How to forward port?
Posted: Thu Jan 30, 2025 9:17 pm
by keg415
I'm replacing a Comcast Business router with an hAP ax2. I have dual WAN failover from ether1 to ether2 with DHCP working, and need to forward TCP/UDP port 81 to cascaded router IP 10.1.10.151. Here's what I have configured that is not working:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=srcnat action=masquerade out-interface=ether2
2 chain=srcnat action=masquerade out-interface=ether1
3 ;;; blueiris tcp
chain=dstnat action=dst-nat to-addresses=10.1.10.151 to-ports=81 protocol=tcp in-interface-list=WAN dst-port=81 log=yes
log-prefix="blueiris"
4 ;;; blueiris udp
chain=dstnat action=dst-nat to-addresses=10.1.10.151 to-ports=81 protocol=udp in-interface-list=WAN dst-port=81 log=yes
log-prefix="blueiris"
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
12 chain=forward action=accept protocol=tcp dst-port=81
13 chain=forward action=accept protocol=udp dst-port=81
Where am I going wrong? Thanks.
Re: How to forward port?
Posted: Thu Jan 30, 2025 9:41 pm
by keg415
Moving the firewall rules up didn't help:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; blueiris tcp port 81
chain=forward action=accept protocol=tcp in-interface-list=WAN dst-port=81 log=yes log-prefix="blueiris"
6 ;;; blueiris udp port 81
chain=forward action=accept protocol=udp in-interface-list=WAN dst-port=81 log=yes log-prefix="blueiris"
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Re: How to forward port?
Posted: Thu Jan 30, 2025 9:52 pm
by TheCat12
Probably the ISPs are to blame if the WAN IPs aren't public or their devices aren't in bridge mode
Re: How to forward port?
Posted: Fri Jan 31, 2025 12:45 am
by keg415
Probably the ISPs are to blame if the WAN IPs aren't public or their devices aren't in bridge mode
The ISP is Monkeybrains. They replied to the ticket I opened that port forwarding should work if properly configured. Also, I just realized that I have an Asus router on Monkeybrains elsewhere in the building that forwards external tcp port 8083 to internal port 443 OK. All works when I connect the cascaded router to the Comcast router, and I can see that the DNS record is updated.
So this must be a problem with my routeros configuration, but I'm stumped.
Re: How to forward port?
Posted: Fri Jan 31, 2025 12:47 am
by anav
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Re: How to forward port?
Posted: Fri Jan 31, 2025 3:30 am
by keg415
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Thanks!
Re: How to forward port?
Posted: Fri Jan 31, 2025 12:13 pm
by TheCat12
Try removing the src-port parameter from the NAT rules
Re: How to forward port?
Posted: Fri Jan 31, 2025 2:41 pm
by anav
Other points
1. missing wan member
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
2. If you manually added netmask=24 on this line, remove it.
/ip dhcp-server network
add address=10.1.10.0/24 comment=defconf dns-server=10.1.10.1 gateway=\
10.1.10.1 netmask=24????
3. Keep chains together for easy reading, so these forward rules should be moved down to at least after the block invalid rule in the forward chain.
add action=accept chain=forward comment="blue iris tcp port 81" dst-port=81 \
log=yes log-prefix=blueirirs protocol=tcp src-port=81
add action=accept chain=forward comment="blue iris udp port 81" dst-port=81 \
log=yes log-prefix=blueirirs protocol=udp src-port=81
4. However, looking at those rules, it would appear you are trying to use forward chain rules vice dstnat rules..... they seem out of place. So forget about moving them, REMOVE THEM.
5. To make it clearer on what this default rule is saying, replace with three clearer rules and actually better security as well.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="Drop all else"
6. REMOVE THESE TWO RULES as they are already accomplished by the first rule.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
or remove the first rule and keep the two rules, up to you.
7. FORMAT for dstnat rules as per the CAT, src port is not required, and if the to-port matches the dst port, no need to include it.
add action=dst-nat chain=dstnat comment="blue iris tcp port 81" dst-port=81 \
in-interface-list=WAN log=yes log-prefix=blueiris protocol=tcp to-addresses=10.1.10.151
add action=dst-nat chain=dstnat comment="blue iris udp port 81" dst-port=81 \
in-interface-list=WAN log=yes log-prefix=blueiris protocol=udp to-addresses=10.1.10.151
8. This route has the wrong distance, should be 2!
add comment=dhcp2 disabled=no distance=1 dst-address=9.9.9.9/32 gateway=\
100.186.129.1 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
Re: How to forward port?
Posted: Fri Jan 31, 2025 8:37 pm
by keg415
I made the recommended changes, but port forwarding still fails. Updated configuration attached.
I noticed these messages in the log:
radvd warning invalid mtu 9100 on ether1 from fe80::c6b3:6aff:fe43:6b7a
firewall info blueiris dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac c4:b3:6a:43:6b:7a, proto TCP (SYN), 45.156.129.48:56635->158.51.83.139:81, len 60
To eliminate Monkeybrains as the problem, I disabled ether1, waited until the router failed over to T-Mobile, the DNS record was updated, and Blue Iris web server had picked up the T-Mobile IP -- still failed.
I could try replacing the Mikrotik with an old Asus router to see if the port forwarding on that works, but I'm running out of ideas. Any help greatly appreciated.
Re: How to forward port?
Posted: Sun Feb 02, 2025 12:45 am
by keg415
Resetting the router to the default configuration and then setting up only enough for port forwarding worked. Sort of. I think what's happening is that when I access the router from another Monkeybrains connection in the building, the router doesn't receive the packets via the WAN, so port forwarding isn't triggered. Not sure how to fix this. Need to run more tests.
Re: How to forward port?
Posted: Sun Feb 02, 2025 4:29 am
by anav
If connecting to a server using the DYNDNS URL of the server and the user doing so is in the same subnet then this is called hairpin nat.
Requires a hairpin source nat rule.
add chain=srcnat action=masquerade src-address=serverSUBNET dst-address=serverSUBNET
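A small model of why the hairpin rule above is needed, added here as an illustration and not code from the thread: it walks a client's SYN through the router's dst-nat (and optional hairpin masquerade) and checks whether the server's reply can still match the socket the client opened. Addresses come from the thread (10.1.10.0/24, server 10.1.10.151:81, the WAN address and remote client seen in keg415's log line); the LAN client 10.1.10.20 and the gateway 10.1.10.1 are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("10.1.10.0/24")   # LAN subnet from the thread
ROUTER_LAN_IP = "10.1.10.1"                  # assumed router LAN address (masquerade source)
PUBLIC_IP = "158.51.83.139"                  # WAN address seen in the log line
SERVER = ("10.1.10.151", 81)                 # Blue Iris host and port


def in_lan(endpoint):
    return ipaddress.ip_address(endpoint[0]) in LAN


def forward_through_router(pkt, hairpin, conntrack):
    """New connection entering the router: apply dst-nat and, if enabled, hairpin masquerade."""
    src, dst = pkt
    nsrc, ndst = src, dst
    if dst == (PUBLIC_IP, 81):                      # chain=dstnat action=dst-nat to 10.1.10.151
        ndst = SERVER
    if hairpin and in_lan(nsrc) and in_lan(ndst):   # chain=srcnat masquerade src=LAN dst=LAN
        nsrc = (ROUTER_LAN_IP, src[1])
    conntrack.append(((src, dst), (nsrc, ndst)))    # original and translated tuples
    return (nsrc, ndst)


def reverse_through_router(reply, conntrack):
    """Reply crossing the router: undo both translations if it matches a tracked connection."""
    src, dst = reply
    for (osrc, odst), (nsrc, ndst) in conntrack:
        if src == ndst and dst == nsrc:
            return (odst, osrc)
    return reply


def client_connects(client, hairpin):
    """True if the reply the client receives comes from PUBLIC_IP:81 to its own socket."""
    conntrack = []
    nsyn = forward_through_router((client, (PUBLIC_IP, 81)), hairpin, conntrack)
    reply = (nsyn[1], nsyn[0])                  # server answers whatever source it saw
    # A reply addressed to another LAN host is switched straight to it and never
    # reaches the router, so nothing can undo the dst-nat on that path.
    if in_lan(reply[1]) and reply[1][0] != ROUTER_LAN_IP:
        seen = reply
    else:
        seen = reverse_through_router(reply, conntrack)
    return seen == ((PUBLIC_IP, 81), client)


if __name__ == "__main__":
    print(client_connects(("45.156.129.48", 56635), hairpin=False))  # remote client: True
    print(client_connects(("10.1.10.20", 40000), hairpin=False))     # LAN client, no hairpin: False
    print(client_connects(("10.1.10.20", 40000), hairpin=True))      # LAN client, hairpin: True
```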
Re: How to forward port?
Posted: Sun Feb 02, 2025 5:17 am
by nichky
try this maybe:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=bridge
Re: How to forward port? [SOLVED]
Posted: Thu Feb 06, 2025 8:22 pm
by keg415
Instead of port forwarding, I set up Blue Iris to use ZeroTier P2PVPN, which is secure:
3 ways to access Blue Iris remotely.