Discolai
just joined
Topic Author
Posts: 3
Joined: Wed Jun 26, 2024 2:12 pm

Issues port forwarding to isp vlan

Wed Jun 26, 2024 2:38 pm

Hi,

I have set up my MikroTik hEX S with a direct connection to my ISP-provided fiber. My ISP provides internet over VLAN 102, so I have set up WAN on that VLAN ID.
Internet connectivity works as it should, but port forwarding does not. I also had some issues with Plex direct streaming locally, which might be related. I fixed that by overriding the DNS records.
Below are my current settings; any help would be appreciated.
# jun/26/2024 13:26:57 by RouterOS 6.47.10
# software id = NS4M-BHUV
#
# model = RB760iGS
# serial number = D4500F9D8F84
/interface bridge
add admin-mac=DC:2C:6E:13:D6:E0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp1 ] mac-address={redacted}
/interface vlan
add interface=sfp1 name=altibox_wan vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=main-lan ranges=192.168.10.20-192.168.10.254
/ip dhcp-server
add address-pool=main-lan disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
add interface=*9
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=altibox_wan list=WAN
add list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=altibox_wan
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
add address=192.168.10.3 regexp=".*plex\\.direct"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.10.3 to-ports=\
    32400
/ip service
set www address=192.168.10.0/24
set www-ssl address=192.168.10.0/24 disabled=no tls-version=only-1.2
/system clock
set time-zone-name=Europe/Oslo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Issues port forwarding to isp vlan

Wed Jun 26, 2024 4:08 pm

(1) Which interface was identified here???? --> that now has the YOU HAVE AN ERROR indication LOL
add bridge=bridge interface=ether1
add interface=*9


(2) Since sfp1 is the WAN port it needs to be removed from the bridge. I see that it's disabled, but don't keep garbage lying around; get rid of it.

(3) Also get rid of this empty entry!
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=altibox_wan list=WAN
add list=LAN


(4) Did you add netmask manually??? Remove it if so....
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24


Would expect something like:
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1


(5) Why? It's an insecure access option?
/ip service
set www address=192.168.10.0/24

(6) Similarly this should be none.
/tool mac-server
set allowed-interface-list=LAN

(7) NOW to the port forwarding................ THREE ITEMS!

a. For a dynamic WANIP, use the following format instead..................
Assuming you have either the ip cloud URL, my netname, or some other DYNDNS service on the go, the following applies.

/ip firewall address-list
add address=mynetname.net list=MyWAN ( could be any domain name thingy used for both external and internal users to reach server )

b. IF internal users also use the DYNDNS-type name to access the server then you need a hairpin NAT rule.

Result:
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" src-address=192.168.10.0/24 dst-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
dst-address-list=MyWAN protocol=tcp to-addresses=192.168.10.3

(note: to ports not required if same as dst-ports)

c. Last consideration is firewall rules in the forward chain......
Take the last rule and default rule shown below and change to three other rules............. more clear, better security and works better for port forwarding...
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

The previous default rule combined both dropping traffic from the WAN and allowing port forwarding from the WAN. Note that the default rules, for ease of new users, automatically allow all traffic and use the above rule only to limit incoming WAN traffic.

We take the reverse stance: we block all traffic as the starting point with the last rule, and above that we add what is allowed, thus internet traffic and port forwarding traffic (we don't limit to WAN, as some users may be coming from the LAN side). What should be clear is that the rules are more readable and obvious to the reader AND we block LAN-to-LAN traffic if you had additional subnets.
The new rules
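To make the difference between the defconf rule and the three-rule replacement concrete, here is a small constructed model of the forward chain (added example, not code from the post or from MikroTik). It evaluates the same matchers the rules above use and reports the verdict under both rule sets, including the LAN-to-LAN case between two subnets that the reply says gets blocked.

```python
# Constructed model of the RouterOS forward chain: a packet is a dict of the
# matcher fields, a rule is (action, matchers); "!value" negates a matcher.
def matches(matchers: dict, pkt: dict) -> bool:
    for key, want in matchers.items():
        have = pkt.get(key)
        if isinstance(want, set):          # connection-state accepts a list
            ok = have in want
        elif want.startswith("!"):         # e.g. connection-nat-state=!dstnat
            ok = have != want[1:]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(rules, pkt: dict) -> str:
    """First matching rule decides; RouterOS accepts what no rule matches."""
    for action, matchers in rules:
        if matches(matchers, pkt):
            return action
    return "accept"

COMMON = [("accept", {"connection-state": {"established", "related", "untracked"}}),
          ("drop", {"connection-state": {"invalid"}})]
# defconf: one rule that only limits new, unforwarded traffic arriving from WAN
DEFAULT = COMMON + [("drop", {"in-interface-list": "WAN", "connection-state": {"new"},
                              "connection-nat-state": "!dstnat"})]
# the reply's replacement: explicit allow-list first, then drop everything else
PROPOSED = COMMON + [("accept", {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
                     ("accept", {"connection-nat-state": "dstnat"}),
                     ("drop", {})]

def flow(in_list: str, out_list: str, state: str = "new", nat: str = None) -> dict:
    """First packet of a flow as the forward chain sees it (constructed)."""
    pkt = {"in-interface-list": in_list, "out-interface-list": out_list, "connection-state": state}
    return pkt | {"connection-nat-state": nat} if nat else pkt

def compare(pkt: dict) -> tuple:
    """(verdict under defconf, verdict under the proposed rules)."""
    return verdict(DEFAULT, pkt), verdict(PROPOSED, pkt)

if __name__ == "__main__":
    # The last flow is a second LAN subnet routed through this box to the main LAN.
    for name, pkt in [("plex from internet, dst-nat hit", flow("WAN", "LAN", nat="dstnat")),
                      ("unsolicited from internet", flow("WAN", "LAN")),
                      ("lan to internet", flow("LAN", "WAN")),
                      ("second lan subnet to main lan", flow("LAN", "LAN"))]:
        print(f"{name:32} defconf={compare(pkt)[0]:7} proposed={compare(pkt)[1]}")
```

The fasttrack rule is left out because it only marks connections and does not change the verdict of a first packet.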
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Issues port forwarding to isp vlan

Wed Jun 26, 2024 4:13 pm

Not sure what you are doing with PLEX and DNS, but suggest you disable the two IP DNS static rules you have made while making the changes recommended.
They should NOT be required.
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
add address=192.168.10.3 regexp=".*plex\\.direct"
 
Discolai
just joined
Topic Author
Posts: 3
Joined: Wed Jun 26, 2024 2:12 pm

Re: Issues port forwarding to isp vlan

Fri Jun 28, 2024 6:35 pm

Thank you for the feedback. I am not trying to reach the server by a domain name so I only applied the rest of your suggestions.

I added the hairpin rule which made it possible to reach the server using my public ip from within my own network, but I am still not able to reach it from the outside.
 
Discolai
just joined
Topic Author
Posts: 3
Joined: Wed Jun 26, 2024 2:12 pm

Re: Issues port forwarding to isp vlan  [SOLVED]

Thu Jul 04, 2024 6:19 pm

I figured out the issue eventually. My ISP did some maintenance in my area and moved me over to Carrier Grade NAT.

I sent a support request to my ISP requesting to be moved out of CGNAT, waited a few minutes and renewed my DHCP lease. This resolved my port forwarding issues.
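A quick check for the failure mode behind this resolution, added here and not part of the thread: before touching firewall rules, compare the address the DHCP client received on the WAN VLAN with the address the internet sees you as. The 100.64.0.0/10 range is the RFC 6598 shared address space ISPs use for CGNAT; the sample addresses are constructed, with 1.1.1.1 standing in for a public lease.

```python
import ipaddress

# RFC 6598 shared address space, the range ISPs hand out behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify(addr: str) -> str:
    """Label a WAN lease address for a port-forwarding sanity check."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:                 # checked first: some Python versions report
        return "cgnat"              # this range as neither private nor global
    if ip.is_private:
        return "private"            # e.g. a second router or ISP box in front of us
    if ip.is_global:
        return "public"
    return "other"                  # loopback, link-local, reserved

def forwarding_reachable(lease_ip: str, observed_ip: str) -> tuple:
    """Can inbound dst-nat work? lease_ip is the DHCP client address on the WAN
    VLAN; observed_ip is what an external 'what is my IP' service reports.
    Returns (ok, reason)."""
    kind = classify(lease_ip)
    if kind == "cgnat":
        return False, "lease is in 100.64.0.0/10: ISP CGNAT, ask the ISP for a public address"
    if kind != "public":
        return False, f"lease is {kind}: an upstream device holds the public address"
    if ipaddress.ip_address(lease_ip) != ipaddress.ip_address(observed_ip):
        return False, "lease is public but differs from the externally seen address: another NAT upstream"
    return True, "router holds the public address, dst-nat rules are reachable from the internet"

if __name__ == "__main__":
    # Constructed sample leases; 1.1.1.1 stands in for a public address.
    for lease, seen in [("100.70.1.2", "1.1.1.1"), ("192.168.1.50", "1.1.1.1"), ("1.1.1.1", "1.1.1.1")]:
        print(lease, "->", forwarding_reachable(lease, seen))
```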
