froszu
just joined
Topic Author
Posts: 14
Joined: Tue Jul 06, 2021 9:54 pm

simple port forwarding is not working

Sat Jan 07, 2023 2:07 pm

I set up simple port forwarding, but none of it works. I've done it before with success, but now I am stuck.
Please, take a look at my config. I have some static leases defined.
I am also experimenting with VLANs, but VLANs do not seem to matter here - I tried deleting them and the ports still don't work.
There are firewall rules in the config, but I disabled them all in safe mode; it did not help.

How can I debug/test this?

# jan/07/2023 12:59:12 by RouterOS 7.6
# software id = Z9EA-9S6S
#
# model = RB5009UPr+S+
# serial number = HDA08FGQAT6
/interface bridge
add admin-mac=18:FD:74:CF:96:D0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] name=ether8-admin poe-out=off
/interface vlan
add disabled=yes interface=bridge name=vlan10-iot vlan-id=10
add disabled=yes interface=bridge name=vlan20-guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="admin iface list" name=admin-iface-list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=home_IP_pool ranges=192.168.2.200-192.168.2.254
add name=dhcp_pool_vlan10 ranges=192.168.10.200-192.168.10.254
add name=dhcp_pool_vlan20 ranges=192.168.20.200-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10-iot name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20-guest name=dhcp_vlan20
add address-pool=home_IP_pool interface=bridge name=dhcp_home
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether8-admin
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether8-admin list=admin-iface-list
add interface=bridge list=admin-iface-list
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.254.254/24 comment="admin addres" interface=ether8-admin \
    network=192.168.254.0
add address=192.168.10.1/24 interface=vlan10-iot network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-guest network=192.168.20.0
add address=192.168.2.10/24 interface=*13 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.3 client-id=1:18:fd:74:bb:eb:1e comment=\
    "cAp_XL static lease" mac-address=18:FD:74:BB:EB:1E server=*3
add address=192.168.2.123 client-id=1:e4:5f:1:1f:34:4e comment="habdec1 WiFi" \
    mac-address=E4:5F:01:1F:34:4E server=dhcp_home
add address=192.168.2.2 client-id=1:2c:c8:1b:42:ec:cb comment=\
    "MikroTik Callisto" mac-address=2C:C8:1B:42:EC:CB server=dhcp_home
add address=192.168.2.124 client-id=1:b8:27:eb:85:70:fa comment="pisdr1 WiFi" \
    mac-address=B8:27:EB:85:70:FA server=dhcp_home
add address=192.168.2.12 client-id=1:0:11:32:cb:ac:e8 comment="nas1 synology" \
    mac-address=00:11:32:CB:AC:E8 server=dhcp_home
add address=192.168.2.11 client-id=1:e4:5f:1:39:43:fd comment=pibak1 \
    mac-address=E4:5F:01:39:43:FD server=dhcp_home
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=2455 protocol=tcp to-addresses=\
    192.168.2.124 to-ports=2455
add action=dst-nat chain=dstnat dst-port=2422 protocol=tcp to-addresses=\
    192.168.2.124 to-ports=22
add action=dst-nat chain=dstnat dst-port=1122 protocol=tcp to-addresses=\
    192.168.2.11 to-ports=22
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB5009

/tool mac-server
set allowed-interface-list=admin-iface-list
/tool mac-server mac-winbox
set allowed-interface-list=admin-iface-list
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forwarding is not working

Sat Jan 07, 2023 5:20 pm

The format of your dstnat rules is incorrect and missing something ..................

Have a read.......... of port forwarding in general; this is geared towards hairpin NAT but it's good reading nonetheless. viewtopic.php?t=179343

However, to quickly answer your question.... In general, if your WANIP is dynamic:
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=xxxxx protocol=yyy to-addresses=LANIP { to-ports only required for port translation }

If static:
add chain=dstnat action=dst-nat dst-address=WANIP dst-port=xxxxx protocol=yyy to-addresses=LANIP

++++++++++++++++

If the WANIP is dynamic and you wish to reach the server from the LAN by use of the WANIP, then that adds complications, solved by various means, but the most common is to set up a firewall address list consisting of your IP cloud address.

add chain=dstnat action=dst-nat dst-address-list=MYCLOUDIP dst-port=xxxxx protocol=yyy to-addresses=LANIP

+++++++++++++++++++

If the server is in the same subnet as the users accessing it via WANIP, then you run into hairpin NAT, solved typically by
add chain=srcnat action=masquerade dst-address=localsubnet src-address=localsubnet
 
froszu
just joined
Topic Author
Posts: 14
Joined: Tue Jul 06, 2021 9:54 pm

Re: simple port forwarding is not working

Sat Jan 07, 2023 5:54 pm

Many thanks for the fast reply!
Before I delve into reading on hairpin NAT...

My WANIP is static, so looking at your quick answer, I was missing just dst-address=WANIP. After I added this, I still can't reach my port.
I am testing outside of my LAN, to not run into the hairpin problem - I am basically trying to SSH into a Raspberry Pi from my phone (just cell, no WiFi).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forwarding is not working

Sat Jan 07, 2023 6:40 pm

If it's from the external side and not a user from the same LAN subnet, you can ignore hairpin.

Since it's a static IP (not that it will change the results of your testing), the source NAT rule could look like:

add chain=srcnat action=src-nat out-interface=ether1 to-addresses=staticWANIP


++++++++++++++++++

Not familiar with IPv6, but I do recommend the following.... add the standard rule required for dst-nat in the forward chain prior to the last rule.
From:
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN


TO:
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
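As an added example (not anav's or MikroTik's own configuration) that combines the three pieces from the two replies above for the IPv4 rules the posted config actually uses: the "If static" dst-nat form, the static-WAN src-nat rule, and the connection-nat-state=dstnat accept placed above the drop in the forward chain. 203.0.113.10 is an assumed placeholder for the static WAN IP (documentation range); the LAN targets and ports are the ones from the posted config. The checks at the end answer the original "how can I debug/test this" question: dst-nat counters that never move while you connect from outside mean the packets are not reaching ether1 at all, which points upstream rather than at the NAT rules.

```routeros
# Added example, not from the thread or MikroTik documentation.
# Assumed placeholder: 203.0.113.10 = the router's static public IP on ether1.
# 192.168.2.124/2422 and 192.168.2.11/1122 are the targets from the posted config.

/ip firewall nat
# Outbound: with a static WAN IP, src-nat to that address replaces masquerade.
add chain=srcnat action=src-nat out-interface-list=WAN to-addresses=203.0.113.10 \
    comment="static WAN src-nat"
# Inbound: match the public address explicitly so only traffic aimed at the
# WAN IP is rewritten (the "If static" form from the reply above).
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp \
    dst-port=2422 to-addresses=192.168.2.124 to-ports=22 comment="ssh -> pisdr1"
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp \
    dst-port=1122 to-addresses=192.168.2.11 to-ports=22 comment="ssh -> pibak1"

/ip firewall filter
# Minimal IPv4 forward chain. Order matters: the dst-nat accept must sit above
# the WAN drop, otherwise the translated SYN is dropped after NAT.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=WAN comment="allow port forwarding"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# --- checks ---
# 1. Do packets for the forwarded ports reach the router at all? Counters that
#    stay at 0 while you connect from outside mean the upstream device (here the
#    ISP CPE/DMZ) is not delivering them to ether1.
/ip firewall nat print stats where chain=dstnat
# 2. Was a translated connection created? dst-address in the connection table is
#    the original (public) destination, so match on the public port.
/ip firewall connection print where protocol=tcp dst-address~":2422"
# 3. Watch the WAN port live while a test client connects from the outside.
/tool sniffer quick interface=ether1 port=2422
```

On a router that already has the default IPv4 filter, add only the "allow port forwarding" rule and give it place-before=[find comment="defconf: drop all from WAN not DSTNATed"] so it lands above the drop; /ip firewall filter print shows the resulting order.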
 
froszu
just joined
Topic Author
Posts: 14
Joined: Tue Jul 06, 2021 9:54 pm

Re: simple port forwarding is not working

Sat Jan 07, 2023 10:40 pm

Ok - is it possible the problem is elsewhere?
Here:

I am getting internet from my ISP into their router. Since they won't give me access to this router, I asked them to set up DMZ and "forward" all traffic to port Ether1.
This Ether1 is where I plug in my MikroTik router - and I am getting IP address 192.168.1.3.
My old OpenWRT router (which I am dumping in favour of MikroTik :) was always getting IP 192.168.1.2.

Is it possible that my ISP configured DMZ in such a way that it works only with the old OpenWRT device?
I think so, because I can't even open the Web GUI on port 80 from outside.
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: simple port forwarding is not working

Sat Jan 07, 2023 10:51 pm

Is it possible that my ISP configured DMZ in such a way that it works only with the old OpenWRT device?

It's very much possible. You can set the "WAN" IP address on the MikroTik manually to 192.168.1.2 (you can actually keep the DHCP client as it is and only add this address to ether1; it's fine for a device to have more than one IP address per interface) just to test if things start to work somehow. Just make sure your old router is not connected to the CPE's DMZ while testing. If things start to work, then either ask the ISP to change things on the CPE or configure the MT with a static IP setup (if you stop the DHCP client, you'll have to set some further things, such as route, DNS servers, etc.).
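Added example (not mkx's or MikroTik's own configuration) of the test described above and of the static-WAN follow-up with the "further things" a stopped DHCP client no longer supplies. It assumes the ISP CPE sits at 192.168.1.1 on 192.168.1.0/24 and forwards DNS; only 192.168.1.2 and 192.168.1.3 appear in the thread, the rest is assumed.

```routeros
# Added example, not from the thread or MikroTik documentation.
# Assumed: ISP CPE at 192.168.1.1 serving 192.168.1.0/24 and acting as DNS forwarder.

# Step 1 - test only: keep the DHCP client and add the address the old router had.
# ether1 then holds both 192.168.1.3 (dynamic, from DHCP) and 192.168.1.2 (static).
/ip address add address=192.168.1.2/24 interface=ether1 comment="DMZ test address"

# Step 2 - only if the test works and you prefer a fully static WAN: replace what
# the DHCP client was providing (default route and DNS) before disabling it, so
# the router does not lose connectivity in between.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="static default via CPE"
/ip dns set servers=192.168.1.1
/ip dhcp-client disable [find interface=ether1]

# Step 3 - verify from the router itself before testing from outside again.
/ip address print where interface=ether1
/ip route print where dst-address=0.0.0.0/0
/ping 192.168.1.1 src-address=192.168.1.2 count=3

# Cleanup once the ISP has fixed the CPE and the test address is no longer needed:
/ip address remove [find comment="DMZ test address"]
```

Run step 1 on its own first; if the forwarded port starts answering with only the extra address in place, the CPE's DMZ is tied to the old router's address (or, as it turned out in this thread, its MAC), and step 2 is optional.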
 
froszu
just joined
Topic Author
Posts: 14
Joined: Tue Jul 06, 2021 9:54 pm

Re: simple port forwarding is not working  [SOLVED]

Sun Jan 08, 2023 12:12 am

Success! I changed the MAC address on ether1, rebooted, and all flies!
/interface ethernet set ether1 mac-address=xxx

Thanks for your time, all.
 
souljazk
just joined
Posts: 17
Joined: Tue Jan 12, 2016 10:05 am

Re: simple port forwarding is not working

Mon Jan 09, 2023 9:25 am

Depending what you are forwarding, you may be better off using Cloudflare to allow secure access, without needing to open any ports.
