smd145
just joined
Topic Author
Posts: 2
Joined: Sun Jan 09, 2022 6:34 am

RB750Gr3 - Struggling with port forwarding

Sun Jan 09, 2022 6:52 am

Hey everyone,

I just got an RB750Gr3 to replace my ISP router. I have looked through the tutorials on YouTube, the MikroTik wiki, and this forum to see how to set it up the way I wanted. Things are pretty smooth until it comes to port forwarding. I am trying to open ports 80 and 443 so that I can access my Raspberry Pi web server from outside my network.

It is very weird that I can access the web server through the URL without any problems, both inside the network and outside the network (using mobile data). But when I try to verify using certbot, there is always a connection problem. I also used a port checker service like canyouseeme.org and it shows that port 80 is open 50% of the time (first click open, second click timed out, etc.).

Could anyone give my config a quick look to see if I made any mistakes at all? Thank you for your time.

Note: I have manually removed some sensitive information from the config.

/interface bridge
add add-dhcp-option82=yes admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no \
    dhcp-snooping=yes igmp-snooping=yes name=bridge
	
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe
set [ find default-name=ether2 ] name=ether2-switch
set [ find default-name=ether3 ] name=ether3-eap
set [ find default-name=ether4 ] name=ether4-camera
set [ find default-name=ether5 ] name=ether5-spare

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-pppoe name=pppoe-c1 \
    use-peer-dns=yes user=abcxyz
	
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-vpn

/interface vlan
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-vpn vlan-id=11
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30

/interface ethernet switch
set 0 name=switch

/interface list
add name=WAN
add name=LAN
add name=MGNT

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool-bridge ranges=10.0.0.2-10.0.0.254
add name=pool-vlan10 ranges=10.0.10.2-10.0.10.254
add name=pool-vlan11 ranges=10.0.11.2-10.0.11.254
add name=pool-vlan20 ranges=10.0.20.2-10.0.20.254
add name=pool-vlan30 ranges=10.0.30.2-10.0.30.254

/ip dhcp-server
add address-pool=pool-vlan10 interface=vlan10-private lease-time=2h name=\
    dhcp-vlan10
add address-pool=pool-vlan11 interface=vlan11-vpn lease-time=2h name=\
    dhcp-vlan11
add address-pool=pool-vlan20 interface=vlan20-iot lease-time=2h name=\
    dhcp-vlan20
add address-pool=pool-vlan30 interface=vlan30-guest lease-time=2h name=\
    dhcp-vlan30
add address-pool=pool-bridge interface=bridge lease-time=2h name=dhcp-bridge

/port
set 0 name=serial0

/routing table
add disabled=no fib name=to-vpn

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-switch
add bridge=bridge comment=defconf interface=ether3-eap
add bridge=bridge comment=defconf interface=ether4-camera
add bridge=bridge comment=defconf interface=ether5-spare

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes

/interface list member
add interface=pppoe-c1 list=WAN
add interface=vlan10-private list=LAN
add interface=vlan11-vpn list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan10-private list=MGNT
add interface=bridge list=MGNT
add interface=bridge list=LAN
add interface=vlan11-vpn list=MGNT

/interface wireguard peers
# A valid wireguard peer here
	
/ip address
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.11.1/24 interface=vlan11-vpn network=10.0.11.0
add address=10.0.20.1/24 interface=vlan20-iot network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-guest network=10.0.30.0
add address=10.5.0.2/24 interface=wg-vpn network=10.5.0.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=5m

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=10.0.0.2,1.1.1.1,1.0.0.1 gateway=\
    10.0.10.1
add address=10.0.11.0/24 dns-server=10.0.0.2,1.1.1.1,1.0.0.1 gateway=\
    10.0.11.1
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.30.1

/ip dns
set allow-remote-requests=yes cache-size=64KiB servers=1.1.1.1,1.0.0.1

/ip firewall address-list
add address=10.0.0.2 list=DNS
add address=10.0.0.0/16 list=LAN_IP
add address=abcxyz.sn.mynetname.net list=WAN_IP
# add VN_IPs here

/ip firewall filter
add action=drop chain=input comment="Input: Drop non-SYN TCP" \
    connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=input comment="Input: Accept established, related" \
    connection-state=established,related
add action=drop chain=input comment="Input: Drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Input: Accept ICMP" protocol=icmp
add action=accept chain=input comment="Input: Accept MGNT to Router" \
    in-interface-list=MGNT
add action=drop chain=input comment="Input: Drop All Else"
add action=drop chain=forward comment="Forward: Drop non-SYN TCP" \
    connection-state=new protocol=tcp tcp-flags=!syn
add action=fasttrack-connection chain=forward comment=\
    "Forward: Fasttrack established, related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward: Accept established, related" connection-state=\
    established,related
add action=drop chain=forward comment="Forward: Drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Forward: Allow bridge to everywhere" \
    in-interface=bridge
add action=accept chain=forward comment="Forward: Allow vlan10 to everywhere" \
    in-interface=vlan10-private
add action=accept chain=forward comment="Forward: Allow vlan11 to everywhere" \
    in-interface=vlan11-vpn
add action=accept chain=forward comment="Forward: Allow vlan20 to WAN" \
    in-interface=vlan20-iot out-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop vlan20 to anywhere else" \
    in-interface=vlan20-iot out-interface-list=!WAN
add action=accept chain=forward comment="Forward: Allow vlan30 to WAN" \
    in-interface=vlan30-guest out-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop vlan30 to anywhere else" \
    in-interface=vlan30-guest out-interface-list=!WAN
add action=accept chain=forward comment="Forward: Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop all else"

/ip firewall mangle
add action=jump chain=prerouting comment=\
    "Route traffic from VLAN 11 to VPN (except local IPs)" dst-address-list=\
    !LAN_IP in-interface=vlan11-vpn jump-target=vpn-chain
add action=mark-routing chain=vpn-chain comment=\
    "Route traffic from VLAN 11 to VPN (except VN IPs)" dst-address-list=\
    !VN_IPs in-interface=vlan11-vpn new-routing-mark=to-vpn passthrough=no
	
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=\
    LAN_IP src-address-list=LAN_IP
add action=masquerade chain=srcnat comment="VNPT Internet connection" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Wireguard VPN connection" \
    out-interface=wg-vpn
add action=dst-nat chain=dstnat comment=\
    "PF: Web | IP: 10.0.0.2 | From: 80 | To: 80 | TCP" dst-address-list=\
    WAN_IP dst-port=80 protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "PF: Web | IP: 10.0.0.2 | From: 443 | To: 443 | TCP" dst-address-list=\
    WAN_IP dst-port=443 protocol=tcp to-addresses=10.0.0.2 to-ports=443

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg-vpn routing-table=to-vpn \
    suppress-hw-offload=no
	
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Asia/Ho_Chi_Minh

/tool bandwidth-server
set enabled=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: RB750Gr3 - Struggling with port forwarding

Sun Jan 09, 2022 9:38 am

 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Sun Jan 09, 2022 4:41 pm

First, when setting up the rules, the ports will appear open upon external testing.
If you use a source address or source address list in the dst nat rule, they will not appear on scans....

You should always limit external access when possible.
If you can, use dyndns services so that you can put those in your firewall address list for external sources if external users don't have static IP addresses.

Will look at the config.....

(1) Why use port forwarding, which is basically insecure access to the subnets on the router, WHEN YOU HAVE WIREGUARD???
You should tunnel into the router and access your resources on the LAN that way!!

(2) Why give the bridge an address (it makes it unclean)? Whatever subnet it's carrying, move it to a vlan so it's all apples and apples........

(3) Probably not required for interface list members, but it won't do any harm and is not untrue...........
/interface list member
add interface=pppoe-c1 list=WAN
add interface=ether1-pppoe list=WAN
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Sun Jan 09, 2022 5:03 pm

(4) These drop rules are not required as you have a drop all else rule at the end of the chain.............

add action=drop chain=forward comment="Forward: Drop vlan20 to anywhere else" \
in-interface=vlan20-iot out-interface-list=!WAN
add action=drop chain=forward comment="Forward: Drop vlan30 to anywhere else" \
in-interface=vlan30-guest out-interface-list=!WAN

(5) Your vlans 10, 11 and bridge serve no purpose being separated; they can go anywhere and see everything.......... It should all be vlan10 or vlan11, for example.

And if you still wanted to keep such a silly setup, then at least be efficient.
/interface list
add name=EVERYTHING
/interface list member
add interface=vlan10-private list=EVERYTHING
add interface=vlan11-vpn list=EVERYTHING
add interface=bridge list=EVERYTHING

So then have one rule instead of three.... (just to make the point)
/ip firewall filter
add chain=forward action=accept in-interface-list=EVERYTHING

(6) WHY are you mangling for VPN wireguard? Typically not required.
What is the purpose here??

(7) This is meaningless without the associated firewall address list actually identified.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=\
LAN_IP src-address-list=LAN_IP

(8) NOT required.
add action=masquerade chain=srcnat comment="Wireguard VPN connection" \
out-interface=wg-vpn

(9) The way to ensure incoming wireguard traffic goes out to the router is normally to ensure it's part of the LAN interface group so that firewall rules apply; however, you don't use a standard approach, so in this case you will need a separate rule to permit wan access.
/ip firewall filter
add chain=forward action=accept in-interface=wg-vpn out-interface-list=WAN

(10) Since you have an IP address assigned to the wg-vpn interface, return traffic from the internet or router subnets will go back to the clients through the tunnel.

(11) DST nat rules seem fine.
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 80 | To: 80 | TCP" dst-address-list=\
WAN_IP dst-port=80 protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 443 | To: 443 | TCP" dst-address-list=\
WAN_IP dst-port=443 protocol=tcp to-addresses=10.0.0.2 to-ports=443
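To make point (4) concrete against the config posted at the top of the thread, here is an added example (my own code, not from the thread or from RouterOS) that walks the posted forward chain rule by rule and reports which drop rules the final "Drop all else" already covers. The packet keys in, out, conn_state, nat_state and syn are my assumptions; it models only the matchers those rules actually use.

```python
"""Walk the posted RB750Gr3 forward chain. Packet dicts use the assumed keys
in, out, conn_state, nat_state and syn; all samples are TCP."""

# Interface lists as posted (WAN = pppoe-c1, LAN = bridge plus the VLANs).
LISTS = {
    "WAN": {"pppoe-c1"},
    "LAN": {"bridge", "vlan10-private", "vlan11-vpn", "vlan20-iot", "vlan30-guest"},
}
# Forward chain in posted order; the fasttrack rule is folded into the accept after it.
FORWARD = [
    ("drop", {"connection-state": "new", "tcp-flags": "!syn"}, "Drop non-SYN TCP"),
    ("accept", {"connection-state": "established,related"}, "Accept established, related"),
    ("drop", {"connection-state": "invalid"}, "Drop invalid"),
    ("accept", {"in-interface": "bridge"}, "Allow bridge to everywhere"),
    ("accept", {"in-interface": "vlan10-private"}, "Allow vlan10 to everywhere"),
    ("accept", {"in-interface": "vlan11-vpn"}, "Allow vlan11 to everywhere"),
    ("accept", {"in-interface": "vlan20-iot", "out-interface-list": "WAN"}, "Allow vlan20 to WAN"),
    ("drop", {"in-interface": "vlan20-iot", "out-interface-list": "!WAN"}, "Drop vlan20 to anywhere else"),
    ("accept", {"in-interface": "vlan30-guest", "out-interface-list": "WAN"}, "Allow vlan30 to WAN"),
    ("drop", {"in-interface": "vlan30-guest", "out-interface-list": "!WAN"}, "Drop vlan30 to anywhere else"),
    ("accept", {"connection-nat-state": "dstnat", "connection-state": "new",
                "in-interface-list": "WAN"}, "Allow Port Forwarding"),
    ("drop", {}, "Drop all else"),
]
MATCHERS = {
    "connection-state": lambda p, v: p["conn_state"] in v.split(","),
    "connection-nat-state": lambda p, v: p.get("nat_state") == v,
    "in-interface": lambda p, v: p["in"] == v,
    "in-interface-list": lambda p, v: p["in"] in LISTS[v],
    "out-interface-list": lambda p, v: p["out"] in LISTS[v],
    "tcp-flags": lambda p, v: bool(p.get("syn", True)),  # only the syn flag is modelled
}

def _matches(key, want, pkt):
    """Evaluate one matcher; a leading '!' inverts it, as in RouterOS."""
    return MATCHERS[key](pkt, want.lstrip("!")) != want.startswith("!")

def walk(pkt, chain=FORWARD):
    """Return (action, comment) of the first rule the packet matches."""
    for action, matchers, comment in chain:
        if all(_matches(k, v, pkt) for k, v in matchers.items()):
            return action, comment
    return "accept", "end of chain"  # RouterOS accepts when no rule matches

def redundant_drops(chain=FORWARD):
    """Drop rules before the final one whose removal changes no verdict over
    every interface pair, connection state, NAT state and SYN flag."""
    ifaces = sorted(set().union(*LISTS.values()))
    space = [{"in": i, "out": o, "conn_state": s, "nat_state": n, "syn": f}
             for i in ifaces for o in ifaces
             for s in ("new", "established", "related", "invalid")
             for n in (None, "dstnat") for f in (True, False)]
    found = []
    for idx, rule in enumerate(chain[:-1]):
        if rule[0] == "drop":
            trimmed = chain[:idx] + chain[idx + 1:]
            if all(walk(p, chain)[0] == walk(p, trimmed)[0] for p in space):
                found.append(rule[2])
    return found
```

Running `redundant_drops()` names exactly the two "to anywhere else" drops, while `walk()` on a new, dst-natted TCP SYN arriving on pppoe-c1 lands on "Allow Port Forwarding".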
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Sun Jan 09, 2022 5:05 pm

Finally, let's get back to this bridge thing........
Which port is the server ON?
Which ports are the vlans on?
Which ports are trunk ports or access ports?

Have a read here to get some bearings and to fill in the missing entities: interface bridge vlans, interface bridge ports and of course turning vlan bridge filtering on.
viewtopic.php?t=143620
 
smd145
just joined
Topic Author
Posts: 2
Joined: Sun Jan 09, 2022 6:34 am

Re: RB750Gr3 - Struggling with port forwarding

Mon Jan 10, 2022 7:38 pm

Thank you for your time and your valuable insight @anav. To answer your questions:

(1) Why use port forwarding, which is basically insecure access to the subnets on the router, WHEN YOU HAVE WIREGUARD???
I do have a wireguard server running inside my network, but I also need to host a small web server that is public facing, which requires only ports 80 and 443 to be opened.

(2) Why give the bridge an address (it makes it unclean)? Whatever subnet it's carrying, move it to a vlan so it's all apples and apples........
This is what I don't like about my setup. I am kinda struggling with assigning VLANs to ports. There is a case where a port needs to have VLAN10 (because it's connected to an unmanaged switch), while all traffic going through that port can be any VLAN at all (there is an AP connected to that port). I think this is called VLAN trunking, but I am still learning and will improve it once I understand the concept.

(3) Probably not required for interface list members, but it won't do any harm and is not untrue...........
Makes sense to me -> added

(4) These drop rules are not required as you have a drop all else rule at the end of the chain.............
My mistake. Thank you for pointing it out.

(5) Your vlans 10, 11 and bridge serve no purpose being separated; they can go anywhere and see everything.......... It should all be vlan10 or vlan11, for example.
(6) WHY are you mangling for VPN wireguard? Typically not required.
In here, traffic going into VLAN11 will be routed through the wireguard interface. That's for my VPN-ed wifi thing. The mangle rules are for conditional VPN routing. If the destination IP is in a list I specified (for example, the local network), then it won't be forwarded through the VPN, so I still have local access.

(7) This is meaningless without the associated firewall address list actually identified.
I actually have the LAN_IP list defined, and it includes 10.0.0.0/16 (because my network is 10.0.xx.xx). Probably I mistakenly deleted it while anonymizing the command list.

(8) NOT required.
I tried removing it and the VPN connection stopped working.

(9) The way to ensure incoming wireguard traffic goes out to the router is normally to ensure it's part of the LAN interface group so that firewall rules apply; however, you don't use a standard approach, so in this case you will need a separate rule to permit wan access.
I am sorry but I don't understand what you are implying here. Please pardon me for this as I am trying to understand it.

Which port is the server ON?
Which ports are the vlans on?
Which ports are trunk ports or access ports?
Thank you for the link. I will have a look at it and improve my settings when I have some time.
To answer your questions here: the server is connected to an unmanaged switch, which is then connected to port ether2. I believe the server is then on the "bridge" interface and gets an IP in the 10.0.0.0/24 range.
A quick summary:
- Port ether1 is the PPPoE incoming connection from the ISP
- Port ether2 is connected to an unmanaged switch, which requires all VLANs to go through. It currently has no VLANs at all, but I am aiming to move it to VLAN 10
- Port ether3 is connected to the wifi access point; it's in the same situation as port 2
- Port ether4 is the camera DVR. It has no VLAN now, but I am planning to move it to VLAN 10
- Port ether5 is a spare one that has no VLAN on it

I hope this reply clears my situation up a little bit. Please understand that I am quite new to this world of MikroTik routers. Once again, thank you so much for spending your time helping me.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Mon Jan 10, 2022 8:41 pm

So it appears there is need for only one vlan? vlan10? What about other subnets...........
Read the below and perhaps it will become clearer!

Same basic points to consider.
a. An unmanaged switch cannot handle vlans (it can only handle one vlan, and by that I mean traffic coming from it can be tagged by a smart device such as your router, which untags the packets on the return path (like from the internet) before they reach the switch, as it cannot read tags).
Conclusion: we can associate an unmanaged switch and everything behind it with only one vlan.

b. An access point needs to be vlan capable to handle vlans; otherwise consider it just like a dumb switch.
Which Access Point do you have??

The idea of vlans is that when you run out of ports what to do?
The answer is send multiple subnets down a single port. However this implies you have a smart device (either managed switch or smart access point) at the other end of the vlan.

If you have four ports available on the router and a five port unmanaged switch, what you have is:
Subnet A can hit four devices (thru ether2 to unmanaged switch)
Subnet B can hit one device (thru ether3)
Subnet C can hit one device (thru ether4)
Subnet D can hit one device (thru ether5)

So far no need for vlans.
As soon as you have a need for subnet E, then you need vlans.
As soon as you have one more device/user that needs any subnet, you need either
A. to start using vlans and a managed switch
OR
B. another un-managed switch attached to one of the existing subnets.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Mon Jan 10, 2022 8:43 pm

Is the public-facing server for a select, known group of users whose static public IP you can get, or whose public IP you can get via a free dyndns service?
How is the entry on port 80 protected encryption wise? Login?
Just trying to wrap my head around the best security protection.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 - Struggling with port forwarding

Mon Jan 10, 2022 8:45 pm

This I had no clue how to understand.

In here, traffic going into VLAN11 will be routed through the wireguard interface. That's for my VPN-ed wifi thing. The mangle rules are for conditional VPN routing. If the destination IP is in a list I specified (for example, the local network), then it won't be forwarded through the VPN, so I still have local access.

Is VLAN11 for local users going out the wireguard tunnel, and if so to where?
OR
Is it for incoming remote users, and if so going where??
