Hello, I'm very new to MicroTik routers and I just recently set up my own hAP AX3. As far as the internet says, my client devices on my LAN using just the default configuration should be able to access my jellyfin server hosted on my desktop at 192.168.0.254:8096 (I changed the subnet's 3rd octet to 0), but no matter what I've tried I just cant get other clients on the router's LAN to be able to connect to it. I've tried setting a route, I've tried disabling firewall rules, I've tried adding firewall rules, and now I'm pretty much at the end of my rope here. And yes, all my devices can ping each other too, its just the JellyFin server that I cant access, which I could before using my old TP-link router. And yes, UPnP is on, if that helps. Though I think you only need that if you want the server accessible from the WAN, right?
Anyway, please help! I will provide details when/if requested
Re: Accessing Jellyfin Server on the LAN?
At least the config seems necessary:
Remove serial and any other private info, post between code tags by using the </> button.
Is the Jellyfin Server in a different network segment? Then your problem isn't the MikroTik.
Code: Select all
/export file=anynameyoulikeIs the Jellyfin Server in a different network segment? Then your problem isn't the MikroTik.
The Internet is wrong, at least in this case.As far as the internet says
Re: Accessing Jellyfin Server on the LAN?
Apologies, I dont understand what you mean by the </> button. I dont see that.At least the config seems necessary:
Remove serial and any other private info, post between code tags by using the </> button.Code: Select all/export file=anynameyoulike
Is the Jellyfin Server in a different network segment? Then your problem isn't the MikroTik.
The Internet is wrong, at least in this case.As far as the internet says
<
Code: Select all
# 2025-01-20 08:48:27 by RouterOS 7.17
# software id = 72F3-F7UQ
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country="United States" .mode=ap .ssid=\
"Sneeds Feed and Seed" disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country="United States" .mode=ap .ssid=\
"Sneeds Feed and Seed" disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.254 comment="Zekes Desktop" mac-address=\
04:7C:16:B7:20:4B server=defconf
add address=192.168.0.11 client-id= mac-address=\
28:C2:1F:CD:9E:45 server=defconf
add address=192.168.0.12 mac-address= server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.254 dst-port=8096 \
protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=192.168.0.254/32 gateway=192.168.0.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
p\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
No, the JellyFin Server is on the same subnet as everyone else. Basically all my devices are on the wireless network, either wifi1 or wifi2.
Re: Accessing Jellyfin Server on the LAN?
No need to do anything about routing 192.168.0.0, no routing involved. So, no routes and no firewall changes (default filter rules are better).
Are you approaching the server through IP or name?
UPnP is evil,
, please don't enable if unless you know what it is for (and then also don't).
Are you approaching the server through IP or name?
UPnP is evil,
, please don't enable if unless you know what it is for (and then also don't).Re: Accessing Jellyfin Server on the LAN?
I'm trying to access it via IP address, so, http://192.168.0.254:8096
Re: Accessing Jellyfin Server on the LAN?
And before you ask, I just tried and I can't access it via host name either. 
Re: Accessing Jellyfin Server on the LAN?
Is it accessable on the computer itself (hosting Jellyfin)?I'm trying to access it via IP address, so, http://192.168.0.254:8096
Sure the service is running?
Sure there is no firewall on the machine blocking?
What does netstat -na | find "8096" return on the Jellyfish host?
Re: Accessing Jellyfin Server on the LAN?
I've verified it is running and it is accessible from itself. Hell, I can access it from outside the network using tailscale. But from anywhere on the LAN that isn't itself, no dice. It's weird. Do you still want the netstat output despite this info?
Re: Accessing Jellyfin Server on the LAN?
No longer needed. From your config, remove:
After that, reboot the router (if possible) to make sure all caches are emptied.
Consider restoring default firewall rules and adding a dstnat rule for port forwarding. This together with disabling UPnP.
https://help.mikrotik.com/docs/spaces/R ... forwarding
Code: Select all
/ip route
add distance=1 dst-address=192.168.0.254/32 gateway=192.168.0.1Consider restoring default firewall rules and adding a dstnat rule for port forwarding. This together with disabling UPnP.
https://help.mikrotik.com/docs/spaces/R ... forwarding
Re: Accessing Jellyfin Server on the LAN?
Should I just straight up follow the guide and forward to port 80 or forward to port 8096? Also, won't this only be used for traffic coming in from the WAN? My primary concern is fixing access from the LAN.adding a dstnat rule for port forwarding. This together with disabling UPnP.
https://help.mikrotik.com/docs/spaces/R ... forwarding
I should also add that on my previous router, a TP-link, all my LAN devices were able to get to the Jellyfin Server on my desktop just fine. I havent chyanged any configurations on the jellyfin server, the only thing I've done is swap out the TP-link with a new MicroTik
Re: Accessing Jellyfin Server on the LAN?
Hello again folks. Thanks for your help, but I found the solution. My Firewall settings on the JellyFin server were only set up to allow connections on what Windows thinks is a Private connection. I changed the firewall rule to be less restrictive and it started working.
Re: Accessing Jellyfin Server on the LAN?
It helps reading all remarks and questions posting. Glad it is working now.Sure there is no firewall on the machine blocking?
Hope you can fix your firewall on the MikroTik as well.