 
xXSwagnemitEXx
just joined
Topic Author
Posts: 9
Joined: Mon Apr 13, 2020 7:46 pm

portforward not working

Fri Jul 31, 2020 9:03 pm

Hello mikrotik forum

I have a very weird problem with NAT (port forwarding).
The last 2 rules I added (ports 8081 and 8082) don't seem to get forwarded to 10.2.1.2 (all the other ports are open and working).

I use the same method as always (Winbox: new NAT rule, dstnat, tcp, and the IP address).
Can you please look at my config to see what is going wrong?
[admin@kkeuter-rt01-01] > export hide-sensitive
# Configuration export as pasted into a public forum post.
# NOTE(review): hide-sensitive did not remove the software id, serial number,
# MAC addresses or router identity that appear in this export; redact those by
# hand before sharing a config publicly.
# jul/31/2020 19:56:30 by RouterOS 6.47.1
# software id = I1GS-X6EM
#
# model = 2011UiAS
# serial number = 51F304B39629
/interface bridge
# Two bridges: "bridge" (LAN, fixed admin MAC) and "bridge-vpn" (referenced by the PPTP profile).
# Both use arp=proxy-arp, so the router answers ARP requests on behalf of other hosts.
# NOTE(review): presumably this is for PPTP clients that are addressed from the LAN pool;
# confirm proxy-arp is really needed on both bridges.
add admin-mac=4C:5E:0C:65:25:87 arp=proxy-arp auto-mac=no comment=defconf name=bridge
add arp=proxy-arp name=bridge-vpn
/interface ethernet switch port
# Switch-chip ports 6-10 and 12 are set to vlan-mode=fallback.
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface list
# WAN and LAN lists; the firewall filter and the masquerade rule match on these lists.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# One large dynamic pool; it is used by the DHCP server and by the PPTP profile below.
add name=dhcp ranges=10.5.1.1-10.10.255.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/metarouter
# Disabled MetaROUTER instance; no effect while disabled.
add disabled=yes name=mr1
/ppp profile
# PPTP clients are bridged into bridge-vpn and take both tunnel addresses from the "dhcp" pool.
# NOTE(review): use-encryption=yes enables encryption; check whether the stricter
# "required" setting is intended so that unencrypted sessions are refused.
add bridge=bridge-vpn local-address=dhcp name=pptp-profile remote-address=dhcp use-encryption=yes
/system logging action
# Remote syslog target for the "remote" action.
# NOTE(review): src-address is set to the same address as the log target (10.101.1.1),
# which is a DHCP lease for another host, not the router (10.1.1.1) - looks unintended, verify.
set 3 remote=10.101.1.1 src-address=10.101.1.1
/user group
# Policy list of the "full" group; it includes telnet, ftp, api and sensitive.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
# ether2-ether10 and sfp1 are members of the LAN bridge; ether1 is not bridged.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not active on ether1 (WAN).
set discover-interface-list=LAN
/interface list member
# bridge -> LAN, ether1 -> WAN. bridge-vpn is in neither list, so rules that match
# on LAN/WAN do not treat VPN traffic as LAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP server is enabled; the input chain accepts tcp/1723 and GRE from any interface,
# so the service is reachable from the WAN side.
# NOTE(review): PPTP is a legacy VPN protocol whose authentication and encryption are
# widely considered weak; consider replacing it with L2TP/IPsec, IKEv2, SSTP or OpenVPN.
set default-profile=pptp-profile enabled=yes
/ip address
# The router is 10.1.1.1 on one flat 10.0.0.0/8 LAN.
add address=10.1.1.1/8 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static leases for the hosts that most port-forward rules point at (10.2.1.1, 10.2.1.2,
# 10.10.0.250, 10.101.1.1).
# NOTE(review): the dst-nat targets 10.10.0.251, 10.10.1.1 and 10.10.255.232 have no static
# lease here and lie inside the dynamic pool range; unless those hosts are configured
# statically, a forward could end up pointing at a different machine after a lease change.
add address=10.101.1.1 allow-dual-stack-queue=no client-id=1:0:1a:64:7:f5:be mac-address=00:1A:64:07:F5:BE
add address=10.10.0.250 client-id=1:0:c:29:85:94:60 mac-address=00:0C:29:85:94:60 server=defconf
add address=10.2.1.1 client-id=ff:bc:9a:4a:2d:0:2:0:0:ab:11:82:e3:6c:60:a:b:d8:f4 mac-address=00:0C:29:48:74:5C server=defconf
add address=10.101.1.2 client-id=1:18:a9:5:77:38:54 mac-address=18:A9:05:77:38:54 server=defconf
add address=10.50.1.1 client-id=ff:9f:6e:85:24:0:2:0:0:ab:11:af:96:3a:8a:bd:61:bf:f4 mac-address=00:0C:29:F4:04:6C server=defconf
add address=10.25.1.1 client-id=ff:9f:6e:85:24:0:2:0:0:ab:11:cb:8c:9e:19:db:5d:4:17 mac-address=00:0C:29:C8:64:C7 server=defconf
add address=10.2.1.2 client-id=ff:9f:6e:85:24:0:2:0:0:ab:11:7d:bd:b8:30:6e:c2:93:ea mac-address=00:0C:29:32:C7:AF server=defconf
/ip dhcp-server network
add address=10.0.0.0/8 comment=defconf gateway=10.1.1.1 netmask=8
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries itself.
