vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

port forward help

Wed May 03, 2023 7:57 pm

hi,

new to mikrotik. i can't figure out what i'm missing
i have a RB750Gr3 and i'm trying to forward ports 10000, 80 and 443 to a lan ip. this is my export. i dunno what i'm doing wrong. all services are accessible from a local ip, none from wan
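# may/03/2023 19:34:22 by RouterOS 6.49.7
# software id = JDLJ-1RYF
#
# model = RB750Gr3
# serial number = xxxxxDEYHY
#
# Review notes: dual-WAN router (DIGI = PPPoE over ether1, Orange = DHCP on
# ether2) with L2TP/IPsec, PPTP and SSTP servers and three dst-nat forwards to
# 10.10.0.16. One change is applied below: Orange is added to the WAN interface
# list, without which the forward-chain "drop all from WAN not DSTNATed" rule
# never applies to traffic arriving on Orange. Other observations are comments.
/interface bridge
add admin-mac=18:FD:74:7F:BD:D9 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether2 = Orange (DHCP uplink, see /ip dhcp-client); ether1 carries the PPPoE
# session named DIGI.
set [ find default-name=ether2 ] name=Orange
set [ find default-name=ether1 ] name=digi_eth
/interface pppoe-client
add add-default-route=yes disabled=no interface=digi_eth name=DIGI user=\
    xxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.10.0.10-10.10.0.254
add name=vpn ranges=10.10.1.2-10.10.1.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
    bridge name=defconf
/ppp profile
# NOTE(review): VPN peers are given 10.10.1.x from pool "vpn" while the router
# side is 192.168.89.1; the "masq. vpn traffic" srcnat rule further down only
# covers 192.168.89.0/24 -- confirm which range the peers actually end up with.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=DIGI list=WAN
# Orange is the second uplink (DHCP client below) but was not a WAN-list
# member, so the forward-chain "drop all from WAN not DSTNATed" rule did not
# apply to it and LAN->Orange traffic did not match out-interface-list=WAN.
add interface=Orange list=WAN
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2/MPPE) is widely regarded as broken, and
# tcp/1723 is accepted on the input chain from every interface. L2TP/IPsec and
# SSTP are already enabled here; disable PPTP once no client depends on it.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
# Publishes the router's public address as xxxxdeyhy.sn.mynetname.net, which
# the "hostnames" address list below depends on.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=Orange
/ip dhcp-server lease
add address=10.10.0.16 client-id=\
    ff:5b:f8:df:8c:0:1:0:1:2b:e5:24:3b:bc:30:5b:f8:df:8c mac-address=\
    BC:30:5B:F8:DF:8C server=defconf
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=\
    1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=10.10.0.1
/ip dns
# Remote requests are allowed; only the input-chain "drop all not coming from
# LAN" rule keeps this resolver unreachable from the uplinks.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall address-list
# Both entries are FQDNs: the list contains whatever they currently resolve to.
add address=tavi.xxxx.xxx list=hostnames
add address=xxxxdeyhy.sn.mynetname.net list=hostnames
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# The VPN service ports below are accepted before the "drop all not coming
# from LAN" rule, so they are reachable on every interface, both uplinks
# included.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# tcp/443 to the router itself (SSTP). Packets that matched the dst-nat rule
# for 443 are rewritten in prerouting and take the forward chain, not input.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new connections arriving on a WAN-list member are dropped here; the
# forward chain has no final drop rule, so everything else is accepted.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# The connection marks feed the routing marks used by the routing-mark routes
# under /ip route, which are all disabled=yes at the moment -- presumably
# marked traffic then falls back to the main table; confirm before relying on
# them.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=DIGI new-connection-mark=DIGI_input passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Orange new-connection-mark=Orange_input passthrough=yes
add action=mark-routing chain=output connection-mark=DIGI_input \
    new-routing-mark=DIGI_output passthrough=yes
add action=mark-routing chain=output connection-mark=Orange_input \
    new-routing-mark=ORANGE_output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=DIGI
add action=masquerade chain=srcnat out-interface=Orange
# The forwards match on the resolved "hostnames" list, so they only fire when
# the packet's destination IP is currently in that list. Matching on
# in-interface-list=WAN plus dst-port instead would not depend on DNS.
add action=dst-nat chain=dstnat comment=webmin dst-address-list=hostnames \
    dst-port=10000 protocol=tcp to-addresses=10.10.0.16 to-ports=10000
add action=dst-nat chain=dstnat comment=apache dst-address-list=hostnames \
    dst-port=80 protocol=tcp to-addresses=10.10.0.16 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-address-list=hostnames \
    dst-port=443 protocol=tcp to-addresses=10.10.0.16 to-ports=443
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
# All three static routes are disabled; the active default routes come from
# the PPPoE client (add-default-route=yes) and the DHCP client on Orange
# (add-default-route not overridden here).
add check-gateway=ping disabled=yes distance=1 gateway=DIGI routing-mark=\
    DIGI_output
add check-gateway=ping disabled=yes distance=1 gateway=Orange routing-mark=\
    ORANGE_output
add check-gateway=ping disabled=yes distance=1 gateway=90.xxx.xxx.1,DIGI
/ip service
# telnet/ftp/www/ssh are off; winbox and api are not listed, so they keep their
# defaults and rely on the input-chain !LAN drop to stay off the uplinks.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
# NOTE(review): export hides the password by default -- confirm a strong one is
# set for user "vpn".
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set auto-upgrade=yes force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN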
Last edited by vidicantavi on Tue May 09, 2023 8:14 am, edited 1 time in total.
 
anav
Forum Guru
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: port forward help

Fri May 05, 2023 7:09 pm

(1) I am not a big fan of this default rule
# Drops new connections arriving on a WAN-list interface unless they were
# dst-nat'ed; it only covers an uplink that is actually a WAN-list member.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Suggest change it to

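# Three forward-chain rules: allow LAN->WAN, allow dst-nat'ed traffic, drop the
# rest. The first rule was missing chain=forward, which the other two specify.
# With a final drop, every uplink must be a WAN-list member or LAN traffic to
# it is dropped; VPN client interfaces are not LAN-list members either, so VPN
# traffic would presumably need its own accept before the drop -- confirm.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"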

(2) Your routes are bit funny.
What is the setup supposed to do for you.........
Is there a primary or secondary?
Do some subnets only go out one WAN etc....
Do some external users come in on any wans.

This might help explain the need for mangling or not for example.
 
vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

Re: port forward help

Tue May 09, 2023 7:41 am

sorry for the lack of details, it's supposed to be a load balance: one wan connection is dhcp and one is pppoe, that's why the routes are a bit funny. load balance seems to work since i can speedtest up to 1.4 gbps with one 1gbps connection and one 500mbps connection. the "vpn" part is me trying to get some cameras from another site that are behind a cg-nat to a nvr in yet another site to record. haven't finished that, just checked the vpn thing and didn't have time to finish setting it up or testing it.

i've tried disabling the not-established / not-dstnated drop rule. i've tried disabling all drop rules. port forwarding still didn't work

i've tried setting up your 3 rules; the drop-all-else rule makes the internet unusable, and the allow-port-forwarding dstnated counter goes up every time i try to access it but it's still not working.
 
broderick
Member Candidate
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: port forward help

Tue May 09, 2023 2:45 pm

The Mikrotik device seems to be behind another router
If it is so, how did you set it?
Did you open the same port on it too?
 
anav
Forum Guru
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: port forward help

Tue May 09, 2023 2:58 pm

There is no load balancing going on; you are missing rules for PCC load balancing, if that is what you are attempting.
All you have setup thus far is ensuring traffic coming in a particular WAN leaves the same WAN.
 
vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

Re: port forward help

Tue May 09, 2023 3:25 pm

The Mikrotik device seems to be behind another router
If it is so, how did you set it?
Did you open the same port on it too?
it is not behind another, just one of my providers has dhcp from their gpon to my router/pc etc. the gpon is set to bridge mode.
There is no load balancing going on; you are missing rules for PCC load balancing, if that is what you are attempting.
All you have setup thus far is ensuring traffic coming in a particular WAN leaves the same WAN.
well, i'm ok with the missing load balancing crap since i've got enough outgoing bandwidth to get my things done. and i mostly wanna have different services available when i call from a wan ip to be routed through different providers, therefore the marked connections / incoming addresses should do the trick. issue is i still can't access crap behind the router
 
anav
Forum Guru
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: port forward help

Tue May 09, 2023 6:00 pm

Well, you have to have some direction, if not load balancing then which one is primary and which one is failover?
 
vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

Re: port forward help

Wed May 10, 2023 12:05 pm

Well, you have to have some direction, if not load balancing then which one is primary and which one is failover?
honestly it feels like it's load balancing since if i visit whatismyip or speedtest sometimes it shows one ip and sometimes the other; speedtest in multi-file mode shows the cumulative speeds. one connection has a static ip, the other one has isp-provided ddns. also my forward rules are for both hostnames. even if i unplug 1 connection the forward isn't working; i tried resetting the router to use only one isp and the forward still isn't working. i even tried using the simple web browser forward with only 1 isp and the forward isn't working
 
anav
Forum Guru
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: port forward help

Wed May 10, 2023 2:15 pm

This is not a therapy class, what you feel is irrelevant. I asked for your planning and requirements.
 
vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

Re: port forward help

Wed May 10, 2023 8:06 pm

This is not a therapy class, what you feel is irrelevant. I asked for your planning and requirements.
that really was funny, and yes, i agree, i just wanna get the port forwarding working from both wan connections if possible.
 
anav
Forum Guru
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: port forward help

Wed May 10, 2023 8:10 pm

And I would love to help you do that but one needs context and planning before configuring otherwise its a waste of time.
Make up your mind on how you want to use your WAN connections, then we can properly deal with port forwarding on both wans.
 
vidicantavi
just joined
Topic Author
Posts: 6
Joined: Wed May 03, 2023 7:19 pm

Re: port forward help

Wed May 10, 2023 8:50 pm

And I would love to help you do that but one needs context and planning before configuring otherwise its a waste of time.
Make up your mind on how you want to use your WAN connections, then we can properly deal with port forwarding on both wans.
ok,

i'm really sorry if i'm not getting what you're asking me to do. i'm not really a network admin. i will try to explain as best as i can.

i have 2 wan connections. i have a nextcloud server on my network. i want to open 80, 443 and 10000 (webmin) to wan so i can get to my files from outside (phone and stuff), and if possible i would love to have load balancing configured properly to get the most out of my connections. then i have another mikrotik lte modem in another site that i would like to connect through vpn to this one so i can have my nvr record those ip cameras. nvr and cameras are in different sites and ddns doesn't work because of cgnat.

basically that is all i need. and i really appreciate the support
