qazasd
just joined
Topic Author
Posts: 2
Joined: Thu Oct 14, 2021 3:46 pm

Another Port Forwarding issue

Thu Oct 14, 2021 4:08 pm

Hi All,
Hopefully someone can help me with my predicament. I am trying to set up port forwarding to get open NAT and am getting some really weird results. I am using the latest release and have also tried a lot of the fixes from the forum and the net, so I am quite stuck now.

Before this I was trying to manually add NAT entries for port forwarding, but weird things happen: when I run the game that requires the port, the game does not continue further but displays a black screen; however, when I disable the rule, the game continues to load. Another weird thing is that sometimes it will show the bytes and packets, other times nothing.

So for the rule below, I set up UPnP to see what ports are being used and to see if I could get an open NAT; however, it is also not working.

Any help would be appreciated, thanks.
vincent
# oct/14/2021 20:39:12 by RouterOS 6.49
# software id = UX2G-130B
#
# model = RB750Gr3
# serial number = CC210EACEFA3
/interface bridge
add admin-mac=zzzzzzzzzzzzzzz auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/queue interface
set ether2 queue=ethernet-default
set ether3 queue=wireless-default
set ether4 queue=wireless-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.113 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.113 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=MisterT
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another Port Forwarding issue  [SOLVED]

Fri Oct 15, 2021 4:44 pm

(1) Not sure why you use .113 as a gateway. Probably not wrong but not something I see often.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.113 netmask=24

(2) REMOVE UPNP settings, not required.

(3) What you are missing is a Port Forward Rule, and we use the destination nat rules for that.

To Recap:
a. MikroTik devices require one to allow port-forwarded traffic from the WAN to the LAN. This is done in one generic firewall rule, in the forward chain, which states allow WAN to LAN traffic if of the type destination NAT (unsolicited traffic coming in on the WAN with a specific port that is identified in the destination NAT rules). This is covered by the default rule:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Which states drop all WAN to LAN traffic unless it's dst-nat traffic.

b. Now we have to provide the router with the info on what to do with this incoming traffic, and that is through the use of destination NAT rules.
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=xxxx protocol=??? \
to-addresses=LAN-IP-of-Server
{to-ports=xxxx Note: to-ports is NOT required if the same as dst-port, it has to be used if doing port translation}
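
The three points in the reply above, turned into an offline audit of a RouterOS export. This is an added example, not part of the original posts; the finding labels and the trimmed sample export (modelled on the config in this thread) are constructed for illustration.

```python
import re, shlex

# Constructed sample: a trimmed RouterOS export modelled on the config in this thread.
SAMPLE = r'''
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.113 netmask=24
/ip firewall filter
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip upnp
set allow-disable-external-interface=yes enabled=yes
'''

def parse_export(text):
    """Return [(section, {param: value})] from an export, joining '\\' continuations."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # exports wrap long lines with a trailing backslash
    rules, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            rules.append((section, dict(pairs)))
    return rules

def audit(text):
    """Return a list of findings (hypothetical labels) for the three points in the reply."""
    rules = parse_export(text)
    get = lambda sec: [p for s, p in rules if s == sec]
    findings = []
    router_ips = {p["address"].split("/")[0] for p in get("/ip address")}
    for net in get("/ip dhcp-server network"):      # point (1): gateway handed to clients
        if net.get("gateway") not in router_ips:
            findings.append("dhcp-gateway-not-router:" + net.get("gateway", ""))
    if any(p.get("enabled") == "yes" for p in get("/ip upnp")):   # point (2)
        findings.append("upnp-enabled")
    if not any(p.get("chain") == "dstnat" for p in get("/ip firewall nat")):  # point (3)
        findings.append("no-dstnat-rule")
    if not any(p.get("chain") == "forward" and p.get("action") == "drop"
               and p.get("connection-nat-state") == "!dstnat"
               for p in get("/ip firewall filter")):  # recap (a): WAN->LAN limited to dstnat
        findings.append("wan-forward-not-restricted")
    return findings
```

Running `audit(SAMPLE)` reports the unusual DHCP gateway, the enabled UPnP service and the missing dstnat rule, while the default forward-chain drop rule passes the last check.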
 
qazasd
just joined
Topic Author
Posts: 2
Joined: Thu Oct 14, 2021 3:46 pm

Re: Another Port Forwarding issue

Fri Oct 15, 2021 5:50 pm

Hi Anav,
Thanks for the reply. Somehow, it sorted itself out: I reset the MikroTik unit to its default (not once though), only this time I used the default settings, not my weird gateway settings :p, and enabled UPnP (UPnP appears in the NAT tab), and I could get open NAT.

So knowing it will work, I will take your advice to put in the forward (dstnat) rule manually.

Thanks for your help.
rgds,
vincent.
