101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Why doesn't the port open?

Mon Feb 20, 2023 10:34 pm

Hello. Help me, please!
I want to open a port for my virtual machine whose ip is 192.168.88.100 with port 7777 for UDP. Locally the server works, everything is fine. I write my external ip, then the port is closed, etc.

Device: Hap ac2
Settings default
RouterOS v7.7 (stable)
Address Acquisition: PPPoE
ISP: IP in stock

The settings I made:
ip
firewall
nat add
chain=dstnat
Dst. Address= my isp ip
protocol= 17 (udp)
dst-port=7777
In. Interface List= WAN
action=dst-nat
to-address=192.168.88.100 (ip virtual machine)
to-port=7777

config
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

Thank you in advance for your response
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 12:28 am

add this and try again:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 9:52 am

> add this and try again:
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=bridge

I added.
Port 7777 is closed on my ip
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 10:49 am

Your ISP may filter game ports. Ask them whether it does or not.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 2:33 pm

For start, your "my isp ip" is public (not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x) and directly on your router (you can see it in IP->Addresses), correct?
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 3:12 pm

> Your ISP may filter game ports. Ask them whether it does or not.

They said that all the ports are open and set up the router
Last edited by 101 on Tue Feb 21, 2023 4:43 pm, edited 1 time in total.
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 4:41 pm

> For start, your "my isp ip" is public (not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x) and directly on your router (you can see it in IP->Addresses), correct?

https://bayfiles.com/ra28y6Z9y9/1_png
https://bayfiles.com/qa2cy0Z8y9/2_png
 
rextended
Forum Guru
Posts: 12007
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Why doesn't the port open?

Tue Feb 21, 2023 6:15 pm

Sorry, by that title "Why doesn't the port open?"
Gain this reply: "You have try to turn the knob or use the key?"
:lol:
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why doesn't the port open?

Tue Feb 21, 2023 6:33 pm

Really, is that where you went..........?

Shocking, I thought it would have been,
........ if it's open we must drink it soon, otherwise it will go bad. ;-)

OR

The port is closed due to an explosion at the docks..............
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 7:07 pm

> Sorry, by that title "Why doesn't the port open?"
> Gain this reply: "You have try to turn the knob or use the key?"
> :lol:

Very excellent response from "guru". I am not a sysadmin, and I am entitled to make a mistake. I was looking for information on how to solve my question, so I come to the forum when I can no longer solve it at all. For me it is a dark forest in the light of day.
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 7:08 pm

> Really, is that where you went..........?
>
> Shocking, I thought it would have been,
> ........ if it's open we must drink it soon, otherwise it will go bad. ;-)
>
> OR
>
> The port is closed due to an explosion at the docks..............

My answer to rextended is the same as yours.
Thank you!
 
rextended
Forum Guru
Posts: 12007
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Why doesn't the port open?

Tue Feb 21, 2023 7:09 pm

>> Sorry, by that title "Why doesn't the port open?"
>> Gain this reply: "You have try to turn the knob or use the key?"
>> :lol:
> Very excellent response from "guru". I am not a sysadmin, and I am entitled to make a mistake. I was looking for information on how to solve my question, so I come to the forum when I can no longer solve it at all. For me it is a dark forest in the light of day.

You took it from the wrong point of view, it was just a joke to defuse, given the title it came naturally to me.
Too much seriousness in life kills earlier.

Don't take me seriously just because it says "Forum Guru"...
Trust the guru :lol:
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 7:22 pm


>> Very excellent response from "guru". I am not a sysadmin, and I am entitled to make a mistake. I was looking for information on how to solve my question, so I come to the forum when I can no longer solve it at all. For me it is a dark forest in the light of day.
> You took it from the wrong point of view, it was just a joke to defuse, given the title it came naturally to me.
> Too much seriousness in life kills earlier.
>
> Don't take me seriously just because it says "Forum Guru"...
> Trust the guru :lol:

Okay, I hear you). It's just that the language barrier makes it hard to take jokes. :roll:
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 8:44 pm

Is it also the language barrier that makes you answer only half of the questions? :) Now we know that if it starts with 91, it's a public address. But we still don't know if your router actually has this address. Once again, look in IP->Addresses, is this address there?
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 8:55 pm

> Is it also the language barrier that makes you answer only half of the questions? :) Now we know that if it starts with 91, it's a public address. But we still don't know if your router actually has this address. Once again, look in IP->Addresses, is this address there?

> Is it also the language barrier that makes you answer only half of the questions?

Sorry.

IP -> Addresses, is this address there? Yes

https://bayfiles.com/26d42fZ1ye/Screens ... _52_14_png
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 11:06 pm

Yes, it's correct and it should work. Even if it wouldn't work completely, you should at least see some incoming packets, counters for dstnat rule (columns Bytes and Packets) should increase. How do you test it?
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 11:11 pm

> Yes, it's correct and it should work. Even if it wouldn't work completely, you should at least see some incoming packets, counters for dstnat rule (columns Bytes and Packets) should increase. How do you test it?

I connect to the server, or use sites where you can check any ports.
Can you please tell me if I have the right NAT?
https://bayfiles.com/ra28y6Z9y9/1_png
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why doesn't the port open?

Tue Feb 21, 2023 11:16 pm

Not from a screenshot, it can hide some things. But based on your description in first post it should be ok. To be sure, try to run this in Terminal:
/export file=myconfig
and then post content of created myconfig.rsc here in code tags.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why doesn't the port open?

Wed Feb 22, 2023 4:36 am

Finally Sob you are getting the hang of helping, next time ask for the config on the first post ;-PP
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Wed Feb 22, 2023 10:36 am

> Not from a screenshot, it can hide some things. But based on your description in first post it should be ok. To be sure, try to run this in Terminal:
> /export file=myconfig
> and then post content of created myconfig.rsc here in code tags.

 by RouterOS 7.7
# model = RBD52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=XXXX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=XXXX wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXK
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
    dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.88.101 to-ports=7777  #192.168.88.101 correct for Virtual Machine
/ip hotspot service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:XXX::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=MY IPv6::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=XXXX/XXXXX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 12007
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Why doesn't the port open?

Wed Feb 22, 2023 11:41 am

delete this:
add action=masquerade chain=srcnat comment=forum out-interface=bridge

and test if all work outside your network.

you must use another internet connection for test if it is working, or you go to the hell of hairpin nat & co.

(and also you must be sure that the ports on vmachine are correct)

And you must also be sure that your ISP does not block the port...
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Why doesn't the port open?

Wed Feb 22, 2023 11:54 am

Remove your full IP address everywhere, leave 91.xx.xx.xx in the photo and in the config text. Otherwise you can get regular bot attacks.
What service are you trying to run on this port?
Checking the openness of a specific port through the sites does not always give the right result. Try changing UDP to TCP to check and some widespread service.
From the local network, access to the external IP also does not work; if necessary, you need to configure hairpin NAT.
If incoming port is the same as outgoing then you do not need to specify it in the output.

Disable the rule, it is unnecessary:
add action=masquerade chain=srcnat comment=forum out-interface=bridge
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why doesn't the port open?

Wed Feb 22, 2023 4:16 pm

What I find confusing is the WAN situation. I thought PPPoE provides a dynamic WANIP.
Please confirm as that very much drives correct config formats for rules.............
If it's a fixed static WANIP, quite correct never show it in full.
If not, then don't show any WANIP address as it's not relevant.


add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
dst-address=91.XX dst-port=7777 in-interface-list=WAN protocol=\
udp to-addresses=192.168.88.101 to-port=7777

One should have either (NOT BOTH):
a. dst-address for a static/fixed WANIP
b. in-interface-list=WAN for a dynamic WANIP
c. dst-address-list=MYIPCLOUD for dynamic WANIP with a hairpin NAT scenario.

Note: to-port not required if same as dst-port.
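
The review points raised in this thread, collected into a small linter for a RouterOS export. This is an added example, not code from any poster; the finding codes and the SAMPLE config are constructed (the sample is modelled on the export posted above and uses the hypothetical address 123.123.1.10 from the thread).

```python
import ipaddress
import shlex

# Constructed sample, modelled on the export posted in this thread.
SAMPLE = r"""
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777" \
    dst-address=123.123.1.10 dst-port=7777 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.88.101 to-ports=7777
"""

def parse_export(text):
    """Return [(section, verb, {property: value})] from RouterOS /export text."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
        elif section and line.startswith(("add ", "set ")):
            verb, *tokens = shlex.split(line)   # keeps comment="a b" as one token
            props = dict(t.split("=", 1) for t in tokens if "=" in t)
            entries.append((section, verb, props))
    return entries

def lint_nat(text):
    """Return [(code, rule comment, message)] for the NAT points raised in the thread."""
    entries = parse_export(text)
    lan = {p["interface"] for s, _, p in entries
           if s == "/interface list member" and p.get("list") == "LAN" and "interface" in p}
    found = []
    for section, verb, p in entries:
        if section != "/ip firewall nat" or verb != "add":
            continue
        tag = p.get("comment", "")
        if (p.get("action") == "masquerade" and p.get("out-interface") in lan
                and "src-address" not in p):
            found.append(("lan-masquerade", tag,
                          "LAN hosts see the router's address, not the real client"))
        if p.get("action") != "dst-nat":
            continue
        if "dst-address" in p and "in-interface-list" in p:
            found.append(("two-matchers", tag, "dst-address and in-interface-list both set"))
        if "to-ports" in p and p["to-ports"] == p.get("dst-port"):
            found.append(("redundant-to-ports", tag, "to-ports equals dst-port"))
        try:
            if ipaddress.ip_address(p.get("dst-address", "")).is_global:
                found.append(("public-ip", tag, "redact before posting the export"))
        except ValueError:               # absent, redacted (91.XX) or a placeholder name
            pass
    return found

if __name__ == "__main__":
    for code, tag, msg in lint_nat(SAMPLE):
        print(f"[{code}] {tag!r}: {msg}")
```

The `lan-masquerade` finding matters for logging on the forwarded host: with that rule in place every forwarded connection appears to come from 192.168.88.1, so the server cannot record or block individual remote addresses.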
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why doesn't the port open?

Wed Feb 22, 2023 7:07 pm

It seems mostly fine. In addition to previous (^^^), you can try to add temporary logging rule, either for specific port:
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 protocol=udp dst-port=7777 connection-state=new action=log log-prefix=new-incoming
Or a broad one for all:
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 connection-state=new action=log log-prefix=new-incoming
Then try some online port tester, even for different ports that you don't forward anywhere, and see if anything gets logged (= connection attempts from internet reached your router).
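
A way to generate known UDP test traffic for the dst-nat counters and the logging rule above, instead of relying on a port-checking site. This is an added example, not part of the thread; the `fwdtest` marker, the function names and the file name `udpcheck.py` are assumptions made for the example.

```python
import os
import socket
import sys
import time

MAGIC = b"fwdtest "            # constructed marker so the responder ignores other traffic

def open_listener(bind_addr="0.0.0.0", port=7777):
    """Bind the UDP socket on the forwarded host (192.168.88.101 in the thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock

def answer_probes(sock, count=None):
    """Answer `count` probes (None = until interrupted); return how many were answered."""
    answered = 0
    while count is None or answered < count:
        data, peer = sock.recvfrom(2048)
        if not data.startswith(MAGIC):
            continue                      # never echo arbitrary datagrams back
        sock.sendto(b"ack " + data[len(MAGIC):], peer)
        print(f"probe from {peer[0]}:{peer[1]}")   # source address the server actually sees
        answered += 1
    return answered

def probe(host, port=7777, tries=3, timeout=2.0):
    """Run from OUTSIDE the LAN; returns status 'reply', 'refused' or 'timeout'."""
    token = os.urandom(8).hex().encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))           # connected UDP: ICMP errors surface as exceptions
        for attempt in range(1, tries + 1):
            started = time.monotonic()
            try:
                s.send(MAGIC + token)
                reply = s.recv(2048)
            except socket.timeout:
                continue                  # lost, filtered, or nothing answering: retry
            except ConnectionRefusedError:
                return {"status": "refused", "attempt": attempt}
            if reply == b"ack " + token:
                rtt = round((time.monotonic() - started) * 1000, 1)
                return {"status": "reply", "attempt": attempt, "rtt_ms": rtt}
    return {"status": "timeout", "attempt": tries}

if __name__ == "__main__":
    if sys.argv[1] == "serve":            # on the VM:   python3 udpcheck.py serve
        answer_probes(open_listener())
    else:                                 # elsewhere:   python3 udpcheck.py probe <public-ip>
        print(probe(sys.argv[2]))
```

A `timeout` only says that no answer came back; whether the dst-nat rule's Bytes/Packets counters and the `new-incoming` log entries moved shows how far the probe got. Stop the responder once the test is done so the port does not stay answering on the internet.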
 
101
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2023 9:47 pm

Re: Why doesn't the port open?

Thu Mar 02, 2023 5:38 pm

> What I find confusing is the WAN situation. I thought PPPoE provides a dynamic WANIP.
> Please confirm as that very much drives correct config formats for rules.............
> If it's a fixed static WANIP, quite correct never show it in full.
> If not, then don't show any WANIP address as it's not relevant.
>
> add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
> dst-address=91.XX dst-port=7777 in-interface-list=WAN protocol=\
> udp to-addresses=192.168.88.101 to-port=7777
>
> One should have either (NOT BOTH):
> a. dst-address for a static/fixed WANIP
> b. in-interface-list=WAN for a dynamic WANIP
> c. dst-address-list=MYIPCLOUD for dynamic WANIP with a hairpin NAT scenario.
>
> Note: to-port not required if same as dst-port.

Thank you for your response. Please explain again. What should I do?
Let's imagine from scratch that I have an ip to access the internet: 123.123.1.10.
The router routeros have the factory settings.
I want to open the virtual machine port: 192.168.88.101.
What would you do?
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Why doesn't the port open?

Thu Mar 02, 2023 11:48 pm

> The router routeros have the factory settings.

/ip firewall nat
add action=dst-nat chain=dstnat comment="virtual machine" dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101


PS Provided the client only connects from an external network
Last edited by Ca6ko on Fri Mar 03, 2023 7:49 am, edited 3 times in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why doesn't the port open?

Fri Mar 03, 2023 3:16 am

Two things.............. okay three things........
if users are in same subnet and need to reach the server via wanip domain name, then you need hairpin NAT rule.

Also need to change forward chain rule..........
From
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


FROM
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=\
udp to-addresses=192.168.88.101 to-ports=7777 #192.168.88.101 correct for Virtual Machine


TO
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \
dst-address=fixedWANIP dst-port=7777 protocol=udp to-addresses=192.168.88.101
