ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

port forwarding problem

Thu Mar 14, 2024 5:06 pm

I have a RB5009 router connected directly to my fibre modem. I have two security cameras connected to the router at 192.168.88.253 and 192.168.88.254. I would like to view them when not at home.
I have followed this advice to set up the NAT rule for one of the cameras: https://help.mikrotik.com/docs/display/ ... forwarding
When I check these ports with https://portchecker.co/check-it, they are reported closed.
My computer firewall is turned off at the moment.
Do I need to do anything else in the router to open up the ports? Or am I doing this wrong?
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem

Thu Mar 14, 2024 7:48 pm

No idea without seeing the config.
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Mar 14, 2024 9:02 pm

# 2024-03-14 18:59:05 by RouterOS 7.14.1
# software id = AKH6-QXXQ
#
# model = RB5009UPr+S+
# serial number = HDA08BKAFKG
/interface bridge
add admin-mac=18:FD:74:CC:AD:C5 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=------------------------------
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="front camera" disabled=yes \
dst-address=xx.xxx.xxx.xxx protocol=tcp src-address=0.0.0.0 src-port=8001 \
to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat disabled=yes dst-address=xx:xx:xx:xx \
dst-port=8001 protocol=tcp to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat dst-port=8001 in-interface-list=WAN \
log-prefix=192.168.88.254 protocol=tcp src-address=xx:xx:xx:xx to-ports=\
8001
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by ringrring on Tue Apr 09, 2024 9:35 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem

Thu Mar 14, 2024 9:15 pm

(1) slight mod to dns..
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

REMOVE the following default..........
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(2) Take this default rule and create three new rules......... Clearer and better security.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


Nothing so far that I see stopping your required traffic.......... above are improvements.
++++++++++++++++++++++++++++++++++++++++++++++++++++++

(3) Okay lets look at your dstnat rule.
/ip firewall nat
add action=dst-nat chain=dstnat comment="front camera" disabled=yes \
dst-address=xx.xxx.xxx.xxx protocol=tcp src-address=0.0.0.0 src-port=8001 \
to-addresses=192.168.88.254 to-ports=8001

DO NOT USE source address 0.0.0.0. USE DST PORT, not src port......
If you want to limit which public IPs can access your server, then create a firewall address list etc........
Note adding a source IP or src address list of IPs also has the side benefit of causing your ports not to be visible on a scan vice just closed.
If your WANIP is dynamic then use in-interface-list=WAN
If your WANIP is static then use dst-address=X.X.X.X { your static WANIP }
to-ports not required if same as dst-port.

ex.
add action=dst-nat chain=dstnat comment="front camera" disabled=no \
in-interface-list=WAN dst-port=8001 protocol=tcp to-addresses=192.168.88.254


Q. Do you have users on the same LAN as the server accessing the server by DYNDNS name/URL ??
Last edited by anav on Thu Mar 14, 2024 9:42 pm, edited 1 time in total.
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Mar 14, 2024 10:43 pm

Great, learning a lot.
How do I make those changes, using webfig or command line? I would like to see the cameras on the intranet, so yes - do I need to make a masquerade rule?
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem

Thu Mar 14, 2024 11:26 pm

I use winbox, but webconfig should suffice. You already have a masquerade rule.
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Fri Mar 15, 2024 12:20 am

So there's not really anything preventing port 8001 being open in my config?
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem

Fri Mar 15, 2024 4:16 am

Best to clean up the config and if still having issue post the latest config............
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: port forwarding problem

Sat Mar 16, 2024 2:17 am

Please note when you post the config, please include your config in a code block. The code block is the 7th icon on the row of icons above the text entry box. It looks like a square with a blob in the middle. When you press that, it will produce a beginning and ending code block. Paste your config text between the two blocks.
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem

Sat Mar 16, 2024 3:51 am

Isn't the first non-code-block config and won't be the last........... you can thank Normis for ensuring the resulting first-posting experience of new users and those supporting them :-)
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Tue Apr 09, 2024 9:37 am

Please note when you post the config, please include your config in a code block. The code block is the 7th icon on the row of icons above the text entry box. It looks like a square with a blob in the middle. When you press that, it will produce a beginning and ending code block. Paste your config text between the two blocks.
Thanks
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Apr 11, 2024 10:11 am

I am still struggling with port forwarding my security cameras. I have the config below. When I try to connect from the WAN using my phone I can see packets going up on the connections in RouterOS but no transfer of data. Please can someone look at my config. (I did try setting up Back to Home but then deleted it, because it seemed to slow my home connection speed.)
# 2024-04-11 07:40:44 by RouterOS 7.14.2
# software id = AKH6-QXXQ
#
# model = RB5009UPr+S+
# serial number = HDA08DKAFKG
/interface bridge
add admin-mac=18:BD:74:CC:AD:C5 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=xxxxxxxxxxx/32 comment="xxxxxxxxxxx (iPhone16,2)" \
    interface=*D public-key="xxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8 verify-doh-cert=yes
/ip dns static
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=front dst-port=8001 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.253 to-ports=\
    8001
add action=dst-nat chain=dstnat comment=back dst-port=8002 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.254 to-ports=8002
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system script
add comment=20240401 dont-require-permissions=no name="add dns ip_nextdns" \
    owner=capnahab policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A;\
    \n/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A;\
    \n/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA;\
    \n/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA;"
add comment="add nat (nextdns)" dont-require-permissions=yes name=nat_nextdns \
    owner=capnahab policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 \
    \n/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=\
    53 "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding problem

Thu Apr 11, 2024 2:55 pm

Are you sure that cameras provide their service on ports 8001 and 8002? I'd guess they are actually using standard port 80 ... in which case NAT rules should have "to-ports=80" set.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: port forwarding problem

Thu Apr 11, 2024 4:42 pm

(1) recommend change this rule:
from:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"


(2) As MKX very sideways alluded, there appears to be nothing intrinsically wrong with the config to prevent your desired traffic. Hence his query on confirming correct port allocation.
It would seem you probably are attempting port translation, so the dst-port = PORT HITTING THE ROUTER, to-port = PORT REACHING THE SERVER. The router does the switcheroo for you.

(3) If not using IPv6, ensure it's disabled.........
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Apr 11, 2024 6:17 pm

I have mainly used the default firewall rules. There is an entry
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
(see config above)

That seems like it may be blocking requests to the camera - what do you think?

The ports 8001 (camera 1) and 8002 (camera 2) are what are recommended in the camera instructions and set up in the camera config (as well as port 80). I suppose I could try port 80 too but maybe slightly less secure.
Last edited by ringrring on Thu Apr 11, 2024 6:35 pm, edited 1 time in total.
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Apr 11, 2024 6:31 pm


Sorry, I am very much learning here - I am not sure what you mean; using winbox or webfig, how do I do the below?

It would seem you probably are attempting port translation, so the dst-port = PORT HITTING THE ROUTER, to-port = PORT REACHING THE SERVER. The router does the switcheroo for you.
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: port forwarding problem

Thu Apr 11, 2024 8:46 pm

Did you make the changes to your firewall rules that @anav suggested to you earlier in the topic and @llamajaja mentioned again later?

Can you confirm that the cameras are using only those ports? What camera brand are you using?
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Thu Apr 11, 2024 11:24 pm

Did you make the changes to your firewall rules that @anav suggested to you earlier in the topic and @llamajaja mentioned again later?

Can you confirm that the cameras are using only those ports? What camera brand are you using?
I think I have made all the changes, that's why I showed the config.
I am only using those ports.
I don't understand what @llamajaja means by
It would seem you probably are attempting port translation, so the dst-port = PORT HITTING THE ROUTER, to-port = PORT REACHING THE SERVER. The router does the switcheroo for you.

The cameras are Mobotix M16.
I had this working after @anav's advice. The only thing I did in the interim was try to install back to home from my phone but it seemed to slow my connection down on the LAN so I tried to remove it.
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Fri Apr 12, 2024 7:30 am

It is now working,
as @anav said 'DO NOT USE source address 0.0.0.0 USE DST PORT not src port' did it.

Now I just need to work out how to make it available from the LAN as @anav said
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Fri Apr 12, 2024 7:21 pm

I would like to be able to view my cameras from the LAN. Here is my NAT config. Neither camera works when viewed from the LAN but both are fine from the WAN - I tried the port number in the second one to see if it made a difference but no.
# model = RB5009UPr+S+
# serial number = HDA08BKAFKG
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=front dst-port=8001 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat comment=back dst-port=8002 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.253 to-ports=8002
add action=masquerade chain=srcnat dst-address=192.168.88.254 protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.253 protocol=tcp src-address=192.168.88.0/24 to-ports=8002
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding problem  [SOLVED]

Fri Apr 12, 2024 8:21 pm

Well if you try to access the camera via the LANIP address of the camera it should work fine.
If you are trying to use the same DYNDNS URL there could be problems.

If users are in the same LAN as the Server then it will not work without modifications. Easiest is to move users or server to different vlan.
If you elect not to do that then you need to address a hairpin nat scenario.

HAIRPIN NAT
1. Regardless of type of WAN connection, a single Source NAT rule is required.

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24


2. For dynamic WANIP, create a firewall list
/ip firewall address-list
add address=dyndnsURL list=MYWAN
{ alternatively you can use your IP cloud option 'mynetname.net' }

YOUR NAT RULES SHOULD LOOK LIKE THIS:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=front dst-port=8001 dst-address-list=MYWAN protocol=tcp to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat comment=back dst-port=8002 dst-address-list=MYWAN protocol=tcp to-addresses=192.168.88.253 to-ports=8002



3. ENSURE you changed the firewall rules I ALREADY recommended.
(1) recommend change this rule:
from:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
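To make the two points in this thread concrete - anav's earlier dstnat fix (match on dst-port and in-interface-list=WAN, not src-address=0.0.0.0 and src-port) and the hairpin NAT case in this post - here is an added Python model of how a new connection moves through dstnat, the recommended three forward rules and srcnat, and whether the reply ever gets back to the client. It is not MikroTik code and not from anyone in this thread; the addresses are constructed (203.0.113.10 stands in for the PPPoE WAN IP and for the MYWAN address list, 192.168.88.20 is a LAN client) and only the matchers the thread uses are modelled.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addresses: 203.0.113.10 (documentation range) stands in for the
# router's PPPoE WAN IP and for the MYWAN address list; 192.168.88.20 is a LAN client.
WAN_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.88.1"
LAN = ip_network("192.168.88.0/24")
CAMERA = "192.168.88.254"
Packet = namedtuple("Packet", "src sport dst dport")

def side(addr):
    """Interface list an address sits behind: LAN if inside the bridge subnet, else WAN."""
    return "LAN" if ip_address(addr) in LAN else "WAN"

def matches(rule, pkt, nat_state):
    """Evaluate only the RouterOS matchers used in this thread; other keys are ignored."""
    checks = {
        "in-interface-list": lambda v: side(pkt.src) == v,
        "out-interface-list": lambda v: side(pkt.dst) == v,
        "dst-port": lambda v: pkt.dport == v,
        "src-port": lambda v: pkt.sport == v,
        "src-address": lambda v: ip_address(pkt.src) in ip_network(v),
        "dst-address": lambda v: ip_address(pkt.dst) in ip_network(v),
        "connection-nat-state": lambda v: nat_state == v,
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def first_match(rules, pkt, nat_state=None):
    return next((r for r in rules if matches(r, pkt, nat_state)), None)

def session(pkt, dstnat, forward, srcnat):
    """Push one new TCP connection through dstnat -> forward -> srcnat and work out
    whether the reply gets back to the client. Returns (verdict, reply_ok)."""
    original = pkt
    nat_state = None
    rule = first_match(dstnat, pkt)
    if rule:  # dst-nat rewrites the destination before the filter sees the packet
        pkt = pkt._replace(dst=rule["to-addresses"], dport=rule.get("to-ports", pkt.dport))
        nat_state = "dstnat"
    elif pkt.dst in (WAN_IP, ROUTER_LAN_IP):
        return "input", False  # addressed to the router itself, which serves nothing on 8001
    fw = first_match(forward, pkt, nat_state)
    if fw is None or fw["action"] == "drop":
        return "drop", False
    if first_match(srcnat, pkt):  # masquerade: source becomes the router's egress address
        pkt = pkt._replace(src=WAN_IP if side(pkt.dst) == "WAN" else ROUTER_LAN_IP)
    reply_dst = pkt.src  # the camera answers whatever source address it saw
    # A reply between two LAN hosts that is not addressed to the router goes straight
    # across the bridge, so the router never gets the chance to reverse the NAT.
    via_router = not (side(pkt.dst) == "LAN" and side(reply_dst) == "LAN"
                      and reply_dst != ROUTER_LAN_IP)
    reply_from = (original.dst, original.dport) if via_router else (pkt.dst, pkt.dport)
    # The client's TCP stack only accepts a reply from the address:port it connected to.
    return "accept", reply_from == (original.dst, original.dport)

# Forward chain as recommended in the thread (replacing the defconf "not DSTNATed" drop).
FORWARD = [
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "drop"},
]
MASQUERADE_WAN = {"action": "masquerade", "out-interface-list": "WAN"}
HAIRPIN_SRCNAT = {"action": "masquerade", "src-address": "192.168.88.0/24",
                  "dst-address": "192.168.88.0/24"}
# The first attempt: src-address=0.0.0.0 and src-port=8001; a client's source port is ephemeral.
SRCPORT_DSTNAT = {"src-address": "0.0.0.0/32", "src-port": 8001,
                  "to-addresses": CAMERA, "to-ports": 8001}
# The working rule for a dynamic WAN IP: match on dst-port and in-interface-list=WAN.
WAN_DSTNAT = {"in-interface-list": "WAN", "dst-port": 8001, "to-addresses": CAMERA}
# Hairpin variant: match the WAN address (dst-address-list=MYWAN in the thread) on any interface.
HAIRPIN_DSTNAT = {"dst-address": WAN_IP + "/32", "dst-port": 8001, "to-addresses": CAMERA}

def scenarios():
    wan_client = Packet("198.51.100.7", 51234, WAN_IP, 8001)   # phone on mobile data
    lan_client = Packet("192.168.88.20", 51234, WAN_IP, 8001)  # laptop on the LAN, using the WAN IP
    return {
        "wan_client_srcport_rule": session(wan_client, [SRCPORT_DSTNAT], FORWARD, [MASQUERADE_WAN]),
        "wan_client_dstport_rule": session(wan_client, [WAN_DSTNAT], FORWARD, [MASQUERADE_WAN]),
        "lan_client_wan_only_rule": session(lan_client, [WAN_DSTNAT], FORWARD, [MASQUERADE_WAN]),
        "lan_client_no_hairpin_srcnat": session(lan_client, [HAIRPIN_DSTNAT], FORWARD, [MASQUERADE_WAN]),
        "lan_client_hairpin": session(lan_client, [HAIRPIN_DSTNAT], FORWARD, [HAIRPIN_SRCNAT, MASQUERADE_WAN]),
    }

if __name__ == "__main__":
    for name, (verdict, ok) in scenarios().items():
        print(f"{name:30s} {verdict:7s} reply reaches client: {ok}")
```

The fourth scenario is the symptom from the post above: dstnat alone delivers the SYN to the camera, but the camera answers the LAN client directly from 192.168.88.254, which the client rejects because it connected to the WAN address.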
 
ringrring
just joined
Topic Author
Posts: 14
Joined: Wed Mar 13, 2024 2:58 pm

Re: port forwarding problem

Fri Apr 12, 2024 9:57 pm

Thanks very much, yes I can see them using the IP addresses. I think I will continue to use that as hairpin is beyond my understanding and will be on the increasing pile of things to pick up later.
