Crazyarno
just joined
Topic Author
Posts: 3
Joined: Thu Oct 17, 2024 3:03 am

Port Forwarding not working

Thu Oct 17, 2024 3:35 am

Hey Mates,
Made router configuration, but port forwarding is not working.
Port scanner shows that the ports are open.

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward connection-nat-state=dstnat connection-state="" \
in-interface=ether1WAN
add action=accept chain=forward dst-port=80 in-interface=ether1WAN protocol=tcp
add action=accept chain=forward dst-port=443 in-interface=ether1WAN protocol=tcp
add action=accept chain=forward dst-port=9987 in-interface=ether1WAN protocol=udp
add action=accept chain=forward dst-port=30033 in-interface=ether1WAN protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related \
hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface=ether1WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=80 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=443 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103 to-ports=443
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=9987 \
in-interface=ether1WAN protocol=udp to-addresses=192.168.88.103 to-ports=9987
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=30033 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103 to-ports=30033
/ip route
 
mickdoev
just joined
Posts: 18
Joined: Fri Mar 17, 2023 2:44 am

Re: Port Forwarding not working

Thu Oct 17, 2024 8:06 am

In your destination NAT statement below

add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=80 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103 to-ports=80

Your dst-address and your to-address are the same.
The dst-address should be your router WAN port address and the to-address should be the "inside" address of the system that is hosting the service.
 
anav
Forum Guru
Posts: 23332
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding not working

Thu Oct 17, 2024 7:15 pm

Your config is in error.

EITHER you want to host services ON THE ROUTER ( hence you open 80 and 443 on your router to the whole wide world )
OR
You port forward to a server on your LAN handling port 80 and 443.

Which is it?
I suspect servers on the LAN and thus remove the input chain rules for 80, 443

++++++++++++++++++++++++++
Previous poster is bang on.
Think about it!! The local private dst-address ( of the server ) is NEVER on incoming traffic. The only dst address on incoming traffic is the address of the Router itself, the WANIP!!
It's the router's job to identify where the traffic should go based on Destination Port.
If there is no valid destination port identified, the traffic is dropped.
If there is a valid destination port ( as identified by the router on the incoming traffic ), then the router knows WHERE locally to send such traffic, the TO ADDRESS!!

Note if the dst-port and to-port are identical ( no port translation needed ), then the to-port need not be entered, as no entry implies same port.
Case A:
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Related" connection-state=\
established,related
add action=accept chain=forward comment="Allow Related" connection-state=\
established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-port=9987 in-interface=ether1WAN protocol=udp
add action=accept chain=forward dst-port=30033 in-interface=ether1WAN protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related \
hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface=ether1WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-port=80 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=443 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=9987 \
in-interface=ether1WAN protocol=udp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=30033 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103



Case B:
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-port=80 in-interface=ether1WAN protocol=tcp
add action=accept chain=forward dst-port=443 in-interface=ether1WAN protocol=tcp
add action=accept chain=forward dst-port=9987 in-interface=ether1WAN protocol=udp
add action=accept chain=forward dst-port=30033 in-interface=ether1WAN protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related \
hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface=ether1WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-port=9987 \
in-interface=ether1WAN protocol=udp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=30033 \
in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103


Note: WAN interface not required on firewall rule for dstn, and think about it, if you happen to have LAN users also using the WANIP of the router to access the servers......................
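The dst-address mistake pointed out in the two replies above can be checked mechanically. This is an added example, not part of any post in the thread: a Python lint over a RouterOS export that flags dst-nat rules whose dst-address equals to-addresses, or is some other private address. The function names, finding labels and sample export are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample: rule 1 repeats the first post's mistake, rule 2 is corrected.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=80 \
    in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1WAN \
    protocol=tcp to-addresses=192.168.88.103
"""

def parse_rules(export, menu="/ip firewall nat"):
    """Return the 'add' lines under one menu of a RouterOS export as dicts."""
    text = re.sub(r"\\\n\s*", "", export)  # join '\' continuation lines
    rules, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif current == menu and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append({p[0]: p[1] for p in pairs if len(p) == 2})
    return rules

def is_private(value):
    try:
        return ipaddress.ip_network(value, strict=False).is_private
    except ValueError:  # ranges, negations, address lists: not judged here
        return False

def lint_dstnat(rules):
    """Return (rule index, dst-port, finding) for suspicious dst-nat rules."""
    findings = []
    for idx, rule in enumerate(rules):
        dst = rule.get("dst-address")
        if rule.get("action") != "dst-nat" or dst is None:
            continue
        if dst == rule.get("to-addresses"):
            # Inbound packets carry the WAN address, so this never matches.
            findings.append((idx, rule.get("dst-port"), "dst-equals-to"))
        elif is_private(dst):
            # Only valid when the WAN side itself is private (double NAT).
            findings.append((idx, rule.get("dst-port"), "private-dst"))
    return findings

if __name__ == "__main__":
    print(lint_dstnat(parse_rules(SAMPLE_EXPORT)))
```

A "private-dst" finding is a prompt to check whether the router really sits behind an upstream router, the situation anav asks about later in the thread.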
 
Crazyarno
just joined
Topic Author
Posts: 3
Joined: Thu Oct 17, 2024 3:03 am

Re: Port Forwarding not working

Fri Oct 18, 2024 12:43 pm

Tried your A and B, ports are still not forwarding!!
Need access from outside to the server.
 
anav
Forum Guru
Posts: 23332
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding not working

Fri Oct 18, 2024 2:36 pm

A. Post your latest config so I can see what you tried and failed.
Also, confirm that you have a public IP address or an upstream router gets a public IP and you can forward ports from it to the mikrotik.

It's very alarming to me, because it wasn't a matter of trying A or B, it was getting you to think about what your intent was, the actual requirement, and then to apply the correct config based on that.
Trying both means you didn't answer or understand the fundamental question. Blindly trying stuff is not fruitful.

Are you trying to reach the router on port 80 and 443?
OR
Are you trying to reach a server on the LAN via port 80 and 443???
 
Crazyarno
just joined
Topic Author
Posts: 3
Joined: Thu Oct 17, 2024 3:03 am

Re: Port Forwarding not working

Fri Oct 18, 2024 2:57 pm

I'm trying to get the ports working from outside. I have some plugins that need to get files from my server.

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1WAN
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Latvia .mode=ap .ssid=\
Homeland5g disabled=no
set [ find default-name=wifi2 ] configuration.country=Latvia .mode=ap .ssid=\
HomeLand2g disabled=no
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/interface list member
add interface=ether1WAN list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip arp
add address=192.168.88.120 interface=bridge1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward comment="Allow Releated" connection-state=\
established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-port=80 in-interface=ether1WAN protocol=\
tcp
add action=accept chain=forward dst-port=443 in-interface=ether1WAN protocol=\
tcp
add action=accept chain=forward dst-port=9987 in-interface=ether1WAN \
protocol=udp
add action=accept chain=forward dst-port=30033 in-interface=ether1WAN \
protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-port=9987 in-interface=ether1WAN \
protocol=udp to-addresses=192.168.88.120
add action=dst-nat chain=dstnat dst-port=30033 in-interface=ether1WAN \
protocol=tcp to-addresses=192.168.88.120
 
anav
Forum Guru
Posts: 23332
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding not working

Fri Oct 18, 2024 6:00 pm

One more time...... and keep chains together, much easier to read and fix.
And remove all old rules!!
Check to make sure the firewall on the servers, or on the Windows OS that the server is on, is not blocking traffic.......

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1WAN
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Latvia .mode=ap .ssid=\
Homeland5g disabled=no
set [ find default-name=wifi2 ] configuration.country=Latvia .mode=ap .ssid=\
HomeLand2g disabled=no
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/interface list member
add interface=ether1WAN list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip arp
add address=192.168.88.120 interface=bridge1

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-port=9987 in-interface=ether1WAN \
protocol=udp to-addresses=192.168.88.120
add action=dst-nat chain=dstnat dst-port=30033 in-interface=ether1WAN \
protocol=tcp to-addresses=192.168.88.120

add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1WAN \
protocol=tcp to-addresses=192.168.88.120
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1WAN \
protocol=tcp to-addresses=192.168.88.120