# The only thing keeping it from being an open resolver on the WAN side is the
# input-chain rule "drop all not coming from LAN"; keep that rule in place.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.1.1.1 name=router.lan type=A
/ip firewall filter
# Rules are evaluated top to bottom within each chain, so order matters.
# Neither chain ends in an unconditional drop: input relies on "drop all not coming from LAN",
# forward relies on "drop all from WAN not DSTNATed".
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): this fasttrack rule sits after the accept for the same connection states,
# so established/related packets are already accepted above and probably never reach it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# PPTP control channel to the router, accepted from any interface including WAN.
add action=accept chain=input dst-port=1723 protocol=tcp
# NOTE(review): GRE is IP protocol 47, not TCP port 47; the protocol=gre rule below already
# covers it. This rule only opens TCP port 47 on the router and can probably be removed.
add action=accept chain=input dst-port=47 protocol=tcp
add action=accept chain=input protocol=gre
# Requires source port 3389 as well as destination port 3389.
# NOTE(review): RDP clients normally use an ephemeral source port, so this probably never
# matches; forwarded RDP is let through anyway because dst-nat'ed connections are not dropped below.
add action=accept chain=forward dst-port=3389 in-interface=all-ethernet out-interface=all-ethernet port=3389 protocol=tcp src-port=3389
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Disabled duplicate of the tcp/1723 accept above.
add action=accept chain=input comment="PPTP VPN" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN are dropped unless a dst-nat rule matched them. Consequently every
# enabled dst-nat rule is an open port to an internal host for any source address; any source
# restriction has to be put on the NAT rule itself or on a forward rule placed before this one.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# This rule is on the input chain, matches the SOURCE port, and comes after the input drop.
# Port-forwarded (dst-nat'ed) connections traverse the forward chain, so it plays no part in
# the 8081 forward. NOTE(review): looks like a leftover troubleshooting attempt; consider removing it.
add action=accept chain=input protocol=tcp src-port=8081
/ip firewall mangle
# Three identical MSS-clamping rules, all disabled; they have no effect in this state.
add action=change-mss chain=forward disabled=yes new-mss=1400 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1400 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1400 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# Source NAT for everything leaving through the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port forwards. None of the dst-nat rules has a dst-address or a source restriction; they
# match on in-interface and dst-port only, and the forward chain accepts whatever was dst-nat'ed.
# The list forwards remote-administration and database ports (3389, 22, 21, 3306, 902, 903)
# to internal hosts for any source address.
# NOTE(review): restrict those with src-address-list or reach them over a VPN instead.
# NOTE(review): the interface matcher is inconsistent (all-ethernet, ether1, or none);
# in-interface-list=WAN would line up with the filter rules. Confirm which interfaces
# all-ethernet actually matches on this bridged setup.
# NOTE(review): the empty port="", src-port="" and src-address-list="" matchers look like
# leftovers from editing in the GUI; verify they do not change what the rule matches.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=all-ethernet protocol=tcp to-addresses=10.10.0.250 to-ports=3389
add action=dst-nat chain=dstnat dst-port=80 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=25565 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=25565
add action=dst-nat chain=dstnat dst-port=25565 in-interface=all-ethernet port="" protocol=udp to-addresses=10.2.1.1 to-ports=25565
add action=dst-nat chain=dstnat dst-port=8192 in-interface=all-ethernet protocol=tcp src-address-list="" src-port="" to-addresses=10.101.1.1 to-ports=8192
add action=dst-nat chain=dstnat dst-port=21 in-interface=all-ethernet protocol=tcp src-port="" to-addresses=10.101.1.1 to-ports=21
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.2.1.1 to-ports=443
add action=dst-nat chain=dstnat dst-port=3306 in-interface=ether1 protocol=tcp to-addresses=10.10.0.250 to-ports=3306
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=10.2.1.1 to-ports=8080
add action=dst-nat chain=dstnat dst-port=902 in-interface=all-ethernet protocol=tcp to-addresses=10.101.1.1 to-ports=902
add action=dst-nat chain=dstnat dst-port=22 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=22
# Disabled: would map external port 23 to port 22 on 10.101.1.1.
add action=dst-nat chain=dstnat disabled=yes dst-port=23 in-interface=all-ethernet protocol=tcp to-addresses=10.101.1.1 to-ports=22
add action=dst-nat chain=dstnat dst-port=81 in-interface=all-ethernet protocol=tcp to-addresses=10.10.0.251 to-ports=81
