novusopiate
just joined
Topic Author
Posts: 2
Joined: Mon Nov 29, 2021 8:47 pm

Port Forwarding, firewall and self hosted game server help!

Mon Nov 29, 2021 9:16 pm

Hello all! **Warning, noob here so Beginner Basics seemed like the right place......**

I have a new RB2011 routerboard that I am wanting to use as a residential network device. I have the unit up and running easily and am pretty happy with the unit thus far.

HOWEVER!!!! I run a very small game server (Dungeons & Dragons on the FoundryVTT platform hosting on a headless linux box). This server was recently running without any problems on localip:30000 with a port forward set up to resolve a https domain to my public ip and then into my server.

I set up NAT forwarding rules on the RB2011 (forwarding set for ports 80, 443, and 30000, as the server relays Jitsi video) and after a bit of research tried to amend the correct firewall rules to allow my server to be publicly accessible. So far all I can muster is a "connection refused". Open port check tools cannot see my service on 30000, but I can access my server locally on localip:30000 as well as SSH into the Linux box locally.

I am not as up to date on networking as I used to be and wanted to take a whirl at the mikrotik boards as they seemed like a really neat resource but I am finding it difficult to decipher some of the firewall rules in particular. Below are the NAT rules and some additional info I have seen requested elsewhere.

Thank you in advance for any help and patience! Next D&D session is Thursday! Oh hell!

NAT rules:
```
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=*publicip* to-addresses=192.168.88.254 to-ports=30000 protocol=tcp dst-port=80
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=*publicip* to-addresses=192.168.88.254 to-ports=443 protocol=tcp dst-port=443
```

More details:
```
/ip address print detail:
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=ether2 actual-interface=bridge 

 1 D address=*publicip*/18 network=76.187.128.0 interface=ether1 actual-interface=ether1 
/ip route print detail:
 0 ADS  dst-address=0.0.0.0/0 gateway=76.187.128.1 gateway-status=76.187.128.1 reachable via  ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 

 1 ADC  dst-address=76.187.128.0/18 pref-src=*publicip* gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10 
```
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port Forwarding, firewall and self hosted game server help!  [SOLVED]

Wed Dec 01, 2021 2:26 pm

1.- I assume you're using the default firewall config from ROS, which automatically opens forwarded ports. Check that this rule actually exists:
```
/ip firewall filter
[...]
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN 
```

This is required, otherwise the firewall won't let the incoming connection pass.

2.- If the D&D internal server listens on tcp/30000, this is wrong:
```
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=*publicip* to-addresses=192.168.88.254 to-ports=30000 protocol=tcp dst-port=80 
```
You're forwarding external port 80 to internal port 30000... it should be 30000 == 30000.

Additionally, you can make your life easier if you don't have a fixed public IP by referring to the in-interface or in-interface-list parameter instead of using the public IP.

i.e.:
```
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN to-addresses=192.168.88.254 to-ports=30000 protocol=tcp dst-port=30000
add chain=dstnat action=dst-nat in-interface-list=WAN to-addresses=192.168.88.254 to-ports=443 protocol=tcp dst-port=443
add chain=dstnat action=dst-nat in-interface-list=WAN to-addresses=192.168.88.254 to-ports=80 protocol=tcp dst-port=80
```

3.- Be sure to disable IP > Services > www and www-ssl.
 
novusopiate
just joined
Topic Author
Posts: 2
Joined: Mon Nov 29, 2021 8:47 pm

Re: Port Forwarding, firewall and self hosted game server help!

Wed Dec 01, 2021 5:12 pm

Thank you for the notes! With your help and the help of Steveocee's hairpin NAT video, I have been able to clean up the initial mess I made!

The server is accessible from outside the local network via domain and running like a champ! However, internally I am unable to access the domain or public ip. Currently reading previous posts on split DNS and other possible solutions. I can load up my server on local network using internal ip, however it will not allow SSL which I need for the Jitsi video. So close! This whole process has been fascinating and I'm looking forward to learning more as I go.
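The pieces pukkita listed (matching the WAN interface list, equal external and internal ports, the defconf drop rule) plus the hairpin NAT and split DNS the second post is chasing, pulled together as one added example. This is not config from the thread; it assumes the defconf interface lists WAN and LAN exist, the server is 192.168.88.254 and the router is 192.168.88.1 as in the thread, and "game.example.com" is a placeholder for the real name.

```routeros
# Added example (not from the thread). Assumes defconf interface lists WAN (ether1) and
# LAN (bridge), server 192.168.88.254, router 192.168.88.1, placeholder name game.example.com.

/ip firewall nat
# 1. Inbound from the Internet: match the WAN list instead of a (dynamic) public IP.
#    External port == internal port for each service (the original rule mapped 80 -> 30000).
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=30000 \
    to-addresses=192.168.88.254 to-ports=30000 comment="foundry: WAN -> server"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.254 to-ports=443 comment="https: WAN -> server"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80 \
    to-addresses=192.168.88.254 to-ports=80 comment="http: WAN -> server"

# 2. Hairpin NAT so LAN clients can reach the server through the public IP / domain name.
#    dst-address-type=local matches any address the router owns, so it follows a dynamic
#    public IP; the router's own LAN address is excluded so WinBox/SSH on it stay reachable.
#    to-ports is omitted, so the destination port is kept as-is.
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-address-type=local \
    dst-address=!192.168.88.1 protocol=tcp dst-port=30000,443,80 \
    to-addresses=192.168.88.254 comment="hairpin: LAN -> server via public IP"
#    Replies must come back through the router, so source-NAT the hairpinned flows.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.254 \
    protocol=tcp dst-port=30000,443,80 comment="hairpin: masquerade LAN -> server"

# 3. Forward chain: defconf has no final drop, so dst-natted connections pass simply by
#    not matching the drop rule below. The explicit accept is added so the forwards keep
#    working if a final drop is ever appended; both rules belong after the
#    established/related accept and the drop-invalid rules.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN comment="accept dstnat from WAN"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# Alternative to hairpin: split DNS, where the router answers the public name with the LAN
# address for LAN clients. The TLS certificate still matches because the hostname is unchanged
# (clients must use the router as their resolver for this to take effect).
/ip dns static
add name=game.example.com address=192.168.88.254
```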
 
sunakashi
just joined
Posts: 17
Joined: Wed Nov 23, 2022 1:55 pm
Location: CZ

Re: Port Forwarding, firewall and self hosted game server help!

Tue Feb 21, 2023 10:54 pm

> 3.- Be sure to disable IP > Services > www and www-ssl.

Please, can you explain why this option? Thanks.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding, firewall and self hosted game server help!

Tue Feb 21, 2023 11:01 pm

It's not needed: even if a service on the router uses some port and the dstnat rule is for the same one, dstnat sends the packets elsewhere before they can reach the service on the router.