Hello all,

I would like to open a port so that user from the outside (Internet) can connect to my inside Server with the local IP 192.168.88.3
I've read the official manual and I tried different tips from previous posts in the forum but nothing worked. I use the RouterBOARD RB450G with the factory default interface configuration. Ether1-gateway is my wan interface. My Server is connected to ether3-slave-local. In my example I would like to open port 51982 for incoming connections.

Interface configuration:
Name Type L2 MTU Tx Rx Tx Packet (p/s) Rx Packet (p/s) Tx Drops Rx Drops Tx Errors Rx Errors
D R ether2-master-local Ethernet 1520 69.8 kbps 11.2 kbps 8 7 0 0 0 0
-D R ISP PPPoE Client 0 bps 0 bps 0 0 0 0 0 0
D R ether1-gateway Ethernet 1520 0 bps 0 bps 0 0 0 0 0 0
D RS ether3-slave-local Ethernet 1520 0 bps 0 bps 0 0 0 0 0 0
D S ether4-slave-local Ethernet 1520 0 bps 0 bps 0 0 0 0 0 0
D S ether5-slave-local Ethernet 1520 0 bps 0 bps 0 0 0 0 0 0


This is the NAT configuration:

-D 0 masquerade srcnat ether1-gateway 1259.5 KiB 23 874
-D 1 dst-nat dstnat 6 (tcp) 51982 0 B 0


This is the default firewall configuration:

# Action Chain Src. Address Dst. Address Protocol Src. Port Dst. Port Any. Port In. Interface Out. Interface Bytes Packets
;;; default configuration
-D 0 accept input 1 (icmp) 0 B 0
;;; default configuration
-D 1 accept input 856.0 KiB 6 311
;;; default configuration
-D 2 accept input 0 B 0
;;; default configuration
-E X 3 drop input ether1-gateway 0 B 0


When I check with Open Port Check tool from yougetsignal.com than I get the message "Port 51982 is closed". I've tried it with "In. Interface" ether1-gateway in the nat configuration too but still the same problem. Furthermore the Windows Firewall is off so that there is nothing on the Server that can block. Why it doesn't work? Please help me

Please post /ip firewall export

Here is the firewall export:

[admin@MikroTik] > ip firewall export
# jan/01/2002 01:28:11 by RouterOS 5.15
# software id = XXX
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=51982 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.3 to-ports=51982
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

You need to add that port into your ip firewall filter config. It is being dropped before nat

@rjickity

Could you give me an example please? I don't know exactly what you mean.

You need to add that port into your ip firewall filter config. It is being dropped before nat

DST-NAT takes place in prerouting chain, before input chain.
There is no need to add allow rule in input chain.

@dod84
Is your server port 51982 reachable from LAN side?
Your config is quiet simple and looks good.

Regards,

@ ditonet

I've 2 PC's in the inside lan (1x client and 1x server) and I can reach my server from my desktop PC in the inside lan without problems. Only from external it's not possible. There is no port open it's like Fort Knox

When you check with Open Port Check tool from yougetsignal.com does dst-nat rule packet counter increase?

No the dst-nat rule packet counter doesn't increase.

Run 'Torch' on ether1-gateway interface and observe incoming packet during checking.
You should see packets from 'yougetsignal.com'.
Other place to observe packets is Firewall/Connections.

HTH,

I can see that there are incoming connection requests (tcp flags) but they all time out and then they will discard.

In dst-nat rule 'in-interface' should be set to PPPoE client interface instead of 'ether1-gateway'.

HTH,

I've tried by dst-nat rule in-interface pppoe now but it still doesn't work

you should set 2 rules for port forwarding like below:
I WANT SEND REMOTE DESKTOP WITH IP VALID 31.XXX.XXX.XXX TO A PC WITH LOCAL IP 192.168.0.1
(REMOTE DESKTOP PORT:3389 IF U WANT FORWARD ON A DEVICE CHANG PORT No. )

@ditonet

you're correct, my mistake. at times i forget mikrotiks packet flow...

@dod84

specifying the in-interface should be all you need. Could you provide an /ip address print and also show the server ip configuration ?

