Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Problems with portforwarding.

Fri Dec 18, 2020 1:21 pm

Hello, I'm trying to add a port forward rule and hairpin NAT on port 25565, but the problem is, the rules only work for Minecraft but not other games. It was working before, but then I had to reset to factory settings; am I missing some option?
Port is showing open from https://www.yougetsignal.com/tools/open-ports/ after I added a chain forward rule to the firewall and deleted all other firewall rules (I know that's bad practice, but I was out of options). Any help?
[admin@MikroTik] > /export compact
# dec/18/2020 13:16:51 by RouterOS 6.44.6
# software id = B19J-K8YI
#
# model = RB750Gr3
# serial number = CC210B1EE3A8
/interface bridge
add admin-mac=C4:AD:34:CC:CD:EC auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward connection-state=established,related,new,untracked
/ip firewall mangle
add action=log chain=postrouting dst-port=25565 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MinecraftHairpin dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=tcp src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=udp src-address=192.168.88.0/24 to-ports=\
    25565
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=tcp to-addresses=192.168.88.198 to-ports=25565
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=udp to-addresses=192.168.88.198 to-ports=25565
add action=dst-nat chain=dstnat comment="upnp 192.168.88.198: GTA V" dst-address=94.244.64.198 dst-port=61455-61458 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.198 to-ports=61455-61458
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=192.168.88.1 interval=1s
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=0 traffic=received
EDIT: I added these rules just now
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problems with portforwarding.

Fri Dec 18, 2020 8:18 pm

Still no good, as I don't see any INPUT CHAIN firewall rules and thus it is not secure to attach to the internet.
Also your forward rules are cumbersome and thus confusing. Keep it simple, clean and default.

This is the default list that you cant go wrong with!!!!
/ip firewall filter
{INPUT}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
{FORWARD}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
	
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
...

Typically I recommend changing from an allow everything with some key block rules, to block everything with a few key allow rules.

So one adds the following in the input chain
ALLOW ADMIN ACCESS TO ROUTER - usually via firewall address list - which list devices I will use to access winbox ( desktop, laptop, ipad etc)
ALLOW LAN USERS ACCESS TO ROUTER but ONLY FOR SERVICES - typically DNS only port 53 udp, tcp
DROP ALL ELSE
Notes:
- only put in the drop all else rule when you have the allow admin rule in place otherwise one is locked out of the router LOL
- once the above rules are in place you can then remove this redundant rule
(add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN)
- So what the above does is not give everyone access to the router, ONLY the admin and block all traffic not specifically allowed.

In the forward chain.
One adds
Before the last rule (which will also be)
DROP ALL ELSE
any rules required to enable services typically
ALLOW SUBNETS or VLANS access to the INTERNET
ALLOW ADMIN to access ALL subnets and VLANS (if required)
ALLOW USERS any other access across subnet or vlan for shared devices, like a printer (If required)
ALLOW PORT FORWARDING (if required). ***
DROP ALL ELSE

Notes:
- once the above are in place you can remove this rule
(add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN)
- So what the above does is allow only the traffic you wish to permit and block everything else; it also separates out port forwarding, and it's an optional rule which looks like this.
*** add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

- all these rules in your forward chain can be removed as they are covered by DROP ALL ELSE. :-)
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
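
A concrete version of the input/forward layout described in the post above, as an added example that is not part of that post or of the OP's export. It assumes the interface lists and LAN subnet from the export (LAN = bridge, WAN = ether1, 192.168.88.0/24) and a placeholder admin workstation at 192.168.88.50; the management ports (8291 winbox, 22 ssh) and the DNS/DHCP services are the RouterOS defaults. Because the last rule in each chain drops everything not matched above it, apply this from a Safe Mode terminal (Ctrl-X) or with the admin rule already in place, exactly as the note above warns.

```routeros
# Added example (not from the thread): default-deny input and forward chains in
# the shape anav describes, for RouterOS 6.x. Assumes LAN = bridge and WAN =
# ether1 via the LAN/WAN interface lists, LAN subnet 192.168.88.0/24, and an
# admin workstation at 192.168.88.50 (placeholder; use your own address).
# Apply from a Safe Mode terminal (Ctrl-X) so a mistake is rolled back on
# disconnect rather than locking you out.

/ip firewall address-list
add list=admin address=192.168.88.50 comment="admin workstation (placeholder)"

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: established,related,untracked"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept protocol=icmp comment="input: ICMP"
# only listed admin hosts, and only from the LAN side, reach management
add chain=input action=accept in-interface-list=LAN src-address-list=admin \
    protocol=tcp dst-port=8291,22 comment="input: admin -> winbox/ssh"
# ordinary LAN hosts get just the services the router provides them
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="input: LAN -> DNS"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="input: LAN -> DNS tcp"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 \
    comment="input: LAN -> DHCP"
# last rule: everything not explicitly allowed above is dropped. Add this only
# after the admin rule is in place, or you are locked out.
add chain=input action=drop comment="input: drop all else"

# ---- forward: traffic passing through the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="forward: LAN -> internet"
# port forwarding (the optional *** rule above): new connections from WAN are
# admitted only if a dstnat rule rewrote them. Note the WAN match: a LAN client
# reaching the server via the public address (hairpin) enters from the LAN side
# and is NOT matched here; that case needs an accept without this restriction.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN comment="forward: port forwarding"
add chain=forward action=drop comment="forward: drop all else"
```

Rule order is the whole point: RouterOS walks each chain top to bottom and stops at the first match, so the admin and DNS accepts only work because they sit above the catch-all drop. `/ip firewall filter print stats` shows per-rule packet counters and is the quickest way to confirm a client's traffic is hitting the rule you expect rather than the final drop.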
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problems with portforwarding.

Fri Dec 18, 2020 8:30 pm

As for the port forwarding rules, not sure how mangle will affect your config, but normally it's not used for basic port forwarding, so you must have some purpose with it not communicated??
As for the hairpin source nat rule, it's better not to be specific and the rule should be as follows (and remove the ones in red, marked below).
add action=masquerade chain=srcnat comment=hairpinnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MinecraftHairpin dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=tcp src-address=\
192.168.88.0/24
(<----remove this rule)
add action=masquerade chain=srcnat dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=udp src-address=192.168.88.0/24 to-ports=\
25565
(<---- remove this rule)
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=tcp to-addresses=192.168.88.198 to-ports=25565
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=udp to-addresses=192.168.88.198 to-ports=25565


As for this rule, I have no idea what you are trying to do here??? This has nothing to do with UPNP as that is handled in a separate location???
If it's simply a port forwarding rule you would have to get rid of the in-interface=ether1.

add action=dst-nat chain=dstnat comment="upnp 192.168.88.198: GTA V" dst-address=94.244.64.198 dst-port=61455-61458 in-interface=ether1 protocol=udp \
to-addresses=192.168.88.198 to-ports=61455-61458
 
Moba
Member Candidate
Posts: 213
Joined: Sun Sep 27, 2020 6:15 pm

Re: Problems with portforwarding.

Fri Dec 18, 2020 11:49 pm

Why are LAN clients connecting to your game server from the WAN ip? If you forward ports, why are you using UPnP?

By default, only outbound connections are allowed for all LAN clients in the firewall filter. NAT is setup both ways accordingly.

Logically, for clients to connect from the WAN side to your server, you first need to open a port in the firewall's forward chain so those clients can connect. Then, you make a dstnat rule for the server connections. I have no idea why you have so many rules....
 
Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Re: Problems with portforwarding.

Mon Dec 21, 2020 2:56 pm

anav wrote:
As for the port forwarding rules, not sure how mangle will affect your config, but normally it's not used for basic port forwarding, so you must have some purpose with it not communicated??
As for the hairpin source nat rule, it's better not to be specific and the rule should be as follows (and remove the ones in red, marked below).
add action=masquerade chain=srcnat comment=hairpinnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MinecraftHairpin dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=tcp src-address=\
192.168.88.0/24
(<----remove this rule)
add action=masquerade chain=srcnat dst-address=192.168.88.198 dst-port=25565 out-interface=bridge protocol=udp src-address=192.168.88.0/24 to-ports=\
25565
(<---- remove this rule)
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=tcp to-addresses=192.168.88.198 to-ports=25565
add action=dst-nat chain=dstnat dst-address=94.244.64.198 dst-port=25565 protocol=udp to-addresses=192.168.88.198 to-ports=25565


As for this rule, I have no idea what you are trying to do here??? This has nothing to do with UPNP as that is handled in a separate location???
If its simply a port forwarding rule you would have get rid of the in-interface=ether1

add action=dst-nat chain=dstnat comment="upnp 192.168.88.198: GTA V" dst-address=94.244.64.198 dst-port=61455-61458 in-interface=ether1 protocol=udp \
to-addresses=192.168.88.198 to-ports=61455-61458
I need that hairpin to see if I actually port forwarded the port. The GTA V rule was made automatically by GTA Online I think, because I have UPnP enabled.
 
Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Re: Problems with portforwarding.

Mon Dec 21, 2020 2:57 pm

Moba wrote:
Why are LAN clients connecting to your game server from the WAN ip? If you forward ports, why are you using UPnP?

By default, only outbound connections are allowed for all LAN clients in the firewall filter. NAT is setup both ways accordingly.

Logically, for clients to connect from the WAN side to your server, you first need to open a port in the firewall's forward chain so those clients can connect. Then, you make a dstnat rule for the server connections. I have no idea why you have so many rules....
I'm trying to connect from LAN to WAN, so I can check if I actually port forwarded the port. How do I add a forward chain rule?
 
Moba
Member Candidate
Posts: 213
Joined: Sun Sep 27, 2020 6:15 pm

Re: Problems with portforwarding.

Mon Dec 21, 2020 5:46 pm

add action=accept chain=forward dst-address=192.168.88.xxx
    dst-port=xxxx in-interface=xxxxx protocol=xxx

If you need to forward more than one port, you can add all of them to the same rule. The more you add rules, the more confusing your config gets and the more resources are required to process everything. ROS is very efficient, until you add things that you don't need. The last thing most people want for gaming servers/clients is adding useless processing delays on packets...
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problems with portforwarding.

Mon Dec 21, 2020 8:13 pm

To allow all forwarded ports at once (you most likely want that, otherwise why would you forward them at all), use this:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
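
Putting Sob's forward rule together with anav's hairpin advice earlier in the thread, here is the full port-forward set for a TCP/UDP server on 192.168.88.198:25565, with the checks to confirm each stage is matching. This is an added example, not code from either post or from the OP's export; it assumes the same interface lists and subnet as the export. Two details matter for the hairpin test the OP wants (connecting from the LAN to the public address): the dstnat rules carry no in-interface restriction, since the hairpin packet arrives from the bridge rather than from ether1, and the forward accept has no in-interface-list=WAN either, because the hairpin connection enters the forward chain from the LAN side. dst-address-type=local stands in for the hard-coded 94.244.64.198 so a DHCP-assigned WAN address change does not silently break the rule.

```routeros
# Added example (not from the thread). Port forward + hairpin NAT for a game
# server at 192.168.88.198, TCP and UDP 25565. Assumes interface lists WAN
# (ether1) and LAN (bridge) and LAN subnet 192.168.88.0/24 as in the export.

/ip firewall nat
# 1. dstnat: connections to any of the router's own addresses (except its LAN
#    address) on 25565 go to the server. No in-interface match, so a LAN client
#    connecting to the public IP (the hairpin case) is rewritten as well.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.88.1 \
    protocol=tcp dst-port=25565 to-addresses=192.168.88.198 comment="mc-tcp"
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.88.1 \
    protocol=udp dst-port=25565 to-addresses=192.168.88.198 comment="mc-udp"

# 2. hairpin srcnat: when both ends are on the LAN, also rewrite the source to
#    the router's address. Without it the server answers the client directly
#    from 192.168.88.198 (same subnet, router bypassed), the client expected a
#    reply from the public address, and the connection never completes.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 comment="hairpin-nat"

/ip firewall filter
# 3. forward: let through every new connection that dstnat rewrote. Must sit
#    above any catch-all drop in the forward chain (verify with the print below).
add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new comment="allow-dstnat"

# ---- checks ----
# Rule counters: each should increase as a client connects. If mc-tcp counts
# but allow-dstnat does not, a drop rule sits above the accept.
/ip firewall nat print stats where comment~"^mc-"
/ip firewall filter print stats where comment="allow-dstnat"
/ip firewall filter print where chain=forward
# Connection table: a hairpin entry shows a LAN source, the public destination,
# and reply addresses rewritten to 192.168.88.198 and the router's LAN address.
/ip firewall connection print where dst-address~":25565"
```

Security caveat: connection-nat-state=dstnat accepts every connection that any dstnat rule rewrote, including rules UPnP creates on behalf of LAN hosts (the GTA V entry in the export is one such). With UPnP left enabled, the set of ports exposed is effectively decided by the LAN, not by the firewall; if that is not intended, disable it with `/ip upnp set enabled=no` and keep the forwards explicit.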
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problems with portforwarding.

Tue Dec 22, 2020 2:13 pm

Sob, he already had the default rule in place........ (but I much prefer the cleaner rule you suggested)
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
 
erkexzcx
Member Candidate
Posts: 265
Joined: Mon Oct 07, 2019 11:42 pm

Re: Problems with portforwarding.

Tue Dec 22, 2020 2:35 pm

anav wrote:
Sob, he already had the default rule in place........ (but I much prefer the cleaner rule you suggested)
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

Why would you need "connection-state=new" here? "Established,Related" and "Invalid" will be picked by above rules.
