Rebel44cz
just joined
Topic Author
Posts: 3
Joined: Wed Feb 15, 2023 3:12 am

Port forwarding suddenly stopped working  [SOLVED]

Wed Feb 15, 2023 3:21 am

Hi,

My port forwarding for the FTP server suddenly stopped working (I am not sure if there was some FW update). I checked the Firewall/NAT configuration and it looked OK to me (the local IP of my FTP server changed recently to 192.168.16.66 and so was wrong in the config, but I fixed it).

Here is my current config:
/ip firewall nat
add action=accept chain=dstnat comment="Bypass DNAT for NordicACLforMGMT" src-address-list=NordicACLforMGMT
add action=masquerade chain=srcnat comment="Masquerade outgoing traffic" out-interface=wlan1
add action=masquerade chain=srcnat comment="Masquerade MyLAN to Pinholes (via routing mark)" out-interface=ether1 routing-mark=MyExtIP src-address-list=MyLAN
add action=jump chain=dstnat comment="DNAT from WAN" in-interface=wlan1 jump-target=PinholeDNAT
add action=jump chain=dstnat comment="Externaly DNATed IP Pinholes" dst-address-list=VerejnaIP in-interface=!wlan1 jump-target=PinholeDNAT
add action=jump chain=dstnat comment="WAN IP Pinholes" dst-address-list=MyExtIP in-interface=!wlan1 jump-target=PinholeDNAT
add action=redirect chain=dstnat comment="Redirect Externaly DNATed IP" dst-address-list=VerejnaIP in-interface=!wlan1
add action=dst-nat chain=PinholeDNAT comment="DMZ example: TCP 8888 incoming traffic from Internet to PC 192.168.16.10 HTTP port" disabled=yes dst-port=8888 protocol=tcp to-addresses=192.168.16.10 to-ports=80
add action=dst-nat chain=PinholeDNAT dst-port=21 protocol=tcp to-addresses=192.168.16.66 to-ports=21
add action=dst-nat chain=PinholeDNAT dst-port=28900 protocol=tcp to-addresses=192.168.16.66
add action=dst-nat chain=PinholeDNAT dst-port=28900 protocol=udp to-addresses=192.168.16.126
add action=dst-nat chain=PinholeDNAT dst-port=27015 protocol=tcp to-addresses=192.168.16.66
add action=dst-nat chain=PinholeDNAT dst-port=27015 protocol=udp to-addresses=192.168.16.66
Can you please help me find the problem? Thanks!
Last edited by Rebel44cz on Wed Feb 15, 2023 5:14 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 2:00 pm

There is only one course of action I would take with this config........... flush it down the loo.

This rule alone is a worthy enough reason to NETINSTALL the router to ensure it has not been compromised. For all your supposed attempts (due to unsubstantiated fears) of weird security attempts, you create a huge hole in the router........... opening up the input chain directly to external IPs........
The way to do this is with a VPN tunnel (such as WireGuard):
/ip firewall filter
add action=accept chain=input comment="INPUT: Allow from NordicACLforMGMT" src-address-list=NordicACLforMGMT
/ip firewall address-list
add address=100.127.240.0/22 list=NordicACLforMGMT
add address=78.136.134.72/30 list=NordicACLforMGMT
add address=94.241.64.144/30 list=NordicACLforMGMT
add address=80.251.240.146 list=NordicACLforMGMT
add address=5.102.62.16/29 list=NordicACLforMGMT
add address=5.102.63.16/29 list=NordicACLforMGMT
add address=78.136.134.32/28 list=NordicACLforMGMT
add address=78.136.130.32 list=NordicACLforMGMT


Also have no clue what is accomplished with the weird src-nat rule and associated dst-nat rules you have going, never seen that before......... All totally unnecessary!
/ip firewall nat
add action=accept chain=dstnat comment="Bypass DNAT for NordicACLforMGMT" src-address-list=NordicACLforMGMT


Thus, netinstall a fresh new copy of the firmware you wish to use.
Then don't add any firewall rules UNLESS they specifically are for the traffic you need.
Then come back and the rules can be tweaked for any special requirements or concerns you may have.
Do not visit MT documentation, do not visit YouTube and understand each config line in the default before moving ahead.
 
Rebel44cz
just joined
Topic Author
Posts: 3
Joined: Wed Feb 15, 2023 3:12 am

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 2:49 pm

Unfortunately, this device is owned by my ISP and those parts of the configuration are for their remote access.

I have admin access to it but only for purposes of setting up my own port forwarding and until recently it has been working without problems.

Any advice/idea how to fix the port forwarding to my FTP server?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 2:58 pm

In that rat's nest good luck LOL.
The only advice I would have is DO YOU REMEMBER what the IP was before you changed it to 192.168.16.66??

Let's say it was 192.168.16.33, what I would do is go carefully through their config to see if that IP was referenced anywhere else in another rule because maybe for that traffic to flow, more than one rule was made ????

Last thought, how do you know if they made some change to their config which screws it up................. they have so many off the wall things it would be hard to find...........
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 4:21 pm

Try this:
/ip firewall filter
add action=accept chain=USERforward connection-nat-state=dstnat
 
Rebel44cz
just joined
Topic Author
Posts: 3
Joined: Wed Feb 15, 2023 3:12 am

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 5:11 pm

Try this:
/ip firewall filter
add action=accept chain=USERforward connection-nat-state=dstnat
Thank you! It is working again.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 9:29 pm

Makes no sense, why was it working before, if that rule was not there...................
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 10:08 pm

The config in the first post somehow got shorter and is useless for seeing the problem, but the original version had this:
/ip firewall filter
add action=jump chain=forward comment="USER FORWARD CHAIN" jump-target=USERforward
...
add action=accept chain=USERforward dst-address=192.168.16.126 out-interface=ether1
So if the server originally had 192.168.16.126, this rule allowed all access to it (not just dstnat). The new rule will automatically allow all forwarded ports to any address. Which is fine, because if you forward some port, you probably want it to work.
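
The failure Sob describes above, turned into a check (an added example, not part of the original posts): this Python sketch parses a RouterOS export and lists dst-nat targets that no accept rule in /ip firewall filter would let through. The sample export is constructed from rules quoted in this thread; the function names are hypothetical, and the check ignores chain order and interface matchers and assumes unmatched forwarded traffic is dropped.

```python
import ipaddress
import shlex

# Constructed sample: rules quoted in this thread, arranged as a RouterOS export.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=jump chain=forward comment="USER FORWARD CHAIN" jump-target=USERforward
add action=accept chain=USERforward dst-address=192.168.16.126 out-interface=ether1
/ip firewall nat
add action=dst-nat chain=PinholeDNAT dst-port=21 protocol=tcp to-addresses=192.168.16.66 to-ports=21
add action=dst-nat chain=PinholeDNAT dst-port=28900 protocol=udp to-addresses=192.168.16.126
"""
# Same export with the rule suggested in the thread appended.
FIXED_EXPORT = SAMPLE_EXPORT + (
    "/ip firewall filter\n"
    "add action=accept chain=USERforward connection-nat-state=dstnat\n"
)

def parse_export(text):
    """Return {menu: [rule dict, ...]} for every 'add' line in the export."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def rule_covers(rule, target):
    """True if an enabled accept rule would pass a connection DNATed to target."""
    if rule.get("action") != "accept" or rule.get("disabled") == "yes":
        return False
    if rule.get("connection-nat-state") == "dstnat":
        return True
    try:
        return target in ipaddress.ip_network(rule.get("dst-address", ""), strict=False)
    except ValueError:  # no dst-address, or a range/negated form this sketch skips
        return False

def uncovered_forwards(text):
    """List (protocol, dst-port, to-address) of dst-nat rules no accept rule covers."""
    menus = parse_export(text)
    accepts = menus.get("/ip firewall filter", [])
    missing = []
    for nat in menus.get("/ip firewall nat", []):
        if nat.get("action") != "dst-nat" or nat.get("disabled") == "yes":
            continue
        target = ipaddress.ip_address(nat["to-addresses"])
        if not any(rule_covers(r, target) for r in accepts):
            missing.append((nat.get("protocol"), nat.get("dst-port"), str(target)))
    return missing
```

On the sample, only the FTP forward to 192.168.16.66 is reported; with the connection-nat-state=dstnat rule present, nothing is.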
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding suddenly stopped working

Wed Feb 15, 2023 11:32 pm

Right, so my assumption about the target server IP being in more than one location was not a bad assumption.. Makes sense now.............
You, my friend, are a big security risk opening up all that port forwarding ;-PPPPPP
