Port Forwarding done right?

DanPrs · Thu Aug 28, 2014 6:29 am

I've got a few services running on a server, all of which need some ports opened up. I am not able to access the services from outside my network, notably Plex. Here the /ip firewall export compac:

#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=add-dst-to-address-list address-list=10.10.10.2 chain=forward \
    comment=Plex dst-port=32400 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=\
    "Transmission PIA VPN" src-address=10.10.10.5
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=CouchPotato dst-port=5050 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.10.3 \
    to-ports=5050
add action=dst-nat chain=dstnat comment=SickBeard dst-port=8081 in-interface=\
    ether1-gateway protocol=tcp to-addresses=10.10.10.4 to-ports=8081
add action=dst-nat chain=dstnat comment=Transmission dst-port=9091 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.10.5 \
    to-ports=9091
add action=dst-nat chain=dstnat comment=BTSync dst-port=8888 in-interface=\
    ether1-gateway protocol=tcp to-addresses=10.10.10.6 to-ports=8888
add action=dst-nat chain=dstnat comment=Headphones dst-port=8181 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.10.9 \
    to-ports=8181
add action=dst-nat chain=dstnat comment=FreeNAS dst-port=442 in-interface=\
    ether1-gateway protocol=tcp to-addresses=10.10.10.20 to-ports=442
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
    ether1-gateway protocol=tcp to-addresses=10.10.10.2 to-ports=32400
add action=masquerade chain=srcnat out-interface="Transmission PIA VPN"
[danprs@MikroTik] >

Have I missed a step?

faisali · Thu Aug 28, 2014 7:52 am

Why such a complicated config ? ( I am getting throw off by the mark routing mark ?? what are you trying to do with that ? )

Personally speaking, is it a bit hard to follow what your config is doing...

My suggestion to be to strip down your config, and apply it in layers to figure out what is causing you grief.

Disable all your firewall rules..

Setup simple NAT first
Then setup inbound port forwarding..

Once that is working then go back and add your firewall rules...

In some cases, for dst-nat to work, I had to specify the outside IP address in addition to the interface.
Needless to say, that the order of the NAT rules is important too... all the dst-nat commands have to be before the src-net command in the filter list.

DanPrs · Thu Aug 28, 2014 9:06 am

This is pretty much all I'm doing, to no avail.

Is there a better guide or something else I should be doing?

CelticComms · Thu Aug 28, 2014 2:54 pm

Traffic to the DST NATed address also needs to be allowed in the forward chain. Try adding a specific accept rule for that traffic.

Your forward chain could also do with some attention to make it more secure.

DanPrs · Thu Aug 28, 2014 5:55 pm

So is it possible to send me in the right direction or post a few steps? The wiki is pretty light on documentation.

CelticComms · Thu Aug 28, 2014 6:03 pm

You want to make sure that traffic entering the WAN port is allowed to be forwarded to the internal private IP address / port that is the destination in your DST NAT rule.

faisali · Fri Aug 29, 2014 12:43 am

for a quick and dirty test.. just go to the IP Firewall Filter Rules, and disable all of them....

(I believe this is what I did to make one of these work, where I had started out with the default configuration out of the box).

faisali · Fri Aug 29, 2014 12:47 am

on another box, where I had blown away the default config, and built the config from scratch... I had to add the WAN Ip address to the dst-nat statement...

e.g. add action=dst-nat chain=dstnat disabled=no dst-address=204.xxx.xxx.xx \
dst-port=3283 protocol=udp to-addresses=192.168.10.10 to-ports=3283

Not quite sure why.. but that did the trick...

DanPrs · Fri Aug 29, 2014 2:25 am

That's not working, check out the config.

faisali · Fri Aug 29, 2014 3:22 am

Why do you say it is not working ?

When I point my browser to your IP and port, I get 401 Unauthorized .... (you might want to delete the gui screenshots.... IP and port # are on the Window Bar...

DanPrs · Fri Aug 29, 2014 4:35 am

*facepalm

If it was working, you'd end up at Plex's home page.

CelticComms · Fri Aug 29, 2014 5:46 am

Try uploading the config - output from /export compact. It conveys a lot of info in less space than screenshots.

