Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 12:08 pm

Hi guys

So I've got a production router that I need to open some ports on for a Vodafone Sure Signal unit. Thought I'd done everything right but it still didn't work, so I decided to remove Vodafone's IP and do some basic port tests with www.yougetsignal.com/tools/open-ports/

I see the packets register in the firewall/NAT tab but the site still says the port is closed. I did have a rule blocking outgoing ICMP requests but I disabled it temporarily for this; still not showing as open. I even disabled the entire firewall for a minute but still the same result.

Can anyone point me in the right direction for this one please?

MT
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 12:11 pm

Do you allow dstnat packets in your forward filter table?
By default there is a rule for that but maybe you have deleted it.
 
Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 12:53 pm

Would that have been in the default config? Do you have a CLI example I can see?
 
strods
MikroTik Support
Posts: 1661
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 2:33 pm

If you configure port forwarding, then you have to have a NAT rule, a proper path back for the reply from the local service, srcnat which replaces the address back, and a forward rule which allows forwarded, dstnatted packets:
https://wiki.mikrotik.com/wiki/Tips_and ... n_RouterOS
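
The pieces listed in the reply above, laid out as an added RouterOS example; it is not part of the original thread and not MikroTik's own configuration. The interface name, addresses, port and peer address are placeholder assumptions.

```routeros
# Added example. Every value below is a placeholder (assumption):
#   ether1          = WAN interface
#   192.168.88.0/24 = LAN, 192.168.88.10 = internal host
#   tcp/8080        = forwarded port
#   203.0.113.10    = the one remote peer that should reach the service

/ip firewall nat
# 1. dstnat: rewrite the destination of matching inbound packets.
#    Limiting src-address to the known peer keeps the port closed to everyone else.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=8080 \
    src-address=203.0.113.10 to-addresses=192.168.88.10 to-ports=8080 \
    comment="example: forward tcp/8080 to internal host"
# 2. srcnat: LAN traffic leaves with the router's public address.
add chain=srcnat action=masquerade out-interface=ether1 \
    src-address=192.168.88.0/24 comment="example: masquerade LAN"

/ip firewall filter
# 3. forward chain: accept replies, accept new connections only when they
#    were dst-natted, then drop everything else arriving from the WAN.
#    "add" appends to the end of the chain; if an existing drop rule sits
#    above these, the forwarded packets are still discarded, so place the
#    accept rules before it (place-before=...).
add chain=forward action=accept connection-state=established,related \
    comment="example: allow replies"
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 \
    comment="example: allow forwarded (dst-natted) connections"
add chain=forward action=drop in-interface=ether1 \
    comment="example: drop other traffic from WAN"

# 4. Return path: the internal host must send its replies back through this
#    router (its default gateway), otherwise the connection never completes.

# 5. Checks: a rising counter on the dstnat rule only shows that the NAT rule
#    matched. Confirm the forward accept rule is also counting packets and
#    that a connection entry for the port exists.
/ip firewall filter print stats
/ip firewall connection print where dst-address~":8080"
```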
 
Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 3:03 pm

Thanks Strods

Following the Wiki: I already had the masquerade rule in place, I have set up the forward rule for dstnat connection state but it still isn't working :(
 
strods
MikroTik Support
Posts: 1661
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Fri Sep 08, 2017 3:31 pm

Please provide NAT rules export and Filter rules export.
 
Bivvy
newbie
Posts: 32
Joined: Sat Feb 04, 2017 1:36 am

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Sun Feb 11, 2018 11:21 pm

Did you ever get this working?

We have a number of clients sitting behind a Cloud Core Router which is our route out to the internet.
All individual clients have a SRC-NAT rule on the CCR so that they have a unique IP address to the outside world, e.g.:
0 chain=srcnat action=src-nat to-addresses=185.52.xxx.xxx src-address=10.10.20.221 out-interface=sfp1 log=no log-prefix=""

By default we don't have matching DST-NAT rules, so any traffic generated from outside our network is dropped at the firewall.

The last rule in our NAT table is a catch all which puts any remaining outgoing traffic on our default external IP address:
143 chain=srcnat action=src-nat to-addresses=94.142.xxx.xxx out-interface=sfp1 log=no log-prefix=""

This was what we used for all traffic until we were provided with static IP addresses for each client.

Unfortunately we have a problem with SureSignal - it does not work for anyone that has been assigned a static IP address, but works fine if we disable their rule and allow the catch all at the end.
Any ideas?
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port Forwarding - Rule receiving packets but port still showing as closed

Mon Feb 12, 2018 11:01 am

When you have static IP addresses for the clients, you should simply route their traffic instead of using NAT.
That way you avoid all possible issues that are related to NAT.