Community discussions

MikroTik App
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Simple port forwarding rule doesn't work

Mon Aug 14, 2023 12:59 pm

Hi Guys,

I'm trying to open port for remote desktop connection (RDP) to my home server, I went through a lot of guides, but I just cannot to get it work.

I have MT hEX as my gateway router, I use DDNS and I'm testing open port by yougetsignal.com, where I test Remote address = myDDNS address, port number 3389.

This is my first forwarding rule on Mikrotik.

Where DDNS is enabled, it says Router is behind a NAT.
Image
 
User avatar
baragoon
Member
Member
Posts: 364
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA
Contact:

Re: Simple port forwarding rule doesn't work

Mon Aug 14, 2023 1:11 pm

you need to forward this port on the router between your MTK and internet, forwarding this port only at your MTK will not work for you
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Mon Aug 14, 2023 1:29 pm

you need to forward this port on the router between your MTK and internet
What does it mean? Do I need to contact my ISP or where can I forward the port between my router and internet?
 
User avatar
baragoon
Member
Member
Posts: 364
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA
Contact:

Re: Simple port forwarding rule doesn't work

Mon Aug 14, 2023 4:02 pm

i don't know your network desing, but port forward must be on the router before your MTK, you are behind NAT
ask your ISP
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2942
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Simple port forwarding rule doesn't work

Mon Aug 14, 2023 4:57 pm

...
What does it mean? Do I need to contact my ISP or where can I forward the port between my router and internet?
If you want to pass traffic incoming to YourIPFromISP:ServicePort to device Inside then the same rule applies to yor ISP ... traffic you want receive has to be allowed and passed by ISP to your device. If it is filtered before it reaches your device then there is no way to achieve what you want.
That is why you need your own public IP in such situations.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Simple port forwarding rule doesn't work

Mon Aug 14, 2023 8:39 pm

You're saved by the bell! You DON'T WANT to open RDP to your server...
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Tue Aug 15, 2023 8:15 am

You DON'T WANT to open RDP to your server...
I understand the risk, opening RDP port is for short period of time to test remote connection and to learn port opening, later I will deploy VPN server.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Tue Aug 15, 2023 8:22 am

That is why you need your own public IP in such situations.
I have already requested my ISP for public IP.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2942
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Simple port forwarding rule doesn't work

Tue Aug 15, 2023 1:48 pm

I understand the risk, opening RDP port is for short period of time to test remote connection and to learn port opening, later I will deploy VPN server.
Sooner is better than later :)

On the other hand why to open 3389 for tests?
Select any random port # on the WAN side and then redirect it to 3389 in DST rule to make bots/scanner life harder
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Tue Aug 15, 2023 2:24 pm

Select any random port # on the WAN side and then redirect it to 3389 in DST rule to make bots/scanner life harder
What does it mean "Select random port # on the WAN side?" Any example?
Redirecting means forwarding by DST-NAT rule, right?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Simple port forwarding rule doesn't work

Tue Aug 15, 2023 2:57 pm

I understand the risk, opening RDP port is for short period of time to test remote connection and to learn port opening, later I will deploy VPN server.
Sooner is better than later :)
I agree. Just don't do it. You will only regret it, especially when not having much technical knowledge.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 9:18 am

So, after a few days I have now public IP. Now my port forwarding rules are working and currently I would like to deploy WireGuard VPN server. I should have everything setup, except it is not working, assuming because my port to WireGuard is closed.
How to open port to the router itself without forwarding it?
Tried it without "To address" as shown below, but not wokring.
Image
 
erlinden
Forum Guru
Forum Guru
Posts: 2480
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 12:05 pm

If you follow the guide (https://help.mikrotik.com/docs/display/ ... onexamples), you would have known there is no port forward involved. Forwarding means, forward traffic to other device. I assume you want to run a Wireguard server on your MikroTik?

Unless you are running Wireguard on another device, then a forward is required.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 12:28 pm

To answer the Wireguard question: you will have to add an accept rule for that port to the "input" filter rules, not put a dst-nat in the NAT rules.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 2:43 pm

If you follow the guide (https://help.mikrotik.com/docs/display/ ... onexamples), you would have known there is no port forward involved. Forwarding means, forward traffic to other device. I assume you want to run a Wireguard server on your MikroTik?
Actually I followed some other guide, where port opening was not mentioned.
Unless you are running Wireguard on another device, then a forward is required.
Yes, I prefer to run Wireguard on the router.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 3:30 pm

To answer the Wireguard question: you will have to add an accept rule for that port to the "input" filter rules, not put a dst-nat in the NAT rules.
I have created new rule, but it seems it doesnt work. It is on 2nd position (from top).
ImageImageImage
 
erlinden
Forum Guru
Forum Guru
Posts: 2480
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Simple port forwarding rule doesn't work

Fri Aug 18, 2023 3:33 pm

Do you have a Wireguard enabled?
Is it working locally (next step should be port check)?

Better share your current config (screenshots are unnecessary):
/export file=anynameyoulike
Remove serial and any prive information (like public IP).
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Mon Aug 21, 2023 7:29 am

Do you have a Wireguard enabled?

Yes, wireguard interface should be enabled.

Is it working locally (next step should be port check)?

Actually I'm doing this remotely, since I'm not at home currently. Hopefully I will check it today.

