Port forwarding

Rule · Sun Feb 18, 2024 8:08 pm

Hey! I've got a problem! I use V7.8 RouterOS. I've set up my router like 1 day ago. I use PPPoE and yes I have a static IP address.

I am trying to port forward port :3071 for a node js server, but it doesnt work I watched the tutorial for that I tried doing it the simple way and the firewall nat mannual way

I set it up to dstnat chain protocol 6 dst port 3071 In Interface list WAN ACtion dst-nat to address 192.168.88.243 where my pc is to port :3071 (Node.JS server running on port)

Mon Feb 19, 2024 8:54 am

Start with viewtopic.php?t=203686

Rule · Tue Feb 20, 2024 3:54 pm

Start with viewtopic.php?t=203686

Also strange thing, when I have set it up with pppoe I had to use google DNS either it wouldn't have let me find anything rather then just ping through cmd

# feb/20/2024 15:52:58 by RouterOS 7.8
# software id = **ELIDED**
#
# model = RB5009UG+S+
# serial number = **ELIDED**
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out3 \
    use-peer-dns=yes user=**ELIDED**
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add list=LAN
add interface=*F list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=*10 list=WAN
add interface=pppoe-out3 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=dst-nat chain=dstnat dst-port=3000 log=yes protocol=tcp \
    to-addresses=192.168.88.243 to-ports=3000
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.1.1
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.88.1
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/Bucharest

Mesquite · Tue Feb 20, 2024 6:23 pm

1. A clue as to improper config.............. symbols and number in your rules where not applicable!!!

From:
/interface list member
add list=LAN { empty entry you need to get rid of }
add interface=*F list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=*10 list=WAN
add interface=pppoe-out3 list=WAN

TO:
/interface list member
add interface=pppoe-out3 list=WAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

2. Remove netmask if you entered it, not required........
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24

3. Dst NAT RULE INCOMPLETE see addition in green! ( to- ports not required if same as dst port )
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp in-interface=pppoe-out3 \ {edit fixed IP should be dst-address=staticWANip}
log=yes to-addresses=192.168.88.243

Rule · Tue Feb 20, 2024 6:42 pm

1. A clue as to improper config.............. symbols and number in your rules where not applicable!!!

From:
/interface list member
add list=LAN { empty entry you need to get rid of }
add interface=*F list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=*10 list=WAN
add interface=pppoe-out3 list=WAN

TO:
/interface list member
add interface=pppoe-out3 list=WAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

2. Remove netmask if you entered it, not required........
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24

3. Dst NAT RULE INCOMPLETE see addition in green! ( to- ports not required if same as dst port )
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp in-interface=pppoe-out3 \
log=yes to-addresses=192.168.88.243

also when i try to remove /24 itgoes to /32 and kills my internet when I edit the in interface for DST thing it doesn't send anything like it did like no packets no nothing

This site can’t be reached redactedIP refused to connect.

Another thing I realised is that when I try DHCP servers without DNS my internet dies / cant reach NS of google maybe but can ping via cmd

Mesquite · Tue Feb 20, 2024 9:11 pm

Sorry you are not making any sense.
Where above was there advice to remove a /24 and put in a /32 ???

Your input about DHCP and DNS, seems out of the blue as well........... what is the issue here?

Rule · Tue Feb 20, 2024 9:20 pm

Sorry you are not making any sense.
Where above was there advice to remove a /24 and put in a /32 ???

Your input about DHCP and DNS, seems out of the blue as well........... what is the issue here?

1.Okay so when I remove /24 it automakes it /32
2.also if I use DHCP server without DNS it doesnt work I can just ping stuff via cmd
3. port forwarding doesnt work

Mesquite · Tue Feb 20, 2024 11:05 pm

Remove /24 from what you still havent stated that
ALso why are you removing dns-server entry???

My bad on dst port rule please adjust too ( I didnt hoist in that your wanip is fixed static )
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp dst-address=staticWAN-ip \
log=yes to-addresses=192.168.88.243

This is what your entry should look like.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-server network { no entry for netmask required }
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
...

..

basic.jpg

Rule · Wed Feb 21, 2024 4:40 pm

Remove /24 from what you still havent stated that
ALso why are you removing dns-server entry???

My bad on dst port rule please adjust too ( I didnt hoist in that your wanip is fixed static )
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp dst-address=staticWAN-ip \
log=yes to-addresses=192.168.88.243

This is what your entry should look like.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-server network { no entry for netmask required }
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
...

..basic.jpg

LIke this?

