SeaCow
just joined
Topic Author
Posts: 8
Joined: Sun Mar 13, 2011 1:52 am

Hard time getting any port forwarding to work

Sat Aug 11, 2012 1:46 am

I'm trying to allow access from the internet to a Shoutcast server and a web server from a server I have at home. Can anyone help me figure out what I'm doing wrong? Thx

I have an external dynamic IP from my ISP.
external router ip 1.1.1.1
internal router ip 192.168.0.1
internal server ip 192.168.0.101


Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Local access
chain=input action=accept protocol=tcp src-address-list=local
dst-port=8291

1 chain=input action=accept protocol=tcp dst-port=7778

2 chain=input action=accept protocol=tcp dst-port=8000

3 chain=input action=accept protocol=tcp dst-port=8001

4 chain=input action=accept protocol=tcp src-port="" dst-port=443

5 chain=input action=accept protocol=tcp dst-port=22

6 chain=inbound action=drop src-address=50.19.91.18

7 chain=output action=drop dst-address=50.19.91.18

8 X chain=output action=drop protocol=tcp dst-port="" port=!80

9 ;;; wLAN
chain=input action=accept in-interface=wlan1

10 ;;; eLAN
chain=input action=accept in-interface=ether2

11 ;;; bridge
chain=input action=accept in-interface=bridge1

12 ;;; Treat all traffic equally
chain=input action=jump jump-target=inbound

13 ;;; Treat all traffic equally
chain=forward action=jump jump-target=inbound

14 ;;; Drop invalid
chain=inbound action=drop connection-state=invalid

15 ;;; Allow limited icmp
chain=inbound action=accept protocol=icmp limit=50/5s,2

16 ;;; Drop excess icmp
chain=inbound action=drop protocol=icmp

17 ;;; Accept established
chain=inbound action=accept connection-state=established

18 ;;; Accept related
chain=inbound action=accept connection-state=related

19 ;;; Internal traffic can do what it wants.
chain=inbound action=accept src-address-list=local

20 ;;; And drop everything else
chain=inbound action=drop

21 ;;; Allow everything out
chain=output action=accept


[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=8000
protocol=tcp dst-port=8000

2 chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=8001
protocol=tcp dst-port=8001

3 chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=7778
protocol=tcp dst-port=35000
 
greencomputing
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: Hard time getting any port forwarding to work

Sat Aug 11, 2012 2:09 am

Hi sir,
could you show me how you defined the local src-address list (chain=inbound action=accept src-address-list=local)?

Just to be sure that local addresses can forward without being caught by the drop rule.


thanks
 
SeaCow
just joined
Topic Author
Posts: 8
Joined: Sun Mar 13, 2011 1:52 am

Re: Hard time getting any port forwarding to work

Sat Aug 11, 2012 3:20 am

Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 ;;; LAN
local 192.168.0.0/24
 
greencomputing
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: Hard time getting any port forwarding to work

Sat Aug 11, 2012 3:34 am

The 3 accept rules
1 chain=input action=accept protocol=tcp dst-port=7778
2 chain=input action=accept protocol=tcp dst-port=8000
3 chain=input action=accept protocol=tcp dst-port=8001
will never be matched because the correct chain is forward and not input. Change the chain to forward and it will work:
...
1 chain=forward action=accept protocol=tcp dst-port=7778
2 chain=forward action=accept protocol=tcp dst-port=8000
3 chain=forward action=accept protocol=tcp dst-port=8001
Hoping this will help you
 
SeaCow
just joined
Topic Author
Posts: 8
Joined: Sun Mar 13, 2011 1:52 am

Re: Hard time getting any port forwarding to work

Sat Aug 11, 2012 6:06 am

Thx guys, changing the chain to forward seems to have done the trick.
 
ricotrevisan
just joined
Posts: 7
Joined: Wed Mar 30, 2016 3:09 pm

Re: Hard time getting any port forwarding to work

Mon Jul 04, 2016 11:22 am

Thanks for this. So is this correct that to do a proper port forward I need to:

- add port in first tab "Filter Rules"
- add NAT forwarding destination address and port
?

I thought only the NAT rule would suffice, but I need both. What a long night to figure this one out.
 
tslytsly
Frequent Visitor
Posts: 65
Joined: Tue Oct 27, 2015 6:52 pm
Location: Nottingham

Re: Hard time getting any port forwarding to work

Mon Jul 04, 2016 7:00 pm

Thanks for this. So is this correct that to do a proper port forward I need to:

- add port in first tab "Filter Rules"
- add NAT forwarding destination address and port
?

I thought only the NAT rule would suffice, but I need both. What a long night to figure this one out.
Hi ricotrevisan,
Yes, you do need both because NAT is not the same as filtering.
Say you have a packet headed for your public IP that you want to forward to an internal host, so from 2.2.2.2 to 1.1.1.1:80.
The first thing that happens is the router looks in the NAT table for a rule that matches; let's say we have a rule translating anything headed to TCP port 80 to the internal address 192.168.1.1.

So now the router will alter that packet's IP header, from src:2.2.2.2 dst:1.1.1.1 to src:2.2.2.2 dst:192.168.1.1.

The packet has been translated, but now we need to check if it is allowed.

The router looks at its filter rule table from the top down for a matching rule; remember it has to match the IP header that now has the internal IP 192.168.1.1 in the dst field. The first rule it hits that matches will fire. So if you have a default drop rule at the bottom of that list, but no valid accept rule, the traffic will not get through.

It has been translated, but not allowed through the filter part of the firewall.

It can be confusing because of how consumer routers handle NAT. On a consumer router, adding a NAT rule often automagically adds an accept rule in the background that you never know about.
Pro routers and firewalls do not do this.

Having said all of that, you can program similar functionality on RouterOS using the following filter rule:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
This rule simply states that if the router has NATted the packet's dst-ip field then it is accepted.

Hope that helps,
tslytsly
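The NAT-then-filter order tslytsly describes, as a small Python model added here (example code, not RouterOS and not from the thread): it translates a packet with the original post's dst-nat rules, picks the input or forward chain from the translated destination, then walks the filter rules top-down, so the original post's input-chain accepts never see forwarded traffic while the forward-chain fix, or the connection-nat-state=dstnat rule, does. The rule model is simplified: connection and NAT state are plain fields on the packet, and the src-address-list is a single network.

```python
import ipaddress
ROUTER_IPS = {"1.1.1.1", "192.168.0.1"}          # router addresses from the thread
LOCAL = ipaddress.ip_network("192.168.0.0/24")   # the "local" address list
# dst-nat rules copied from the original post's "ip firewall nat print"
DSTNAT = [
    {"dst_port": 8000, "to_addr": "192.168.0.101", "to_port": 8000},
    {"dst_port": 8001, "to_addr": "192.168.0.101", "to_port": 8001},
    {"dst_port": 35000, "to_addr": "192.168.0.101", "to_port": 7778},
]
def dst_nat(pkt):
    """Step 1: rewrite the destination before any filter rule is consulted."""
    for r in DSTNAT:
        if pkt["protocol"] == "tcp" and pkt["dst_port"] == r["dst_port"]:
            return {**pkt, "dst": r["to_addr"], "dst_port": r["to_port"], "nat_state": "dstnat"}
    return {**pkt, "nat_state": None}

def matches(rule, pkt):
    """Every matcher in the rule must equal the field of the *translated* header."""
    return all(pkt.get(k) == v for k, v in rule.items() if k not in ("chain", "action", "jump"))

def run_chain(rules, chain, pkt):
    """Top-down, first match fires; a jump target with no verdict returns to the parent."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        if r["action"] != "jump":
            return r["action"]
        verdict = run_chain(rules, r["jump"], pkt)
        if verdict:
            return verdict
    return None

def firewall(rules, pkt):
    """Step 2: choose input/forward from the translated dst, then filter. No match = accept."""
    pkt = dst_nat(pkt)
    pkt["src_local"] = ipaddress.ip_address(pkt["src"]) in LOCAL
    chain = "input" if pkt["dst"] in ROUTER_IPS else "forward"
    return run_chain(rules, chain, pkt) or "accept", pkt

COMMON = [  # tail of the original post's filter: both chains jump to "inbound", which ends in drop
    {"chain": "input", "action": "jump", "jump": "inbound"},
    {"chain": "forward", "action": "jump", "jump": "inbound"},
    {"chain": "inbound", "conn_state": "established", "action": "accept"},
    {"chain": "inbound", "src_local": True, "action": "accept"},
    {"chain": "inbound", "action": "drop"},
]
BROKEN = [{"chain": "input", "protocol": "tcp", "dst_port": 8000, "action": "accept"}] + COMMON
FIXED = [{"chain": "forward", "protocol": "tcp", "dst_port": 8000, "action": "accept"}] + COMMON
NATSTATE = [{"chain": "forward", "nat_state": "dstnat", "action": "accept"}] + COMMON
# constructed: first SYN from the internet to the public IP, as in the thread
SYN = {"src": "2.2.2.2", "dst": "1.1.1.1", "protocol": "tcp", "dst_port": 8000, "conn_state": "new"}
```

Run `firewall(BROKEN, SYN)` and `firewall(FIXED, SYN)` to see the same translated packet end in "drop" and "accept" respectively; a LAN packet to the router's own port still reaches the input chain in both.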
 
ricotrevisan
just joined
Posts: 7
Joined: Wed Mar 30, 2016 3:09 pm

Re: Hard time getting any port forwarding to work

Tue Jul 05, 2016 8:20 am

Awesome! Extremely clear explanation and great little tip!

Your post should be a sticky and/or a part of the wiki from Mikrotik.
 
tslytsly
Frequent Visitor
Posts: 65
Joined: Tue Oct 27, 2015 6:52 pm
Location: Nottingham

Re: Hard time getting any port forwarding to work

Tue Jul 05, 2016 11:01 am

No problem ricotrevisan,
Not sure it should be stickied, the grammar is terrible! (But I cannot be bothered to edit it  :lol:)

If you get a chance to uprate the post for me that would be great, thanks.

tslytsly
 
ricotrevisan
just joined
Posts: 7
Joined: Wed Mar 30, 2016 3:09 pm

Re: Hard time getting any port forwarding to work

Wed Jul 06, 2016 11:04 pm

Will do! (but I still don't have any reputation points...)