PreambleDoorpost
just joined
Topic Author
Posts: 5
Joined: Sun Feb 12, 2023 2:25 am

Trouble with Port Forwarding

Sun Feb 12, 2023 3:12 am

Hi,

I am having issues with port forwarding. I know these logs have a LOT of unnecessary stuff, I've been messing around trying to get port forwarding to work.

My NAT rule packet counter goes up every time I send a ping check on it but there is never a response back.
/interface bridge
add name=local
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/ip pool
add name=dhcp_pool0 ranges=192.168.88.12-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge nat
add action=accept chain=srcnat disabled=yes
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether1
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether3
add bridge=local interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=combo1

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.3 gateway=192.168.88.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat disabled=yes \
    dst-address=publicip  dst-port=3245 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes \
    dst-address=publicip  dst-port=3245 protocol=udp
add action=accept chain=forward disabled=yes dst-port=3245 in-interface=\
    combo1 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input disabled=yes dst-port=46698 protocol=tcp
add action=accept chain=input disabled=yes dst-port=46698 protocol=udp
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new connection-type="" in-interface-list=listBridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=combo1 log=yes log-prefix=!NAT
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new disabled=yes dst-address=publicip  dst-port=443 \
    in-interface-list=listBridge protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new disabled=yes dst-address=publicip  dst-port=443 \
    in-interface-list=listBridge protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.88.220 \
    dst-port=443 protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.88.220 \
    dst-port=443 in-interface=combo1 protocol=udp
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=combo1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=combo1 \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=combo1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    combo1
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=combo1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=\
    "Allow Established/Related/Untracked connections" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop everything else"
/ip firewall mangle
add action=passthrough chain=prerouting disabled=yes dst-port=3245 log=yes \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1
add action=dst-nat chain=dstnat disabled=yes dst-address=publicip \
    dst-port=443 in-interface=combo1 protocol=tcp to-addresses=192.168.88.220 \
    to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=combo1 \
    protocol=udp to-addresses=192.168.88.220 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=60665 protocol=udp \
    to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-address=oldpublicip  \
    dst-port=27765 protocol=tcp src-port="" to-addresses=192.168.88.230 \
    to-ports=27765
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.230 \
    out-interface=local protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=oldpublicip \
    dst-port=25565 in-interface=combo1 protocol=udp to-addresses=\
    192.168.88.232 to-ports=25565
add action=dst-nat chain=dstnat disabled=yes dst-port=1224 protocol=tcp \
    to-addresses=192.168.88.220
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.220 \
    dst-port=46698 protocol=tcp
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.220 \
    dst-port=46698 protocol=udp
add action=dst-nat chain=dstnat disabled=yes dst-port=1224 protocol=udp \
    to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=udp \
    to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=tcp \
    to-addresses=192.168.88.220
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add disabled=yes interface=ether1 type=internal
add disabled=yes interface=local type=internal
add disabled=yes interface=combo1 type=external
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trouble with Port Forwarding

Sun Feb 12, 2023 3:21 pm

Your firewall rules are a mess.

The only forward chain rule you need for port forwarding is one rule.
The rest are done in NAT rules...............
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
 
aoakeley
Member Candidate
Posts: 171
Joined: Mon May 21, 2012 11:45 am

Re: Trouble with Port Forwarding

Sun Feb 12, 2023 3:23 pm

PreambleDoorpost wrote:
Hi,
I am having issues with port forwarding.

All the DST-NAT (port forwarding) rules are disabled.
 
PreambleDoorpost
just joined
Topic Author
Posts: 5
Joined: Sun Feb 12, 2023 2:25 am

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 10:41 pm

Here is my setup after resetting my whole router and starting from scratch. I still can't get port forwarding to work; the counter on my dst-nat rule goes up by 1 every time I test, but it's still closed on the outside.
/interface bridge
add name=Local
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.22.2-10.10.22.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Local name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=Local interface=ether1
add bridge=Local interface=ether2
add bridge=Local interface=ether3
add bridge=Local interface=ether4
add bridge=Local interface=ether5
add bridge=Local interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=!listBridge
/interface list member
add interface=Local list=listBridge
/ip address
add address=10.10.22.1/24 comment=defconf interface=Local network=10.10.22.0
/ip dhcp-client
add interface=combo1
/ip dhcp-server network
add address=10.10.22.0/24 dns-server=1.1.1.1 gateway=10.10.22.1
/ip firewall filter
add action=accept chain=input comment="Default configuration" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="fast-track for establis\
    hed,related\"This rule allows established and related connections to bypas\
    s the firewall and significantly reduce CPU usage." connection-state=\
    established,related hw-offload=yes
add action=accept chain=input protocol=icmp
add action=accept chain=forward dst-port=65472 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop everything else, log = yes"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1
add action=dst-nat chain=dstnat dst-port=65472 in-interface=combo1 protocol=\
    tcp to-addresses=10.10.22.241
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=10.10.22.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set color-scheme=dark enabled=no
/system clock
set time-zone-name=America/Los_Angeles
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 11:11 pm

Are you sure that on your 10.10.22.241 device something definitely listens on tcp port 65472, it's not blocked by device's own firewall, device has this router as its default gateway, etc?
 
PreambleDoorpost
just joined
Topic Author
Posts: 5
Joined: Sun Feb 12, 2023 2:25 am

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 11:15 pm

Sob wrote:
Are you sure that on your 10.10.22.241 device something definitely listens on tcp port 65472, it's not blocked by device's own firewall, device has this router as its default gateway, etc?

Default gateway = yes
I'm just using a port checker on the web so i'd say yes something is listening
not blocked by firewall = yes shouldn't be
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 11:18 pm

I mean, when you're using the port checker, at that moment, is there any software running on the internal device and listening on that port? It must be, otherwise there will be no response. You can't open a port "for later" without something actively using it and have it shown as open.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 11:19 pm

Why did you make this rule in this format.........
/ip neighbor discovery-settings
set discover-interface-list=!listBridge


You are missing LAN and WAN interfaces
/interface list
add name=WAN
add name=LAN
add name=listBridge ??? but why suggest not needed....... aka remove it.

/interface list members
add interface=combo1 list=WAN
add interface=Local list=LAN

Now you can make the rule properly.
/ip neighbor discovery-settings
set discover-interface-list=LAN


Why did you remove most of the default firewall rules.......... and why do you not get organized and at least put them within the same chain???
/ip firewall filter
add action=accept chain=input comment="Default configuration" \
connection-state=established,related
add action=fasttrack-connection chain=forward comment="fast-track for establis\
hed,related\"This rule allows established and related connections to bypas\
s the firewall and significantly reduce CPU usage." connection-state=\
established,related hw-offload=yes
add action=accept chain=input protocol=icmp
add action=accept chain=forward dst-port=65472 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop everything else, log = yes"


USE THIS.......
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
*****
{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward


The only weird rule which needs explanation is this rule......?? I didn't include it above as it seemed out of place.
add action=accept chain=forward dst-port=65472 protocol=tcp
Okay, I see it's related to port forwarding. Yes, removing it was the smart move.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With the above fixed up,
In terms of port forwarding....... ( as long as you are not attempting to reach the server from the LAN using the WANIP of the router ) it should be fine.
External users should be able to connect and LAN users should be able to connect using the LANIP of the server directly.

If external users cannot reach the server then it's more likely an ISP issue, or a firewall on your server device, or you don't have a publicly reachable WANIP.


Last config bit seen.
/tool mac-server
set allowed-interface-list=LAN
Last edited by anav on Mon Feb 20, 2023 2:10 am, edited 1 time in total.
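To put anav's two points together (one forward rule for all port forwards, and the caveat about LAN hosts reaching the server through the router's WAN IP), here is an added example config, not taken from the thread or from the OP's router. It reuses the OP's names and addresses (bridge "Local", WAN interface "combo1", server 10.10.22.241, TCP port 65472) and anav's WAN/LAN interface lists; the comments and the hairpin rules are assumptions about what the OP wants, not something the thread confirms they need.

```routeros
# Added example (not the OP's export): interface lists, a port forward for
# TCP 65472 to 10.10.22.241, and hairpin NAT so LAN hosts can also reach the
# server through the router's WAN address.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=combo1 list=WAN
add interface=Local list=LAN

/ip firewall nat
# Outbound masquerade, same role as the OP's out-interface=combo1 rule.
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade"
# Port forward from the internet. Matching on in-interface-list=WAN means
# only traffic that actually arrived on combo1 is redirected; there is no
# need to hardcode the DHCP-assigned public IP.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=65472 \
    action=dst-nat to-addresses=10.10.22.241 comment="forward 65472 from WAN"
# Hairpin, step 1: a LAN host connecting to any of the router's own
# addresses on 65472 (dst-address-type=local covers the WAN IP, and also
# 10.10.22.1) is redirected to the server as well.
add chain=dstnat in-interface-list=LAN dst-address-type=local protocol=tcp \
    dst-port=65472 action=dst-nat to-addresses=10.10.22.241 comment="hairpin dstnat"
# Hairpin, step 2: rewrite the LAN client's source address so the server
# replies back through the router; otherwise the server answers the client
# directly on the LAN, the client sees a reply from 10.10.22.241 instead of
# the WAN IP, and the connection never completes.
add chain=srcnat src-address=10.10.22.0/24 dst-address=10.10.22.241 \
    protocol=tcp dst-port=65472 out-interface-list=LAN action=masquerade \
    comment="hairpin srcnat"

/ip firewall filter
# The single forward-chain rule anav describes: accept every new connection
# that a dst-nat rule already rewrote. Keep it above the final forward drop.
add chain=forward connection-nat-state=dstnat connection-state=new \
    action=accept comment="allow port forwarding"
```

Two practitioner notes. First, this opens 65472 on the server to the whole internet; if the peers are known, add `src-address-list=` with the trusted ranges to the WAN dst-nat rule (anav's observation that a source restriction makes the port "not show at all" to a checker is the expected effect, since the checker's address does not match). For BitTorrent that is not practical, so the server's own host firewall is the remaining control. Second, `dst-address-type=local` also matches the router's LAN address, so 10.10.22.1:65472 forwards to the server too; if that is unwanted, replace it with `dst-address=<your public IP>` once the WAN address is known and static.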
 
PreambleDoorpost
just joined
Topic Author
Posts: 5
Joined: Sun Feb 12, 2023 2:25 am

Re: Trouble with Port Forwarding

Sun Feb 19, 2023 11:56 pm

Sob wrote:
I mean, when you're using the port checker, at that moment, is there any software running on the internal device and listening on that port? It must be, otherwise there will be no response. You can't open a port "for later" without something actively using it and have it shown as open.

wouldn't the port checker online be doing just that, what's the point otherwise?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 12:05 am

You need to understand what it does. There may be misleading wording about checking for open ports. But it's actually checking if it's able to connect to something. It knows nothing about your router and its config, and has no means to discover anything about that. Either it will be able to connect to something or not (and hopefully it will be whatever is running on the internal machine and listening on that port).
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 2:12 am

I can port check a MT destination nat rule using gibson's site and it will show the port as existing but closed.
If I add a source address on the DST NAT rule, the port will not show at all.

Suffice to say, the only way to honestly check is with your cell phone (with wifi turned off) to see if
a. you can ping the wanip of the router
b. you can ping the server IP.

Or get a friend to connect to the server.........
 
PreambleDoorpost
just joined
Topic Author
Posts: 5
Joined: Sun Feb 12, 2023 2:25 am

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 2:49 am

The end goal here is for uploading on peer-peer connections aka bittorrent.

I think I've got it working but my upload speeds are only hitting 100 bits to 12kb/s so very slow on a 1gig connection.

This is through a VPN, would I need to set up additional rules?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 3:52 am

@anav: There can be different results, and there's also difference between tcp and udp.

In case there wouldn't be any firewall, tcp connection that reaches target host always gets something back, either ack (when something listens on that port = it's open) or rst (when nothing listens there = it's closed). With udp it's different, because it's just individual packets, so even if something listens on that port, it doesn't mean that it will send something back. As a result, you can't clearly tell whether the port is open. When it's closed, there will be icmp message.

When there's firewall that drops packets (= nothing comes back), then for tcp it can be identified as separate filtered state. For udp it's same as before, nothing comes back, so it's either open or filtered.

Another thing to remember is that remote client can't tell what responds. If you have correct port forwarding, it's target machine. If you mess it up, it's your router. If you forget that you don't even have public address, it's ISP's router. And whichever it is, it all looks the same.
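Sob's last point is the one a remote checker cannot resolve: the answer might come from the server, from the router, or from the ISP's CGNAT box, and from outside they all look alike. The router itself can tell the three apart. The following is an added set of RouterOS commands, not from the thread, using the OP's WAN interface "combo1", bridge "Local", server 10.10.22.241 and port 65472; the rule comment in step 2 is an assumed label for the OP's dst-nat rule, so substitute whatever the rule is actually called.

```routeros
# Added diagnostic commands (not from the thread). Run them on the router
# while the external checker (or a phone on mobile data) is probing port 65472.

# 1. Is the WAN address public at all? A 100.64.0.0/10 (CGNAT) or RFC1918
#    address here means the ISP's router answers the probe, not yours, and
#    no dst-nat rule on this box can change that.
/ip dhcp-client print detail where interface=combo1
/ip address print where interface=combo1

# 2. Did the probe reach the dst-nat rule? A rising packet counter proves
#    the SYN arrived on combo1 and was rewritten; an unchanged counter
#    points upstream (ISP filtering, wrong public IP, checker hitting
#    something else).
/ip firewall nat print stats where comment="forward 65472 from WAN"

# 3. Did the server answer the rewritten SYN? An entry stuck in
#    tcp-state=syn-sent with a reply packet count of 0 means 10.10.22.241
#    is not listening or its host firewall drops the SYN; tcp-state
#    established means the server replied and the forward is working.
/ip firewall connection print detail where protocol=tcp \
    dst-address~"10.10.22.241:65472"

# 4. If the router's own forward chain is dropping the flow, the drop
#    rule's counter rises instead; logged drops show up here too.
/ip firewall filter print stats where chain=forward action=drop
/log print where message~"65472"

# 5. Watch the LAN side live: a SYN toward the server with no SYN-ACK or
#    RST coming back confirms the problem is on the server, not the router.
/tool sniffer quick interface=Local port=65472
```

Read in order, these map onto Sob's three cases: step 1 rules the ISP in or out, step 2 shows whether the router saw the packet, and steps 3 to 5 show whether the server did. A TCP RST from the server in step 5 is the "closed" result the checker reported, and it means the forward itself is fine and only the listening process is missing.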
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 4:04 am

Ability to upload with BT or speed of it doesn't have much to do with ability to accept incoming connections. It just makes connecting between clients easier, but it doesn't mean that it would be impossible without it.

Using VPN does need some extra config, which depends on what kind of VPN it is.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trouble with Port Forwarding

Mon Feb 20, 2023 4:04 am

@sob isn't it past your bedtime LOL...........
