Port Forwarding (AND MORE) Still Not Working

pedroSwan · Mon Jul 01, 2019 12:56 am

I have tried everything I possibly can to get my Port Forwarding working.

I have a VDSL2 modem sat ahead of my Mikrotik Router. Router is at 192.168.1.1. WAN is static address at 82.xxx.xxx.xxx (we'll call it 82.111.111.111 for ease of explanation)

I really would like to get the Port Forwarding set up but I fear there are some issues ahead of this which need fixing.

Setup:
Netgear DM200 Modem PPPoE VDSL Connection
RB2011 UiAS-RM
Ubiquiti AC-Lite Wireless AP

What is good:

- All my devices connect well to the Mikrotik and all go out onto the internet just fine.
- Internally they can all communicate between themselves
- DHCP internally works perfectly
- Data rates are good
- WinBox wired is perfect

Not so good:

- Wireless connection to 192.168.1.1 fails on my Mac
- Port Forward to IP Camera at 192.168.1.222, TCP, Port 8081 Fails
I have used this command for the camera forward:

/ip firewall nat
add chain=dstnat dst-address82.111.111.111 protocol=tcp dst-port=8081 action=dst-nat to-addresses=192.168.1.222

I used this code for the basic Firewall settings:

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
 d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
 need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
 Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
 "MC, Class D, IANA # Check if you need this subnet before enable it" \
 list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
 Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1

But I have tried the forwarding with this rules off and on

It will be something this noob has done but I've given it a good go so calling out for some help now please

Thanks

anav · Tue Jul 02, 2019 4:23 pm

add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp

What are those for? The only ports you should be allowing to or across your router is NONE!!
(well maybe DNS to your router but only from the LAN side + admin access on the lan side to the router for router management)
Remove these rules, unless you have a clear reason???

/ip firewall nat
add chain=dstnat dst-address=82.111.111.111 protocol=tcp dst-port=8081 action=dst-nat to-addresses=192.168.1.222

On the surface nothing seems wrong with this rule except I had to insert the equal side but figured that was a typo not an error in your config??

/ip firewall filter
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1

What is eth1 connected to? I am assuming this is the static WANIP from your netgear modem?

I would get rid of this rule.....
add action=drop chain=input in-interface=ether1

Instead at the end of your input chain (last rule) simply put
add action=drop chain=input (drop all other traffic).

pedroSwan · Tue Jul 02, 2019 9:05 pm

Thanks anav, really appreciate the reply.

Ether1 is connected directly to the VDSL router which is at 192.168.1.1

As for the forward to 69, that is typo and should have read 6690 for VPN. I have moved on a little now, or backwards and have gone back to a clean but probably vulnerable config.

Sorry for the double post the moderation didn't appear to have taken affect, it has now.

To save duplicate posting and threads off topic here is the link viewtopic.php?f=13&t=149847

anav · Wed Jul 03, 2019 5:23 am

What you should start fresh with is the default setup as that is safe and a good place to start.

pedroSwan · Wed Jul 03, 2019 7:22 am

Thanks, I resorted to that. Linked thread is where I’m at. Thanks

viewtopic.php?f=13&t=149847

Port Forwarding (AND MORE) Still Not Working [SOLVED]

Port Forwarding (AND MORE) Still Not Working

Re: Port Forwarding (AND MORE) Still Not Working [SOLVED]

Re: Port Forwarding (AND MORE) Still Not Working

Re: Port Forwarding (AND MORE) Still Not Working

Re: Port Forwarding (AND MORE) Still Not Working

Who is online