC-39E1
#
# model = RB750Gr3
#
/interface vlan
add interface=ether1 name=vlan2900 vlan-id=2900
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan2900 keepalive-timeout=\
    disabled name=pppoe-out1 user=############
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool3 ranges=192.168.3.100-192.168.3.200
add name=dhcp_pool4 ranges=192.168.4.100-192.168.4.200
add name=dhcp_pool5 ranges=192.168.5.100-192.168.5.200
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=ether3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=ether4 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=ether5 name=dhcp5
/user group
add name=Utilisateur policy="local,reboot,read,write,policy,web,!telnet,!ssh,!\
    ftp,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" \
    skin=utilisateur
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.5.1/24 interface=ether5 network=192.168.5.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.2.107 client-id=1:90:9:d0:32:36:2f mac-address=\
    ##:##:##:##:##:## server=dhcp2
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" \
    in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp \
    src-address=!##.###.##.###
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN port=2000 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=5510 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.107 to-ports=5510
add action=dst-nat chain=dstnat dst-port=53975 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.2.107 to-ports=5001
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address="192.168.2.0/24,192.\
    168.3.0/24,192.168.4.0/24,192.168.5.0/24" port=2222
set www-ssl certificate=Hotspot disabled=no port=48443
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by bastiennv on Tue Sep 10, 2024 3:39 pm, edited 1 time in total.
 
peternz
just joined
Posts: 8
Joined: Wed Jul 03, 2024 4:09 am

Re: Beginner fail to port forwarding

Tue Sep 10, 2024 1:33 pm

Hi,
A couple of questions about your setup.
How are you testing whether the ports are open?
I see that you have only configured the dst-nat for tcp. Are you using UDP and therefore need a rule for that?

Cheers
 
bastiennv
just joined
Topic Author
Posts: 4
Joined: Tue Sep 10, 2024 11:52 am

Re: Beginner fail to port forwarding

Tue Sep 10, 2024 2:22 pm

Hi !
I tested with https://www.portchecktool.com/ and the services failed anyway
The services use TCP, that's why there's no UDP rule
 
TheCat12
Long time Member
Posts: 569
Joined: Fri Dec 31, 2021 9:13 pm

Re: Beginner fail to port forwarding

Tue Sep 10, 2024 2:33 pm

Looking at the NAT masquerade rule, I assume you connect to the internet via PPPoE and some questions arise like: Do you have a default route pointing to it? Have you added the PPPoE interface to the WAN interface list? Do you receive a public IP at all? Should the answer to any of the questions be "no", then that would be where your problem is
 
bastiennv
just joined
Topic Author
Posts: 4
Joined: Tue Sep 10, 2024 11:52 am

Re: Beginner fail to port forwarding

Tue Sep 10, 2024 2:49 pm

I haven't touched the config the ISP made, I added only the port forwarding rules.
There's a default PPPoE route.
The PPPoE interface is in the WAN interface list.
I do have a public IP.
 
mkx
Forum Guru
Posts: 13815
Joined: Thu Mar 03, 2016 10:23 pm

Re: Beginner fail to port forwarding

Tue Sep 10, 2024 3:41 pm

This combination of rules is dangerous:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
...
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN port=2000 protocol=tcp
The first one is actually default (as per MikroTik's default rules), but disabled. The second one seems to be an adaptation of the first one, but it only blocks access to the router's port 2000 for clients not in LAN, while allowing connectivity to all other services the router might run (www, DNS, winbox, etc.). One has to wonder what's so special about port 2000 on this router that it has to be explicitly blocked while everything else can be open to the whole world.

As to the port forwarding ... does your ISP actually allow incoming connections to random ports of their customers' CPEs? Not all do ...
 
MTNick
Member Candidate
Posts: 111
Joined: Fri Nov 24, 2023 6:43 am

Re: Beginner fail to port forwarding

Wed Sep 11, 2024 5:24 pm

Greetings. Below are cleaned-up firewall rules for the input & forward chains. I also added a Hairpin NAT rule just in case you're trying to use a web address vs an IP address within your network. Start with editing your firewall rules with the below.

Also, like MKX mentioned, the ISP may be blocking port forwarding. For example, T-Mobile 5G home internet blocks port forwarding at the ISP level. Only business class allows port forwarding.

For the 2 NAT rules below, you're missing the dst-address for each rule, which should be your ISP address.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=???? dst-port=5510 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.107 to-ports=5510
add action=dst-nat chain=dstnat dst-address=???? dst-port=53975 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.107 to-ports=5001

Edited the code below to reflect the icmp rule from:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp

to:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.2.0/24 out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=dst-nat chain=dstnat dst-address=ISP_IP dst-address-type=local dst-port=5510 protocol=tcp to-addresses=192.168.2.107 to-ports=5510
add action=dst-nat chain=dstnat dst-address=ISP_IP dst-address-type=local dst-port=53975 protocol=tcp to-addresses=192.168.2.107 to-ports=5001
Last edited by MTNick on Thu Sep 26, 2024 3:53 pm, edited 1 time in total.
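To make mkx's point about the input chain and MTNick's corrected chain above concrete, here is a small first-match simulator. It is an added example written for this page, not code from the thread or from MikroTik; the packet samples are constructed, and the `lan` and `src_trusted` keys are stand-ins for `in-interface-list` and the redacted `src-address` matcher.

```python
# Added example (not from the thread or MikroTik): toy first-match evaluator for the
# two input chains. Matchers and packets are dicts; an absent key is a wildcard.
def rule_matches(match, pkt):
    """Every matcher must hold; a frozenset mirrors a RouterOS comma list."""
    return all(pkt.get(k) in v if isinstance(v, frozenset) else pkt.get(k) == v
               for k, v in match.items())

def evaluate(chain, pkt, default="accept"):
    """First match wins; the built-in chains default to accept when nothing matches."""
    for match, action in chain:
        if rule_matches(match, pkt):
            return action
    return default

EST = frozenset({"established", "related", "untracked"})
# OP's input chain as posted. The "drop all not coming from LAN" rule is
# disabled=yes, so it is omitted exactly as the router skips it.
OP_INPUT = [
    ({"state": EST}, "accept"),
    ({"state": "invalid"}, "drop"),
    ({"proto": "icmp", "lan": True}, "accept"),
    ({"dst": "127.0.0.1"}, "accept"),
    ({"proto": "icmp", "src_trusted": False}, "drop"),   # src-address=!<one host>
    ({"lan": False, "proto": "tcp", "dport": 2000}, "drop"),
]

# MTNick's corrected input chain: ICMP from anywhere, then LAN, then drop the rest.
FIXED_INPUT = [
    ({"state": EST}, "accept"),
    ({"state": "invalid"}, "drop"),
    ({"proto": "icmp"}, "accept"),
    ({"dst": "127.0.0.1"}, "accept"),
    ({"lan": True}, "accept"),
    ({}, "drop"),
]

# Constructed sample packets: new connections to router services (www-ssl on
# 48443, ssh on 2222 per the export) and a WAN ICMP message as used by PMTUD.
WAN_TO_WWW_SSL = {"state": "new", "proto": "tcp", "lan": False, "dport": 48443, "src_trusted": False}
WAN_TO_2000 = {"state": "new", "proto": "tcp", "lan": False, "dport": 2000, "src_trusted": False}
LAN_TO_SSH = {"state": "new", "proto": "tcp", "lan": True, "dport": 2222, "src_trusted": False}
WAN_ICMP = {"state": "new", "proto": "icmp", "lan": False, "src_trusted": False}

def exposure_report():
    """Return {sample name: (verdict with OP's chain, verdict with the fixed chain)}."""
    samples = {"wan->www-ssl": WAN_TO_WWW_SSL, "wan->2000": WAN_TO_2000,
               "lan->ssh": LAN_TO_SSH, "wan icmp": WAN_ICMP}
    return {n: (evaluate(OP_INPUT, p), evaluate(FIXED_INPUT, p)) for n, p in samples.items()}
```

With the OP's chain a new WAN connection to www-ssl falls through to the default accept, which is the exposure mkx describes; the fixed chain drops it while still accepting WAN ICMP.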
 
bastiennv
just joined
Topic Author
Posts: 4
Joined: Tue Sep 10, 2024 11:52 am

Re: Beginner fail to port forwarding

Wed Sep 25, 2024 4:21 pm

After a few weeks doing something else, thank you so very much @MTNick it works :)
Very much appreciated !
 
MTNick
Member Candidate
Posts: 111
Joined: Fri Nov 24, 2023 6:43 am

Re: Beginner fail to port forwarding

Wed Sep 25, 2024 9:09 pm

After a few weeks doing something else, thank you so very much @MTNick it works :)
Very much appreciated !

No problem. Glad to help & know it resolved your issue. Can you mark this thread as "solved" to help others out, please?
 
CGGXANNX
Long time Member
Posts: 638
Joined: Thu Dec 21, 2023 6:45 pm

Re: Beginner fail to port forwarding

Thu Sep 26, 2024 7:59 am

Greetings. Below are cleaned up firewall rules for input & forward chains. I also added a Hairpin NAT rule just in case you're trying to use a web address vs an IP address within your network. Start with editing your firewall rules with the below.

Also, like MKX mentioned, the ISP may be blocking port forwarding. For example, T-Mobile 5G home internet blocks port forwarding at the ISP level. Only business class allows port forwarding.

For the 2 NAT rules below, you're missing the dst-address for each rule, which should be your ISP address.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=???? dst-port=5510 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.107 to-ports=5510
add action=dst-nat chain=dstnat dst-address=???? dst-port=53975 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.107 to-ports=5001

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.2.0/24 out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=dst-nat chain=dstnat dst-address=ISP_IP dst-address-type=local dst-port=5510 protocol=tcp to-addresses=192.168.2.107 to-ports=5510
add action=dst-nat chain=dstnat dst-address=ISP_IP dst-address-type=local dst-port=53975 protocol=tcp to-addresses=192.168.2.107 to-ports=5001

Why are you only allowing ICMP from LAN? If you block ICMP from WAN you break Path MTU Discovery. ICMP should not be blocked for a properly functioning network. If you want to block ping, then only block ICMP echo request.
 
MTNick
Member Candidate
Posts: 111
Joined: Fri Nov 24, 2023 6:43 am

Re: Beginner fail to port forwarding  [SOLVED]

Thu Sep 26, 2024 3:47 pm

Why are you only allowing ICMP from LAN? If you block ICMP from WAN you break Path MTU Discovery. ICMP should not be blocked for a properly functioning network. If you want to block ping, then only block ICMP echo request.

Oof. Good catch CGGXANNX. Didn't notice that. I took the OP's rules & edited/reordered them. No excuse, I should've paid more attention. The code above in post viewtopic.php?p=1096658#p1096658 is fixed.

That rule should be:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp