Port forward not working for me

dkz · Wed Jan 10, 2018 5:28 pm

Please help me adding a port forwarding rule in my Mikrotik Router. I have tried lots of different configurations but I can’t make it work.

I have a local webserver running behind NAT IP: 192.168.10.16 on port 8123. I would like to access this server from internet. Please help me out how the rules should be to make it work. My internet/WAN port = ether1. If other information needed please let me know so that i can add this to this forum thread.

/ip firewall nat print

Code: Select all


0    ;;; defconf: masquerade

      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

1    ;;; masq. vpn traffic

      chain=srcnat action=masquerade src-address=192.168.89.0/24 

2    ;;; OpenVPN Masquerade

      chain=srcnat action=masquerade src-address=192.168.20.0/24 log=no log-prefix=""

/ip firewall filter print

Code: Select all


 2    chain=forward action=accept connection-nat-state=srcnat,dstnat protocol=igmp in-interface=ether1 

      in-interface-list=all out-interface-list=all log=no log-prefix="" 

 3    ;;; allow IPsec NAT

      chain=input action=accept protocol=udp dst-port=4500 

 4    ;;; allow IKE

      chain=input action=accept protocol=udp dst-port=500 log=yes log-prefix="VPN" 

 5    ;;; allow l2tp

      chain=input action=accept protocol=udp dst-port=1701 

 6    ;;; allow pptp

      chain=input action=accept protocol=tcp dst-port=1723 log=yes log-prefix="VPN" 

 7    ;;; allow sstp

      chain=input action=accept protocol=tcp dst-port=443 

 8    chain=input action=accept protocol=ipsec-esp 

 9    chain=input action=accept protocol=ipsec-ah 

10    ;;; Allow Established connections

      chain=input action=accept connection-state=established 

11    ;;; Allow ICMP

      chain=input action=accept protocol=icmp 

12    chain=input action=accept src-address=192.168.10.0/24 in-interface=!ether1 log=no log-prefix="" 

13    ;;; Drop Invalid connections

      chain=input action=drop connection-state=invalid 

14    ;;; Drop everything else

      chain=input action=drop 

15    chain=forward action=accept in-interface=bridge out-interface=bridge log=no log-prefix=""

matiaszon · Wed Jan 10, 2018 7:22 pm

I assume, that you have apublic address from your ISP.

There is no rule pointing to your server.
You need to add:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Webserver dst-port=8123 in-interface-list=ether1 protocol=tcp to-addresses=192.168.10.16 to-ports=8123

More to read here:
https://wiki.mikrotik.com/wiki/Manual:I ... forwarding

dkz · Wed Jan 10, 2018 8:51 pm

Thanks for your fast reply matiaszon

Yes i have an public IP from my ISP.

I have now added the NAT rule to my router that now looks like this (Rule:3)

Code: Select all


 0    ;;; defconf: masquerade

      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 1    ;;; masq. vpn traffic

      chain=srcnat action=masquerade src-address=192.168.89.0/24 

 2    ;;; OpenVPN Masquerade

      chain=srcnat action=masquerade src-address=192.168.20.0/24 log=no log-prefix="" 

 3   chain=dstnat action=dst-nat to-addresses=192.168.10.16 to-ports=8123 protocol=tcp 

      in-interface-list=WAN dst-port=8123 log=yes log-prefix="HomeAssistanWebLogin"

But when i try to access the URL https://(masked).duckdns.org:8123 i get the message from Chrome: ERR_CONNECTION_TIMED_OUT and from Chome on my mobile: Site cant be reached. Server IP address could not be found DNS_PROBE_FINISHED_NXDOMAIN.

