JimiEZ
just joined
Topic Author
Posts: 4
Joined: Sun Oct 02, 2022 11:51 am

Default configuration - just can't get port forwarding to work [rb750gr3]

Sun Oct 02, 2022 1:01 pm

Hey, I know this is very very basic stuff, I've read quite a few tutorials and watched videos, but somehow I just can't get port forwarding to work on my Hex.

I went with the automatic default config and my network is as follows: a 1G symmetric connection that comes through a fiber media converter (bridged mode, dynamic public IP) -> into ether1 of the RB750GR, and from there via ether2 -> a TP-Link 8-port dumb switch, to which everything else connects. The WAN connection works just fine and I get very respectable ~900ish up/down speeds.

Here's my config:
# oct/02/2022 12:18:46 by RouterOS 6.49.6
# software id = BIWD-CH4N
#
# model = RB750Gr3
# serial number = CC210FD2F930
/interface bridge
add admin-mac=XX:XX:XXX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.3-10.0.0.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_LAN
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/ip address
add address=10.0.0.2/24 comment=defconf interface=ether2_LAN network=10.0.0.0
/ip arp
add address=10.0.0.10 comment=Server interface=bridge mac-address=\
    XX:XX:XX:XX:XX
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1_WAN
/ip dhcp-server lease
add address=10.0.0.9 client-id=xxxxxxxxx mac-address=\
   xxxxxxx server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.2 comment=defconf name=router.lan
/ip firewall address-list
add address=cc210fd2f930.sn.mynetname.net list=WAN_list
add address=10.0.0.0/24 list=LAN_list
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1_WAN
add action=dst-nat chain=dstnat dst-port=34343 in-interface=ether1_WAN \
    protocol=tcp to-addresses=10.0.0.9 to-ports=34343
add action=dst-nat chain=dstnat dst-port=aaa protocol=tcp to-addresses=\
    10.0.0.10 to-ports=aaa
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1_WAN protocol=\
    tcp to-addresses=10.0.0.10 to-ports=80
/ip upnp
set show-dummy-rule=no
/system clock
set time-zone-name=xxx
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=188.165.138.207
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

10.0.0.10 is my home server; I've tried opening ports for HTTP and SSH. 10.0.0.9 is my desktop computer. After bumbling about, I've managed to create a functioning hairpin NAT and I'm able to access my home server via SSH through a non-standard port within the LAN using my domain name, but outside connections just won't come through whatever I do.

I have a domain for the server and I'm able to access the server via the domain name within LAN but not from outside.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Mon Oct 03, 2022 12:59 am

Some reading on port forwarding - viewtopic.php?t=179343
 
JimiEZ
just joined
Topic Author
Posts: 4
Joined: Sun Oct 02, 2022 11:51 am

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Tue Oct 11, 2022 7:43 pm

> Some reading on port forwarding - viewtopic.php?t=179343
I have tried pretty much every single thing in that thread. Suggestions?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Tue Oct 11, 2022 8:37 pm

Okay, post your latest config please.........
/export (minus serial number and any public IP information )
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Tue Oct 11, 2022 9:13 pm

First you have to be sure that your ISP isn't blocking that port and that your public IP is public.
Easily done by sniffing traffic on your WAN interface with a filter set for your desired port.
If no packets arrive, the problem isn't your config.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Tue Oct 11, 2022 10:24 pm

@Znevna. I am sure he has that covered, because early on in the bloated topic LOL, that is clearly stated.
 
JimiEZ
just joined
Topic Author
Posts: 4
Joined: Sun Oct 02, 2022 11:51 am

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Thu Oct 27, 2022 11:59 pm

> Okay, post your latest config please.........
> /export (minus serial number and any public IP information )
Life's been pretty hectic, so I've not had more than a few moments here and there to tinker with this. I'm seeing packets and traffic, but can't access anything outside LAN and port checkers tell me that my ports are not open / connection time out.

Here's my latest config:
# oct/28/2022 00:30:24 by RouterOS 7.6
# software id =
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=XXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.3-10.0.0.99
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2_LAN
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.2/24 comment=defconf interface=bridge network=10.0.0.0
/ip arp
add address=10.0.0.10 comment=Server interface=bridge mac-address=\
    XXX
add address=10.0.0.3 comment=Desktop interface=bridge mac-address=\
    XXX
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server lease
add address=10.0.0.3 address-lists=LAN_list client-id=xxx \
    comment=Desktop mac-address=XXX server=defconf use-src-mac=\
    yes
add address=10.0.0.10 client-id=\
    xxx comment=Server \
    mac-address=XXX server=defconf use-src-mac=yes
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.2 comment=defconf name=router.lan
/ip firewall address-list
add address=[mydomain that resolves correctly to my dynamic public ip] list=WAN_list
add address=10.0.0.0/24 list=LAN_list
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=inva
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Port forward test" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address-list=WAN_list \
    dst-port=80 protocol=tcp to-addresses=10.0.0.10
add action=dst-nat chain=dstnat comment=SSH dst-address-list=WAN_list \
    dst-port=220 protocol=tcp to-addresses=10.0.0.10 to-ports=220
add action=dst-nat chain=dstnat comment="qBittorrent TCP" dst-address-list=\
    WAN_list dst-port=34343 protocol=tcp to-addresses=10.0.0.3 to-ports=34343
add action=dst-nat chain=dstnat comment="qBittorrent UDP" dst-address-list=\
    WAN_list dst-port=34343 protocol=udp to-addresses=10.0.0.3 to-ports=34343
/ip service
set www port=81
set ssh port=666
/ip upnp interfaces
add interface=ether1_WAN type=external
add interface=bridge type=internal
/system clock
set time-zone-name=XXX
/system ntp client
set enabled=yes
/system ntp client servers
add address=162.159.200.123
add address=188.165.138.207
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As mentioned previously, I can access SSH and HTTP on my server at 10.0.0.10 and via my domain name over the LAN just fine, and it seems that my desktop torrent client is getting plenty of traffic over UDP, but very little over TCP (both are enabled in the client):


(I just realized that I took this screenshot right after router reboot so it might not actually be that informative)

Yes, I'm absolutely sure that my public IP is public and the router knows it. I've tried multiple ways of setting up dst-nat, with interface, interface-list, giving it my current public IP to dest. address etc. Absolutely nothing seems to work.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 12:31 am

This rule should not have in-interface-list=WAN (but it's not breaking port forwarding, thanks to another rule further down):
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked in-interface-list=WAN
Actually, there's nothing I can see that would break port forwarding. You can try this to see more details about what's going on. Use your SSH port; it will have the least unwanted traffic, since it's non-standard.
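The checks below are an added example (mine, not Sob's, Znevna's or the original poster's commands). They run on the router itself and separate the two cases the thread is circling: packets for the forwarded port never reach ether1_WAN (Znevna's "ISP is blocking it" case, which is what the thread eventually finds), versus packets arrive on the WAN side but the NAT or filter rules mishandle them. They use the tcp/220 SSH forward, the interface name ether1_WAN, the rule comment "SSH" and the server address 10.0.0.10 from the posted config; the 30-second capture window and the "TEMP diag" comment on the throwaway rule are my choices.

```routeros
# Added diagnostic sequence for the tcp/220 SSH forward (not from the thread).
# Run these from a terminal while a host OUTSIDE the LAN tries to connect to
# the public IP on port 220 (e.g. an ssh client from a phone on mobile data).

# 1) Capture only tcp/220 arriving on the WAN interface, for 30 seconds.
#    Empty capture while the remote host is connecting = the packets never
#    reach the router, so the RouterOS config cannot be the cause; look at
#    the ISP / media converter side instead.
/tool sniffer set filter-interface=ether1_WAN filter-ip-protocol=tcp \
    filter-port=220 filter-direction=rx memory-limit=1000KiB
/tool sniffer start
:delay 30s
/tool sniffer stop
/tool sniffer packet print

# 2) Packets were captured: check that the dst-nat rule actually matched.
#    The packets/bytes counters of the rule commented "SSH" must increase
#    by the number of connection attempts.
/ip firewall nat print stats where comment="SSH"

# 3) Counters move: watch what the forward chain does with the translated
#    flow. A passthrough rule placed first logs every matching packet without
#    changing the verdict, so the existing accept/drop rules still decide.
/ip firewall filter add chain=forward place-before=0 action=passthrough \
    protocol=tcp dst-address=10.0.0.10 dst-port=220 \
    log=yes log-prefix="ssh-fwd " comment="TEMP diag"
/log print where message~"ssh-fwd"

# 4) Confirm the tracked connection exists and that replies came back.
#    dst-address is the original (public) destination, so match on ":220";
#    reply-src-address should show 10.0.0.10:220.
/ip firewall connection print detail where protocol=tcp dst-address~":220"

# 5) Remove the temporary logging rule.
/ip firewall filter remove [find comment="TEMP diag"]
```

Reading the results: step 1 empty means upstream filtering; step 1 populated but step 2 counters static means the dst-nat rule does not match (wrong dst-address, dst-address-list entry not resolving, or in-interface mismatch); counters moving but step 4 showing no replies means the forward chain or the server itself is dropping the translated traffic.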
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

!

Fri Oct 28, 2022 12:34 am

** problem may stem from a forward chain rule (para 5) **

edit: I see Sob has already answered this, but do make the changes, as the format is wrong.......

(1) Change this to NONE, no one uses it.
/interface detect-internet
set detect-interface-list=all

(2) For testing purposes DISABLE this line in your configuration since it relates to the server.
/ip arp
add address=10.0.0.10 comment=Server interface=bridge mac-address=\
XXX


(3) In addition if you have anything set here that is extra (besides making the server a static LANIP) remove it.
add address=10.0.0.10 client-id=\
xxx comment=Server \
mac-address=XXX server=defconf use-src-mac=yes

(4) Your input chain rules need a smidge of cleanup (order, duplication etc.).
Please find a fixed version.

/ip firewall filter
{Default rules}
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
{Admin entered rules}
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"


(5) Same deal on the forward chain.............. since you're not doing IPsec you can dispense with the extra stuff. Also I think the issue may be caused by an addition you made to the default rule that needs to be removed!!
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked in-interface-list=WAN


Cleaned UP Version.........
{Default rules}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(6) Good hairpin nat rule.

(7) Disable UPNP connectivity should not be required.

(8) WHY oh WHY are you running an HTTP server and an SSH server, for what purposes??
Just saying that you are inviting TONS of hacking attempts by doing so.
If you need access to the router use a VPN like WireGuard, for example.
Also there is SSH built into the router, why port forward to your own instance? Makes no sense to me??

State the requirements and maybe there are better ways of accomplishing same!
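What follows is an added example of my own, not anav's rules and not the original poster's export: one consolidated filter and NAT set for the posted hEX config (ether1_WAN in list WAN, the bridge in list LAN, server 10.0.0.10, desktop 10.0.0.3, forwards for tcp/80, tcp/220 and tcp+udp/34343). It keeps the input and forward ordering anav lays out above and folds in the "limited to specific source addresses" point he makes further down the thread. Three things differ from the rules on the page and are my choices: the dst-nat rules match dst-address-type=local instead of the DDNS-resolved WAN_list, so a stale list entry after a public IP change cannot silently stop the forward; the SSH forward only translates sources on an address list, whose name ssh_allowed and placeholder entry 203.0.113.10 are assumptions to be replaced; and the hairpin masquerade only touches dst-natted LAN-to-LAN flows rather than every LAN-to-LAN packet.

```routeros
# Added example (not from the thread). Assumes interface lists WAN/LAN and
# the addresses from the posted config. Replace 203.0.113.10 with the real
# remote admin address(es); it is a documentation-range placeholder.

/ip firewall address-list
add list=ssh_allowed address=203.0.113.10 comment="remote admin (placeholder)"

/ip firewall filter
# --- input: router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="accept from LAN"
add chain=input action=drop comment="drop all else on input"
# --- forward: through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet"
# One explicit accept per forward, after translation (dst-address is the LAN host).
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=10.0.0.10 dst-port=80 comment="forwarded HTTP"
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=10.0.0.10 dst-port=220 src-address-list=ssh_allowed \
    comment="forwarded SSH, admin sources only"
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=10.0.0.3 dst-port=34343 comment="forwarded torrent TCP"
add chain=forward action=accept connection-nat-state=dstnat protocol=udp \
    dst-address=10.0.0.3 dst-port=34343 comment="forwarded torrent UDP"
add chain=forward action=drop comment="drop all else on forward"

/ip firewall nat
# dst-address-type=local = any address the router owns, so the current public
# IP is matched without a DNS lookup; the LAN address is excluded so a LAN
# client talking to 10.0.0.2 itself is never redirected.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!10.0.0.2 \
    protocol=tcp dst-port=80 to-addresses=10.0.0.10 comment="HTTP"
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!10.0.0.2 \
    protocol=tcp dst-port=220 src-address-list=ssh_allowed \
    to-addresses=10.0.0.10 comment="SSH"
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!10.0.0.2 \
    protocol=tcp dst-port=34343 to-addresses=10.0.0.3 comment="qBittorrent TCP"
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!10.0.0.2 \
    protocol=udp dst-port=34343 to-addresses=10.0.0.3 comment="qBittorrent UDP"
# Hairpin: only LAN clients reaching a LAN host through a forward get masqueraded,
# so the server sees the router as source and replies through it.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24 \
    connection-nat-state=dstnat comment="hairpin NAT"
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="masquerade"
```

Two consequences worth knowing before testing: with the final "drop all else on forward" rule, every forward must have its own accept above it, so adding a new dst-nat rule alone is no longer enough; and because unlisted sources are never translated on port 220, external port checkers will report that port as closed or filtered, which is the intended result rather than a broken forward. The tcp/80 and 34343 forwards remain a clean yes/no probe for the ISP-side blocking question.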
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 1:41 am

About (8) ... Web server is great when one wants to host some web page. In fact, not running web server is major obstacle for doing some hosting. I have one (well, more), don't you? It's great thing for networking enthusiast! And SSH, it could be that you want to access some machine that's not router, and then connecting to that machine works better than connecting to router. ;)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 3:21 am

Yes all true but the risks of opening ports on the router to god knows what is IMHO not the better option.
One can easily host a website at a third party location and setup or even rent a server and do it there........

I for one would never have any port forwardings to a server but if I did you can be sure it would be limited to specific source addresses.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 5:18 am

But where's the fun in that? If I now have faster connectivity at home, than the whole country used to have (and it's not anything special, costs next to nothing), server can be device that eats 5 Watts tops and it's so small that I could lose it if it wasn't connected to cable, ... why would I want external hosting? I mean, if it's some small non-critical hobby thing, and assuming that I like to play with such things. :)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 2:17 pm

> But where's the fun in that? If I now have faster connectivity at home, than the whole country used to have (and it's not anything special, costs next to nothing), server can be device that eats 5 Watts tops and it's so small that I could lose it if it wasn't connected to cable, ... why would I want external hosting? I mean, if it's some small non-critical hobby thing, and assuming that I like to play with such things. :)
At least you are being honest! :-)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 5:49 pm

It's my (not so much) secret recipe for success. Play with it as often as possible, don't be afraid to experiment, but keep it pleasant to not get discouraged. Eventually you should become good at it. Not necessarily limited to routers and stuff.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Fri Oct 28, 2022 5:52 pm

> It's my (not so much) secret recipe for success. Play with it as often as possible, don't be afraid to experiment, but keep it pleasant to not get discouraged. Eventually you should become good at it. Not necessarily limited to routers and stuff.
I hope someone is writing down these life lessons!! Sounds like an 11th commandment too. :-0
 
JimiEZ
just joined
Topic Author
Posts: 4
Joined: Sun Oct 02, 2022 11:51 am

Re: Default configuration - just can't get port forwarding to work [rb750gr3]

Thu Nov 03, 2022 3:25 pm

Thank you anav and Sob both for your help. I was really losing my mind with this issue. I did everything you suggested and then went as far as completely resetting the router a couple of times and trying both new autoconfig and doing a minimal setup manually.

However, in the end, it turned out that the issue all along was that my new ISP is actually blocking all incoming <1900 UDP connections from their end by default and only allowing a small handful of TCP ports in the single digit range. I should have suspected something like that when it started seeming like UDP port forwards were working fine but TCP ones weren't. However, during the 25+ years I've been paying for an internet connection, this is the first time I've run across this issue, so it never even crossed my mind as a possibility. Why on earth would you sell a 1G symmetric fiber connection, only to hamper it with crap like this by default!? Oh well, at least I managed to get an unrestricted connection with a single phone call to their tech support, and I guess I learned quite a bit about RouterOS firewalls too!

As to why I have a home server with HTTP and SSH running? Well, like Sob, I like to tinker with that kind of stuff and use SSH for running an IRC client etc. I keep the system fairly restricted and up to date, use software like fail2ban, and I haven't really had any issues in the well over a decade I've been running one.
