tartangeek
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 8:59 am

Port Forwarding issue

Mon May 16, 2022 9:28 am

Hi
I am trying to port forward 2 ports, 1212 and 1250, so that a customer's software will connect externally to the server on 192.168.1.64.
The REALLY frustrating thing is I configured it and tested the ports and they worked, but now they won't.
I have spoken to the ISP and they are not blocking it at all. I am tearing my hair out, so please help.
Config attached
[admin@MikroTik] > export
# may/10/2022 16:20:40 by RouterOS 6.47.9
# software id = AH1F-487G
#
# model = RB760iGS
/interface bridge
add admin-mac=DC:2C:6E:01:61:AE auto-mac=no \
    comment=defconf name=bridge
/interface vlan
add interface=ether1 name=ufb-vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=\
    MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=\
    flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool1 ranges=\
    192.168.1.10-192.168.1.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=\
    bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=\
    ether2
add bridge=bridge comment=defconf interface=\
    ether3
add bridge=bridge comment=defconf interface=\
    ether4
add bridge=bridge comment=defconf interface=\
    ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ufb-vlan10 list=\
    WAN
/ip address
add address=192.168.1.1/24 comment=defconf \
    interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=\
    ufb-vlan10
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf \
    dns-server=103.212.xx.x,8.8.8.8 gateway=\
    192.168.1.1 netmask=24
/ip dns static
add address=192.168.1.1 comment=defconf name=\
    router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=103.212.xx.0/24 list=WAN
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: a\
    ccept established,related,untracked" \
    connection-state=\
    established,related,untracked
add action=accept chain=forward \
    connection-state=established
add action=accept chain=forward \
    connection-nat-state=dstnat \
    connection-state=""
add action=accept chain=forward comment="defconf:\
    \_accept established,related, untracked" \
    connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: a\
    ccept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 \
    protocol=tcp
add action=fasttrack-connection chain=forward \
    comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=input comment=\
    "defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN" \
    in-interface-list=LAN
add action=drop chain=forward comment=\
    "defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "allow port forwarding" \
    connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=\
    "Software allow from home" dst-port=1212 \
    in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.64 to-ports=1212
add action=dst-nat chain=dstnat comment=\
    "Software allow from home" dst-port=1212 \
    in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.64 to-ports=1212
add action=dst-nat chain=dstnat comment=\
    "Software allow from home SSL" disabled=yes \
    dst-port=8443 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.1.64 \
    to-ports=1212
add action=dst-nat chain=dstnat comment=\
    "Software allow from home" dst-port=1250 \
    in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.64 to-ports=1250
add action=dst-nat chain=dstnat comment=\
    "Software allow from home SSL" disabled=yes \
    dst-port=8443 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.64 \
    to-ports=1250
add action=dst-nat chain=dstnat comment=\
    "Software allow from home" dst-port=1250 \
    in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.64 to-ports=1250
add action=dst-nat chain=dstnat disabled=yes \
    dst-address=139.5.166.151 to-addresses=\
    192.168.1.64
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN 
Last edited by tartangeek on Mon May 16, 2022 11:22 pm, edited 1 time in total.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Port Forwarding issue

Mon May 16, 2022 1:16 pm

Not an answer to your question, but

* Never open up 8192 from the internet to admin your router. You are asking for problems.
add action=accept chain=input dst-port=8291 protocol=tcp
See this post: viewtopic.php?p=870631#p870631

set winbox address=192.168.1.0/24
This helps some. Edit the FW rule to only accept LAN.

* Inside IP should be bound to the bridge, not to an interface that is part of the bridge:
wrong
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
correct (same as you already have bound your DHCP server to)
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0

* Edit and remove the serial number from your post; with that I found your IP to be 103.x.x.x3 due to the cloud service, and with Winbox open, I can just start hacking.

* Nothing wrong, but to-ports are not needed in NAT if it's the same as dst-port.

To test your NAT (tcp part) visit https://canyouseeme.org/ and type in port 1212
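The two config points raised above (an IP address bound to a bridge port instead of the bridge, and an input-chain accept for a management port that is not limited to LAN) can be checked mechanically from an export. The following is an added example, not the poster's config or a MikroTik tool; it parses a constructed excerpt shaped like the export posted above, joining the backslash continuation lines, and flags both issues.

```python
import shlex

# Constructed excerpt in the shape of the RouterOS export above; not the poster's full config.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=\
    ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.1.1/24 comment=defconf \
    interface=ether2 network=192.168.1.0
/ip firewall filter
add action=accept chain=input comment="defconf: a\
    ccept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 \
    protocol=tcp
add action=accept chain=input dst-port=22 \
    in-interface-list=LAN protocol=tcp
"""


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for every 'add' line of a RouterOS export."""
    joined, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw          # continuation lines are indented
        if piece.endswith("\\"):                      # trailing backslash: command continues
            buf += piece[:-1]
        else:
            joined.append(buf + piece)
            buf = ""
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            entry = {}
            for tok in shlex.split(line)[1:]:         # shlex keeps quoted comments together
                key, _, val = tok.partition("=")
                entry[key] = val
            sections[current].append(entry)
    return sections


def audit(sections):
    """Flag addresses on bridge ports and input accepts for a port that any interface can reach."""
    findings = []
    ports = {e.get("interface") for e in sections.get("/interface bridge port", [])}
    for e in sections.get("/ip address", []):
        if e.get("interface") in ports:
            findings.append(f"{e['address']} is bound to bridge port {e['interface']}; bind it to the bridge")
    limits = ("in-interface-list", "in-interface", "src-address", "src-address-list")
    for e in sections.get("/ip firewall filter", []):
        if e.get("chain") == "input" and e.get("action") == "accept" and "dst-port" in e \
                and not any(k in e for k in limits):
            findings.append(f"input accept for {e.get('protocol', 'any')}/{e['dst-port']} is not limited to LAN")
    return findings
```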
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding issue

Mon May 16, 2022 2:46 pm

You need to organize your firewall rules better so input and forward chain rules are not intermingled.
As well, you have some mess, duplicates in the forward chain that need to be cleaned up, including the order of rules.
It's clear you don't have a clue what the rules are actually saying/doing, and thus more important than port forwarding is learning about the config.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding issue

Tue May 17, 2022 2:08 am

As long as ISP really isn't blocking anything and you're testing it from internet (not from LAN), it should work. If you look at dstnat rules' counters, do they get any hits when you test those ports?
 
tartangeek
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 8:59 am

Re: Port Forwarding issue

Wed May 18, 2022 2:54 am

As long as ISP really isn't blocking anything and you're testing it from internet (not from LAN), it should work. If you look at dstnat rules' counters, do they get any hits when you test those ports?
Yes, that is the strange thing: the counters do move, but then it stops there. I have checked that the firewall on the server is allowing those ports, and it does, so I am lost.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding issue

Wed May 18, 2022 3:37 am

Keep looking at the server, because the router doesn't block it. You can try to add e.g.:
/ip firewall mangle
add chain=postrouting dst-address=192.168.1.64 protocol=tcp dst-port=1212 action=log log-prefix="request"
add chain=prerouting src-address=192.168.1.64 protocol=tcp src-port=1212 action=log log-prefix="response"
You should see some requests logged, but responses will probably be tcp resets or none at all.
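Reading the output of those two mangle log rules by hand gets tedious once the client retries. This added example (not part of the post) pairs each logged request with the server's reply by client ip:port and gives the reading the post describes: SYN,ACK means the server answered, RST means nothing is listening, no response means a host firewall or wrong address. The log lines are constructed in the shape RouterOS writes for a log action, not real captures.

```python
import re

# Constructed log lines (shape of RouterOS firewall log output for the "request"/"response" prefixes).
SAMPLE_LOG = """\
13:05:01 firewall,info request postrouting: in:ufb-vlan10 out:bridge, proto TCP (SYN), 203.0.113.10:51234->192.168.1.64:1212, len 60
13:05:01 firewall,info response prerouting: in:bridge out:(unknown 0), proto TCP (SYN,ACK), 192.168.1.64:1212->203.0.113.10:51234, len 60
13:05:07 firewall,info request postrouting: in:ufb-vlan10 out:bridge, proto TCP (SYN), 203.0.113.10:51240->192.168.1.64:1212, len 60
13:05:07 firewall,info response prerouting: in:bridge out:(unknown 0), proto TCP (ACK,RST), 192.168.1.64:1212->203.0.113.10:51240, len 40
13:05:20 firewall,info request postrouting: in:ufb-vlan10 out:bridge, proto TCP (SYN), 198.51.100.7:40000->192.168.1.64:1212, len 60
13:05:23 firewall,info request postrouting: in:ufb-vlan10 out:bridge, proto TCP (SYN), 198.51.100.7:40000->192.168.1.64:1212, len 60
"""

LINE_RE = re.compile(
    r"(?P<prefix>request|response) \w+: .*?proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(log_text):
    """Map each external client ip:port that hit the forwarded port to what the server sent back."""
    requests, responses = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split(","))
        if m["prefix"] == "request":                    # client -> server, keyed by the client
            requests[f"{m['src']}:{m['sport']}"] = flags
        else:                                           # server -> client, keyed by the client too
            responses[f"{m['dst']}:{m['dport']}"] = flags
    verdicts = {}
    for client in requests:
        back = responses.get(client)
        if back is None:
            verdicts[client] = "silent"                 # request forwarded, nothing came back
        elif "RST" in back:
            verdicts[client] = "reset"                  # server refused: nothing listening
        elif {"SYN", "ACK"} <= back:
            verdicts[client] = "answered"               # handshake completed on the server side
        else:
            verdicts[client] = "other"
    return verdicts


def summarize(verdicts):
    """One-line reading of the verdicts: resets and silence both point at the server, not the router."""
    seen = set(verdicts.values())
    if "reset" in seen:
        return "server sends TCP resets: nothing is listening on the port on the server"
    if "silent" in seen:
        return "requests reach the server but nothing comes back: host firewall or wrong address"
    if "answered" in seen:
        return "server answers every forwarded SYN: router and server both fine"
    return "no forwarded requests logged: dst-nat rule is not matching"
```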
 
tartangeek
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 8:59 am

Re: Port Forwarding issue

Wed May 18, 2022 4:35 am

Yeah, after tidying up everything and the firewall rules etc. it still does not work, yet it gets packets when you try to telnet to it. Must be on the server. Thanks all for your help.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Port Forwarding issue

Wed May 18, 2022 8:51 am

Remove the router, set up a Linux PC where you change the ssh port from 22 to 1212. Connect it to your ISP and test if you can reach that from the internet.
If yes, something is wrong with the RouterOS config; if no, ISP problems.
