- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
port forward help
- #1
Wed May 03, 2023 7:57 pm
hi,
new to mikrotik. i can't figure out what i'm missing
i have a RB750Gr3 trying to forward port 10000, 80 and 443 to a lan ip. this is my export. i dunno what i'm doing wrong. all services from local ip are accessible, none from wan

```
# may/03/2023 19:34:22 by RouterOS 6.49.7
# software id = JDLJ-1RYF
#
# model = RB750Gr3
# serial number = xxxxxDEYHY
/interface bridge
add admin-mac=18:FD:74:7F:BD:D9 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=Orange
set [ find default-name=ether1 ] name=digi_eth
/interface pppoe-client
add add-default-route=yes disabled=no interface=digi_eth name=DIGI user=\
    xxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.10.0.10-10.10.0.254
add name=vpn ranges=10.10.1.2-10.10.1.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
    bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=DIGI list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=Orange
/ip dhcp-server lease
add address=10.10.0.16 client-id=\
    ff:5b:f8:df:8c:0:1:0:1:2b:e5:24:3b:bc:30:5b:f8:df:8c mac-address=\
    BC:30:5B:F8:DF:8C server=defconf
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=\
    1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=tavi.xxxx.xxx list=hostnames
add address=xxxxdeyhy.sn.mynetname.net list=hostnames
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=DIGI new-connection-mark=DIGI_input passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Orange new-connection-mark=Orange_input passthrough=yes
add action=mark-routing chain=output connection-mark=DIGI_input \
    new-routing-mark=DIGI_output passthrough=yes
add action=mark-routing chain=output connection-mark=Orange_input \
    new-routing-mark=ORANGE_output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=DIGI
add action=masquerade chain=srcnat out-interface=Orange
add action=dst-nat chain=dstnat comment=webmin dst-address-list=hostnames \
    dst-port=10000 protocol=tcp to-addresses=10.10.0.16 to-ports=10000
add action=dst-nat chain=dstnat comment=apache dst-address-list=hostnames \
    dst-port=80 protocol=tcp to-addresses=10.10.0.16 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-address-list=hostnames \
    dst-port=443 protocol=tcp to-addresses=10.10.0.16 to-ports=443
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=DIGI routing-mark=\
    DIGI_output
add check-gateway=ping disabled=yes distance=1 gateway=Orange routing-mark=\
    ORANGE_output
add check-gateway=ping disabled=yes distance=1 gateway=90.xxx.xxx.1,DIGI
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set auto-upgrade=yes force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
Last edited by vidicantavi on Tue May 09, 2023 8:14 am, edited 1 time in total.
- anav
Forum Guru
- Posts: 19825
- Joined: Sun Feb 18, 2018 11:28 pm
- Location: Nova Scotia, Canada
Re: port forward help
- #2
Fri May 05, 2023 7:09 pm
(1) I am not a big fan of this default rule

```
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
```

Suggest change it to

```
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
```
(2) Your routes are bit funny.
What is the setup supposed to do for you.........
Is there a primary or secondary?
Do some subnets only go out one WAN etc....
Do some external users come in on any wans.
This might help explain the need for mangling or not for example.
- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
Re: port forward help
- #3
Tue May 09, 2023 7:41 am
sorry for lack of details, it's supposed to be a load balance, one wan connection is dhcp and one is pppoe, that's why the routes are a bit funny. load balance seems to work since i can speedtest up to 1.4 gbps with one 1gbps connection and one 500mbps connection. the "vpn" part is me trying to get some cameras from another site that are behind a cg-nat to a nvr in yet another site to record. haven't finished that, just checked the vpn thing and didn't have time to finish setting it up or testing it.
i've tried disabling the not established, not dstnated drop rule. i've tried disabling all drop rules. still port forwarding didn't work
i've tried setting up your 3 rules, the drop all else rule makes the internet unfunctional, the allow forward dstnated counter goes up every time i try to access it but it's still not working.
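The toy evaluator below is an added example, not code from this thread or from MikroTik. It replays the forward chain from the export in post #1 and the three-rule replacement from post #2 against the interface-list membership as exported (DIGI is the only member of WAN; Orange is in no list), then repeats the run with a hypothetical variant in which Orange has been added to WAN. The packets, scenario names and that variant are constructed for the example; the only RouterOS behaviour it keeps is that the first matching rule decides and an unmatched packet is accepted at the end of the chain. Mangle, fasttrack and the input chain are left out.

```python
"""Toy evaluator for a RouterOS /ip firewall filter forward chain.

Added example, not code from the thread or from MikroTik. It replays the
forward rules against the interface-list membership taken from the export
in post #1, where only DIGI is a member of WAN and Orange is in no list.
Semantics kept from RouterOS: first matching rule wins, and a packet that
matches nothing is accepted at the end of the chain. Everything else is a
simplification (no mangle, no fasttrack, no input chain).
"""

# Interface lists exactly as in the export (/interface list member).
LISTS_FROM_EXPORT = {"WAN": {"DIGI"}, "LAN": {"bridge"}}
# Hypothetical variant for comparison: Orange added to WAN.
LISTS_WITH_ORANGE_IN_WAN = {"WAN": {"DIGI", "Orange"}, "LAN": {"bridge"}}

# Forward chain of the export, reduced to the rules that decide new connections.
DEFAULT_RULES = [
    {"action": "accept", "connection_state": "established,related,untracked"},
    {"action": "drop", "connection_state": "invalid"},
    {"action": "drop", "connection_nat_state": "!dstnat",
     "connection_state": "new", "in_interface_list": "WAN"},
]

# The replacement suggested in post #2, after the same two defconf rules
# (chain=forward assumed on the first suggested rule).
SUGGESTED_RULES = [
    {"action": "accept", "connection_state": "established,related,untracked"},
    {"action": "drop", "connection_state": "invalid"},
    {"action": "accept", "in_interface_list": "LAN", "out_interface_list": "WAN"},
    {"action": "accept", "connection_nat_state": "dstnat"},
    {"action": "drop"},
]


def _list_matcher_hits(want, iface, lists):
    """in-/out-interface-list matcher; a leading '!' negates membership."""
    negate = want.startswith("!")
    member = iface in lists.get(want.lstrip("!"), set())
    return member != negate


def _state_matcher_hits(want, value):
    """connection-state / connection-nat-state matcher with optional '!'."""
    negate = want.startswith("!")
    hit = value in want.lstrip("!").split(",")
    return hit != negate


def rule_matches(rule, pkt, lists):
    """A rule matches only if every matcher it carries matches."""
    if "in_interface_list" in rule and not _list_matcher_hits(
            rule["in_interface_list"], pkt["in_interface"], lists):
        return False
    if "out_interface_list" in rule and not _list_matcher_hits(
            rule["out_interface_list"], pkt["out_interface"], lists):
        return False
    for key in ("connection_state", "connection_nat_state"):
        if key in rule and not _state_matcher_hits(rule[key], pkt[key]):
            return False
    return True


def forward_verdict(rules, pkt, lists):
    """First matching rule decides; no match means accept (RouterOS chain default)."""
    for rule in rules:
        if rule_matches(rule, pkt, lists):
            return rule["action"]
    return "accept"


def packet(in_iface, out_iface, conn_state="new", nat_state="none"):
    """Constructed packet: only the fields the forward chain looks at."""
    return {"in_interface": in_iface, "out_interface": out_iface,
            "connection_state": conn_state, "connection_nat_state": nat_state}


# Constructed scenarios; the "forwarded" ones model the dst-nat to 10.10.0.16.
SCENARIOS = {
    "lan client out via DIGI": packet("bridge", "DIGI"),
    "lan client out via Orange": packet("bridge", "Orange"),
    "forwarded 443 in via DIGI": packet("DIGI", "bridge", nat_state="dstnat"),
    "forwarded 443 in via Orange": packet("Orange", "bridge", nat_state="dstnat"),
    "unsolicited new in via DIGI": packet("DIGI", "bridge"),
    "unsolicited new in via Orange": packet("Orange", "bridge"),
}


def compare(lists=LISTS_FROM_EXPORT):
    """Map scenario -> (verdict under export rules, verdict under suggested rules)."""
    return {name: (forward_verdict(DEFAULT_RULES, p, lists),
                   forward_verdict(SUGGESTED_RULES, p, lists))
            for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for title, lists in (("lists as exported", LISTS_FROM_EXPORT),
                         ("Orange added to WAN", LISTS_WITH_ORANGE_IN_WAN)):
        print(f"== {title} ==")
        for name, (default, suggested) in compare(lists).items():
            print(f"{name:32s} default={default:8s} suggested={suggested}")
```

With the lists as exported, the model accepts LAN traffic leaving via Orange under the export's rules but drops it under the suggested rules, because the suggested first rule only accepts traffic whose out-interface is in WAN; it also shows that the export's "drop all from WAN not DSTNATed" rule never fires for unsolicited connections arriving on Orange, for the same reason. With Orange added to WAN both rule sets agree on every scenario. The dst-nat'd 443 connection is accepted by both rule sets in every run, which is consistent with the forward counter rising in post #3 while the service still does not answer, so the model says the forward chain is not where that remaining symptom comes from.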
- broderick
Member Candidate
- Posts: 263
- Joined: Mon Nov 30, 2020 7:44 pm
Re: port forward help
- #4
Tue May 09, 2023 2:45 pm
The Mikrotik device seems to be behind another router.
If it is so, how did you set it?
Did you open the same port on it too?
- anav
Forum Guru
- Posts: 19825
- Joined: Sun Feb 18, 2018 11:28 pm
- Location: Nova Scotia, Canada
Re: port forward help
- #5
Tue May 09, 2023 2:58 pm
There is no load balancing going on; you are missing rules for PCC load balancing, if that is what you are attempting.
All you have set up thus far is ensuring traffic coming in a particular WAN leaves the same WAN.
- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
Re: port forward help
- #6
Tue May 09, 2023 3:25 pm
> The Mikrotik device seems to be behind another router.
> If it is so, how did you set it?
> Did you open the same port on it too?

it is not behind another, just one of my providers has dhcp from their gpon to my router/pc etc. the gpon is set to bridge mode.

> There is no load balancing going on; you are missing rules for PCC load balancing, if that is what you are attempting.
> All you have set up thus far is ensuring traffic coming in a particular WAN leaves the same WAN.

well, i'm ok with the missing load balancing crap since i've enough bandwidth outgoing to get my things done. and i mostly wanna have different services available when i call from a wan ip to be routed through different providers, therefore the marked connections / incoming addresses should do the trick. issue is i still can't access crap behind the router
- anav
Forum Guru
- Posts: 19825
- Joined: Sun Feb 18, 2018 11:28 pm
- Location: Nova Scotia, Canada
Re: port forward help
- #7
Tue May 09, 2023 6:00 pm
Well, you have to have some direction; if not load balancing, then which one is primary and which one is failover?
- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
Re: port forward help
- #8
Wed May 10, 2023 12:05 pm
> Well, you have to have some direction; if not load balancing, then which one is primary and which one is failover?

honestly it feels like it's load balancing since if i visit whatismyip or speedtest sometimes it shows one ip, sometimes it shows the other; on speedtest in multi file format it shows the cumulative speeds. one connection has static ip, the other one has isp provided ddns. also my forward rules are for both hostnames. even if i unplug 1 connection the forward isn't working. tried resetting the router to use only one isp, forward still isn't working. i even tried using the simple web browser forward with only 1 isp and forward isn't working
- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
Re: port forward help
- #10
Wed May 10, 2023 8:06 pm
> This is not a therapy class, what you feel is irrelevant. I asked for your planning and requirements.

that really was funny, and yes, i agree, i just wanna get the port forwarding working from both wan connections if possible.
- anav
Forum Guru
- Posts: 19825
- Joined: Sun Feb 18, 2018 11:28 pm
- Location: Nova Scotia, Canada
Re: port forward help
- #11
Wed May 10, 2023 8:10 pm
And I would love to help you do that, but one needs context and planning before configuring, otherwise it's a waste of time.
Make up your mind on how you want to use your WAN connections, then we can properly deal with port forwarding on both wans.
- vidicantavi
just joined
- Posts: 6
- Joined: Wed May 03, 2023 7:19 pm
Topic Author
Re: port forward help
- #12
Wed May 10, 2023 8:50 pm
> And I would love to help you do that, but one needs context and planning before configuring, otherwise it's a waste of time.
> Make up your mind on how you want to use your WAN connections, then we can properly deal with port forwarding on both wans.

ok,
i'm really sorry if i'm not getting what you're asking me to do. i'm not really a network admin. i will try to explain as best as i can.
i have 2 wan connections. i have a nextcloud server on my network. i want to open 80, 443 and 10000 (webmin) to wan so i can get to my files from outside (phone and stuff), and if possible i would love to have load balancing configured properly to get the most out of my connections. then i have another mikrotik lte modem in another site that i would like to have connect through vpn to this one so i can have my nvr record those ip cameras. nvr and cameras are in different sites and ddns doesn't work because of cgnat.
basically that is all i need. and i really appreciate the support