Any thoughts or suggestions?

matiaszon · Wed Jan 10, 2018 11:36 pm

I made a small mistake in the code. It should be:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Webserver dst-port=8123 in-interface=ether1 protocol=tcp to-addresses=192.168.10.16 to-ports=8123

However, I can see, that you changed it to "in-interface-list=WAN". I believe that you have a list called "WAN" configured, and there is ether1 on that list. I gues this is OK.
There still can be a few reasons. From where are you trying to get to your server - from the same network where the server is located, or outside of this network?

dkz · Wed Jan 10, 2018 11:59 pm

I changed from in-interface-list to in-interface and there it was possible to use ether1 as port. I have tried to access the page both from within my LAN and also externally from my phone with wifi turned off. But still without success. Any more thoughts?

The NAT rule now looks like this:

Code: Select all


 3    chain=dstnat action=dst-nat to-addresses=192.168.10.16 to-ports=8123 protocol=tcp in-interface=ether1 

      dst-port=8123 log=yes log-prefix="HomeAssistanWebLogin"

matiaszon · Thu Jan 11, 2018 2:01 am

Export your settings here hiding sensitive

export hide-sensitive

Wysłane z iPhone za pomocą Tapatalk

dkz · Thu Jan 11, 2018 8:57 am

Code: Select all


# jan/11/2018 07:50:28 by RouterOS 6.42rc6

# software id = I415-ZLXP

#

# model = CRS125-24G-1S-2HnD

# serial number = xxxxxxxxxxxxxx

/interface bridge

add fast-forward=no name=EXT

add admin-mac=6C:1B:1B:7D:18:51 auto-mac=no fast-forward=no name=bridge

/interface wireless

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment="WIFI XXXXXX_2G" disabled=no \

    distance=indoors frequency=auto mode=ap-bridge ssid=XXXXXX1_2GHz wireless-protocol=802.11 wps-mode=\

    disabled

/interface ethernet

set [ find default-name=ether1 ] comment="BBB WAN"

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether11 ] comment="External IP to TV-Box"

/interface wireless manual-tx-power-table

set wlan1 comment="WIFI XXXXXX_2G"

/interface wireless nstreme

set wlan1 comment="WIFI XXXXXX_2G"

/interface list

add name=mactel

add name=mac-winbox

add exclude=dynamic name=discover

add name=WAN

/interface wireless security-profiles

set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\

    MikroTik

add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile supplicant-identity=MikroTik

/interface wireless

add comment="GUEST WIFI" disabled=no mac-address=6E:3B:6B:7D:08:19 master-interface=wlan1 name=wlan2 \

    security-profile=profile ssid=XXXXXX_GUEST1 wps-mode=disabled

/interface wireless manual-tx-power-table

set wlan2 comment="GUEST WIFI"

/interface wireless nstreme

set wlan2 comment="GUEST WIFI"

/ip pool

add name=dhcp ranges=192.168.10.10-192.168.10.199

add name=vpn ranges=192.168.89.2-192.168.89.255

add name=OpenVPN ranges=192.168.20.2-192.168.20.255

/ip dhcp-server

add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf

/ppp profile

set *FFFFFFFE bridge=bridge local-address=192.168.89.1 remote-address=vpn

/system logging action

set 0 memory-lines=100

set 1 disk-lines-per-file=100

/caps-man manager

set ca-certificate=auto certificate=auto

/interface bridge filter

add action=accept chain=forward disabled=yes in-bridge=bridge in-interface=ether1 out-bridge=bridge \