add action=dst-nat chain=dstnat dst-port=4430 in-interface=all-ethernet protocol=tcp to-addresses=10.10.1.1 to-ports=4430
add action=dst-nat chain=dstnat dst-port=2022 in-interface=all-ethernet port="" protocol=tcp src-port="" to-addresses=10.2.1.1 to-ports=2022
add action=dst-nat chain=dstnat dst-port=8443 in-interface=all-ethernet protocol=tcp to-addresses=10.10.1.1 to-ports=8443
add action=dst-nat chain=dstnat dst-port=4430 in-interface=all-ethernet protocol=udp to-addresses=10.10.1.1 to-ports=4430
# Disabled; has no in-interface matcher.
add action=dst-nat chain=dstnat disabled=yes dst-port=81 protocol=udp to-addresses=10.10.1.1 to-ports=81
add action=dst-nat chain=dstnat dst-port=903 in-interface=all-ethernet protocol=tcp to-addresses=10.101.1.1 to-ports=903
add action=dst-nat chain=dstnat dst-port=1234 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=1234
add action=dst-nat chain=dstnat dst-port=25566 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=25566
add action=dst-nat chain=dstnat dst-port=25567 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=25567
# No in-interface and no dst-address: this matches tcp/25568 arriving on ANY interface, so a
# LAN client's outbound connection to that port on any host is redirected to 10.2.1.1 as well.
add action=dst-nat chain=dstnat dst-port=25568 protocol=tcp to-addresses=10.2.1.1 to-ports=25568
add action=dst-nat chain=dstnat dst-port=26000 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.1 to-ports=26000
add action=dst-nat chain=dstnat dst-port=27000 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=27000
add action=dst-nat chain=dstnat dst-port=2023 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=2023
add action=dst-nat chain=dstnat dst-port=30000 in-interface=all-ethernet protocol=tcp to-addresses=10.10.0.251 to-ports=30000
add action=dst-nat chain=dstnat dst-port=30001 in-interface=all-ethernet protocol=tcp to-addresses=10.10.0.251 to-ports=30001
add action=dst-nat chain=dstnat dst-port=26011 in-interface=ether1 protocol=tcp to-addresses=10.2.1.1 to-ports=26011
# The next two rules also lack in-interface and dst-address, so tcp/3000 and tcp/3001 from
# any interface (LAN included) are redirected to 10.10.0.251.
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp to-addresses=10.10.0.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3001 protocol=tcp to-addresses=10.10.0.251 to-ports=3001
add action=dst-nat chain=dstnat dst-port=27001 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=27001
add action=dst-nat chain=dstnat dst-port=54984 in-interface=all-ethernet protocol=tcp to-addresses=10.10.255.232 to-ports=54984
add action=dst-nat chain=dstnat dst-port=3388 in-interface=all-ethernet protocol=tcp to-addresses=10.10.255.232 to-ports=3388
add action=dst-nat chain=dstnat dst-port=6771 in-interface=all-ethernet protocol=tcp to-addresses=10.10.255.232 to-ports=6771
# The two rules the thread is about. They have the same form as the other forwards to
# 10.2.1.2; they differ from each other only in the interface matcher (all-ethernet vs ether1).
add action=dst-nat chain=dstnat dst-port=8081 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=8081
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1 protocol=tcp to-addresses=10.2.1.2 to-ports=8082
/ip ssh
# allow-none-crypto=yes lets an SSH session to the router be negotiated with the "none"
# cipher, i.e. without encryption. forwarding-enabled=remote permits SSH remote port
# forwarding through the router.
# NOTE(review): unless something depends on these, prefer allow-none-crypto=no and
# forwarding-enabled=no, and consider strong-crypto=yes.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set time-interval=weekly touch-screen=disabled
/ppp secret
# Passwords are not shown because the export was made with hide-sensitive.
# ppp1 is limited to service=pptp; ppp2 has no service restriction.
# NOTE(review): presumably ppp2 is therefore usable with any PPP service the router
# offers; pin it to the intended service.
add name=ppp1 profile=pptp-profile service=pptp
add name=ppp2 profile=pptp-profile
/routing rip interface
# NOTE(review): RIP interface entry that sends v1 and v2 updates. No RIP networks appear in
# this export, so RIP is probably inactive; if it is not needed, remove this entry.
add send=v1-2
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=kkeuter-rt01-01
/system logging
# Forward info, error, warning and critical messages to the remote syslog action.
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical
# NOTE(review): as far as I know RouterOS treats a comma-separated topic list as
# "all topics must match"; if so this rule matches almost nothing. Verify, and use
# one rule per topic for the ones you want logged remotely (e.g. firewall, account).
add action=remote topics=account,async,backup,bfd,bgp,bridge,dhcp,ddns,e-mail,dns,firewall,interface,kvm,route,write
/tool mac-server
# MAC-Telnet and MAC-Winbox are limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
xXSwagnemitEXx
just joined
Topic Author
Posts: 9
Joined: Mon Apr 13, 2020 7:46 pm

