rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Problem to connect to server through mikrotik router

Wed May 07, 2008 7:55 pm

I have a problem connecting to my server from the internet outside my home internet (my public IP: 213.151.203.22).
When I am home and want to connect to the server using https://213.151.203.22:10000 it works, but everywhere outside my local network it is not possible.
Also, I have it natted:
43   chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22 
     dst-port=22 protocol=tcp  
(this is to connect from outside using putty, ssh 22; on mikrotik ssh is disabled)
44   chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=10000 dst-address=213.151.203.22 
     dst-port=10000 protocol=tcp 
this is for connecting using webmin (Linux)

I have no idea where the problem is; when I connect to my router using 213.151.203.22 in a web browser it works from anywhere, but connecting to my server is not possible.
Any idea how to solve it?
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 8:40 pm

You need to post all your firewall rules.
 
rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 8:56 pm

 0   ;;; drop invalid connections
     chain=forward action=drop connection-state=invalid 

 1   ;;; allow already established connections
     chain=forward action=accept connection-state=established 

 2   ;;; allow related connections
     chain=forward action=accept connection-state=related 

 3   ;;; SSH block(7lines)
     chain=input action=accept connection-state=new dst-port=22 protocol=tcp src-address-list=sshaccept 

 4   chain=input action=drop connection-state=new dst-port=22 protocol=tcp src-address-list=sshdrop 

 5   chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp 
     src-address-list=stage4 address-list=sshdrop address-list-timeout=0s 

 6   chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp 
     src-address-list=stage3 address-list=stage4 address-list-timeout=20s 

 7   chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp 
     src-address-list=stage2 address-list=stage3 address-list-timeout=20s 

 8   chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp 
     src-address-list=stage1 address-list=stage2 address-list-timeout=20s 

 9   chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp 
     address-list=stage1 address-list-timeout=20s 

10   ;;; drop ftp brute forcers
     chain=input action=drop in-interface=internet dst-port=21 protocol=tcp 
     src-address-list=ftp_blacklist 

11   ;;; auto-firewall ftp - stage 5
     chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage4 
     address-list=ftp_blacklist address-list-timeout=1w 

12   ;;; auto-firewall ftp - stage 4
     chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage3 
     address-list=ftp_stage4 address-list-timeout=1m 

13   ;;; auto-firewall ftp - stage 3
     chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage2 
     address-list=ftp_stage3 address-list-timeout=1m 

14   ;;; auto-firewall ftp - stage 2
     chain=output action=add-dst-to-address-list content=530 Login incorrect dst-address-list=ftp_stage1 
     address-list=ftp_stage2 address-list-timeout=1m 

15   ;;; auto-firewall ftp - stage 1
     chain=input action=add-src-to-address-list in-interface=internet dst-port=21 protocol=tcp 
     address-list=ftp_stage1 address-list-timeout=1m 

16   ;;; BLOCK SPAMMERS AND INFECTED USERS
     chain=forward action=drop dst-port=25 protocol=tcp src-address-list=spammer 

17   ;;; IDENTIFY SPAMMERS AND INFECTED USERS
     chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp connection-limit=30,32 
     limit=50,5 address-list=spammer address-list-timeout=1d 

18   ;;; telnet
     chain=input action=drop dst-port=23 protocol=tcp 

19 X ;;; S-AP
     chain=forward action=accept src-address=192.168.76.55 src-mac-address=00:0E:2E:93:AF:1F 

20 X ;;; R-C
     chain=forward action=accept src-address=192.168.76.99 src-mac-address=00:C0:9F:C0:73:45 

21 X ;;; S-PC
     chain=forward action=accept src-address=192.168.76.56 src-mac-address=00:0E:2E:93:AF:1F 

22 X chain=forward action=log src-address=192.168.76.0/24 log-prefix="" 

23   ;;; p2p_den
     chain=forward action=drop p2p=all-p2p src-address-list=STAHOVACI P2P 

24   ;;; Call of Duty
     chain=forward action=accept dst-port=28959-28961 protocol=udp src-address-list=STAHOVACI P2P 

25   chain=forward action=accept dst-port=8291 protocol=tcp src-address-list=STAHOVACI P2P 

26   ;;; ICQ
     chain=forward action=accept dst-port=5190 protocol=tcp src-address-list=STAHOVACI P2P 

27   ;;; Jabber
     chain=forward action=accept dst-port=5222 protocol=tcp src-address-list=STAHOVACI P2P 

28   ;;; stahovaci_p2p_block_udp
     chain=forward action=drop dst-port=2000-65535 protocol=udp src-address-list=STAHOVACI P2P 

29   ;;; stahovaci_p2p_block_tcp
     chain=forward action=drop dst-port=1000-65535 protocol=tcp src-address-list=STAHOVACI P2P 

30   ;;; CA(MAC+IP)
     chain=forward action=accept src-address=192.168.76.88 src-mac-address=00:19:DB:E5:35:0F 

31   chain=forward action=drop src-mac-address=00:19:DB:E5:35:0F 

32   ;;; CL(MAC+IP)
     chain=forward action=accept src-address=192.168.76.86 src-mac-address=00:18:F3:3C:25:E0 

33   chain=forward action=drop src-mac-address=00:18:F3:3C:25:E0 

34   ;;; jump to the virus chain
     chain=forward action=jump jump-target=virus 

35   ;;; Drop Blaster Worm
     chain=virus action=drop dst-port=135-139 protocol=tcp 

36   ;;; Drop Messenger Worm
     chain=virus action=drop dst-port=135-139 protocol=udp 

37 X ;;; Drop Blaster Worm(blokuje MS samba)
     chain=virus action=drop dst-port=445 protocol=tcp 

38 X ;;; Drop Blaster Worm
     chain=virus action=drop dst-port=445 protocol=udp 

39   ;;; ________
     chain=virus action=drop dst-port=593 protocol=tcp 

40   ;;; ________
     chain=virus action=drop dst-port=1024-1030 protocol=tcp 

41   ;;; Drop MyDoom
     chain=virus action=drop dst-port=1080 protocol=tcp 

42   ;;; ________
     chain=virus action=drop dst-port=1214 protocol=tcp 

43   ;;; ndm requester
     chain=virus action=drop dst-port=1363 protocol=tcp 

44   ;;; ndm server
     chain=virus action=drop dst-port=1364 protocol=tcp 

45   ;;; screen cast
     chain=virus action=drop dst-port=1368 protocol=tcp 

46   ;;; hromgrafx
     chain=virus action=drop dst-port=1373 protocol=tcp 

47   ;;; cichlid
     chain=virus action=drop dst-port=1377 protocol=tcp 

48   ;;; Worm
     chain=virus action=drop dst-port=1433-1434 protocol=tcp 

49   ;;; Bagle Virus
     chain=virus action=drop dst-port=2745 protocol=tcp 

50   ;;; Drop Dumaru.Y
     chain=virus action=drop dst-port=2283 protocol=tcp 

51   ;;; Drop Beagle
     chain=virus action=drop dst-port=2535 protocol=tcp 

52   ;;; Drop Beagle.C-K
     chain=virus action=drop dst-port=2745 protocol=tcp 

53   ;;; Drop MyDoom
     chain=virus action=drop dst-port=3127-3128 protocol=tcp 

54   ;;; Drop Backdoor OptixPro
     chain=virus action=drop dst-port=3410 protocol=tcp 

55   ;;; Worm
     chain=virus action=drop dst-port=4444 protocol=tcp 

56   ;;; Worm
     chain=virus action=drop dst-port=4444 protocol=udp 

57   ;;; Drop Sasser
     chain=virus action=drop dst-port=5554 protocol=tcp 

58   ;;; Drop Beagle.B
     chain=virus action=drop dst-port=8866 protocol=tcp 

59   ;;; Drop Dabber.A-B
     chain=virus action=drop dst-port=9898 protocol=tcp 

60   ;;; Drop Dumaru.Y
     chain=virus action=drop dst-port=10000 protocol=tcp 

61   ;;; Drop MyDoom.B
     chain=virus action=drop dst-port=10080 protocol=tcp 

62   ;;; Drop NetBus
     chain=virus action=drop dst-port=12345-12346 protocol=tcp 

63   ;;; Drop Kuang2
     chain=virus action=drop dst-port=17300 protocol=tcp 

64   ;;; Drop SubSeven
     chain=virus action=drop dst-port=27374 protocol=tcp 

65   ;;; Drop PhatBot, Agobot, Gaobot
     chain=virus action=drop dst-port=65506 protocol=tcp 
 
hulk-bd
Member Candidate
Posts: 233
Joined: Mon Sep 03, 2007 7:19 pm
Location: Uttara, Dhaka, Bangladesh

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 9:46 pm

rado3105

Basically, admins block port 10000 in their router firewall for a few reasons, so when you can't log on to your MT from outside (Internet), I think port 10000 is blocked by the router (other ISP), and that is why you can't log on to your MT.

Thanks
 
rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 9:47 pm

Also, I can't get there through port 22, and that shouldn't be blocked (using putty and ssh).
 
hulk-bd
Member Candidate
Posts: 233
Joined: Mon Sep 03, 2007 7:19 pm
Location: Uttara, Dhaka, Bangladesh

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 10:32 pm

Disable this firewall filter rule and try again:
60 ;;; Drop Dumaru.Y
chain=virus action=drop dst-port=10000 protocol=tcp
Thanks
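
Added example, not part of the original post: a small first-match tracer for a new inbound connection through the forward chain, run over a constructed excerpt of the filter rules posted above (same rule numbers). The names parse, matches, verdict and trace are illustrative; it assumes the packet has already been dst-natted (so the forward chain sees the to-ports value), that the source is in no address list, and that a packet matching no rule is accepted.

```python
# Constructed excerpt of the filter listing from the thread (original numbering).
RULES = """\
 0 chain=forward action=drop connection-state=invalid
 1 chain=forward action=accept connection-state=established
 2 chain=forward action=accept connection-state=related
16 chain=forward action=drop dst-port=25 protocol=tcp src-address-list=spammer
34 chain=forward action=jump jump-target=virus
35 chain=virus action=drop dst-port=135-139 protocol=tcp
40 chain=virus action=drop dst-port=1024-1030 protocol=tcp
60 chain=virus action=drop dst-port=10000 protocol=tcp
61 chain=virus action=drop dst-port=10080 protocol=tcp
"""

def parse(text):
    """Turn 'N key=value ...' lines into (number, {key: value}) pairs."""
    rules = []
    for line in text.splitlines():
        num, rest = line.split(None, 1)
        rules.append((int(num), dict(kv.split("=", 1) for kv in rest.split())))
    return rules

def port_in(spec, port):
    """True if port falls in a spec such as '22', '135-139' or '80,443'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(rule, pkt):
    for key, val in rule.items():
        if key in ("chain", "action", "jump-target"):
            continue
        if key == "dst-port":
            if not port_in(val, pkt["dst-port"]):
                return False
        elif key in ("protocol", "connection-state"):
            if val != pkt[key]:
                return False
        else:
            return False  # unmodelled matcher (address list, MAC, ...): assume no match
    return True

def verdict(rules, pkt, chain):
    """First terminating rule hit in `chain`, following jumps; None if none."""
    for num, rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            hit = verdict(rules, pkt, rule["jump-target"])
            if hit:
                return hit
        elif rule["action"] in ("accept", "drop"):
            return (num, rule["action"])
    return None

def trace(pkt, text=RULES):
    return verdict(parse(text), pkt, "forward") or (None, "accept")
```

With this excerpt, a new TCP connection forwarded to port 10000 stops at rule 60 in the virus chain, while ports 22 and 8080 reach the end of the chain without hitting a drop rule.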
 
rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Problem to connect to server through mikrotik router

Wed May 07, 2008 11:08 pm

I changed it to port 8080 and I still can't get there, and that port is not blocked in my firewall.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Problem to connect to server through mikrotik router

Thu May 08, 2008 2:31 pm

You'll need to specify the In Interface.

So this should do it;

chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22
in-interface=adsl_pppoe dst-port=22 protocol=tcp

adsl_pppoe=whatever your internet ppp profile is set to.

Hope this works.
 
rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Problem to connect to server through mikrotik router

Fri May 09, 2008 11:22 am

Still doesn't work. How can I find out if it is blocked by my internet provider? I don't think that ports 22 and 8080 should be blocked.
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Problem to connect to server through mikrotik router

Fri May 09, 2008 5:20 pm

You need to disable all your firewall rules and get it working without them. Then bring them back one by one until you figure out which is causing the problem.
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Problem to connect to server through mikrotik router

Sat May 10, 2008 12:15 am

I have the same problem. My public IP is 213.192.20.61, I have no firewall rules and have disabled port 21 in ip-services. I can't connect to my FTP box with IP 192.168.2.236; locally, using ftp://192.168.2.236, I can connect there, but using the public IP I can't. When I enable port 21 in ip-services I can connect using ftp://213.192.20.61 to the mikrotik ftp. So it shouldn't be blocked by my provider. Wlan1 is the interface through which I get internet connectivity from my provider. Can you help?


1 chain=dstnat in-interface=wlan1 src-address=213.192.20.61 protocol=tcp
src-port=21 action=dst-nat to-addresses=192.168.2.236 to-ports=21
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Problem to connect to server through mikrotik router

Sat May 10, 2008 1:48 am

Could the problem be that I am using masquerade? Because I have no idea where the problem is.
 
gimmepatiencequickly
newbie
Posts: 35
Joined: Wed Jan 30, 2008 1:00 pm
Location: South Africa

Re: Problem to connect to server through mikrotik router

Thu May 15, 2008 1:52 pm

My contribution to this VERY helpful forum
You'll need to specify the In Interface.

So this should do it;

chain=dstnat action=dst-nat to-addresses=192.168.76.4 to-ports=22 dst-address=213.151.203.22
in-interface=adsl_pppoe dst-port=22 protocol=tcp

adsl_pppoe=whatever your internet ppp profile is set to.

Hope this works.
Excellent!!!!
Thank you Hilton

I got stuck on the in-interface part!!!

I have an ADSL router -- NETGEAR router DG834 with internal IP 10.0.0.1, connected to it is my MT Router at 10.0.0.254 on ether1.
On ether2 is my Server PC with IP 10.254.0.6

On my adsl router, I use port forwarding to 10.0.0.254, when somebody accesses my public ip it will show the mikrotik web access page, all I do then is to add the NAT rules on the MT router as follows...

My configuration:
/ ip firewall nat 
add chain=srcnat action=masquerade comment="" disabled=no 
add chain=dstnat action=dst-nat to-addresses=10.254.0.6 to-ports=80 \
    in-interface=ether1 dst-address=10.0.0.254 dst-port=80 protocol=tcp comment="" \
    disabled=no 
and it then changes from the MT Router access page to the server web page as expected.

The same can be said for any other access like SMTP or whatever, e.g.:
add chain=dstnat action=dst-nat to-addresses=10.254.0.6 to-ports=25 \
    in-interface=ether1 dst-address=10.0.0.254 dst-port=25 protocol=tcp comment="" \
    disabled=no
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Problem to connect to server through mikrotik router

Thu May 15, 2008 11:51 pm

Move the rules to the top of the list. They are down too far.
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Problem to connect to server through mikrotik router

Tue Dec 02, 2008 5:08 pm

I can't solve this problem; I have no idea what is wrong.

Internet goes from my provider to the WAN port of rb1, to the bridge (rb1), and from the bridge to WAN (rb2).
In rb1 I use masquerade for the local network 192.168.1.0/24:
chain=srcnat action=masquerade src-address=192.168.1.0/24 
and also the same in rb2 (to get internet there).

When I put 215.55.76.88 in winbox (outside of my network, from the internet), I get to rb1, despite having this rule:
chain=dstnat action=dst-nat to-addresses=192.168.76.99 to-ports=8291 
     in-interface=internet dst-address=215.55.76.88 dst-port=8291
     protocol=tcp
and using that rule in nat, I should get to rb2, not to rb1.

Can you help me with what can be wrong? Can it be caused by using a bridge? I use RouterOS v2.9.51 on both rb1 and rb2.
I have been trying to solve this for pretty long and I have no idea how to solve it or what can be wrong.
Last edited by radocicala on Tue Dec 02, 2008 5:47 pm, edited 1 time in total.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Problem to connect to server through mikrotik router

Tue Dec 02, 2008 5:34 pm

Port 8291 is already assigned to RB1 so in order to get to RB2 you need to stipulate another port number in your dstnat rule.

Something like this;

chain=dstnat action=dst-nat to-addresses=192.168.76.99 to-ports=8291
in-interface=internet dst-address=215.55.76.88 dst-port=8292
protocol=tcp

Then connect to the router like this in winbox;

215.55.76.88:8292
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Problem to connect to server through mikrotik router

Tue Dec 02, 2008 8:24 pm

Still can't connect using ip:port.
It writes: couldn't connect to ip (port 8292) - connection refused!

And I don't have any firewall rule to block that port.
 
rado3105
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Problem to connect to server through mikrotik router

Sat Mar 26, 2011 11:17 am

The problem was in using dst-address; it can't be used.
dst-address=213.151.203.22 (rules without these), and everything works fine.
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Problem to connect to server through mikrotik router

Sun May 29, 2011 4:45 am

And I'm sure that after three years the question is still relevant. Aren't there enough recent threads for you? Geez, don't resurrect dead threads.