    out-interface=ether11

add action=drop chain=forward in-interface=wlan2

add action=drop chain=forward out-interface=wlan2

/interface bridge port

add bridge=bridge comment=defconf interface=ether2-master

add bridge=bridge comment=defconf hw=no interface=wlan1

add bridge=bridge hw=no interface=wlan2

add bridge=bridge interface=ether3

add bridge=bridge interface=ether4

add bridge=bridge interface=ether5

add bridge=bridge interface=ether6

add bridge=bridge interface=ether7

add bridge=bridge interface=ether8

add bridge=bridge interface=ether9

add bridge=bridge interface=ether10

add bridge=bridge interface=ether11

add bridge=bridge interface=ether12

add bridge=bridge interface=ether13

add bridge=bridge interface=ether14

add bridge=bridge interface=ether15

add bridge=bridge interface=ether16

add bridge=bridge interface=ether17

add bridge=bridge interface=ether18

add bridge=bridge interface=ether19

add bridge=bridge interface=ether20

add bridge=bridge interface=ether21

add bridge=bridge interface=ether22

add bridge=bridge interface=ether23

add bridge=bridge interface=ether24

add bridge=bridge interface=sfp1

/ip neighbor discovery-settings

set discover-interface-list=discover

/ip settings

set rp-filter=strict

/interface ethernet switch multicast-fdb

add ports=ether11

/interface l2tp-server server

set enabled=yes use-ipsec=yes

/interface list member

add interface=ether2-master list=mactel

add interface=wlan1 list=mactel

add interface=ether2-master list=mac-winbox

add interface=wlan2 list=mactel

add interface=wlan1 list=mac-winbox

add interface=wlan2 list=mac-winbox

add interface=wlan1 list=discover

add interface=ether2-master list=discover

add interface=ether3 list=discover

add interface=ether4 list=discover

add interface=ether5 list=discover

add interface=ether6 list=discover

add interface=ether7 list=discover

add interface=ether8 list=discover

add interface=ether9 list=discover

add interface=ether10 list=discover

add interface=ether11 list=discover

add interface=ether12 list=discover

add interface=ether13 list=discover

add interface=ether14 list=discover

add interface=ether15 list=discover

add interface=ether16 list=discover

add interface=ether17 list=discover

add interface=ether18 list=discover

add interface=ether19 list=discover

add interface=ether20 list=discover

add interface=ether21 list=discover

add interface=ether22 list=discover

add interface=ether23 list=discover

add interface=ether24 list=discover

add interface=sfp1 list=discover

add interface=bridge list=discover

add interface=wlan2 list=discover

add interface=EXT list=discover

add interface=bridge list=WAN

/interface pptp-server server

set enabled=yes

/interface sstp-server server

set default-profile=default-encryption enabled=yes

/interface wireless access-list

add comment="xxx Mobil" mac-address=4C:66:41:48:A1:12

add comment="xxxxxxx Mobil" mac-address=E8:50:8B:04:F3:1F

add comment="xxxxxxx Laptop" mac-address=7C:D1:C3:E9:E2:47

add comment="Chromebook 1" mac-address=AC:89:95:DB:5A:C5

add comment="xxxxx Mobil" mac-address=AC:5F:3E:26:C9:97

add comment=CC-Music mac-address=54:60:09:EA:D4:4A

add comment="xxxxxxxx Mobil" mac-address=D4:61:2E:93:63:69

add comment="xxxxxxxxxxxxxx" mac-address=6C:AD:F8:A4:33:19

add mac-address=B8:EE:65:F0:FD:CB

add mac-address=48:51:B7:61:1D:6D

add mac-address=1C:AF:05:77:D6:95

add mac-address=F4:F5:D8:DC:C5:92

add mac-address=44:85:00:CB:17:DB

add mac-address=28:56:5A:A0:0B:06

add mac-address=50:C7:BF:59:F5:A6

add mac-address=B8:27:EB:E6:97:32

add mac-address=6C:AD:F8:D0:0F:69

add mac-address=54:60:09:5C:AE:30

add mac-address=E4:58:B8:5E:81:DF

/ip address

add address=192.168.10.1/24 comment=defconf interface=ether2-master network=192.168.10.0