Re: portforward not working

Fri Jul 31, 2020 10:58 pm

the packets are being shown, ufw is disabled so its not a problem there
 
floaty
Member
Member
Posts: 370
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: portforward not working  [SOLVED]

Sat Aug 01, 2020 12:05 am

the packets are being shown, ufw is disabled so its not a problem there
.
shown ... ? where ?
.
do you wanna say, you were able to see the already DST-NAT'ed packets at the target-system [10.2.1.2] ?? ... if not check first !
.
there is a rule to another port on the same system ... do you checked if it's still working ?!
.
add action=dst-nat chain=dstnat dst-port=27001 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=27001
a
.
routing check on the destination system [10.2.1.2] ... ? ... done ? ... a good (networking-)housewife would have already done it !
 
xXSwagnemitEXx
just joined
Topic Author
Posts: 9
Joined: Mon Apr 13, 2020 7:46 pm

Re: portforward not working

Sat Aug 01, 2020 12:45 am

the packets are being shown, ufw is disabled so its not a problem there
.
shown ... ? where ?
.
do you wanna say, you were able to see the already DST-NAT'ed packets at the target-system [10.2.1.2] ?? ... if not check first !
.
there is a rule to another port on the same system ... do you checked if it's still working ?!
.
add action=dst-nat chain=dstnat dst-port=27001 in-interface=all-ethernet protocol=tcp to-addresses=10.2.1.2 to-ports=27001
a
.
routing check on the destination system [10.2.1.2] ... ? ... done ? ... a good (networking-)housewife would have already done it !
I feel very stupid and dumb. I am very sorry for wasting your time.

When digging deeper into this, I ran into a bigger issue: I found NAT was disabled somehow (I don't know if this has to do with the current issue, but it probably does).

Port 27001 is not working either, but 8081 is (probably because nothing is listening on 27001).
 
floaty
Member
Member
Posts: 370
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: portforward not working

Sat Aug 01, 2020 1:04 am

.
not a problem ... had a beer aside ... thats why I'm doing the easy cases ...
... enlarge forum-karma ... drinking beer ... like bodhisattva recommended