Mikrotik - How to open a port?

4

I have recently bought a Mikrotik hAP ac^2 and I am trying to figure out how to connect to my NUC QBittorrent from "outside". This is all new to me...

My ISP has bridged its router and I connected my new Mikrotik to it and configured some basic things like WiFi.

I found my public DNS name: XXXXXXXXcd.sn.mynetname.net.

These are my settings:

/ip firewall export
# dec/26/2018 15:12:03 by RouterOS 6.43.4
# software id = EBLA-R903
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXX
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=input in-interface=ether1
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="QBitTorrent Web UI" dst-port=8100 in-interface=ether1 protocol=tcp to-addresses=192.168.88.239 to-ports=8100

My NUC is 192.168.88.239. When I try to connect to XXXXXXXXXcd.sn.mynetname.net:8100 my connection is "Unable to connect". I figured out I should be using ether1 because I connected my bridged router to it and confirmed it by unplugging and checking the state in the Interfaces tab of my Mikrotik...

What am I doing wrong?

alturkovic

Posted 2018-12-27T18:17:03.230

Reputation: 73

Are you connecting from inside of the LAN, or from the outside? – user1686 – 2018-12-27T18:29:13.207

Answers

1

It seems to me that you're trying to connect from inside the LAN to your public facing interface XXXXXXcd.sn.mynetname.net (which resolves to a public IP).

You simply can't. Well, you can if your router is able to and you configure it, but this is a waste of resources; I see it more as a hack than a feature. You should always use the private IP when connecting from inside your LAN.

What I do at home is have a private DNS server which resolves my public domain to a private IP; in your case your DNS server should resolve XXXXXXXcd.sn.mynetname.net to 192.168.88.239 (otherwise use your private IP instead of your domain).

Oh, and in case you are wondering, your configuration is OK. I can publicly connect to your port 8100 (using TCP and UDP):

$ nmap -sU -P0 -p8100 XXXXXXXcd.sn.mynetname.net
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-03 12:24 CET
Nmap scan report for XXXXXXXcd.sn.mynetname.net (188.252.X.X)
Host is up.

PORT     STATE         SERVICE
8100/udp open|filtered xprint-server

Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds

$ nmap -sT -P0 -p8100 XXXXXXcd.sn.mynetname.net 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-03 12:24 CET
Nmap scan report for XXXXXXcd.sn.mynetname.net (188.252.X.X)
Host is up (0.057s latency).

PORT     STATE SERVICE
8100/tcp open  xprint-server

Nmap done: 1 IP address (1 host up) scanned in 6.63 seconds

NOTICE: I've edited your question and my answer to anonymize your public IP.

mTorres

Posted 2018-12-27T18:17:03.230

Reputation: 164

Exactly what I was asking, thank you! And thanks for the advice, I realized it a bit late :) Firewall should do its job :) – alturkovic – 2019-01-03T11:45:02.307

Oh, by the way, if you feel that my answer solved your problem, you should mark it as accepted by clicking the tick icon below the arrows on the top-right of the answer. Cheers :-) – mTorres – 2019-01-03T11:46:53.077

There is a bounty for 2 more days, I'll wait to see if this question receives any more attention before I accept, don't worry :) – alturkovic – 2019-01-03T11:49:23.237

Ok, I really didn't notice that! Coming from stackoverflow, most novices do not realize they have to accept the answer, sorry! – mTorres – 2019-01-03T11:50:53.290
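The accepted answer says the configuration is fine from the internet and that testing from inside the LAN against the public name cannot work without extra configuration. The following is an added example, not code from the question or the answer: a toy model of how RouterOS walks the poster's dstnat, input and forward chains for the first packet of a new TCP connection. It shows that a packet from the internet is translated and forwarded to the NUC, that a packet from a LAN host to the public IP is never translated (the dst-nat rule requires in-interface=ether1) and therefore lands in the router's own input chain where nothing listens on 8100, and what changes once the in-interface restriction is dropped. The public IP is a constructed placeholder for the anonymised 188.252.X.X, the client addresses are constructed, the "bridge" interface name and the DSTNAT_HAIRPIN rule are assumptions, and the model only follows first packets (it does not model the srcnat/return path).

```python
# Added example: toy walk-through of the poster's RouterOS 6.x firewall/NAT
# rule set for the first packet of a new TCP connection. Not RouterOS code.
from dataclasses import dataclass

# Addresses from the question; PUBLIC_IP is a constructed placeholder for the
# anonymised 188.252.X.X and LAN_ROUTER_IP is the RouterOS default LAN address.
PUBLIC_IP = "203.0.113.10"
LAN_ROUTER_IP = "192.168.88.1"
NUC = "192.168.88.239"
ROUTER_IPS = {PUBLIC_IP, LAN_ROUTER_IP}

# The poster's rules, transcribed from the /ip firewall export in the question.
DSTNAT = [
    {"action": "dst-nat", "in-interface": "ether1", "protocol": "tcp",
     "dst-port": 8100, "to-addresses": NUC, "to-ports": 8100},
]
INPUT = [
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "in-interface": "ether1"},
]
FORWARD = [
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "connection-nat-state": "!dstnat",
     "connection-state": "new", "in-interface": "ether1"},
]
# Assumed hairpin variant (not on the page): the same dst-nat rule without the
# in-interface restriction, so LAN-originated traffic to the public IP is
# translated as well. A real hairpin setup also needs a srcnat rule so the
# NUC's replies go back through the router; that path is not modelled here.
DSTNAT_HAIRPIN = [
    {"action": "dst-nat", "protocol": "tcp", "dst-port": 8100,
     "to-addresses": NUC, "to-ports": 8100},
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    nat_state: str = ""   # stays "" until a dst-nat rule rewrites the packet

    @property
    def in_interface(self) -> str:
        # Assumption: LAN hosts enter on the bridge, everything else on ether1 (WAN)
        return "bridge" if self.src.startswith("192.168.88.") else "ether1"


# How each matcher key in a rule is evaluated against the packet.
MATCHERS = {
    "in-interface": lambda p: p.in_interface,
    "protocol": lambda p: p.proto,
    "dst-port": lambda p: p.dport,
    "connection-state": lambda p: "new",   # only the first packet is modelled
    "connection-nat-state": lambda p: p.nat_state,
}


def matches(rule: dict, pkt: Packet) -> bool:
    """True if every matcher in the rule fits the packet ('!' negates, ',' lists)."""
    for key, want in rule.items():
        if key in ("action", "to-addresses", "to-ports"):
            continue
        have = MATCHERS[key](pkt)
        if isinstance(want, str) and want.startswith("!"):
            if have == want[1:]:
                return False
        elif isinstance(want, str) and "," in want:
            if have not in want.split(","):
                return False
        elif have != want:
            return False
    return True


def first_match(rules, pkt):
    return next((r for r in rules if matches(r, pkt)), None)


def walk(pkt: Packet, dstnat=DSTNAT) -> dict:
    """Return the chain the packet reached, the verdict, and its final destination."""
    # 1. dstnat (prerouting): the first matching rule rewrites the destination
    rule = first_match(dstnat, pkt)
    if rule:
        pkt.dst, pkt.dport, pkt.nat_state = rule["to-addresses"], rule["to-ports"], "dstnat"
    # 2. routing decision: one of the router's own addresses -> input, else -> forward
    chain, rules = ("input", INPUT) if pkt.dst in ROUTER_IPS else ("forward", FORWARD)
    hit = first_match(rules, pkt)
    verdict = hit["action"] if hit else "accept"   # RouterOS default policy is accept
    return {"chain": chain, "verdict": verdict, "dst": f"{pkt.dst}:{pkt.dport}"}


if __name__ == "__main__":
    cases = [
        ("internet -> public:8100", Packet("198.51.100.7", PUBLIC_IP, 8100), DSTNAT),
        ("internet -> public:80", Packet("198.51.100.7", PUBLIC_IP, 80), DSTNAT),
        ("LAN -> public:8100", Packet("192.168.88.50", PUBLIC_IP, 8100), DSTNAT),
        ("LAN -> public:8100 (hairpin)", Packet("192.168.88.50", PUBLIC_IP, 8100), DSTNAT_HAIRPIN),
    ]
    for label, pkt, rules in cases:
        print(f"{label:30} {walk(pkt, rules)}")
```

The third case is the poster's situation: the packet is accepted by the input chain, not dropped, so nothing shows up as a firewall drop, yet the connection still fails because the router itself has no listener on 8100. The nmap results in the answer correspond to the first case. The fourth case is what the answer calls "you can if your router is able to and you configure it"; in practice it also needs a srcnat rule for LAN-to-NUC traffic so replies return via the router, which this first-packet model leaves out.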

0

You probably need to forward the port on the ISP's router and possibly yours. I can't tell you the specific instructions for the ISP router, but if you search 'port forward' then that should give you some answers.

JCA122204

Posted 2018-12-27T18:17:03.230

Reputation: 31

My ISP router is in bridge mode, so I am doubtful about that. I tried connecting via mynetname and I can see some incoming traffic on my router, but I think it is getting dropped and cannot figure out why. – alturkovic – 2019-01-02T11:19:39.473

It is called PORT FORWARDING on the outside-facing router; it points to an internal IP and PORT to allow passthrough, the same as iptables, just via a GUI usually. – dExIT – 2019-01-03T07:28:14.760

ISP router is bridged as I already said... – alturkovic – 2019-01-03T10:46:14.543

You may need to set up a DMZ between the 2 routers. – JCA122204 – 2019-01-04T20:21:50.230