/ip cloud

set ddns-enabled=yes

/ip dhcp-client

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease

add address=192.168.10.253 always-broadcast=yes client-id=1:4c:66:41:48:a1:12 mac-address=4C:66:41:48:A1:12 \

    server=defconf

add address=192.168.10.125 client-id=1:48:51:b7:61:1d:6d mac-address=48:51:B7:61:1D:6D server=defconf

add address=192.168.10.117 client-id=1:f0:1f:af:3:2b:51 mac-address=F0:1F:AF:03:2B:51 server=defconf

add address=192.168.10.136 client-id=1:b8:ac:6f:b0:5:3f mac-address=B8:AC:6F:B0:05:3F server=defconf

add address=192.168.10.113 mac-address=54:60:09:EA:D4:4A server=defconf

add address=192.168.10.104 always-broadcast=yes client-id=1:ac:5f:3e:26:c9:97 mac-address=AC:5F:3E:26:C9:97 \

    server=defconf

add address=192.168.10.106 mac-address=6C:AD:F8:A4:33:19 server=defconf

add address=192.168.10.11 always-broadcast=yes mac-address=D4:61:2E:93:63:69 server=defconf

add address=192.168.10.14 always-broadcast=yes comment="IOT-IKEA Gateway" mac-address=B0:72:BF:27:86:D5 server=\

    defconf

add address=192.168.10.13 mac-address=F4:F5:D8:DC:C5:92 server=defconf

add address=192.168.10.15 mac-address=A4:77:33:6D:38:B2 server=defconf

add address=192.168.10.227 client-id=1:70:8b:cd:ab:ec:fd mac-address=70:8B:CD:AB:EC:FD server=defconf

add address=192.168.10.17 mac-address=00:17:88:2B:01:71 server=defconf

add address=192.168.10.18 client-id=1:44:85:0:cb:17:db mac-address=44:85:00:CB:17:DB server=defconf

add address=192.168.10.19 mac-address=B4:A5:EF:E7:51:8D server=defconf

add address=192.168.10.16 mac-address=B8:27:EB:9C:9C:25 server=defconf

add address=192.168.10.10 client-id=1:30:7:4d:8d:2c:9a mac-address=30:07:4D:8D:2C:9A server=defconf

add address=192.168.10.22 mac-address=28:56:5A:A0:0B:06 server=defconf

add address=192.168.10.20 client-id=1:b8:27:eb:e6:97:32 mac-address=B8:27:EB:E6:97:32 server=defconf

add address=192.168.10.12 always-broadcast=yes mac-address=6C:AD:F8:D0:0F:69 server=defconf

add address=192.168.10.26 client-id=1:f0:9f:c2:1d:b:5 mac-address=F0:9F:C2:1D:0B:05 server=defconf

add address=192.168.10.27 always-broadcast=yes mac-address=E4:F0:42:48:CF:B2 server=defconf

add address=192.168.10.28 mac-address=48:D6:D5:E1:21:29 server=defconf

add address=192.168.10.24 always-broadcast=yes mac-address=54:60:09:5C:AE:30 server=defconf

/ip dhcp-server network

add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24

/ip dns

set allow-remote-requests=yes servers=8.8.8.8,195.54.122.200,8.8.4.4,195.54.122.204

/ip dns static

add address=192.168.10.1 name=router

add address=8.8.8.8 name="Google DNS 1"

add address=8.8.4.4 name="Google DNS 2"

/ip firewall address-list

add address=192.168.10.0/24 list=PrivateIPs

add address=192.168.10.0/24 list=support

add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons

add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" \

    list=bogons

add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons

add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons

add address=172.16.0.0/12 comment=\

    "Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons

add address=192.168.0.0/16 comment=\

    "Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons

add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons

add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons

add address=198.18.0.0/15 comment="NIDB Testing" list=bogons

add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons

add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons

/ip firewall filter

add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related disabled=\

    yes

add action=accept chain=forward connection-nat-state=srcnat,dstnat in-interface=ether1 in-interface-list=all \

    out-interface-list=all protocol=igmp

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp

add action=accept chain=input comment="allow IKE" dst-port=500 log=yes log-prefix=VPN protocol=udp

