Australis192
just joined
Topic Author
Posts: 3
Joined: Sun May 01, 2022 2:42 pm

Need help with port forwarding, complete noob

Mon Jul 11, 2022 7:26 pm

Hey, so I'm trying to forward a port needed for playing Subnautica co-op mod. I followed this video https://www.youtube.com/watch?v=a_8AV6vIDYQ but I had no success, it still shows that my port is closed when I check it either in game or port checker website.

Here is my config:
# jul/11/2022 19:22:02 by RouterOS 6.49.6
# software id = KBW6-858X
#
# model = RBD52G-5HacD2HnD
# serial number = E5780E671B76
# NOTE(review): this export carries identifying values (software id, serial
# number, bridge admin-mac, PPPoE username, DHCP lease MACs); redact them
# before posting the config publicly.
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name=channe24 reselect-interval=1d \
    save-selected=yes
add band=5ghz-a/n/ac extension-channel=XXXX name=channel50 reselect-interval=\
    1d save-selected=yes
/interface bridge
add admin-mac=2C:C8:1B:67:2A:A1 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=u178462
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-672AA5 wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-672AA6 wireless-protocol=802.11
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1
/caps-man configuration
add channel=channe24 datapath=datapath1 mode=ap name=cfg24 rx-chains=0,1,2 \
    security=security1 ssid=MomoKL tx-chains=0,1,2
# cfg50 pairs channel=channel50 (a 5ghz-a/n/ac channel) with
# channel.band=2ghz-b — presumably unintended; confirm which band is meant.
add channel=channel50 channel.band=2ghz-b country=no_country_set datapath=\
    datapath1 mode=ap name=cfg50 rx-chains=0,1,2 security=security1 ssid=\
    MomoKL5 tx-chains=0,1,2
add channel.band=5ghz-n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=XXXX country=no_country_set \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=cfg-5ghz-ac security=security1 ssid=""
add channel.band=5ghz-onlyn channel.control-channel-width=20mhz \
    channel.extension-channel=XX country=no_country_set \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=cfg-5ghz-an security=security1 ssid=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man aaa
set mac-mode=as-username-and-password
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,ac,an \
    master-configuration=cfg50 name-format=prefix-identity name-prefix=5G
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration=cfg24 name-format=prefix-identity name-prefix=2G
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# pppoe-out1 is the only WAN list member; the firewall rules below that match
# in-interface-list=WAN / !LAN refer to this membership.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=bridge,wlan1,wlan2 enabled=yes \
    interfaces=wlan1,wlan2
/ip address
# Two /24s sit on the same bridge (192.168.10.1 and 192.168.0.1); only
# 192.168.10.0/24 has a DHCP network below, and the default-dhcp pool
# (192.168.88.x) is not referenced by any DHCP server.
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip dhcp-client
# ether1 already carries pppoe-out1 (add-default-route=yes); a DHCP client on
# the same port looks redundant here — confirm against the ISP setup.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.10.11 client-id=1:4c:11:bf:7c:e8:35 mac-address=\
    4C:11:BF:7C:E8:35 server=defconf
add address=192.168.10.12 client-id=1:4c:11:bf:7c:e8:33 mac-address=\
    4C:11:BF:7C:E8:33 server=defconf
add address=192.168.10.20 client-id=1:bc:32:5f:af:99:ab mac-address=\
    BC:32:5F:AF:99:AB server=defconf
add address=192.168.10.23 client-id=1:6c:1c:71:68:7f:f8 mac-address=\
    6C:1C:71:68:7F:F8 server=defconf
add address=192.168.10.24 client-id=1:6c:1c:71:a3:9:db mac-address=\
    6C:1C:71:A3:09:DB server=defconf
add address=192.168.10.22 client-id=1:6c:1c:71:80:1:53 mac-address=\
    6C:1C:71:80:01:53 server=defconf
add address=192.168.10.29 client-id=1:6c:1c:71:a3:9:c7 mac-address=\
    6C:1C:71:A3:09:C7 server=defconf
add address=192.168.10.30 client-id=1:6c:1c:71:a3:9:e1 mac-address=\
    6C:1C:71:A3:09:E1 server=defconf
add address=192.168.10.28 client-id=1:6c:1c:71:a3:9:f1 mac-address=\
    6C:1C:71:A3:09:F1 server=defconf
add address=192.168.10.27 client-id=1:24:52:6a:1b:c9:de mac-address=\
    24:52:6A:1B:C9:DE server=defconf
add address=192.168.10.26 client-id=1:6c:1c:71:68:82:7e mac-address=\
    6C:1C:71:68:82:7E server=defconf
add address=192.168.10.25 client-id=1:6c:1c:71:68:7f:e9 mac-address=\
    6C:1C:71:68:7F:E9 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS on every interface;
# only the input-chain rules below keep WAN-side queries out.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf disabled=yes name=router.lan
add address=192.168.10.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# No in-interface-list match on this accept, and it precedes the "!LAN" drop
# below, so tcp/38291 (winbox) is reachable from pppoe-out1 (WAN) too.
# Restrict it with in-interface-list=LAN (and ideally a src-address-list of
# admin hosts); the non-default port number alone is not a control.
add action=accept chain=input comment="defconf: accept WINBOX" dst-port=38291 \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The next two rules accept input to 192.168.10.1 and 192.168.1.1 from any
# interface; the defconf "loopback" rule is the 127.0.0.1 one after them.
# 192.168.1.1 is not configured on this router (see /ip address).
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    192.168.10.1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=192.168.1.1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new WAN connections that were dst-nat'ed get through the forward
# chain; the dst-nat rule below is therefore what decides the port forward.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# to-addresses=194.44.57.80 is not in either LAN subnet on this router; a
# port forward normally targets a LAN host (192.168.10.x). dst-port/to-ports
# are redacted here (xxxxx). The rule has no in-interface-list=WAN or
# dst-address-type=local match, so it would presumably also catch
# LAN-originated connections to that port — confirm before relying on it.
add action=dst-nat chain=dstnat comment="Sub nautica" dst-port=xxxxx \
    protocol=udp to-addresses=194.44.57.80 to-ports=xxxxx
/ip service
# telnet/ftp/www/ssh are disabled; api, api-ssl and winbox stay enabled on
# non-default ports. Moving ports is obscurity only — reachability is decided
# by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api port=38728
set winbox port=38291
set api-ssl port=38729
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=MikroTikIKK
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
# RoMON is enabled; nothing in this export restricts it, so confirm it is
# intended (disable it if no RoMON management is in use).
set enabled=yes
Like I mentioned, I am a complete noob when it comes to anything internet, so talk to me like I'm 5. Thanks
Last edited by Australis192 on Mon Jul 11, 2022 8:51 pm, edited 1 time in total.
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding, complete noob

