IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Unable to Access Port for Specific IP

Thu Mar 24, 2022 3:25 pm

Hi all,

ISSUE
I'm unable to access a port (5555) of a specific IP that I can successfully ping

Details
  • The IP is the IP of a dynamic dns host name that resolves to my local server (192.168.x.x) to support a service that's running there on port 5555
  • I can successfully ping the IP of the dynamic dns host name (ping ip_of_dynamic_dns)
  • hEX Router
  • RouterOS v6.48.1 (stable)

Error trying to access the service via the IP of a dynamic dns host name (https://ip_of_dynamic_dns):
  • "ERR_CONNECTION_REFUSED" - Chrome/Brave
  • "RESOURCE_NOT_FOUND" - IE (I believe this is a HTTP Status 404)

What I've tried
(attached screenshots: Router.jpg, RouterRule.jpg)
  • Firewall - I've completely turned it off (I also tried adding inbound and outbound rules (Windows 10))
(attached screenshots: FirewallIn.jpg, FirewallOut.jpg)
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: Unable to Access Port for Specific IP

Tue Mar 29, 2022 11:46 am

Hi all,

ISSUE
I'm unable to access a port (5555) of a specific IP that I can successfully ping

Details
  • The IP is the IP of a dynamic dns host name that resolves to my local server (192.168.x.x) to support a service that's running there on port 5555
How does dynamic dns resolve to your private IP?

If you are using the mikrotik cloud service (dynamic dns) then it will resolve to the public IP you have at the moment... now you have to pass (dst-nat) the traffic from the internet to the specific port on your public (dynamic) IP - to some IP on your private network
Something like...
add action=dst-nat chain=dstnat comment=MyServer dst-port=5555 in-interface=InInterfaceName protocol=tcp to-addresses=192.168.x.x to-ports=5555
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Tue Mar 29, 2022 1:06 pm

It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc...
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: Unable to Access Port for Specific IP

Wed Mar 30, 2022 9:57 pm

It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc...
:-) don't you think that he is confused enough already?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Wed Mar 30, 2022 11:24 pm

Please post your config

/export hide-sensitive file=anynameyouwish
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 03, 2022 6:48 pm

Hi all,

ISSUE
I'm unable to access a port (5555) of a specific IP that I can successfully ping

Details
  • The IP is the IP of a dynamic dns host name that resolves to my local server (192.168.x.x) to support a service that's running there on port 5555
How does dynamic dns resolve to your private IP?

If you are using the mikrotik cloud service (dynamic dns) then it will resolve to the public IP you have at the moment... now you have to pass (dst-nat) the traffic from the internet to the specific port on your public (dynamic) IP - to some IP on your private network
Something like...
add action=dst-nat chain=dstnat comment=MyServer dst-port=5555 in-interface=InInterfaceName protocol=tcp to-addresses=192.168.x.x to-ports=5555

Thank you @satman1w, @rextended, and @anav for your responses. My apologies for my delayed response as I've been on vacation - I was trying to get this settled before I left.

@satman1w
  • I've added the ip firewall filter you suggested. I actually originally had it set up to restrict forwarding per a specific IP address (in this case the dynamic DNS IP address) per instructions from viewtopic.php?t=121397 - but I removed that restriction to follow your specific steps - see the export fragment from my config (below)
  • The dynamic dns is actually for my VPN
  • I can ping the dynamic DNS IP address successfully
  • Within my internal network, https://ip_of_dynamic_dns works (though I initially get a warning that it's not secure, "do you want to continue")
  • Outside my internal network https://ip_of_dynamic_dns produces the issue/message in the OP

@anav
  • Here is a fragment from my export - I'm a little shy about posting my config (even with "hide-sensitive" as I've noticed it still exposes my internal IP addresses - I had to "xxx" them myself) per my concern about security - see my below reply to @rextended
    /ip firewall filter
    add action=accept chain=forward comment=\
        "https://forum.mikrotik.com/viewtopic.php\?t=121397" \
        connection-nat-state=dstnat connection-state=new in-interface=ether1
    /ip firewall nat
    add action=dst-nat chain=dstnat comment=MyServer dst-port=5555 in-interface=ether1 \
        protocol=tcp to-addresses=xxx.xxx.x.x to-ports=5555

@rextended
  • "It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc..."
    - I admit I'm an example of "just knowledgeable enough to be dangerous" :). I'm not sure if what you're saying is that posting 192.168.x.x is too much information in case someone somehow accesses my internal network. I'm conscientious about security for sure, but admittedly lighter on network security than I'd like to be
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Sun Apr 03, 2022 8:38 pm

viewtopic.php?t=179343

If you are trying to reach the server (users or you) from the same subnet the server is located on, then you are running into a situation that calls for hairpin nat.
add chain=srcnat action=masquerade dst-address=192.168.x.0/24 src-address=192.168.x.0/24 as your first source-nat rule.
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Mon Apr 04, 2022 10:03 pm

viewtopic.php?t=179343

If you are trying to reach the server (users or you) from the same subnet the server is located on, then you are running into a situation that calls for hairpin nat.
add chain=srcnat action=masquerade dst-address=192.168.x.0/24 src-address=192.168.x.0/24 as your first source-nat rule.
Thanks @anav, thanks for the link! I tried what you've specified but unfortunately had no luck (same result as described in my OP). Just to verify though, the dst-address and src-address should be the same and represent my internal server where I want the ip_of_dynamic_dns to resolve to, correct? Also, just double-checking, would the hairpin scenario apply in my case where I try to access https://ip_of_dynamic_dns from my phone via cell service (wi-fi turned off) with the same result?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 12:33 am

No. Hairpin nat is required only if the user and server are on the same subnet; if coming in externally, from the internet, it is not required.
If you want further help full config is required.
/export hide-sensitive file=anynameyouwish

Just ensure no public IPs or gateways are visible. rest is normally fine.
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 3:50 pm

No. Hairpin nat is required only if the user and server are on the same subnet; if coming in externally, from the internet, it is not required.
If you want further help full config is required.
/export hide-sensitive file=anynameyouwish

Just ensure no public IPs or gateways are visible. rest is normally fine.
Ok, here's my backup (JimsExportClean.rsc), I cleaned it up putting xxx's in place of IPs. Let me know what you think
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 3:55 pm

xxx
Last edited by rextended on Tue Apr 05, 2022 3:57 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 3:56 pm

I said public IPs; a config where you cover all the private internal IPs makes no sense from a security point of view and also really makes the config less useful for problem solving LOL, but will have a look.

(1) Typical error:
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=ether2 network=\
xxx.xxx.x.0

Should be
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=bridge network=\
xxx.xxx.x.0

(2) Highly recommend you keep your input chain rules together and your forward chain firewall rules together; it makes it very easy to spot mistakes and is simply an efficient, organized approach. In addition the order of some of your rules is non-standard.

From this
add action=accept chain=forward comment=\
"viewtopic.php\?t=121397" \
connection-nat-state=dstnat connection-state=new in-interface=ether1


TO THIS
add action=accept chain=forward connection-nat-state=dstnat \
comment="allow port forwarding"


(3) Specifically the forward chain rule above should be AFTER these ones!
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked

---> { put the destination nat rule here in the order }

(4) This rule is now redundant as you have already allowed port forwarding from both LAN and WAN......... so we will get rid of it, but replace the parts still necessary.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


What this rule also did was block all WAN to LAN traffic which is a good thing!
However we will do one better, as the LAST rule in the forward chain.
add chain=forward action=drop comment="drop all else"

This drops all wan to lan traffic and drops all LAN to LAN traffic and drops all LAN to WAN traffic at layer 3.
In other words, unless you specifically allow it, (proper control) traffic is not permitted, - best approach.

What does this mean? Well, it means that probably the only additional change you will need is to allow LAN to WAN traffic for internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"

(4) I want you to disable raw rules when testing the port forwarding in case there is something funky going on there, using raw in the hands of the beginner can be dangerous!

(5) Why is upnp enabled? Normally recommended to keep this disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Last edited by anav on Tue Apr 05, 2022 4:11 pm, edited 4 times in total.
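Added example, not anything posted in this thread and not a MikroTik tool: a short Python script that reads a RouterOS export and flags the points in the checklist above (an address on a bridge port instead of on the bridge, the accept-dstnat forward rule placed before the established/related rules or still carrying in-interface, no unconditional drop at the end of the forward chain, raw rules left in place, upnp enabled) plus the dude policy that comes up later in the thread. The export embedded in it is constructed to resemble the OP's as quoted in the replies; its addresses, the raw rule and ether2 being a bridge port are assumptions, not the OP's real config.

```python
"""Lint a RouterOS export for the points raised in this thread.

Added example, not MikroTik code. SAMPLE_EXPORT is constructed to look like
the OP's export as quoted in the replies; its addresses, the raw rule and
ether2 being a bridge port are assumptions, not the OP's real config.
"""
import shlex
import sys
from collections import defaultdict

SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\\
    192.168.2.0
/ip firewall filter
add action=accept chain=forward comment="allow port forwarding" \\
    connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \\
    connection-state=established,related
add action=accept chain=forward comment=\\
    "defconf: accept established,related, untracked" connection-state=\\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \\
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment=testing src-address=10.0.0.0/8
/ip upnp
set enabled=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
"""

META = {"_cmd", "_args", "action", "chain", "comment"}


def parse_export(text):
    """Join backslash-continued lines, then return {section: [command dicts]}.
    key=value pairs become dict entries; bare words (the group name in
    'set full ...') are collected under '_args'."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()   # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in lines:
        if line.startswith("/"):
            current = line
        elif line and not line.startswith("#"):
            toks = shlex.split(line)
            cmd = {"_cmd": toks[0], "_args": []}
            for tok in toks[1:]:
                key, eq, val = tok.partition("=")
                if eq:
                    cmd[key] = val
                else:
                    cmd["_args"].append(key)
            sections[current].append(cmd)
    return sections


def lint(sections):
    """Return findings mirroring the checklist in the replies; empty list = clean."""
    found = []
    ports = {p.get("interface") for p in sections.get("/interface bridge port", [])}
    for a in sections.get("/ip address", []):
        if a.get("interface") in ports:
            found.append(f"address {a['address']} sits on bridge port {a['interface']}, not on the bridge")
    fwd = [r for r in sections.get("/ip firewall filter", []) if r.get("chain") == "forward"]

    def first(pred):
        return next((i for i, r in enumerate(fwd) if pred(r)), None)

    i_nat = first(lambda r: r.get("action") == "accept" and r.get("connection-nat-state") == "dstnat")
    i_est = first(lambda r: "established" in r.get("connection-state", ""))
    if i_nat is not None and i_est is not None and i_nat < i_est:
        found.append("forward: accept-dstnat rule placed before the established/related rules")
    if i_nat is not None and fwd[i_nat].get("in-interface"):
        found.append("forward: accept-dstnat rule carries in-interface, so hairpinned LAN traffic will not match")
    if not fwd or fwd[-1].get("action") != "drop" or set(fwd[-1]) - META:
        found.append("forward: last rule is not an unconditional drop")
    if sections.get("/ip firewall raw"):
        found.append("raw rules present; disable them while testing port forwarding")
    if any(c.get("enabled") == "yes" for c in sections.get("/ip upnp", [])):
        found.append("upnp is enabled")
    for g in sections.get("/user group", []):
        if "dude" in g.get("policy", "").split(","):
            found.append(f"user group {g['_args'][0]} still carries the dude policy")
    return found


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in lint(parse_export(text)):
        print("-", finding)
```

Run it with the path of an /export hide-sensitive file as the only argument, or with no argument to see the seven findings the constructed sample produces. The parser only understands the add/set lines a normal export contains, and the checks are exactly the ones from this thread, nothing more.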
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 3:57 pm

You do not need to replace something like 192.168.1.x with xxx.xxx.x.x ...

If ether2 does not have C4:AD:34:14:FE:B7, put the ether2 MAC inside the appropriate field on the bridge

Paste this in a new terminal
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romontikapp"
why: the dude right is deprecated (now use winbox)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 4:12 pm

xxx
rextended, the answer to all problems is not porn! ;-PP
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Tue Apr 05, 2022 4:25 pm

Oh, right... too much time in hospital....
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Wed Apr 06, 2022 11:29 pm

You do not need to replace something like 192.168.1.x with xxx.xxx.x.x ...

If ether2 does not have C4:AD:34:14:FE:B7, put the ether2 MAC inside the appropriate field on the bridge

Paste this in a new terminal
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romontikapp"
why: the dude right is deprecated (now use winbox)
Hi @rextended, thanks so much for your response! I get "input does not match any value of policy" when I try what you've suggested - see attached image
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Wed Apr 06, 2022 11:30 pm

I said public IPs; a config where you cover all the private internal IPs makes no sense from a security point of view and also really makes the config less useful for problem solving LOL, but will have a look.

(1) Typical error:
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=ether2 network=\
xxx.xxx.x.0

Should be
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=bridge network=\
xxx.xxx.x.0

(2) Highly recommend you keep your input chain rules together and your forward chain firewall rules together; it makes it very easy to spot mistakes and is simply an efficient, organized approach. In addition the order of some of your rules is non-standard.

From this
add action=accept chain=forward comment=\
"viewtopic.php\?t=121397" \
connection-nat-state=dstnat connection-state=new in-interface=ether1


TO THIS
add action=accept chain=forward connection-nat-state=dstnat \
comment="allow port forwarding"


(3) Specifically the forward chain rule above should be AFTER these ones!
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked

---> { put the destination nat rule here in the order }

(4) This rule is now redundant as you have already allowed port forwarding from both LAN and WAN......... so we will get rid of it, but replace the parts still necessary.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


What this rule also did was block all WAN to LAN traffic which is a good thing!
However we will do one better, as the LAST rule in the forward chain.
add chain=forward action=drop comment="drop all else"

This drops all wan to lan traffic and drops all LAN to LAN traffic and drops all LAN to WAN traffic at layer 3.
In other words, unless you specifically allow it, (proper control) traffic is not permitted, - best approach.

What does this mean? Well, it means that probably the only additional change you will need is to allow LAN to WAN traffic for internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"

(4) I want you to disable raw rules when testing the port forwarding in case there is something funky going on there, using raw in the hands of the beginner can be dangerous!

(5) Why is upnp enabled? Normally recommended to keep this disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hi @anav, first off, thank you SO much for your detailed post/response!!!! I recognize that all replies to my (or any) question (especially one as detailed as yours) represent time people are generous enough to offer.

Unfortunately so far, after following your steps I haven't been able to resolve my issue just yet.

Having said that, to keep me honest and be able to ensure I've done what you've asked, I've attached another export of my config, this time with my internal IPs :)

Just a couple of notables:
  • I'm confused by "(5) Why is upnp enabled? Normally recommended to keep this disabled." The attached screenshot of my upnp shows it's disabled though I do see this in my export
    /ip upnp interfaces
    add interface=bridge type=internal
    add interface=ether1 type=external
  • I removed the following section as I didn't think it was needed
    /ip dhcp-server lease
  • I only initially removed the internal IPs because you mentioned "It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc...". I'm the first to recognize what I don't know and not willing to dismiss any advice, so I did what I thought you were suggesting, but I must be misunderstanding something here; I have been known to do that for sure :)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Wed Apr 06, 2022 11:32 pm

I removed too many "," from your export
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

correct: (or simply open winbox / system / users / groups / full and remove dude right and apply)
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp"
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Wed Apr 06, 2022 11:36 pm

This:
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
does not mean that upnp is enabled; just some (unused) settings are still stored inside the config.

Only these lines, NOT PRESENT in your export, would mean that upnp is enabled
/ip upnp
set enabled=yes
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Wed Apr 06, 2022 11:39 pm

It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc...
This is my dummy sarcasm...

You wrote something like this in the OP: "my server is 192.168.x.x"

Censoring 192.168.x.x or similar is useless...
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 12:57 am

It's very important to hide private only address 192.168.x.x or someone inside your network can read this topic and can ping your pc...
This is my dummy sarcasm...

You wrote something like this in the OP: "my server is 192.168.x.x"

Censoring 192.168.x.x or similar is useless...
lol! I got ya'. Thanks for pointing that out :)
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 12:59 am

This:
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
does not mean that upnp is enabled; just some (unused) settings are still stored inside the config.

Only these lines, NOT PRESENT in your export, would mean that upnp is enabled
/ip upnp
set enabled=yes
Got it. So it's not enabled, which is what I want and reflects the advice I've been given, thanks!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 1:10 am

To quickly wipe it from the config (and export):
/ip upnp interfaces remove [find]
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 1:11 am

I removed too many "," from your export
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

correct: (or simply open winbox / system / users / groups / full and remove dude right and apply)
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp"
Dude has been removed (sorry dude) :)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 1:11 am

Do not see any major problems with your config as stated............
Perhaps there is an issue with your ISP connection (type etc........ do you get a private or public IP??)

(1) This rule could be improved as already stated.
add action=accept chain=forward comment=\
"viewtopic.php\?t=121397" \
connection-nat-state=dstnat connection-state=new in-interface=ether1

TO
add action=accept chain=forward connection-nat-state=dstnat
comment="allow port forwarding"


(2) INPUT CHAIN: I normally put the ICMP rule after the invalid rule, and the capsman rule disabled or removed if not using (and after the ICMP rule).

(3) What is the purpose of this rule????
add action=masquerade chain=srcnat dst-address=192.168.2.5 src-address=\
192.168.2.5

The hairpin nat format would be, a. putting it prior to the normal source nat rule in position and
b. format: add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
192.168.2.0/24

(4) FOR TESTING PURPOSES............... Temporarily disable your RAW RULES!! (EDIT OK I see that is done).
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 6:44 am

Do not see any major problems with your config as stated............
Perhaps there is an issue with your ISP connection (type etc........ do you get a private or public IP??)

(1) This rule could be improved as already stated.
add action=accept chain=forward comment=\
"viewtopic.php\?t=121397" \
connection-nat-state=dstnat connection-state=new in-interface=ether1

TO
add action=accept chain=forward connection-nat-state=dstnat
comment="allow port forwarding"


(2) INPUT CHAIN: I normally put the ICMP rule after the invalid rule, and the capsman rule disabled or removed if not using (and after the ICMP rule).

(3) What is the purpose of this rule????
add action=masquerade chain=srcnat dst-address=192.168.2.5 src-address=\
192.168.2.5

The hairpin nat format would be, a. putting it prior to the normal source nat rule in position and
b. format: add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
192.168.2.0/24

(4) FOR TESTING PURPOSES............... Temporarily disable your RAW RULES!! (EDIT OK I see that is done).
See my attached updated export for the following changes per your suggestion.
(1) Done - Sorry, I missed that, so essentially remove: connection-state=new in-interface=ether1
(2) Done - Note, I opted to disable the capsman rule
(3) Done - Sorry, I forgot to take out the hairpin rule. You suggested it on Monday but after I replied you confirmed it wasn't necessary

Note, in order to support doing #2 as specified, my order is now:
  • One forward ("special dummy rule to show fasttrack counters")
  • All the inputs
  • All the rest of the forwards
I mention this because you also mentioned that it's good practice to have all the inputs and forwards together which I now can't do because the "special dummy rule to show fasttrack counters" forward can't be moved from the top, when I try I get "Couldn't move Firewall Rule <>-cannot move muiltin (6)"

After rebooting I get the following error trying to access the service via the IP of my VPN's dynamic dns host name (https://ip_of_dynamic_dns):
  • "ERR_CONNECTION_CLOSED" - Chrome
  • "ERR_CONNECTION_TIMED_OUT" - Brave
  • "ERR_CONNECTION_TIMED_OUT" - Brave from my phone NOT connected to wifi

Notable that in the OP it was:
  • "ERR_CONNECTION_REFUSED" - Chrome/Brave
  • "RESOURCE_NOT_FOUND" - IE (I believe this is a HTTP Status 404)

"Perhaps there is an issue with your ISP connection (type etc........ do you get a private or public IP??)"
  • My ISP is Verizon
  • When I ping my IP (which shows under ip->ARP interface=ether1) from my phone (via an android app called Ping (Lipinic), with my phone's wifi OFF, i.e. only using cell), 11 packets were sent and received, 0 were lost
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Thu Apr 07, 2022 12:55 pm

Assuming your ISP is fine, then perhaps its the server software itself or some windows firewall on the PC running the server???
Suggest get a friend to test access to your server from their end to continue the problem solving.
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 10, 2022 6:43 pm

Assuming your ISP is fine, then perhaps its the server software itself or some windows firewall on the PC running the server???
Suggest get a friend to test access to your server from their end to continue the problem solving.
I tried completely disabling my Windows firewall with no impact, but much to my surprise, when I asked a couple of my friends to try it, https://ip_of_dynamic_dns worked for both of them (with my Windows firewall enabled and disabled). But it doesn't work for me (computer and Android phone), or my wife (iPhone), whether either of us is on my WiFi or not, and whether my Windows firewall is completely disabled or not. Again, while connected to my WiFi, my internal IP properly accesses my VPN server (with an initial warning that my connection is not private...) using: https://192.168.2.5:5555

Note: I'm back to the error messages in the OP (vs my last post stating closed/timed_out); I noticed the dynamic DNS IP changed and I didn't realize it

Not sure if this provides any insight but netstat -abo produces the following, where I've confirmed (via task manager) that PID 3948 is in fact my VPN
  Proto  Local Address          Foreign Address        State           PID
 Can not obtain ownership information
  TCP    0.0.0.0:5555           MyComputer:0      LISTENING       3948
 [chrome.exe]
  TCP    192.168.2.5:62052      MyComputer:5555   ESTABLISHED     3100
 Can not obtain ownership information
  TCP    [::]:5555              MyComputer:0      LISTENING       3948
 [svchost.exe]
  TCP    192.168.2.5:5555       MyComputer:62052  ESTABLISHED     3948
So some progress, but it needs to work for me vs my friends
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Sun Apr 10, 2022 9:05 pm

Good news at least that the Server works for normal outside users..........
So to be clear you were testing access to the Server from within your own router network via WIFI.
And you were using the dyndns URL, aka trying to use the Public IP of the router to do so...........

Now, there is no indication of wifi on your Router setup??

Also not sure why you are using DSTNAT rules for VPN?
VPN is a router service, what you need to do is connect to the ROUTER via the input chain (normally to make a VPN connection)???

In any case trying to reach your server from within the network (same network) very much requires hairpin nat.
So put this as your first Source Nat rule.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 10, 2022 9:55 pm

Good news at least that the Server works for normal outside users..........
So to be clear you were testing access to the Server from within your own router network via WIFI.
And you were using the dyndns URL, aka trying to use the Public IP of the router to do so...........

Now, there is no indication of wifi on your Router setup??

Also not sure why you are using DSTNAT rules for VPN?
VPN is a router service, what you need to do is connect to the ROUTER via the input chain (normally to make a VPN connection)???

In any case trying to reach your server from within the network (same network) very much requires hairpin nat.
So put this as your first Source Nat rule.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24
Hi @anav, thanks for sticking with me on this :)

Is there something about my router setup that I can offer that's not included in my export from my previous post?

"So to be clear you were testing access to the Server from within your own router network via WIFI.
And you were using the dyndns URL, aka trying to use the Public IP of the router to do so"
  • When NOT connected to my WiFi I can NOT access via: https://ip_of_dynamic_dns or https://dynamic_dns

What I'm doing revolves around using a VPN that is different than the VPN available via Mikrotik. If I can access my server via https://ip_of_dynamic_dns or https://dynamic_dns, I'll be able to use the VPN I'm trying to use

I put the hairpin in again to no avail, but we discussed it in an earlier reply in this thread and determined it wasn't appropriate in my situation
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Sun Apr 10, 2022 11:09 pm

If you are doing port forwarding to your server from an IP address within the same subnet, which is what you are doing with wifi, then I think it is relevant.
So keep the hairpin nat rule proposed and modify your destination nat rule as so..........

/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=updatedDYNDNS protocol=tcp dst-port=5555 to-addresses=192.168.2.5

where firewall address list entry
/ip firewall address-list
add address=URL list=updatedDYNDNS

where URL= dyndns URL that represents your WANIP.
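Added example, not from any poster and not RouterOS code: a small Python model of the packet flow behind the advice in this post and the hairpin post above, applying satman1w's dst-nat rule from earlier in the thread. It traces a SYN from a client to the public address and the server's SYN-ACK back, for an outside client, a LAN client whose packet does not match a dst-nat rule restricted to in-interface=ether1, a LAN client that is dst-natted but not hairpinned, and a LAN client with the masquerade rule in place. Only 192.168.2.5 and 192.168.2.0/24 come from the thread; the router's bridge address 192.168.2.1, the public IP 203.0.113.7, the LAN test host 192.168.2.10 and the outside friend 198.51.100.20 are assumptions, and the dst-address-list matcher is modelled as a plain match on the public address.

```python
"""Packet-flow model of the cases discussed in this thread: an outside
client, a LAN client without hairpin NAT, and a LAN client with it.

Added example, not RouterOS code. 192.168.2.5 and 192.168.2.0/24 are from
the thread; every other address is an assumed documentation-range value,
and the router is assumed to hold 192.168.2.1 on the bridge.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")
SERVER = "192.168.2.5"
ROUTER_LAN = "192.168.2.1"      # assumed: router's bridge address
PUBLIC_IP = "203.0.113.7"       # assumed: what the dyndns name resolves to
LAN_CLIENT = "192.168.2.10"     # assumed: the OP's laptop on the bridge
INET_CLIENT = "198.51.100.20"   # assumed: the friend on the internet
PORT = 5555

OK, REFUSED, WRONG_SRC = "ok", "refused", "reply-from-wrong-address"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int


def in_lan(ip):
    return ip_address(ip) in LAN


def connect(client, in_iface, hairpin, dstnat_in_iface=None):
    """Trace a SYN from client to PUBLIC_IP:PORT and the SYN-ACK back.

    dstnat_in_iface models an in-interface= matcher on the dst-nat rule
    (None = the rule matches on any interface, as with dst-address-list
    alone). hairpin models the srcnat masquerade rule for LAN -> LAN.
    """
    syn = Pkt(client, PUBLIC_IP, PORT)

    # dstnat chain: tcp/5555 to the public address -> the server
    if not (syn.dst == PUBLIC_IP and syn.dport == PORT
            and dstnat_in_iface in (None, in_iface)):
        # The packet is addressed to the router itself and nothing on the
        # router listens on 5555, so its own stack answers with a RST.
        return REFUSED
    syn = replace(syn, dst=SERVER)

    # srcnat chain: hairpin masquerade for LAN -> LAN, if configured
    if hairpin and in_lan(syn.src) and in_lan(syn.dst):
        syn = replace(syn, src=ROUTER_LAN)

    # The server answers to syn.src. A LAN host other than the router is
    # on-link, so the SYN-ACK goes to it directly with src=SERVER and the
    # router never gets the chance to undo the dst-nat.
    if syn.src != ROUTER_LAN and in_lan(syn.src):
        seen_src = SERVER
    else:
        seen_src = PUBLIC_IP   # back through the router; both NATs reversed

    # The client's TCP stack only matches a SYN-ACK from the address it
    # sent the SYN to; anything else is discarded or answered with RST.
    return OK if seen_src == PUBLIC_IP else WRONG_SRC


if __name__ == "__main__":
    cases = [
        ("outside client, dst-nat limited to in-interface=ether1",
         connect(INET_CLIENT, "ether1", hairpin=False, dstnat_in_iface="ether1")),
        ("LAN client, dst-nat limited to in-interface=ether1",
         connect(LAN_CLIENT, "bridge", hairpin=False, dstnat_in_iface="ether1")),
        ("LAN client, dst-nat on any interface, no hairpin",
         connect(LAN_CLIENT, "bridge", hairpin=False)),
        ("LAN client, dst-nat on any interface, hairpin masquerade",
         connect(LAN_CLIENT, "bridge", hairpin=True)),
    ]
    for label, result in cases:
        print(f"{label}: {result}")
```

The four cases reproduce what the replies say: an outside client works whether or not hairpin is configured; a LAN client whose SYN does not match a dst-nat rule restricted to ether1 is answered by the router itself; a LAN client that is dst-natted but not hairpinned gets the SYN-ACK straight from 192.168.2.5 and its stack discards it; with the masquerade rule the reply comes back through the router. As anav says, the hairpin srcnat rule has to sit before the general masquerade rule, and the address-list entry can be inspected with /ip firewall address-list print.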
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Mon Apr 11, 2022 1:07 am

If you are doing port forwarding to your server from an IP address within the same subnet, which is what you are doing with wifi, then I think it is relevant.
So keep the hairpin nat rule proposed and modify your destination nat rule as so..........

/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=updatedDYNDNS protocol=tcp dst-port=5555 to-addresses=192.168.2.5

where firewall address list entry
/ip firewall address-list
add address=URL list=updatedDYNDNS

where URL= dyndns URL that represents your WANIP.
Ok, I think I've done what you've suggested, now my export looks as follows:
/ip firewall nat
add action=dst-nat chain=dstnat comment=VPN dst-address-list=updatedDYNDNS \
    dst-port=5555 in-interface=ether1 protocol=tcp to-addresses=192.168.2.5 \
    to-ports=5555
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 \
    dst-address-list="" src-address=192.168.2.0/24

/ip firewall address-list
add address=URL list=updatedDYNDNS
Where URL = bla.bla.net (i.e. the dynamic_dns part of: https://dynamic_dns)

After doing this (^^^), my friend said he could NOT access https://ip_of_dynamic_dns any more, so I changed URL from dynamic_dns to ip_of_dynamic_dns and he COULD once again successfully access https://ip_of_dynamic_dns (though I still can't), i.e. I changed it as follows:
/ip firewall address-list
add address=ip_of_dynamic_dns list=updatedDYNDNS
Before I realized my initial change didn't work, I was thinking that what this does is handle whenever my dynamic_dns changes, i.e. the address I added in /ip firewall address-list allows me to specify my dynamic_dns instead of the IP address that it happens to currently resolve to. But again, it failed to resolve for my friend so I guess that's not the case, at least for me.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Mon Apr 11, 2022 1:24 am

Yes, because in my example there was no in-interface=ether1 Why did you inject it??

Also you are missing the regular source nat rule which should be after the hairpin sourcenat rule.

Also you can confirm the firewall address list entry resolves to the proper IP. Look it up!
The list should show two entries, one for the URL and one for what it resolves to.
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 9:48 pm

Just getting back to this due to other priorities...

@anav - Yeah in-interface=ether1 was there because I had edited something I had prior and never corrected to what you suggested, my bad. It's as you've specified now

So some progress
  • I discovered that https://ip_of_dynamic_dns:443 works for me, which I got from the documentation of the VPN I'm using; it states to use 443 (https) when connecting via an HTTP proxy server or when using high firewall settings

Regarding port 5555 (which still doesn't work for me), I involved my friends & family to try https://ip_of_dynamic_dns:5555 with the following result (I had all disconnect from WiFi when trying):
  • 5 WORKED - 2 nearby in MA, as well as in NH and GA, even one in Canada (mix of iPhone and Android). they all have cell provider T-Mobile (which is what I use) except the one in NH (Comcast)
  • FAILED - 2, both use T-Mobile, one of which is a T-Mobile support person I called for assistance (in his case I gave him the IP address) - he said T-Mobile isn't doing anything to block it

Moving forward
  • I guess I can live with 443 though I'd still love to know why 5555 doesn't work for me and if anyone still has any thoughts, I'm all ears!
  • I'd like to know if it's possible to ensure that when the ip_of_dynamic_dns changes the port forward will handle that

I've once again included my most recent export of my config
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 10:32 pm

Both ports are open from here with SoftEther VPN Server on them. And about changing address, the idea for updatedDYNDNS list is to use DDNS hostname, not numeric address, for example if you're using built-in IP->Cloud, it would be:
/ip firewall address-list
add address=<whateveryouhave>.sn.mynetname.net list=updatedDYNDNS
The hostname exists, but currently it points to a completely different address (96.x.x.x instead of 72.x.x.x).

edit: You can also replace dst-address-list=updatedDYNDNS with dst-address-type=local and it will work with any address that router will have. But you still want to have DDNS hostname updated, because that's what clients should connect to.
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 11:06 pm

Sob wrote:
Both ports are open from here with SoftEther VPN Server on them. And about changing address, the idea for updatedDYNDNS list is to use DDNS hostname, not numeric address, for example if you're using built-in IP->Cloud, it would be:
/ip firewall address-list
add address=<whateveryouhave>.sn.mynetname.net list=updatedDYNDNS
The hostname exists, but currently it points to a completely different address (96.x.x.x instead of 72.x.x.x).

edit: You can also replace dst-address-list=updatedDYNDNS with dst-address-type=local and it will work with any address that router will have. But you still want to have DDNS hostname updated, because that's what clients should connect to.
Nice! Thanks @Sob. Oddly I thought I tried to put in my dynamic_dns into the updatedDYNDNS list (as I also considered what you explained) but I thought I got an error, but when I just tried now, it took my dynamic_dns as expected. With that, I suspect if my dynamic DNS IP changes, my port forwards using my updatedDYNDNS list won't be affected.

Why the 5555 port doesn't work for some people but works for others (as described in my last post) still remains a bit of a mystery
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 11:20 pm

Did you check if they failed on both 5555 and 443? If both, then perhaps your block raw lists are getting in the way?
 
IsThisRight
just joined
Topic Author
Posts: 16
Joined: Thu Mar 24, 2022 2:27 pm

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 11:28 pm

Sob wrote:
Both ports are open from here with SoftEther VPN Server on them. And about changing address, the idea for updatedDYNDNS list is to use DDNS hostname, not numeric address, for example if you're using built-in IP->Cloud, it would be:
/ip firewall address-list
add address=<whateveryouhave>.sn.mynetname.net list=updatedDYNDNS
The hostname exists, but currently it points to a completely different address (96.x.x.x instead of 72.x.x.x).

edit: You can also replace dst-address-list=updatedDYNDNS with dst-address-type=local and it will work with any address that router will have. But you still want to have DDNS hostname updated, because that's what clients should connect to.
Nice! Thanks @Sob. Oddly I thought I tried to put in my dynamic_dns into the updatedDYNDNS list (as I also considered what you explained) but I thought I got an error, but when I just tried now, it took my dynamic_dns as expected. Unfortunately, I was no longer able to access: https://ip_of_dynamic_dns:443. I then saw your update to use dst-address-type=local instead, and then I was able to access https://ip_of_dynamic_dns:443 once again. My updatedDYNDNS list is still pointing to my dynamic_dns, but using dst-address-type=local instead of dst-address-list=updatedDYNDNS seems like I'm not using my updatedDYNDNS list, so I'm not sure whether I'll be impacted if the IP of my dynamic_dns changes?

Why the 5555 port doesn't work for some people but works for others (as described in my last post) still remains a bit of a mystery
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to Access Port for Specific IP

Sun Apr 24, 2022 11:54 pm

What DDNS service do you use? Is it the built-in one with xxx.sn.mynetname.net? Because if it is, then as I wrote, it for some reason points to different address, so it can't work well. For router just keep dst-address-type=local, it's simple and foolproof. But if client should use xxx.sn.mynetname.net (as they should), you need to find out why it's not updated.
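
Pulling the thread's advice together, here is an added worked example (the editor's, not configuration posted by anav, Sob or the topic author) of a complete NAT and filter set for this setup: anav's dst-nat rule without in-interface, the hairpin srcnat rule, the regular masquerade rule after it, Sob's hostname-based address list and his dst-address-type=local alternative, plus the checks both of them asked for. It assumes ether1 is the WAN interface, the LAN is 192.168.2.0/24 behind the bridge, the server is 192.168.2.5, the router's IP->Cloud name is the DDNS hostname (the `<id>.sn.mynetname.net` placeholder is an assumption), and that these rules replace the NAT rules already in the export rather than being added alongside them.

```routeros
# Added example, not from the thread. Assumptions: WAN = ether1,
# LAN = 192.168.2.0/24, server = 192.168.2.5, DDNS hostname = IP->Cloud
# name (placeholder <id>.sn.mynetname.net). Remove the old NAT rules first,
# since "add" appends and does not replace.

/ip firewall address-list
# A hostname entry is re-resolved by the router itself, so the list follows
# the DDNS record; a numeric entry goes stale when the WAN address changes.
add address=<id>.sn.mynetname.net list=updatedDYNDNS

/ip firewall nat
# Forward TCP 5555. Deliberately no in-interface=ether1: with it, LAN
# clients (which enter on the bridge) never match, and hairpin breaks.
add chain=dstnat action=dst-nat comment="5555 -> server" \
    dst-address-list=updatedDYNDNS protocol=tcp dst-port=5555 \
    to-addresses=192.168.2.5
# Alternative matcher: any address the router itself owns. Works even when
# the DDNS record is stale or the address list is empty. Use one or the other.
# add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp \
#     dst-port=5555 to-addresses=192.168.2.5
# Hairpin NAT: a LAN client reaching the server via the public address gets
# its source rewritten, so the server's reply goes back through the router
# instead of straight to the client (which would reset the connection).
add chain=srcnat action=masquerade comment=hairpin \
    src-address=192.168.2.0/24 dst-address=192.168.2.0/24
# Regular outbound NAT for the LAN, placed after the hairpin rule.
add chain=srcnat action=masquerade out-interface=ether1

/ip firewall filter
# If the forward chain drops new connections from WAN, make sure dst-nated
# ones are let through; this rule must sit above that drop rule.
add chain=forward action=accept comment="allow port forwards" \
    connection-nat-state=dstnat connection-state=new in-interface=ether1

# Checks. The list should show the hostname plus a dynamic entry with the
# address it resolved to; that address must equal public-address from
# /ip cloud, otherwise the DDNS record is stale.
/ip firewall address-list print where list=updatedDYNDNS
/ip cloud print
# Packet/byte counters tell whether a client's connection reached the
# dst-nat rule at all.
/ip firewall nat print stats
```

The two print commands at the end are the check anav and Sob describe: if the resolved address in the list does not match the router's current public address, outside clients are being sent to some other host, and no NAT rule on this router can fix that. The thread's observation that port 5555 works for some remote clients and not others is not explained by this configuration; comparing the dst-nat rule's counters before and after a failing client tries shows whether that client's traffic arrived at the router at all.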
