cptjames32

Port Forwarding refuses to work past the router

Tue Aug 16, 2022 7:11 pm

Hello,

I for some reason can't get port forwarding to work past the router. I can open any port to the router itself, and that works when I test with an "is my port open" website. However, when I port forward port 5060 to my VOIP server, it will not forward the port to the server. Anyone see anything wrong with my config? I'm running the latest stable branch of RouterOS 6.


# aug/16/2022 11:04:12 by RouterOS 6.48.6
# model = RB2011iL
# Review notes: export as posted; the 209.111.111.111 / 72.111.111.111 style
# addresses look redacted. Firewall rules are evaluated top to bottom within
# each chain, so the order of the filter and NAT rules below is significant.
/interface bridge
# (the line below appears to have lost its leading "add" when pasted)
auto-mac=no comment=defconf name=bridge
/interface gre
# GRE carries no encryption of its own; see the /ip ipsec policy at the end for
# what is actually protected on this tunnel.
add local-address=209.111.111.111 name=gre-tunnel1 remote-address=72.111.111.111
/interface vlan
add interface=ether5 name="VLAN" vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# nat-traversal=no: the peer is addressed via the tunnel-internal 172.16.0.x
# addresses, so no NAT on the path is assumed.
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=CSGO nat-traversal=no
/ip ipsec peer
add address=172.16.0.29/32 local-address=172.16.0.30 name="County" profile=CSGO
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Flex
# LEADS also offers sha1 for authentication; keep it only if the far end cannot
# negotiate sha256.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=LEADS pfs-group=modp4096
/ip pool
add name=dhcp ranges=10.100.1.2-10.100.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=10.100.10.2-10.100.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface="VLAN" name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged="VLAN" vlan-ids=10
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
# Only the bridge is in LAN; the "VLAN" interface is in neither list, so every
# rule that matches on in-interface-list / out-interface-list skips VLAN traffic.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP (MS-CHAPv2 / MPPE) is widely regarded as cryptographically weak; the
# L2TP/IPsec and SSTP servers enabled here are the stronger options.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.100.1.1/24 comment=defconf interface=bridge network=10.100.1.0
add address=10.100.10.1/24 interface="VLAN" network=10.100.10.0
add address=172.16.0.30/30 interface=gre-tunnel1 network=172.16.0.28
/ip cloud
# Publishes this router's WAN address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.100.1.20 client-id=1:34:5a:6:d2:3e:9c mac-address=34:5A:06:D2:3E:9C server=defconf
# 10.100.1.23 is the VOIP server targeted by the dst-nat rules below.
add address=10.100.1.23 mac-address=00:25:90:63:93:65 server=defconf
add address=10.100.10.6 client-id=1:a8:93:4a:66:f1:cb mac-address=A8:93:4A:66:F1:CB server=dhcp1
/ip dhcp-server network
add address=10.100.1.0/24 comment=defconf gateway=10.100.1.1 netmask=24
add address=10.100.10.0/24 gateway=10.100.10.1
/ip dns
# Recursive DNS answers any source; it is kept off the internet only by the
# input-chain "drop all not coming from LAN" rule further down.
set allow-remote-requests=yes
/ip dns static
add address=10.100.1.1 comment=defconf name=router.lan
/ip firewall address-list
# The CCSO list is defined but not referenced by any rule in this export.
add address=72.111.111.111 list=CCSO
add address=10.34.40.134 list=CCSO
add address=10.34.40.136 list=CCSO
/ip firewall filter
# UDP port 50 is not ESP: ESP is IP protocol 50 (protocol=ipsec-esp), so this
# rule admits IKE (500/4500) and L2TP (1701) but not ESP itself. With
# use-ipsec=yes on the L2TP server, 1701 is usually also constrained with
# ipsec-policy=in,ipsec so bare L2TP is not reachable from WAN.
add action=accept chain=input dst-port=50,500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
# Winbox (8291) accepted from any WAN source: the management plane is exposed to
# the internet. Restrict it to a management source address or a VPN.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
# TCP/80 accepted from WAN; the www service is disabled below, so this admits
# nothing today but becomes an exposure the moment www is re-enabled.
add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Catch-all for the input chain; anything the router itself must expose has to
# be accepted above this line.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
# Lets dst-natted (port-forwarded) connections through the forward chain.
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only WAN-sourced new connections are dropped here; LAN->WAN and VLAN traffic
# fall through to the chain's implicit accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# Hairpin NAT for LAN clients that reach the forwarded server via the public address.
add action=masquerade chain=srcnat dst-address=10.100.1.0/24 src-address=10.100.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
# Port forwards keyed on in-interface=ether1 only match packets arriving on the
# WAN port; LAN clients using the public address never hit them (hairpin case).
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp \
    to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP2 dst-port=5060 in-interface=ether1 protocol=tcp \
    to-addresses=10.100.1.23 to-ports=5060
# RTP range forwarded wholesale to the VOIP server.
add action=dst-nat chain=dstnat comment=VOIP3 dst-port=10000-20000 in-interface=ether1 protocol=udp \
    to-addresses=10.100.1.23 to-ports=10000-20000
/ip firewall service-port
# SIP ALG disabled: the server at 10.100.1.23 has to handle NAT itself (its own
# external-address setting), which is usually the right choice.
set sip disabled=yes sip-direct-media=no
/ip ipsec identity
add peer="County"
/ip ipsec policy
# This policy matches only traffic between the two tunnel endpoint addresses.
# NOTE(review): traffic from other sources routed through gre-tunnel1 would not
# match it and would cross the GRE tunnel unencrypted -- confirm that is intended.
add dst-address=172.16.0.29/32 peer="County" proposal=LEADS src-address=172.16.0.30/32
/ip service
set www disabled=yes
/ppp secret
# Credential not shown in the posted export.
add name=vpn
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
cptjames32