Mon Jul 11, 2022 8:29 pm

(1) I don't think you need this entered, as the DHCP client settings are done in the PPPoE part of the menu.
/ip dhcp-client {remove}
add comment=defconf interface=ether1

(2) HUGE SECURITY RISK, do this right away, to limit router access to at least the LAN!!
add action=accept chain=input comment="defconf: accept WINBOX" dst-port=38291 \
protocol=tcp in-interface-list=LAN

***** also change the port number to something we don't know!! And don't post it in any public config — just put XXXXX.

Later slightly modify the rule and add two more and replace one rule.........
add action=accept chain=input comment="defconf: accept WINBOX" dst-port=38291 \
protocol=tcp in-interface-list=LAN
src-address=<IP of admin PC> (or src-address-list=Authorized, where Authorized is a firewall address list of admin devices: PC, laptop, iPad, smartphone etc.)
add action=accept chain=input protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input protocol=udp dst-port=53 in-interface-list=LAN

Finally replace this
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

With this, which blocks all unwanted or unknown WAN-to-router and LAN-to-router traffic!
add action=drop chain=input comment="drop all else"

Basically we are ensuring only the admin has access to the router, and the rest of the LAN has access to DNS services, which is commonly the only service required.
Finally we block all else.

(4) Similarly making the forward chain cleaner and with better security
Modify this rule and add two more........
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Again we block all unknown and other traffic not previously accepted.
Thus we have to ensure we add internet bound traffic and we simplify the port forwarding or dst-nat rule.

(5) What is missing in terms of port forwarding is a properly formatted dst nat rule.
Please read this reference...............
viewtopic.php?t=179343
 
Australis192
just joined
Topic Author
Posts: 3
Joined: Sun May 01, 2022 2:42 pm

Re: Need help with port forwarding, complete noob

Mon Jul 11, 2022 9:24 pm

Aight, I must be honest and say that this much info doesn't help me at all. If I try doing everything you said I will probably do more harm. I managed to open the desired port by using the game mod client, where it force opens it for me, (still appears as Closed on portchecker website, is there any other way to confirm if it's opened?) but I still wanna know if following the instruction given in the video should work? If it's so complicated to open one port I'll just buy a different router where it's as easy as "put the port number you want forwarded"
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding, complete noob

Mon Jul 11, 2022 9:40 pm

You need to learn about the basics of MT networking and FORGET that particular youtube video
and start reading and using the noggin!

viewtopic.php?t=182373

Suggest starting at para M. for example.
Then B,
Then E,
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with port forwarding, complete noob

Tue Jul 12, 2022 3:06 am

Obvious mistake: usually when you want to forward a port because some game needs it, it's meant for incoming connections that should be able to reach your device in the LAN. In other words, the address in to-addresses should be some 192.168.10.x (whatever the target device has).

Possible problem, even when you do it correctly, it will only work if your router has public address (i.e. not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x), and that's not always the case.

And no, nothing "force opened" the port for you. There's a way to let devices in the LAN open ports automatically (UPnP), but you don't have it enabled.

Edit: One more problem, port forwarding in Quick Set was and probably still is broken and creates incomplete rules. They work for incoming connections, but also break outgoing connections to same port. It can be fixed if you add dst-address-type=local to created rules.