Better share your current config (screenshots are unnecessary):

My config:

# 2023-08-21 06:08:34 by RouterOS 7.10.2
# software id = **ELIDED**
#
# model = RB750Gr3
# serial number = -
/interface bridge
add admin-mac=- auto-mac=no comment=defconf name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] disabled=yes name=LAN2
set [ find default-name=ether4 ] disabled=yes name=LAN3
set [ find default-name=ether5 ] disabled=yes name=LAN4
set [ find default-name=ether1 ] name="WAN (ether1)"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/caps-man configuration
add country=slovakia datapath.bridge=BRIDGE-LAN name="gNET config" \
    security.authentication-types=wpa2-psk ssid=gNet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=10.10.10.1-10.10.10.250
/ip dhcp-server
add address-pool=dhcp interface=BRIDGE-LAN lease-time=1d name=DHCP-LAN
/port
set 0 name=serial0
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BRIDGE-LAN
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="gNET config"
/interface bridge port
add bridge=BRIDGE-LAN comment=defconf interface=LAN1
add bridge=BRIDGE-LAN comment=defconf interface=LAN2
add bridge=BRIDGE-LAN comment=defconf interface=LAN3
add bridge=BRIDGE-LAN comment=defconf interface=LAN4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=BRIDGE-LAN list=LAN
add comment=defconf interface="WAN (ether1)" list=WAN
/interface wireguard peers
add allowed-address=**ELIDED**/32 interface=wireguard1 public-key=\
    "myKey"
/ip address
add address=10.10.10.254/24 comment=defconf interface=BRIDGE-LAN network=\
    10.10.10.0
add address=172.78.0.1 interface=wireguard1 network=172.78.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface="WAN (ether1)"
/ip dhcp-server lease
add address=10.10.10.100 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.252 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.4 mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.1 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.2 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.10 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.3 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.253 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
add address=10.10.10.7 client-id=**ELIDED** mac-address=**ELIDED** server=DHCP-LAN
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=10.10.10.254 gateway=\
    10.10.10.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.10.254 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.10.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment="Open port for WireGuard" dst-port=\
    13321 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    HairPin_NAT
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="RDP port forwarding to togo-server" \
    dst-port=7878 protocol=tcp to-addresses=10.10.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment="OPEN port for WIREGUARD VPN" \
    dst-port=12345 protocol=udp to-ports=13231
add action=dst-nat chain=dstnat comment=\
    "Port forwarding to JELLYFIN @ togo-server" dst-port=8888 protocol=tcp \
    to-addresses=10.10.10.10 to-ports=8096
add action=dst-nat chain=dstnat comment="Port forwarding template/sample" \
    dst-port=9000 protocol=tcp to-addresses=10.10.10.10 to-ports=3000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=hEX
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by tangent on Mon Aug 21, 2023 8:52 am, edited 1 time in total.
Reason: Elided PII; fixed code block formatting
 
erlinden
Forum Guru
Forum Guru
Posts: 2480
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Simple port forwarding rule doesn't work

Mon Aug 21, 2023 9:42 am

Not sure if you removed it...do both the interface and the peer have public (and private) key implemented?
I assume it is not working on local network?

Follow the link I posted before, then it will work. And consider moving the wireguard firewall filter rule below the Drop invalid rule.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21303
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple port forwarding rule doesn't work

Tue Aug 22, 2023 6:01 pm

I would help but you use capsman,,,,,,,,,,,,cannot help those that are already brain dead............... hint: Its a waste of time especially for a beginner.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Wed Aug 23, 2023 7:55 am

Follow the link I posted before, then it will work. And consider moving the wireguard firewall filter rule below the Drop invalid rule.
I finally managed to get it up and running externally but when I'm in the local network, activating wireguard breaks everything. Perhaps I missed some firewall rule? And it seems DNS is not working as well on Windows 10 computer connected to wireguard from internet, but on my phone DNS is working just fine.

Windows client tunnel:
[Interface]
PrivateKey = *my private key*
Address = xxx.xxx.xxx.xxx/32
DNS = 1.1.1.1

[Peer]
PublicKey = *Wireguard public key**
AllowedIPs = 0.0.0.0/0
Endpoint = *my public IP*
PersistentKeepalive = 10
 
erlinden
Forum Guru
Forum Guru
Posts: 2480
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Simple port forwarding rule doesn't work

Wed Aug 23, 2023 11:25 am

What does "breaks everything" mean to you? Does your phone use the same DNS server as the Windows machine?
In regards to your remark about the firewall rules...if logging is activated on the firewall (drop) rule you might get an indication of the cause of not working.
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Wed Aug 23, 2023 3:09 pm

What does "breaks everything" mean to you? Does your phone use the same DNS server as the Windows machine?
In regards to your remark about the firewall rules...if logging is activated on the firewall (drop) rule you might get an indication of the cause of not working.
Breaks everything = when wireguard is activated, device goes completely offline - no internet, no network connection.
DNS is set the same (1.1.1.1) for both devices in remote application.
[Interface]
DNS = 1.1.1.1
 
togo
just joined
Topic Author
Posts: 19
Joined: Fri Feb 02, 2018 9:23 am
Location: Prešov, Slovakia

Re: Simple port forwarding rule doesn't work

Wed Aug 23, 2023 9:03 pm

If logging is activated on the firewall (drop) rule you might get an indication of the cause of not working.
I have nothing regarding firewall in logs. Should it be enabled somehow?

Who is online

Users browsing this forum: No registered users and 8 guests