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 8:23 pm

I should add, I have gone through all of the posts I could find on this issue, and no change I make works.
anav

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 9:01 pm

Clearly it's the bad hair, err, the associated static electricity.

(1) Tsk Tsk, bad news.......
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp

Why are you insisting on the security risk of opening your Winbox port to the internet? Remote access to Winbox should only be done ONCE you have connected to the router itself through one of the myriad encrypted methods you seem to like dabbling with. Please change immediately to
add action=accept chain=input dst-port=winboxport# protocol=tcp in-interface-list=LAN

You may wish to allow some VPN access to the input chain for this port. I personally never use my actual winboxport number on a public config example.

(2) What is the purpose of this rule.......
add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp ????

(3) You are a bit confused, as shown by your forward chain........
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN


BETTER and coherent....
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN (assuming you want lan to wan access of course)
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


Note: Ether5/VLAN seems to live by itself; if you want to be able to access it, or have users on Ether5/VLAN access anything, you will require associated firewall rules.

(4) Assuming your WANIP is a. an accessible public IP, and b. dynamic, the format of your dst-nat rules will not suffice for the hairpin nat scenario
please read through this.........
viewtopic.php?t=179343
cptjames32

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 9:33 pm

Ok, I changed everything you listed, however it still will not forward a port to my server.

1. I changed this to only allow my public IP in. (I am remote to this router)

2. That rule was there to test the port forwarding to my server. If I allow port 80, I can see the router's gui by typing in the public ip. When I forward it in the router to a web server, it never makes it to the server.

3. I left all of the default rules from the default config on it. I cleaned them up as you suggested.

4. I already found your post on this before. This router has a public facing IP that is static, I changed the dst-nat rules to the public ip and did hairpin nat. Neither would pass the port traffic onto the server.