# feb/21/2024 16:39:34 by RouterOS 7.8
# software id = Elided
#
# model = RB5009UG+S+
# serial number = Elided
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out3 \
    use-peer-dns=yes user=Elided
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member
add disabled=yes interface=*F list=WAN
add disabled=yes interface=ether1 list=WAN
add disabled=yes interface=*10 list=WAN
add interface=pppoe-out3 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3000 log=\
    yes protocol=tcp to-addresses=192.168.88.243 to-ports=3000
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.1.1
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.88.1
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/Bucharest

Also port forward still doin nothing

Wed Feb 21, 2024 5:15 pm

“to-addresses=192.168.88.24“ needs to reference your PPPoE address, not your internal LAN IP.

Or, reference the interface, not the IP.

Rule · Wed Feb 21, 2024 5:20 pm

“to-addresses=192.168.88.24“ needs to reference your PPPoE address, not your internal LAN IP.

Or, reference the interface, not the IP.

wait wdym?

like port forward or where?

Bcs If I change the to address to my Public Ip / PPPoE address then it will route from dst address which is PPPoE address to pppoe address

also ye I tried my Lan ip in dst adress and gives no packets

Also refrencing any In. Interface such as Ether 1 pppoe 3 or bridge it just straight up doesnt send the packets back. (from what I know it should atleast send packets to know if it makes contact even if it's not permited)

Wed Feb 21, 2024 5:56 pm

wait wdym?

I'm getting confused with the multiple configs posted here. It doesn't help that I was replying on a phone, making it difficult to tell which one is active at the moment. Sorry for adding more smoke than light.

All I can figure now is that what I take to be the current version of the dstnat rule:

add action=dst-nat chain=dstnat dst-address=wanip dst-port=3000 log=\
    yes protocol=tcp to-addresses=192.168.88.243 to-ports=3000

…is referring to the literal string "wanip", which the router doesn't know how to look up. Either that needs to be a statically-assigned PPPoE public IP, or you need to refer to the interface instead:

add action=dst-nat chain=dstnat in-interface=pppoe-out3 dst-port=3000 log=\
    yes protocol=tcp to-addresses=192.168.88.243

That formulation is more flexible anyway.

Note that you don't have to give "to-ports" when it's the same as dst-port. That's the implicit default.

By the way, where's your firewall? If this is a public-facing router, you shouldn't be without one.

Rule · Wed Feb 21, 2024 6:04 pm

wait wdym?

I'm getting confused with the multiple configs posted here. It doesn't help that I was replying on a phone, making it difficult to tell which one is active at the moment. Sorry for adding more smoke than light.

All I can figure now is that what I take to be the current version of the dstnat rule:
Code: Select all
add action=dst-nat chain=dstnat dst-address=wanip dst-port=3000 log=\
    yes protocol=tcp to-addresses=192.168.88.243 to-ports=3000
…is referring to the literal string "wanip", which the router doesn't know how to look up. Either that needs to be a statically-assigned PPPoE public IP, or you need to refer to the interface instead:
Code: Select all
add action=dst-nat chain=dstnat in-interface=pppoe-out3 dst-port=3000 log=\
    yes protocol=tcp to-addresses=192.168.88.243
That formulation is more flexible anyway.

Note that you don't have to give "to-ports" when it's the same as dst-port. That's the implicit default.

By the way, where's your firewall? If this is a public-facing router, you shouldn't be without one.

1. I'm still new to mikrotik routers, also this is just to experiment with friends and to use as a VPN, I don't intend to making it publicly available!
2.I tried with In. Interface making it pppoe3-out but nothing happens like literally no packets sent

Also sorry for my stupid responses but I'm new I wanted to try smth more complicated and understand how it works!

Wed Feb 21, 2024 6:16 pm

2.I tried with In. Interface making it pppoe3-out but nothing happens like literally no packets sent

Then the packets aren't coming in over the pppoe3-out interface. Stop focusing on this port forwarding side issue and debug the main issue.

Rule · Wed Feb 21, 2024 6:17 pm

2.I tried with In. Interface making it pppoe3-out but nothing happens like literally no packets sent

Then the packets aren't coming in over the pppoe3-out interface. Stop focusing on this port forwarding side issue and debug the main issue.

hear me out the reason was that in the masquadrade rule I used in interface PPPoE I removed it and now everything works as well as port fwd.

Srry if I blew your mind with my side problem Port FWD to much.

May I please get a link to a guide on firewall and protecting if I were to make a public router please?

Wed Feb 21, 2024 6:24 pm

The default configuration isn't a bad place to start. Links from there into the docs are there for a reason. (Hint.)

Rule · Wed Feb 21, 2024 6:32 pm

The default configuration isn't a bad place to start. Links from there into the docs are there for a reason. (Hint.)

Thx!!

Mesquite · Wed Feb 21, 2024 9:52 pm

I still have no idea what you were trying to do LOL. but if its working great!

Rule · Thu Feb 22, 2024 8:18 pm

I still have no idea what you were trying to do LOL. but if its working great!

Ah Tehnically Iw as trrying to portforward port 3000 Lol

Port forwarding [SOLVED]

Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding [SOLVED]

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Re: Port forwarding

Who is online