add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp

add action=accept chain=input comment="allow pptp" dst-port=1723 log=yes log-prefix=VPN protocol=tcp

add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

add action=accept chain=input protocol=ipsec-esp

add action=accept chain=input protocol=ipsec-ah

add action=accept chain=input comment="Allow Established connections" connection-state=established

add action=accept chain=input comment="Allow ICMP" protocol=icmp

add action=accept chain=input in-interface=!ether1 src-address=192.168.10.0/24

add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid

add action=drop chain=input comment="Drop everything else"

add action=accept chain=forward in-interface=bridge out-interface=bridge

add action=accept chain=input disabled=yes dst-address=192.168.10.16 dst-port=8123 in-interface=ether1 \

    protocol=tcp src-port=443

add action=accept chain=input disabled=yes dst-address=192.168.10.16 dst-port=8123 in-interface=ether1 \

    protocol=tcp src-port=8123

/ip firewall nat

add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 log=yes log-prefix=\

    HomeAssistantWebLogin protocol=tcp to-addresses=192.168.10.16 to-ports=8123

add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 protocol=tcp src-port=443 \

    to-addresses=192.168.10.16 to-ports=8123

add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

add action=masquerade chain=srcnat comment="OpenVPN Masquerade" src-address=192.168.20.0/24

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set sip disabled=yes

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www address=192.168.10.0/24 disabled=yes

set ssh disabled=yes

set winbox address=192.168.10.0/24

set api-ssl disabled=yes

/ip smb

set allow-guests=no comment=Router domain=WORKGROUP

/ip ssh

set strong-crypto=yes

/ip upnp

set show-dummy-rule=no

/ip upnp interfaces

add interface=bridge type=internal

add interface=ether1 type=external

/ppp secret

add name=vpn

/routing igmp-proxy interface

add alternative-subnets=1.2.3.0/24,2.3.4.0/24 interface=ether1 upstream=yes

add interface=ether11

/routing igmp-proxy mfc

add downstream-interfaces=ether11 group=224.10.10.11 source=192.168.10.1 upstream-interface=wlan1

/routing pim bsr-candidates

add disabled=yes interface=ether11

/routing pim interface

add disabled=yes interface=ether11

/routing pim rp-candidates

add interface=ether11

/snmp

set enabled=yes location=HOME trap-version=3

/system clock

set time-zone-name=Europe/Stockholm

/system identity

set name=Router

/system leds

set 0 disabled=yes

set 1 disabled=yes

/system logging

set 0 disabled=yes

set 3 action=disk

add action=disk topics=ipsec

add action=disk topics=account

/system note

set note="XXXXXX Network Architecture - Authorized administrators only. Access to this device is monitored."

/system ntp client

set enabled=yes primary-ntp=79.138.40.123 secondary-ntp=62.209.166.40 server-dns-names=\

    0.se.pool.ntp.org,1.se.pool.ntp.org,2.se.pool.ntp.org,3.se.pool.ntp.org

/system package update

set channel=release-candidate

/system scheduler

add interval=13m name=Update_DDNS on-event=Update_DDNS policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup

add interval=12h name=Update_RouterOS on-event=Auto_Update_RouterOS policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/23/2017 start-time=03:00:00

add interval=1w name=Send_ConfigFile_email on-event=Send_ConfigFile_email policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/26/2017 start-time=02:00:00

add interval=10m name=RUN_UPDATE_DUCK_DNS on-event=UPDATE_DUCK_DNS policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/09/2018 start-time=15:00:00

/system script

add name=Update_DDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \

    source="#  This script will update a ChangeIP.com dynamic dns hostname\r\

    \n:local ddnsuser \"xxx.kretz@gmail.com\"\r\

    \n:local ddnspass \"AlfaLaval!1991!\"\r\

    \n:local ddnshost \"kretzarna.ddns.info\"\r\

    \n:local ddnsinterface \"ether1\"\r\

    \n\r\

    \n:global ddnslastip\r\

    \n:global ddnsip [ /ip address get [find interface=\$ddnsinterface disabled=no] address ]\r\