new config:
# aug/16/2022 13:25:56 by RouterOS 6.48.6
# software id = CG01-2JDG
#
# model = RB2011iL
# Review notes: second export, after the forward chain was rewritten. The
# input chain in this version has no final drop rule -- see /ip firewall filter.
/interface bridge
add admin-mac=DC:2C:6E:4C:6E:41 auto-mac=no comment=defconf name=bridge
/interface gre
# GRE carries no encryption of its own; the /ip ipsec policy at the end covers
# only the tunnel endpoint addresses.
add local-address=209.111.111.111 name=gre-tunnel1 remote-address=72.111.111.111
/interface vlan
add interface=ether5 name="VLAN" vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=CSGO nat-traversal=no
/ip ipsec peer
add address=172.16.0.29/32 local-address=172.16.0.30 name="County" profile=CSGO
/ip ipsec proposal
# Both proposals carry the same name ("CC") here; presumably renamed for
# posting, since RouterOS would not normally keep two entries with one name.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=CC
# This variant also offers sha1 for authentication; keep it only if the far end
# cannot negotiate sha256.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=CC pfs-group=modp4096
/ip pool
add name=dhcp ranges=10.100.1.2-10.100.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=10.100.10.2-10.100.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface="VLAN" name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged="VLAN" vlan-ids=10
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
# Only the bridge is in LAN; "VLAN" is in neither list, so the LAN->WAN accept
# and the "drop all else" rule below mean VLAN hosts are now cut off from WAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP is still enabled although its input-chain accept (TCP/1723) was removed.
# It stays reachable only because the input chain below has no final drop.
set enabled=yes
/interface sstp-server server
# Same situation as PPTP: the TCP/443 accept for SSTP is gone from the filter.
set default-profile=default-encryption enabled=yes
/ip address
add address=10.100.1.1/24 comment=defconf interface=bridge network=10.100.1.0
add address=10.100.10.1/24 interface="VLAN" network=10.100.10.0
add address=172.16.0.30/30 interface=gre-tunnel1 network=172.16.0.28
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.100.1.20 client-id=1:34:5a:6:d2:3e:9c mac-address=34:5A:06:D2:3E:9C server=defconf
# 10.100.1.23 is the VOIP server targeted by the dst-nat rules below.
add address=10.100.1.23 mac-address=00:25:90:63:93:65 server=defconf
add address=10.100.10.6 client-id=1:a8:93:4a:66:f1:cb mac-address=A8:93:4A:66:F1:CB server=dhcp1
/ip dhcp-server network
add address=10.100.1.0/24 comment=defconf gateway=10.100.1.1 netmask=24
add address=10.100.10.0/24 gateway=10.100.10.1
/ip dns
# Recursive DNS answers any source. With no final input drop in this version of
# the filter, the resolver is reachable from WAN (open-resolver / amplification risk).
set allow-remote-requests=yes
/ip dns static
add address=10.100.1.1 comment=defconf name=router.lan
/ip firewall address-list
# The CC address list is defined but not referenced by any rule in this export.
add address=72.111.111.111 list=CC
add address=10.34.40.134 list=CC
add address=10.34.40.136 list=CC
/ip firewall filter
# UDP port 50 is not ESP (ESP is IP protocol 50, protocol=ipsec-esp); see the
# note on the first export. 1701 is accepted without an ipsec-policy matcher.
add action=accept chain=input dst-port=50,500,1701,4500 in-interface-list=WAN protocol=udp
# Winbox from WAN now limited to one source address; together with the
# /ip service winbox address restriction below this is defence in depth.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp src-address=206.111.111.111
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Forward rules are interleaved with input rules; harmless, since each rule only
# applies to its own chain, but harder to audit.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The input chain ends here with no drop: every router service (DNS, PPTP, SSTP,
# L2TP, API, ssh...) is reachable from WAN by default. The first export's
# "drop all not coming from LAN" input rule was lost in the rewrite; it is
# restored in the later export.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# Hairpin NAT for LAN clients that reach the forwarded server via the public address.
add action=masquerade chain=srcnat dst-address=10.100.1.0/24 src-address=10.100.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Still keyed on in-interface=ether1; for a static WAN address the rule should
# match dst-address=<WAN IP> instead so hairpin (LAN->public IP) also works.
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP2 dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=10.100.1.23 to-ports=\
    5060
add action=dst-nat chain=dstnat comment=VOIP3 dst-port=10000-20000 in-interface=ether1 protocol=udp to-addresses=10.100.1.23 \
    to-ports=10000-20000
/ip firewall service-port
# SIP ALG disabled: the VOIP server must handle NAT itself.
set sip disabled=yes sip-direct-media=no
/ip ipsec identity
add peer="County"
/ip ipsec policy
# Matches only traffic between the two tunnel endpoint addresses.
# NOTE(review): other traffic routed through gre-tunnel1 would cross it
# unencrypted -- confirm that is intended.
add dst-address=172.16.0.29/32 peer="County" proposal=CC src-address=172.16.0.30/32
/ip service
set www disabled=yes
# Binds the Winbox service to a single permitted source; note this address
# differs from the one in the filter rule above, presumably redaction.
set winbox address=206.111.111.111/32
/ppp secret
# Credential not shown in the posted export.
add name=vpn
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 9:47 pm

(2) Makes no sense, as the two are apples and oranges...........

(3) will have another look at your latest config...........

A. If it's a static IP then your dst-nat rules are indeed in the WRONG format.
They need to be like.............. taking your first rule!

add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 dst-address=staticWANIP protocol=udp to-addresses=10.100.1.23 to-ports=5060

B. Also the default masquerade rule can be modified.........
From
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
TO:
add action=src-nat chain=srcnat ipsec-policy=out,none to-addresses=staticWANIP out-interface=ether1
Last edited by anav on Tue Aug 16, 2022 10:02 pm, edited 4 times in total.
anav

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 9:58 pm

4. I already found your post on this before. This router has a public facing IP that is static, I changed the dst-nat rules to the public ip and did hairpin nat. Neither would pass the port traffic onto the server.

