Hi all,

I am very new to all this router settings and read up a lot before writing this, found a couple of things already which I added but stuck now and wondered if some more experienced people could perhaps show me the way out of my problem

I have a wireless router connected to 8-port switch which is connected to 4 pc's. all is fine with my network. I use winbox to log into my router.

I have a current setting on the router as follows for the masquerade .....

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 out-interface=pppoe-out1
action=masquerade

my PC's internal IP is 192.168.1.16 and the router is 192.168.1.1

so far NO ports are open except the standard ports (25, 110, etc) and this is where the problems come in .... I would like to open ONE port for incoming connections on my router. I would like nothing to stop this port as I need it for use of a program. It doesn't matter what port it is because I can set the program to use which ever port. For example I would like to open port 5005 for incoming connections to my PC. My firewall on my PC already has the exception in it for port 5005 but now I need to make port 5005 totally open on my router and I am not sure exactly where I should add and what I should add and how I should add it. Should it be before the masquerade or after the masquerade as I read it matters sometimes where the stuff is in the list of Mikrotik RouterOS.

Thanx so long for any help you guys can give me. should you need to know anything more specific please feel free to ask and I will try to find out whatever you need in order to help me.

Regards,
Z

Hi guys, my friend put the masquerade on for me .... if I disable that rule .... will ALL my ports be open again and will I have internet access still ??

I don't want to disable it and then get locked out of my router .... like I said I am still new at this ...

Thanx for whatever help you guys can offer.

Regards,
Z

Hi

I am new myself. But I got as far as getting the routing going.

You need to set up the gateway in order to have connection to the internet. change the IP's to whatever you are using. Open the terminal in winbox and copy and paste the following into the terminal.

Setup NAT and Gateway

/ip firewall nat add chain=srcnat action=masquerade out-interface=bridge
/ip route add gateway=10.0.0.1

10.0.0.1 being the ISP gateway

if you want the router to assign IP's to the PC's you connect to your LAN. The set up the DHCP.

Setup of a DHCP-Server fot the local network with the IP range 192.168.0.50 to 192.168.0.200

/ ip pool add name=dhcp-pool ranges=192.168.0.50-192.168.0.200
/ ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1
/ ip dhcp-server add interface=ether1 address-pool=dhcp-pool

Again just modify the IP's to whatever you want to use.

The next big thing is the firewall. And that is where I am stocked for the moment. But I am looking for some help and I will get there

rgs Pilgrim

P.S.

These has been very helpfull for me.

http://www.mikrotik.com/documentation/rosmE.pdf

http://wiki.mikrotik.com/wiki/How_to_Co ... _xDSL_Line


rgs Pilgrim

Thanx Pilgrim ...

I have connected everything up and my internet works 100% .... I can do everything except for this one program that needs a totally open port to send me information. it needs a open port for incoming connection .... because the error comes to me from the program .... port 5005 not open for incoming connections

otherwise everything works and I can download and browse easily without problems ..... just this one thing left to figure out not sure if I should do the whole forwarding port thing or how to do it if I have to OR if there is something where I can just make this port 5005 totally open.

Thanx for the help so far though and I am busy looking at the links you sent me.

thanx again.
Regards,
Z

I had a similar problem and was adviced to do the port forwarding in NAT.

to make 5005 open from the outside do this:

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5005 \
action=dst-nat to-addresses=192.168.1.101 to-ports=5005

69.69.69.69 being your public IP and 192.168.1.101 being the lan computer with the service you want to provide through port 5005.

rgs Pilgrim

http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP

that's awesome I will try what you told me and I am also reading the link you gave at the bottom, as I would like to understand it and not just do it, if that makes sense

so the 69.69.69.69/69 is then actually my public's IP ?? from my example the 192.168.1.0 or is it my actually IP of the router which would be 192.168.1.1 ??

I am going to read that piece in 5 min and will write here if I get the above question right myself .... but THANK YOU SO MUCH for the help given .... really I am sure it will help a lot

Regards,
Z

Okay I have tried the following:
Where 192.168.1.1 = my router IP
and where 192.168.1.16 = my PC where the program will run on.


/ip firewall nat add chain=dstnat dst-address=192.168.1.1 protocol=tcp dst-port=5005 \
action=dst-nat to-addresses=192.168.1.16 to-ports=5005

AND

/ip firewall nat add chain=dstnat dst-address=192.168.1.1/24 protocol=tcp dst-port=5005 \
action=dst-nat to-addresses=192.168.1.16 to-ports=5005

AND

/ip firewall nat add chain=dstnat dst-address=192.168.1.0 protocol=tcp dst-port=5005 \
action=dst-nat to-addresses=192.168.1.16 to-ports=5005

and it still on all 3 attempts it says that the port is closed off ... I even installed a port scanner to check and it says the port is closed off as well.
So that didn't work so nice .... perhaps any other idea I could try to make this port open for incoming connections???

Regards,
Z

192.168.1.1 is correctly the router IP and will be the IP used if you want to communicate with your router from the LAN side. However, a package from the outside addressed to you from the outside is of course addressed to your public IP i.e. dest addr = your public IP.

goto http://www.myip.dk or another similar site and the site will tell you what your public IP is, if you do not already have this.

If you have a dynamic IP and it change .... weel, I don't know how to handle that in the router. But if you have a fixed IP then just put in the public IP instead of 192.168.1.1

rgs Pilgrim

hmmmm

I just made a small test on my router. You can actually just leave out the dst-address. Then you don't have any problems if your public IP changes. I made two tests one just removing the dst-address and one test replacing the dst-address with the input interface and both of the worked.

e.g. if you have assigned interface "ether1" as public port port the just put in:

/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5005 \
action=dst-nat to-addresses=192.168.1.16 to-ports=5005

I don't know how to thank you ..... I will try it quickly and see if it works.... thanx so much. ... will let you know whether it works or not.

Regards,
Z

AWESOME !!!!!!!! it worked .... thanx man ..... this is great ... will just test the program now ..... I used the interface option and it worked ... port scanner reporter the port to be open ....

thanx for ALL your help!!!

Regards,
Z

No Problem. Glad that it worked out.

rgs Pilgrim