Here is the ip address print:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether2-master-local
1 D 192.168.0.103/24 192.168.0.0 ether1-gateway
2 D 10.64.64.102/32 10.112.112.150 ISP


And thats the Server configuration (Windows 7):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\XXX>ipconfig/all

Windows-IP-Konfiguration

Hostname . . . . . . . . . . . . : XXX-pc
Primäres DNS-Suffix . . . . . . . :
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein

Ethernet-Adapter LAN-Verbindung:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Realtek RTL8168B/8111B-Familie-PCI-E-Giga
bit-Ethernet-NIC (NDIS 6.20)
Physikalische Adresse . . . . . . : 00-1A-4D-53-5B-DE
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::e8a0:d600:7a5c:67a6%10(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.88.3(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.88.1
DHCPv6-IAID . . . . . . . . . . . : 234887757
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-15-7D-81-36-00-1A-4D-53-5B-DE

DNS-Server . . . . . . . . . . . : 192.168.88.1
NetBIOS über TCP/IP . . . . . . . : Aktiviert

Tunneladapter isatap.{5D52DDD8-67B5-4111-8723-B1D9D1F56EEE}:

Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja

Tunneladapter LAN-Verbindung* 4:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv6-Adresse. . . . . . . . . . . : 2001:0:5ef5:79fd:848:3858:a8b0:789e(Bevor
zugt)
Verbindungslokale IPv6-Adresse . : fe80::848:3858:a8b0:789e%12(Bevorzugt)
Standardgateway . . . . . . . . . : ::
NetBIOS über TCP/IP . . . . . . . : Deaktiviert

Above clearly shows that you don't have public IP address assigned to router.
So is not possible to open mentioned port to Internet without cooperation with your ISP (double NAT).

HTH,

I've added now in the NAT rules by Dst. Address the public IP from my ISP but still the same problem. Furthermore I've no static public ip. My ISP gives dynamically IP addresses that change every 24 hours. So what I need to do now?

Here is the ip address export:

[admin@MikroTik] > /ip address export
# jan/02/1970 01:44:12 by RouterOS 5.15
# software id = XXX
#
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
interface=ether2-master-local network=192.168.88.0

As I wrote earlier, '/ip address print' shows two dynamically assigned IP addresses: Both are from private address space and public IP address is not assigned to any router interface.
Probably your ISP gives you private address only, not public.
Tools like 'yougetsignal.com' shows you public IP address because you are behind ISP's NAT.

HTH,

I wondered too why they are only private ip addresses displayed. Actually I've an IP Address the begnis with 87.79... so thats a public ip address. When I enter now the command /ip address print than I see the same output as I posted earlyer.

If 'ISP' is name of your PPPoE client interface you have IP from private address space.

HTH,

Yes the name ISP is the name of my PPPoE client. Thats absolutely impossible that my ISP IP is a private address. My actual WAN IP begins with 87.79 8 I can see this on yougetsignal.com and otehr sides).

Thats absolutely impossible that my ISP IP is a private address.

It's possible, I have similar config for one customer. This kind of NAT is called '1:1 mapping'.
Post results of traceroute from RouterBoard terminal window: I'm almost 100% sure that you will not see your 'public' IP address on nodes list.

HTH,

Here is the traceroute:

[admin@MikroTik] > /tool traceroute google.com
# ADDRESS RT1 RT2 RT3 STATUS
1 192.168.0.1 1ms 1ms 1ms
2 195.14.226.59 18ms 8ms 14ms
3 81.173.197.77 7ms 6ms 6ms
4 78.35.33.225 7ms 6ms 7ms
5 87.79.16.235 11ms 11ms 11ms
6 78.35.18.6 11ms 11ms 11ms
7 209.85.248.112 151ms 61ms 11ms
8 209.85.255.74 11ms 11ms 12ms <MPLS:L=376953,E=4>
9 209.85.241.227 14ms 14ms 14ms <MPLS:L=375314,E=4>
10 209.85.254.116 14ms 14ms 30ms
11 0.0.0.0 0ms 0ms 0ms
12 173.194.70.139 14ms 14ms 14ms


How can I proceed?

Ask your ISP for static public IP address.

Regards,

Thats the only solution? I have an alix board with pfsense. Under pfsense there is no problem to forward ports so it must work with mikrotik too?

Under pfsense there is no problem to forward ports so it must work with mikrotik too?

Maybe something is horribly messed in your mikrotik config, it's hard to say, you only provided some info about addresses.
Two more questions: How this address is assigned to interface 'ether1-gateway'? It's dynamic.
You are connected to ISP via 'ether1-gateway'?

Regards,

How this address is assigned to interface 'ether1-gateway'? It's dynamic.
I've no idea- its only the default config

You are connected to ISP via 'ether1-gateway'?
Yes over the ether1-gateway

I've no idea- its only the default config

RB default config is with DHCP client running on 'ether1-gateway' interface.
Some device connected to this interface is running DHCP server.
Check your config, as I wrote earlier something is messed up.

Regards,

you should set 2 rules for port forwarding like below:
I WANT SEND REMOTE DESKTOP WITH IP VALID 31.XXX.XXX.XXX TO A PC WITH LOCAL IP 192.168.0.1
(REMOTE DESKTOP PORT:3389 IF U WANT FORWARD ON A DEVICE CHANG PORT No. )

Last Picture: