Super basic port forwarding doesn't work

Posted: Sun Mar 31, 2013 7:44 am
by WhatWhereAmI
I can't get a basic dstnat to work at all. Ports show up as open, but traffic doesn't seem to get forwarded to the server behind the router. Port forwarding with my last router in the same exact configuration worked perfectly. Any help greatly appreciated.
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=*.*.*.* dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=*.*.*.* dst-port=8080

Re: Super basic port forwarding doesn't work

Posted: Sun Mar 31, 2013 8:12 am
by lambert
Just to make sure, was your last router a MikroTik?

I've not tried matching all IPs with the syntax you are showing. Did you '*' out the real public IP? Or does your config really contain the '*'s?

If so, you might try this instead, untested:
/ip firewall nat
   add chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp in-interface=ether1-gateway dst-port=25565
   add chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp in-interface=ether1-gateway dst-port=8080

Re: Super basic port forwarding doesn't work

Posted: Sun Mar 31, 2013 9:56 am
by WhatWhereAmI
Now these ports seem to just be timing out.
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=8080

Re: Super basic port forwarding doesn't work

Posted: Sun Mar 31, 2013 10:07 am
by docmarius
Is it possible that your server doesn't accept non-local connection requests (e.g. a Windows machine with default firewall settings)?
In this case an additional
chain=srcnat action=masquerade out-interface=ether2-master-local
(put your internal interface there...) would do the trick.

Re: Super basic port forwarding doesn't work

Posted: Mon Apr 01, 2013 6:25 am
by WhatWhereAmI
I upgraded to v6.0rc12 because I've been having so many problems with this router.

My previous router was a random Linksys. I had no problem forwarding these ports with it. The servers I have running are definitely configured to receive any incoming connections, as again, they were working fine before I got this MikroTik router.

This is what my firewall rules look like currently:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     in-interface=ether1-gateway dst-port=25565 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.100 protocol=tcp 
     dst-address=**.**.**.** dst-port=8080 

 3   chain=srcnat action=masquerade out-interface=ether2-master-local
I've tried a whole bunch of different configurations which should all work, but nothing ever seems to. Is there anything I could be missing?

Super basic port forwarding doesn't work

Posted: Mon Apr 01, 2013 6:45 am
by cbrown
Post your whole config just in case something else is messed up.

/export compact

Re: Super basic port forwarding doesn't work

Posted: Mon Apr 01, 2013 10:50 pm
by WhatWhereAmI
Most of this stuff is just default. I added a couple static addresses, a public dns server, and the firewall rules. Please let me know if there's anything here I can improve.
[admin@MikroTik] > /export compact
# jan/02/1970 16:39:19 by RouterOS 6.0rc12
# software id = 2V3C-5786
#
/interface bridge
add admin-mac=D4:CA:6D:6A:CF:A3 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=\
    "MikroTik"
/interface ethernet
set 2 master-port=ether2-master-local
set 3 master-port=ether2-master-local
set 4 master-port=ether2-master-local
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
    network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.100 mac-address=00:13:D4:B9:A3:29
add address=192.168.88.200 mac-address=58:B0:35:61:EE:9D
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.2
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=**.**.**.** dst-port=8080 protocol=\
    tcp to-addresses=192.168.88.100
add action=masquerade chain=srcnat out-interface=ether2-master-local
/system leds
set 0 interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
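
An added example, not part of the original thread: a small Python audit of the NAT section of the export above. It lists what each dstnat rule forwards and flags a LAN-side masquerade, which makes forwarded connections reach the server with the router's address as source, so the server's logs and IP-based access rules no longer see the real client. The function names and the set of LAN interface names are assumptions.

```python
import re

# Constructed sample: the NAT section of the export posted above, as posted.
SAMPLE_EXPORT = r"""/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=25565 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=**.**.**.** dst-port=8080 protocol=\
    tcp to-addresses=192.168.88.100
add action=masquerade chain=srcnat out-interface=ether2-master-local
/system leds
set 0 interface=wlan1
"""

def parse_nat_rules(export_text):
    """Return the 'add' rules under /ip firewall nat as a list of dicts."""
    # The export wraps long lines with a trailing backslash plus indentation.
    text = re.sub(r"\\\n\s*", "", export_text)
    rules, in_nat = [], False
    for line in text.splitlines():
        if line.startswith("/"):
            in_nat = line.strip() == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def audit(rules, lan_interfaces):
    """Return (rule_number, finding) pairs; numbering matches 'print' output."""
    findings = []
    for n, r in enumerate(rules):
        if r.get("chain") == "dstnat" and r.get("action") in ("dst-nat", "netmap"):
            if "in-interface" not in r and "dst-address" not in r:
                findings.append((n, "unscoped forward: matches on every interface"))
            else:
                findings.append((n, "forwards %s/%s to %s" % (
                    r.get("protocol"), r.get("dst-port"), r.get("to-addresses"))))
        elif r.get("action") == "masquerade" and r.get("out-interface") in lan_interfaces:
            findings.append((n, "LAN masquerade: server sees the router as the client"))
    return findings

if __name__ == "__main__":
    # Assumption: ether2-master-local and bridge-local are the LAN side here.
    for n, msg in audit(parse_nat_rules(SAMPLE_EXPORT),
                        {"ether2-master-local", "bridge-local"}):
        print(n, msg)
```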

Re: Super basic port forwarding doesn't work

Posted: Tue Apr 02, 2013 2:36 pm
by cbrown
Disable the last rule (drop rule) in /ip firewall filter and see if that works.

Re: Super basic port forwarding doesn't work

Posted: Sun Apr 07, 2013 7:32 am
by lordkappa
It would be easier to use the Netmap action to perform port forwarding.
add action=netmap chain=dstnat comment="Your Comment" disabled=no dst-port=8888 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.50
This statically maps the external port "8888" on ether-1 to the specified machine 192.168.1.50.

Re: Super basic port forwarding doesn't work

Posted: Tue Jun 07, 2016 10:06 am
by aghsistemas
Is it possible that your server doesn't accept non-local connection requests (e.g. a Windows machine with default firewall settings)?
In this case an additional
chain=srcnat action=masquerade out-interface=ether2-master-local
(put your internal interface there...) would do the trick.

You did it, thanks