    \n:if ([ :typeof \$ddnslastip ] = nil ) do={ :global ddnslastip 0.0.0.0/0 }\r\

    \n\r\

    \n:if ([ :typeof \$ddnsip ] = nil ) do={\r\

    \n:log info (\"DDNS: No ip address present on \" . \$ddnsinterface . \", please check.\") } else={\r\

    \n:if (\$ddnsip != \$ddnslastip) do={\r\

    \n:log info \"DDNS: Sending UPDATE!\"\r\

    \n:log info [ /tool dns-update name=\$ddnshost address=[:pick \$ddnsip 0 [:find \$ddnsip \"/\"] ] key-name=\

    \$ddnsuser key=\$ddnspass ]\r\

    \n:global ddnslastip \$ddnsip } else={\r\

    \n:log info \"DDNS: No change\" }\r\

    \n}"

add name=Send_ConfigFile_email owner=admin policy=read,write,test source="/system backup save name=email_backup\

    \r\

    \n/tool e-mail send file=email_backup.backup to=\"kretzarna@gmail.com\" body=\"See attached backup file\" su\

    bject=\"\$[/system identity get name] \$[/system clock get time] \$[/system clock get date] RouterOS Backup\

    \")\r\

    \n"

add name=Auto_Update_RouterOS owner=admin policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system package update\r\

    \ncheck-for-updates once\r\

    \n:delay 1s;\r\

    \n:if ( [get status] = \"New version is available\") do={ install }"

add name=UPDATE_DUCK_DNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \

    source=":global actualIP value=[/ip address get [find where interface=ether1] value-name=address];\r\

    \n:global actualIP value=[:pick \$actualIP -1 [:find \$actualIP \"/\" -1] ];\r\

    \n:if ([:len [/file find where name=ipstore.txt]] < 1 ) do={\r\

    \n /file print file=ipstore.txt where name=ipstore.txt;\r\

    \n /delay delay-time=2;\r\

    \n /file set ipstore.txt contents=\"0.0.0.0\";\r\

    \n};\r\

    \n:global previousIP value=[/file get [find where name=ipstore.txt ] value-name=contents];\r\

    \n:if (\$previousIP != \$actualIP) do={\r\

    \n :log info message=(\"Try to Update DuckDNS with actual IP \".\$actualIP.\" -  Previous IP are \".\$previo\

    usIP);\r\

    \n /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt address=[:resolve www.duckdns.org] por\

    t=443 host=www.duckdns.org src-path=(\"/update\?domains=kretzarna&token=17300a3e-5686-4bc0-a82a-eab0f73825f4\

    &ip=\".\$actualIP);\r\

    \n /delay delay-time=5;\r\

    \n :global lastChange value=[/file get [find where name=duckdns-result.txt ] value-name=contents];\r\

    \n :global previousIP value=\$actualIP;\r\

    \n /file set ipstore.txt contents=\$actualIP;\r\

    \n :if (\$lastChange = \"OK\") do={:log warning message=(\"DuckDNS update successfull with IP \".\$actualIP)\

    ;};\r\

    \n :if (\$lastChange = \"KO\") do={:log error message=(\"Fail to update DuckDNS with new IP \".\$actualIP);}\

    ;\r\

    \n};"

/system watchdog

set auto-send-supout=yes send-email-to=kretzarna@gmail.com watch-address=8.8.8.8

/tool e-mail

set address=74.125.127.109 from=RouterOS@kretzarna.ddns.info port=587 start-tls=yes user=xxx.kretz@gmail.com