DanPrs · Fri Aug 29, 2014 6:09 am


# aug/28/2014 22:56:34 by RouterOS 6.7
# software id = XXXXXXXX
#
/interface bridge
add admin-mac=4C:XXXXXXXXX auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway
/interface pptp-server
add name="Home VPN" user=""
/interface pptp-client
add connect-to=us-east.privateinternetaccess.com disabled=no max-mru=1400 \
    max-mtu=1400 name="Transmission PIA VPN" password=XXXXXXXXXXXXXXXX user=\
    XXXXXXXXXXX
/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc pfs-group=none
/ip pool
add name=pool2 ranges=10.10.0.1
add name=VPN-Pool ranges=10.10.10.50-10.10.10.254
add name=dhcp_pool2 ranges=67.XXXXXXX-67.XXXXXX
add name=dhcp_pool1 next-pool=pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-local lease-time=1w \
    name=dhcp1
/port
set 0 name=serial0
/ppp profile
add local-address=10.10.10.1 name="Home VPN VPS" remote-address=VPN-Pool
set 2 dns-server=8.8.8.8 local-address=10.10.10.1 remote-address=VPN-Pool \
    wins-server=8.8.4.4
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/interface ethernet switch vlan
add ports=ether6-master-local,ether7-slave-local switch=switch2 vlan-id=20
/interface l2tp-server server
set enabled=yes
/interface ovpn-server server
set enabled=yes
/interface pptp-server server
set default-profile="Home VPN VPS" enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
    interface=bridge-local network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-local network=10.10.10.0
/ip arp
add address=10.10.10.1 comment=ARP interface=bridge-local mac-address=\
    00:90:F5:EC:2A:05
add address=10.10.10.2 comment=Plex interface=bridge-local mac-address=\
    02:A6:54:00:09:0B
add address=10.10.10.5 comment=Transmission interface=bridge-local \
    mac-address=02:39:CF:00:11:0B
add address=10.10.10.3 comment=CouchPotato interface=bridge-local \
    mac-address=02:22:9D:00:0A:0B
add address=10.10.10.4 comment=SickBeard interface=bridge-local mac-address=\
    02:09:2F:00:10:0B
add address=10.10.10.6 comment=BTSync interface=bridge-local mac-address=\
    02:55:CB:00:0D:0B
add address=10.10.10.7 comment=ownClowd interface=bridge-local mac-address=\
    0C:77:1A:31:EB:CA
add address=10.10.10.8 comment=CrashPlan interface=bridge-local mac-address=\
    30:46:9A:46:A0:75
add address=10.10.10.20 comment=FreeNAS interface=bridge-local mac-address=\
    BC:5F:F4:E7:9B:36
add address=10.10.10.100 comment="Asus RT" interface=bridge-local \
    mac-address=74:D0:2B:42:FE:38
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server lease
add address=10.10.10.20 client-id=1:bc:5f:f4:e7:9b:36 comment=FreeNAS \
    mac-address=BC:5F:F4:E7:9B:36 server=dhcp1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=67.87.240.0/21 gateway=67.XXXXXXXXX
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=add-dst-to-address-list address-list=10.10.10.2 chain=forward \
    dst-port=32400 in-interface=ether1-gateway protocol=tcp src-address=\
    67.XXXXXXXXXXX
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=\
    "Transmission PIA VPN" src-address=10.10.10.5
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface="Transmission PIA VPN"
add action=dst-nat chain=dstnat comment=Plex dst-address=67.XXXXXXXXXX \
    dst-port=32400 in-interface=ether1-gateway protocol=tcp to-addresses=\
    10.10.10.2 to-ports=32400
/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override \
    nat-traversal=yes secret=XXXXXXXXX
add enc-algorithm=3des generate-policy=port-override secret=123Gandara
/ip proxy
set cache-on-disk=yes enabled=yes
/ip route
add distance=1 gateway="Transmission PIA VPN" routing-mark=\
    "Transmission PIA VPN"
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
/lcd
set backlight-timeout=never default-screen=stats-all
/lcd pin
set pin-number=0364
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1-gateway interface=ether1-gateway
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
/ppp secret
add name=XXXXXXXXX password=XXXXXXXXXX
add name=XXXXXXXXXpassword=XXXXXXXXX profile="Home VPN VPS" service=pptp
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes mode=unicast primary-ntp=17.171.4.33
/system scheduler
add interval=1m name="DDNS Scheduller " on-event="DDNS No-IP" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-time=startup
/system script
add name="DDNS No-IP" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup -----\
    -------------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"XXXXXXXXXXXXXX\";\r\
    \n:local noippass \"XXXXXXXXXXXXXX\";\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n:local noiphost \"XXXXXXXXXX.com\";\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"ether1-gateway\";\r\
    \n\r\
    \n#-----------------------------------------------------------------------\
    -------------\r\
    \n# No more changes need\r\
    \n\r\
    \n:global previousIP;\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
    \_disabled=no] address];\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n           :set currentIP [:pick \$currentIP 0 \$i];\r\
    \n       } \r\
    \n   }\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n      :log info \"No-IP: Current IP \$currentIP is not equal to previous\
    \_IP, update needed\";\r\
    \n      :set previousIP \$currentIP;\r\
    \n      :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curre\
    ntIP\";\r\
    \n      :log info \"No-IP: Sending update for \$noiphost\";\r\
    \n      /tool fetch url=(\$url . \"&hostname=\$noiphost\") user=\$noipuser\
    \_password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
    . \".txt\")\r\
    \n      :log info \"No-IP: Host \$noiphost updated on No-IP with IP \$curr\
    entIP\";\r\
    \n      \r\
    \n   } else={\r\
    \n   :log info \"No-IP: Previous IP \$previousIP is equal to current IP, n\
    o update needed\";\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so there\
    fore will not update.\";\r\
    \n}"
/tool graphing interface
add interface="Transmission PIA VPN"
add interface="Home VPN"
add interface=ether1-gateway
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=bridge-local
/tool traffic-monitor
add interface="Transmission PIA VPN" name="Transmission VPN In" threshold=0 \
    traffic=received trigger=always
add interface="Transmission PIA VPN" name="Transmission VPN Out" threshold=0 \
    trigger=always
add interface=ether1-gateway name="Gateway Out" threshold=0 trigger=always

CelticComms · Fri Aug 29, 2014 2:45 pm

What does the Plex unit have set as its default gateway?

