Levonhard
just joined
Topic Author
Posts: 3
Joined: Wed Dec 22, 2021 12:39 pm

Port Forwarding impossible

Wed Dec 22, 2021 1:36 pm

Greetings!
I am essentially parallel with networking, but I would like to forward some ports (UDP 8766 and 16261, TCP 16262 - 16272).
I have watched almost every tutorial on YouTube relating to this, but so far the ports remain closed as shown by https://www.yougetsignal.com/tools/open-ports/
I own a MikroTik RouterBOARD 951Ui-2HnD.

I stumbled upon this forum and found that other people had a similar problem and their issues were resolved, so I brought my questions here.
I'll be posting this image of one of my forwarding attempts and my configs. If you can guide me on how to post the configs in text, or if you require it, I will happily do so.
My IPv4 is what I get when I type ipconfig in the Windows cmd.
My external IP is the IP I get from https://whatismyipaddress.com

You would have my eternal gratitude!
/interface bridge
add admin-mac=E4:8D:8C:C8:84:9C auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=\
    pppoe-out1 use-peer-dns=yes user=MS245850734
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 \
    mode=ap-bridge ssid="Dwarf Fortress" wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:0:d8:61:1a:42:e6 mac-address=\
    00:D8:61:1A:42:E6 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-address=86.120.238.83 dst-port=8766 \
    in-interface=bridge-local protocol=udp to-addresses=192.168.88.254 \
    to-ports=8766
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-external-ip=100.120.63.154 interface=pppoe-out1 type=external
add interface=bridge-local type=internal
/system clock
set time-zone-name=Europe/Bucharest
/system leds
set 5 interface=wlan1
/system note
set note="I closed the vulnerability with a firewall. Please update RouterOS. \
    You can say thanks on the WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawi\
    MLC1bUGDZWHowix1"
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add disabled=no
[image: screenshot of one of the forwarding attempts]
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding impossible

Fri Dec 24, 2021 7:19 pm

It is normal for ports to appear closed on a scan when configured on a MT.
If you put in a source address or list on the DST nat rule, the port should not even be visible on a scan (nice bonus).

How old is your firmware? "master" is a term not used for a while now???

/ip neighbor discovery
set ether1-gateway discover=no

Try putting that to LAN at least for now and yes.

Your firewall rules are a touch lacking.......
Would modify to this.........
/ip firewall filter
add chain=input action=accept comment="default configuration" connection-state=\
established,related,untracked
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add chain=input action=accept comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="default configuration" \
connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
established,related,untracked
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Why is UPNP enabled??

Did you put in this system note??????
/system note
set note="I closed the vulnerability with a firewall. Please update RouterOS. \
You can say thanks on the WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawi\
MLC1bUGDZWHowix1"



Based on that comment,
THE ONLY THING you should be thinking of doing is NETINSTALL with a new firmware and forget anything on this router config, TIS hacked!!!
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Port Forwarding impossible

Fri Dec 24, 2021 8:06 pm

Whoops...
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Port Forwarding impossible

Fri Dec 24, 2021 8:16 pm

Yes you need to fix the security of that device. You must be running an absolutely ancient RouterOS version given that configuration. You should netinstall to a more modern version and do a factory reset.

Besides that, the problem is that you have in-interface for your port forward rule set to bridge-local, which is telling the router that you only want to port forward traffic coming from your internal network to that IP and port, and not to port forward traffic coming from the internet.
Last edited by mducharme on Fri Dec 24, 2021 8:25 pm, edited 1 time in total.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port Forwarding impossible

Fri Dec 24, 2021 8:20 pm

/system note
set note="I closed the vulnerability with a firewall. Please update RouterOS. \
    You can say thanks on the WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawi\
    MLC1bUGDZWHowix1"
You should consider your device compromised and use netinstall to reset the config and update to the latest stable version at least. The problem was your firewall rules are using in-interface=ether1 instead of in-interface=pppoe-out1.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding impossible

Fri Dec 24, 2021 8:32 pm

You don't seem to be very good at masking addresses. Anyway, if the online service shows 86.x.x.x as your address, but the router has 100.120.63.154 on its WAN interface, then bad news: you don't have a public address. And a public address is a requirement for port forwarding. There's a chance that the ISP could be forwarding ports to your non-public 100.120.63.154, but probably not very high, since it's CGNAT. You can try a dstnat rule that's not completely wrong and see if it helps:
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=8766 action=dst-nat to-addresses=192.168.88.254
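The in-interface point mducharme raised and the corrected rule Sob posted, modelled as an added example (this is not code from the thread or from MikroTik): a small parser for RouterOS `add key=value ...` export lines and a toy dstnat matcher that covers only the matchers used in this thread. The interface-list membership, the sample packets and the WAN address on the packet are constructed assumptions; the two rules are the ones quoted above.

```python
# Added example (not the thread's or MikroTik's code): a toy model of how a
# RouterOS dstnat rule is matched, enough to show why in-interface=bridge-local
# never sees a packet that arrives on pppoe-out1. Interface-list membership and
# the sample packets below are constructed assumptions.
import shlex

# Assumed interface lists, modelled on the post-netinstall export in the thread.
INTERFACE_LISTS = {
    "WAN": {"ether1", "pppoe-out1"},
    "LAN": {"bridge", "bridge-local"},
}


def parse_rule(text: str) -> dict:
    """Turn one RouterOS export line ('add key=value ...', with optional
    backslash-newline continuations) into a dict of its key=value pairs."""
    tokens = shlex.split(text.replace("\\\n", " "))
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a RouterOS 'add ...' line")
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def port_in(port: int, spec: str) -> bool:
    """dst-port accepts a single port, a comma list, or a lo-hi range."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Every matcher present on the rule must hold; a matcher that is absent
    matches anything (RouterOS semantics for omitted properties)."""
    iface = pkt["in_interface"]
    if "in-interface" in rule and rule["in-interface"] != iface:
        return False
    if "in-interface-list" in rule:
        name = rule["in-interface-list"]
        negated = name.startswith("!")
        member = iface in INTERFACE_LISTS.get(name.lstrip("!"), set())
        if member == negated:  # member of a negated list, or non-member of a plain one
            return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-address" in rule and rule["dst-address"] != pkt["dst_address"]:
        return False
    if "dst-port" in rule and not port_in(pkt["dst_port"], rule["dst-port"]):
        return False
    return True


def apply_dstnat(rules, pkt):
    """Return (to-address, to-port) from the first matching dst-nat rule, or
    None when nothing matches and the packet stays addressed to the router."""
    for rule in rules:
        if rule.get("action") == "dst-nat" and rule_matches(rule, pkt):
            to_port = rule.get("to-ports")
            return rule["to-addresses"], (int(to_port) if to_port else pkt["dst_port"])
    return None


# The rule from the original post and the corrected one Sob suggested.
ORIGINAL_RULE = parse_rule(
    "add action=dst-nat chain=dstnat dst-address=86.120.238.83 dst-port=8766 \\\n"
    "    in-interface=bridge-local protocol=udp to-addresses=192.168.88.254 \\\n"
    "    to-ports=8766"
)
CORRECTED_RULE = parse_rule(
    "add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=8766 "
    "action=dst-nat to-addresses=192.168.88.254"
)

# Constructed packets. The Internet-side one carries the address the router
# actually holds on pppoe-out1 (100.120.63.154 in the thread), not the 86.x
# address the online service reported.
FROM_INTERNET = {"in_interface": "pppoe-out1", "protocol": "udp",
                 "dst_address": "100.120.63.154", "dst_port": 8766}
FROM_LAN = {"in_interface": "bridge-local", "protocol": "udp",
            "dst_address": "86.120.238.83", "dst_port": 8766}


if __name__ == "__main__":
    for label, pkt in (("internet", FROM_INTERNET), ("lan", FROM_LAN)):
        print(label, "original:", apply_dstnat([ORIGINAL_RULE], pkt),
              "corrected:", apply_dstnat([CORRECTED_RULE], pkt))
```

Run as-is, the original rule only translates the packet that comes in from the LAN side (a hairpin), while the Internet-side packet falls through untouched; the corrected rule does the opposite. The same matcher also supports the `in-interface-list=WAN` form the post-netinstall config uses, including the `!LAN` negation.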
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Port Forwarding impossible

Fri Dec 24, 2021 8:35 pm

First netinstall before considering anything else...
 
Levonhard
just joined
Topic Author
Posts: 3
Joined: Wed Dec 22, 2021 12:39 pm

Re: Port Forwarding impossible

Sat Dec 25, 2021 10:18 am

Yeah, my firmware was old, and since you replied I ran a NETINSTALL and upgraded to OS 7.1.1.
After the install I pasted what you wrote regarding discovery and firewall in the terminal. I pasted twice, above and below ++++++
My UPNP was enabled because I saw a YouTube video showing me the "proper way" to open ports.
No... I didn't put in the system note XD. It just popped up every time I went into WinBox and I just thought it was doing its job. Now after netinstall it doesn't show up anymore. Thank you for the guidance and warning.
# dec/25/2021 09:55:25 by RouterOS 7.1.1
# software id = PNJM-B23Q
#
# model = 951Ui-2HnD
# serial number = 62810596DAFF
/interface bridge
add admin-mac=E4:8D:8C:C8:84:9C auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=romania disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid="Dwarf Fortress" wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=MS245850734
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    in-interface-list=LAN
add chain=forward comment="default configuration" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8766 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.254 to-ports=8766
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Regarding the ports, they still show up as closed after tinkering with settings you guys provided. I feel like this router is trolling me...
The purpose for these ports was so that i could host a dedicated Project Zomboid server. Maybe I'm missing something....
[image: screenshot of the port check still showing the ports closed]
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding impossible

Sat Dec 25, 2021 7:46 pm

I'll quote myself from another similar thread:
@anav: One suggestion, to save time and energy: every time there's a "my port forwarding doesn't work", start with four questions:

1) Do you know what a public address is?
2) Are you sure?
3) Do you have a public address?
4) Are you sure?

If you get 4 x YES, then the next step is to add (as the first rule):
/ip firewall mangle
add chain=prerouting in-interface=<WAN> connection-state=new action=log log-prefix=INCOMING
and try some online port tester and any port. Possible outcomes:

a) Something gets logged with every test. You can continue with debugging, check config, look for mistakes, ...
b) Nothing gets logged, so the user was wrong with at least some of the YESes. You can direct them to the ISP's router/modem (if they have access), tell them to ask the ISP about a public address, ...
 
Levonhard
just joined
Topic Author
Posts: 3
Joined: Wed Dec 22, 2021 12:39 pm

Re: Port Forwarding impossible

Sun Dec 26, 2021 10:56 am

I'll quote myself from another similar thread:
@anav: One suggestion, to save time and energy: every time there's a "my port forwarding doesn't work", start with four questions:

1) Do you know what a public address is?
2) Are you sure?
3) Do you have a public address?
4) Are you sure?

If you get 4 x YES, then the next step is to add (as the first rule):
/ip firewall mangle
add chain=prerouting in-interface=<WAN> connection-state=new action=log log-prefix=INCOMING
and try some online port tester and any port. Possible outcomes:

a) Something gets logged with every test. You can continue with debugging, check config, look for mistakes, ...
b) Nothing gets logged, so the user was wrong with at least some of the YESes. You can direct them to the ISP's router/modem (if they have access), tell them to ask the ISP about a public address, ...
1. yes
2. yes
3. yes
4. yes

Added the mangle rule too, no luck :/
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Port Forwarding impossible

Sun Dec 26, 2021 11:33 am

Are you sure there is nothing in between outside world and your Tik which needs to be configured to forward that port to your Tik ?
Something from ISP ?
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port Forwarding impossible

Sun Dec 26, 2021 11:57 am

Your initial screenshot revealed a PPPoE IP address of 100.x.x.x.
I think you are behind CGNAT (= Carrier Grade NAT), therefore you will never be able to "open" ports from the outside world and host services.

The 100.x.x.x range is often used in CGNAT scenarios.
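Sob's observation (100.120.63.154 on the router's WAN interface while the online service reports 86.x.x.x) and jvanhambelgium's CGNAT remark, as an added example that is not part of the thread: classify the WAN address against RFC 6598 shared address space and RFC 1918 and compare it with the externally observed address, which is the check to do before adding any mangle or dstnat rule. The verdict names and `port_forward_prognosis` are my own; the addresses used are the ones quoted in the thread.

```python
# Added example (not from the thread): classify a router's WAN address and
# compare it with the address an online "what is my IP" service reports. The
# verdict names are my own; the addresses in __main__ are quoted from the thread.
import ipaddress

# RFC 6598 shared address space: the range ISPs hand out behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918: a WAN address in here means another NAT device sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """'public', 'cgnat', 'private' or 'special' (loopback, link-local, docs...)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    if not ip.is_global:
        return "special"
    return "public"


def port_forward_prognosis(wan_addr: str, external_addr: str) -> str:
    """Answer Sob's four questions from the two addresses a user can read off:
    the one on the router's WAN/PPPoE interface and the one the Internet sees."""
    wan = ipaddress.ip_address(wan_addr)
    seen = ipaddress.ip_address(external_addr)
    kind = classify(wan_addr)
    if kind in ("cgnat", "private"):
        # The ISP (or an upstream box) owns the public address; a dstnat rule on
        # this router cannot be reached until that device forwards the port.
        return "upstream_nat"
    if kind == "special":
        return "not_routable"
    if wan == seen:
        return "router_has_public_ip"   # next step: debug dstnat and filter rules
    return "mismatch"                   # public on WAN, yet the world sees another address


EXPLANATION = {
    "upstream_nat": "WAN address is not public; forwarding on this router alone cannot work",
    "router_has_public_ip": "router holds the public address; check dstnat/filter rules next",
    "mismatch": "WAN address is public but differs from what the world sees; look for another NAT hop",
    "not_routable": "WAN address is loopback/link-local/reserved; the interface is not online",
}


if __name__ == "__main__":
    # The thread's case: 100.120.63.154 on pppoe-out1, 86.120.238.83 reported externally.
    verdict = port_forward_prognosis("100.120.63.154", "86.120.238.83")
    print(verdict, "-", EXPLANATION[verdict])
```

For the thread's pair of addresses the verdict is `upstream_nat`: the router never holds the address the Internet sees, so no dstnat or filter rule on it can change what an online port checker reports, which matches the empty mangle log the OP saw.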
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Port Forwarding impossible

Sun Dec 26, 2021 12:04 pm

Reverse VPN then.
You will need some other device with a publicly reachable IP (dynamic or static).
