pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Open ports for outside access

Mon Apr 04, 2016 7:59 am

Hello

I seem to have trouble opening ports for outside access. I need to open up port xxxx to access a webgui and port yyyy to access another webui.

Internally everything is working; externally, both port xxxx and port yyyy are closed.

This is my setup, directly from mikrotik wiki:

IP, Firewall, NAT,

Chain: DSTNAT
Protocol: TCP
DST port: xxxx
Action: DST-NAT
To address: Internal IP of server
To ports: xxxx

The second one is the same but with yyyy instead. The funny thing is that this did work until I upgraded to firmware 3.30; I saw the other day that it was removed and 3.24 was the latest again. So I downgraded, and it is still not working...

Any ideas on how to troubleshoot?
 
sash7
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Mon Apr 04, 2016 8:28 am

Too much information, but you also need to accept these ports in the forward chain.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Mon Apr 04, 2016 8:43 am

You need such firewall filter rule:

chain=forward connection-nat-state=dstnat action=accept
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re:

Mon Apr 04, 2016 8:53 pm

You need such firewall filter rule:

chain=forward connection-nat-state=dstnat action=accept

I have added this but still nothing... port 80 is open as before, but the ones I want to open are still closed...
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Open ports for outside access

Mon Apr 04, 2016 9:16 pm

You list rules configured as dst-port=xxxx / to-ports=xxxx (external / internal port numbers)

Are the servers themselves listening on port xxxx or just on port 80 if you're behind the firewall?
If just regular old port 80, then change "to-ports" from xxxx and yyyy to be 80 instead.
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re: Open ports for outside access

Mon Apr 04, 2016 10:28 pm

You list rules configured as dst-port=xxxx / to-ports=xxxx (external / internal port numbers)

Are the servers themselves listening on port xxxx or just on port 80 if you're behind the firewall?
If just regular old port 80, then change "to-ports" from xxxx and yyyy to be 80 instead.

The server is listening on both xx and yy; one is for the web GUI and one is for the server to connect to other peers.
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re: Open ports for outside access

Mon Apr 04, 2016 10:33 pm

You list rules configured as dst-port=xxxx / to-ports=xxxx (external / internal port numbers)

Are the servers themselves listening on port xxxx or just on port 80 if you're behind the firewall?
If just regular old port 80, then change "to-ports" from xxxx and yyyy to be 80 instead.
The server is listening on both xx and yy; one is for the web GUI and one is for the server to connect to other peers.

I think the problem might be that I have not done the "default settings" installation.

What rules should be in IP/Firewall/Filter Rules by default?

I have followed this setup and done the following:

Router protection

/ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
in-interface=!ether1
add chain=input action=drop comment="Drop everything else"

Customer protection

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"

And the rule mentioned above. Am I missing something?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Open ports for outside access

Mon Apr 04, 2016 11:38 pm

You can put established and related on the same rule.
(do this for both input and forward chains)

Then add to forward chain: (at the end of what's already there)

action=accept connection-nat-state=dstnat
action=drop in-interface=ether1

(assuming that ether1 is the WAN interface)
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re: Open ports for outside access

Tue Apr 05, 2016 12:04 am

you can put established and related on the same rule....
(do this for both input and forward chains)

Then add to forward chain: (at the end of what's already there)

action=accept connection-nat-state=dstnat
action=drop in-interface=ether1

(assuming that ether1 is the WAN interface)

Could you explain what you mean by "related"? (Found out and fixed it.)

Also your last rule has two actions, or am I missing something?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Open ports for outside access

Tue Apr 05, 2016 12:51 am

Could you explain what you mean with "related"? "Found out and fixed it"

Also your last rule has two actions, or am I missing something?

Related means a connection which is related to another existing connection. Examples would be the data transfer connection that FTP uses, or the audio stream (RTP) of a VoIP call set up using SIP. ICMP responses from remote sites would also count: for instance, sending a DNS query to a host that isn't running a nameserver would result in the remote host sending an ICMP port unreachable message. This is strictly a new connection from a tracking point of view, but it's related to the previous UDP packet. In any case, you generally want to allow established and related connections from the WAN.

And the last rule is actually two rules. The first allows packets which are being forwarded as the result of a dst-nat mapping (which is what you started this thread about) and the second is the default catch-all drop rule. If no other rule has applied (i.e. if I haven't explicitly permitted it yet) then discard the packet. This is security 101 - specifically allow what's wanted/needed, and discard everything else.
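As an added illustration of the ordering point made in this thread (not code from the forum or from MikroTik), the following small Python first-match simulator evaluates constructed packets against the forward chain described above: drop invalid, accept established/related, accept dst-nat'd traffic, then drop whatever else arrives on the WAN. It assumes ether1 is the WAN interface and ether2 the LAN, and it shows that moving the WAN drop above the dst-nat accept silently kills the port forward.

```python
# Added example: a tiny first-match evaluator for a RouterOS-style
# forward chain. Matcher names mirror RouterOS (connection-state,
# connection-nat-state, in-interface); packets and interfaces are constructed.

FORWARD_CHAIN = [
    {"connection-state": "invalid", "action": "drop"},
    {"connection-state": {"established", "related"}, "action": "accept"},
    {"connection-nat-state": "dstnat", "action": "accept"},
    {"in-interface": "ether1", "action": "drop"},  # ether1 assumed to be WAN
]

def rule_matches(rule, packet):
    """Every matcher in the rule must hold; 'action' is not a matcher.
    A set value means 'any of these' (RouterOS 'established,related')."""
    for key, wanted in rule.items():
        if key == "action":
            continue
        have = packet.get(key)
        if isinstance(wanted, set):
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True

def evaluate(chain, packet, default="accept"):
    """First matching rule decides; a RouterOS chain accepts when no rule matches."""
    for rule in chain:
        if rule_matches(rule, packet):
            return rule["action"]
    return default

# Constructed sample packets as the forward chain sees them (after dst-nat).
WAN_PORT_FORWARD = {"in-interface": "ether1", "connection-state": "new",
                    "connection-nat-state": "dstnat", "dst-port": 51413}
WAN_UNSOLICITED = {"in-interface": "ether1", "connection-state": "new",
                   "connection-nat-state": None, "dst-port": 22}
LAN_TO_WAN = {"in-interface": "ether2", "connection-state": "new",
              "connection-nat-state": None, "dst-port": 443}

# Same rules, but the WAN drop placed above the dst-nat accept.
MISORDERED_CHAIN = FORWARD_CHAIN[:2] + [FORWARD_CHAIN[3], FORWARD_CHAIN[2]]

def demo():
    return {
        "forwarded": evaluate(FORWARD_CHAIN, WAN_PORT_FORWARD),      # accept
        "unsolicited": evaluate(FORWARD_CHAIN, WAN_UNSOLICITED),     # drop
        "lan_out": evaluate(FORWARD_CHAIN, LAN_TO_WAN),              # accept
        "misordered": evaluate(MISORDERED_CHAIN, WAN_PORT_FORWARD),  # drop
    }

if __name__ == "__main__":
    print(demo())
```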
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re: Open ports for outside access

Tue Apr 05, 2016 7:29 am

Hi, OK, so this is what I have now:

Filter rules:

add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid
add chain=input comment="Allow established connections" \
connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Drop everything else" in-interface=!ether1 \
src-address=192.168.1.0/24
add action=drop chain=input comment="Drop invalid connections"
add action=drop chain=forward comment="drop invalid connetions" \
connection-state=invalid protocol=tcp
add chain=forward comment=\
"allow already established and related connections" \
connection-state=established,related
add chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment=forward2 in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1


In NAT I have the following:
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp \
to-addresses=192.168.1.11 to-ports=51413

This still does not work...

Btw thank you for your help, it is really appreciated
 
pomah
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Aug 15, 2014 5:00 pm

Re: Open ports for outside access

Tue Apr 05, 2016 7:44 am

I have now tried to follow this setup:
http://wiki.mikrotik.com/wiki/Manual:De ... igurations

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
established in-interface=ether1
add chain=input comment="default configuration" connection-state=related \
in-interface=ether1
add action=drop chain=input comment="default configuration" \
in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp \
to-addresses=192.168.1.11 to-ports=51413

Even this does not help...
 
DennisOlof
just joined
Posts: 19
Joined: Mon Mar 07, 2016 10:45 pm
Location: Sweden

Re: Open ports for outside access

Tue Apr 05, 2016 9:22 pm

Yeah, I am having problems too, confusing what actions to use, as some say it is this, and others say it is that.

If you check YouTube videos they help, but from what I can tell some of them are doing things the wrong way. Anyway, what works for me (though not 100%) is that the action should be "netmap".

The strange thing is that sometimes (at least on 5.26, which I was using a few days ago) it would say the ports are not open. I wonder if the problem is gone with 6.34.4, or am I using the wrong action?

add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp \
to-addresses=192.168.1.11 to-ports=51413

Change "add action=dst-nat": you want netmap. Should work now?

Or am I wrong ?