DanPrs · Fri Aug 29, 2014 4:56 pm

Plex lives on a FreeNAS system. Plex has the IP 10.10.10.2. The gateway is 10.10.10.1. The port necessary is 32400.

FreeNAS is on 10.10.10.20. This system hosts the other services as well.

ryandenis · Wed Sep 10, 2014 6:32 pm

Did you ever get resolution to this issue? I've been struggling with the same issues as you. I've used freenas and pfsense for years and recently switched to mikrotik but can't get the simple things to work. Its quite frustrating.

suntelSean · Mon Oct 20, 2014 7:18 am

For those that are having problems with Plex etc.

I'm a newbie to RouterOS, so for the time being I've relied heavily on the RouterOS by Example book.

However, as a Plex user myself, I soon found out that just setting up a port forward isn't enough.

First in your Filter Rules
Also, this MUST be above the Drop all rule for the Forward chain.

Chain: forward
Protocol: tcp
Dst Port: 32400
In Interface: ether1 (or whichever is your wan port)
Action: Accept

Make another one but with UDP as well.
These 2 entries just allow the router to allow those ports to be opened.

Next, lets now create the port forward rules.
Chain: dstnat
Protocol: tcp
Dst Port: 32400
In Interface: ether1 (or whichever is your wan port)
Action: dst-nat
To Address: YourLocalPlexServerIp
to ports: 32400

do the same for UDP as well.

Voila! Done!

nerden · Sat Dec 27, 2014 7:10 pm

I have been fighting with this for the last two days, and think I have read all the posts on this forum relating to Plex and UPnP,
After a lot of tinkering there I found two fixes;

1)Use UPnP, several other poeple have not had issues when using UPnP, it just worked for them, i had to manually specify the information for my external interface:
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add forced-external-ip=85.96.108.209 interface=ether1-gateway type=external

2) Rather than using UPNP, manually create a DNAT tranlation, it looks a bit different from the other translations i have used but seems to work.
(Basically this was in the list of NAT translations when I had it setup with UPnP, so I removed the automatic config and the UPnp settings and created it manually, you will need to specify the port number from the Plex config page (Server>Connect>Port)
/ip firewall nat
add action=dst-nat chain=dstnat comment=PLEX dst-address=\
86.27.67.17 dst-port=32400 protocol=tcp to-addresses=192.168.100.10
to-ports=32400

Hopefully that will save someone two days of frustration in future

p3ter · Wed Jul 21, 2021 10:35 am

...Also, this MUST be above the Drop all rule for the Forward chain.

Chain: forward
Protocol: tcp
Dst Port: 32400
In Interface: ether1 (or whichever is your wan port)
Action: Accept

Make another one but with UDP as well.
These 2 entries just allow the router to allow those ports to be opened.

Thank you @suntelSean from a noob, 7 years later :) So many posts on Plex telling me it should 'just work' with NAT rules, adding the firewall Accept rule is a key missing step.
I assume those people who CAN get this working with only a NAT rule have not followed Mikrotik advice on firewall rules (https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router), and are therefore accepting unsolicited incoming packets.

gotsprings · Wed Jul 21, 2021 12:45 pm

...Also, this MUST be above the Drop all rule for the Forward chain.

Chain: forward
Protocol: tcp
Dst Port: 32400
In Interface: ether1 (or whichever is your wan port)
Action: Accept

Make another one but with UDP as well.
These 2 entries just allow the router to allow those ports to be opened.
Thank you @suntelSean from a noob, 7 years later :) So many posts on Plex telling me it should 'just work' with NAT rules, adding the firewall Accept rule is a key missing step.
I assume those people who CAN get this working with only a NAT rule have not followed Mikrotik advice on firewall rules (https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router), and are therefore accepting unsolicited incoming packets.

If you use the current default firewall filter rules...

A proper nat rule is allowed by the LAST RULE in the default firewall.

anav · Wed Jul 21, 2021 2:12 pm

THe confusion is attempting to use forward chain rules for NAT details.
All that is required in the forward chain is a singe rule that says, I will allow port forwarding packets through the firewall.

The work is done in the NAT rules where one delineates the port details, protocol, any translation and preferably source-address-list (limiting access).

Port Forwarding done right?

Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Re: Port Forwarding done right?

Who is online