/tool graphing interface

add interface=bridge

add interface=wlan1

add interface=sfp1

/tool mac-server

set allowed-interface-list=mactel

/tool mac-server mac-winbox

set allowed-interface-list=mac-winbox

/tool sniffer

set file-limit=10000KiB file-name=NetScan.pcap filter-interface=ether1

/tool traffic-monitor

add interface=ether1 name=MON_Received threshold=0 traffic=received

add interface=ether1 name=MON_TRANSMITTED threshold=0

matiaszon · Thu Jan 11, 2018 10:04 am

I would put masquarades on top of the list (however don't think it has so much affect on port forwarding, but you can try after changing), and delete:

add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 protocol=tcp src-port=443 \
to-addresses=192.168.10.16 to-ports=8123

So your firewall nat looks like:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat comment="OpenVPN Masquerade" src-address=192.168.20.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 log=yes log-prefix=\
HomeAssistantWebLogin protocol=tcp to-addresses=192.168.10.16 to-ports=8123

Did you you try to temporarly turn off all "drop" rules in your firewall filter table?

JohnTRIVOLTA · Thu Jan 11, 2018 10:20 am

Just add accept rule for port tcp 8123 in filter section:
/ip fi fi add action=accept chain=input comment="allow WEB" dst-port=8123 protocol=tcp place-before=3

matiaszon · Thu Jan 11, 2018 10:46 am

Just add accept rule for port tcp 8123 in filter section:
/ip fi fi add action=accept chain=input comment="allow WEB" dst-port=8123 protocol=tcp place-before=3

If that would be the problem, you would have to add "accept" rules in the filter table for each forwarded port. I have like 10 ports forwarded and not a single accept rule in filter table. IMO the problem is in dropping/allowing rules that he already had defined.

JohnTRIVOLTA · Thu Jan 11, 2018 10:54 am

he just has to place up the rules and the last input rule must be - /add action=drop chain=input comment="Drop everything else"

dkz · Thu Jan 11, 2018 7:00 pm

I have tried all your suggestion JohnTRIVOLTA and matiaszon. I added the filter, inactivated the drop filter and removed the 443 nat-rule, but non of them makes it work

In Chrome i get ERR_CONNECTION_REFUSED when i'm trying to access the server from: https://xxxxxxxx.duckdns.org:8123

Any other suggestions that could be setup wrong in my configuration?

JohnTRIVOLTA · Thu Jan 11, 2018 7:13 pm

If you want to access it/web server/ from the local network , you must set Hairpin NAT , or if the board have DNS role you must add a static entry on DNS section !

dkz · Thu Jan 11, 2018 9:53 pm

I'm a bit noob. How do I do that?

JohnTRIVOLTA · Thu Jan 11, 2018 10:04 pm

I'm a bit noob. How do I do that?

https://wiki.mikrotik.com/wiki/Hairpin_NAT
or
/ip dns static add name=www.xxxxxxxx.duckdns.org address=192.168.10.16

dkz · Thu Jan 11, 2018 10:58 pm

JohnTRIVOLTA that did the trick!!! Now it works. Just added /ip dns static add name=www.xxxxxxxx.duckdns.org address=192.168.10.16

Thanks a million for your guys commitment.

matiaszon · Fri Jan 12, 2018 10:20 am

Just to remember: this will make problems, when you will have another server in LAN working on another port.

dkz · Fri Jan 12, 2018 8:14 pm

Thanks for letting me know. Shall I apply hairpin NAT if I have future needs to setup another server in my LAN?

matiaszon · Sun Jan 14, 2018 3:51 pm

You can apply HairPIN NAT for sa many as servers as you need. The only problem is to set up ports correctly. Let's say you have two different servers both working on port tcp 80. If you set up an external port for the firat one you have to choose another port number for the second server. For example:
1st server: external port tcp 80, internal tcp 80
2nd server: external port tcp 81, internal port tcp 80

Port forward not working for me [SOLVED]

Port forward not working for me [SOLVED]

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Re: Port forward not working for me

Who is online