If you had, then your dst-nat rule would have been properly configured as per the below........not exactly hidden.

A. STATIC-FIXED WAN IP.

With the above rule in place and the CORRECT dst-nat rule for static WAN IPs in use, the router will handle both the 'normal' external incoming requests and internal server requests via the dst-nat rule.
add action=dst-nat chain=dstnat dst-address=47.123.12.89 dst-port=12566 protocol=tcp to-addresses=192.168.88.68

same same for the masquerade rules.....

b. Source Nat Rule:

case1: Dynamic WANIP add chain=srcnat action=masquerade out-interface-list=WAN { will also work for fixed/static WANIPs but not as technically correct }

case2: Fixed/Static WANIP add chain=srcnat action=src-nat out-interface=ether1 to-addresses=WANIP(static) { where out interface must be the active interface, pppoe1-out, vlan etc. }
cptjames32

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 10:04 pm

add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 dst-address=staticWANIP protocol=udp to-addresses=10.100.1.23 to-ports=5060

B. Also the default masquerade rule can be modified.........
From
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
TO:
add action=src-nat chain=srcnat ipsec-policy=out,none to-addresses=staticWANIP out-interface=ether1

First change is done.

Second change won't work unless I enter a to-address or to-port
anav

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 10:06 pm

add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 dst-address=staticWANIP protocol=udp to-addresses=10.100.1.23 to-ports=5060

B. Also the default masquerade rule can be modified.........
From
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
TO:
add action=src-nat chain=srcnat ipsec-policy=out,none to-addresses=staticWANIP out-interface=ether1

First change is done.

Second change won't work unless I enter a to-address or to-port
Correct, you need the to-address. My bad, my initial post had an error with dst-address.
cptjames32

Re: Port Forwarding refuses to work past the router

Tue Aug 16, 2022 10:07 pm




First change is done.

Second change won't work unless I enter a to-address or to-port
Correct, you need the to-address. My bad, my initial post had an error with dst-address.


perfect, I did that, with the other changes.

Still won't allow port to reach my internal server

Here is the current firewall
/ip firewall filter
# Review notes: third revision of the filter / NAT rules. The input-chain
# catch-all drop is back; the dst-nat rules now match the static WAN address.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# UDP port 50 is not ESP (ESP is IP protocol 50, protocol=ipsec-esp); 1701 is
# accepted without an ipsec-policy=in,ipsec matcher.
add action=accept chain=input dst-port=50,500,1701,4500 in-interface-list=WAN protocol=udp
# Winbox from WAN limited to a single management source address.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp src-address=206.111.111.222
# Lets dst-natted (port-forwarded) connections through the forward chain.
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# LAN list holds only the bridge, so VLAN-sourced traffic does not match here.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Catch-all for the input chain (restored from the default config); router
# services such as the recursive DNS resolver are again unreachable from WAN.
add action=drop chain=input in-interface-list=!LAN
# The comment says "drop all else" but the matchers only drop new, non-dstnat
# connections arriving from WAN; anything else not accepted above (e.g. VLAN->WAN)
# falls through to the chain's implicit accept.
add action=drop chain=forward comment="drop all else" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# dst-nat now keyed on the static WAN address, so LAN clients using the public
# address are also caught (hairpin case). The earlier TCP/5060 (VOIP2) forward
# is no longer present -- NOTE(review): confirm that was deliberate.
add action=dst-nat chain=dstnat comment=VOIP dst-address=209.111.111.111 dst-port=5060 protocol=udp to-addresses=10.100.1.23
add action=dst-nat chain=dstnat comment=VOIP3 dst-address=209.111.111.111 dst-port=10000-20000 protocol=udp to-addresses=\
    10.100.1.23
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# Hairpin NAT for the bridge LAN only; 10.100.10.0/24 (VLAN) hosts are not covered.
add action=masquerade chain=srcnat dst-address=10.100.1.0/24 src-address=10.100.1.0/24
# src-nat to the fixed WAN address (comment still says "masquerade").
add action=src-nat chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1 to-addresses=\
    209.111.111.111
/ip firewall service-port
# SIP ALG disabled: the server at 10.100.1.23 must handle NAT itself.
# NOTE(review): with both a dstnat rule and the forward accept present, a
# forward that still fails is usually outside this file -- a host firewall on
# 10.100.1.23, or its default route not pointing at 10.100.1.1.
set sip disabled=yes sip-direct-media=no
