
Forwarding Ports for Xbox?? MikroTik

Solved by brwainer.

So a little while back I got rid of my ISP router for a MikroTik CR125 Cloud Router Switch. I love it because I can conceal everything in my media panel and keep everything neat and tidy. However, I wanted to keep UPnP disabled for security reasons (and the fact I couldn't get it to work). So I googled the ports I needed to forward and created my rules and went to clickin. Buttt, it doesn't look like my port forwards are actually working. I have minimal packet flow and my NAT type on the Xbox went from Moderate to Strict. I set my Xbox to have a static IP of 192.168.100.5 and you can see that in my settings.

Can someone tell me how to correctly forward these ports? I've included screenshots of the settings that I tried and also have the ports needed listed. Should they be configured as source NAT?

Screenshot_20180616-213513_Tik-App.jpg

Screenshot_20180617-000923_Tik-App.jpg

Screenshot_20180617-000929_Tik-App.jpg

Work Desktop | CPU: Intel Core i7 4770k | GPU: Quadro K1200 | Motherboard: EVGA Z97 Classified | RAM: Corsair Dominator Platinum 32GB (4x8GB) DDR3-2133Mhz | PSU: Seasonic 750W SS-750KM3 80 PLUS Gold | STORAGE: WD 1TB Se Enterprise Grade Drive & Corsair Neutron NX500 400GB NVMe PCIe  | COOLER: Enermax Liqtech 240 -  5x Noctua NF-F12 iPPC 2000 PWM | CASE: Corsair 600C | OS: Windows 10 Pro | Peripherals: Logitech MX Master 2S -- Logitech K840 -- INTEL X520 10Gb NIC -- 3x Acer H236HL -- Build Log | 

 

Work Server | CPU: Intel Xeon E5-2650 v3 | Model: Cisco UCS C220 M4 (SFF) | RAM: 64GB (4x16GB) Cisco (Samsung) DDR4 2133Mhz | STORAGE: 4x Cisco (Seagate) 900GB 10K 2.5" (RAID 10) - 2x 32GB Cisco FlexFlash Boot Drive (RAID 1) | OS: vSphere 6.7 Enterprise Plus U3 | 

 

Laptop | CPU: Intel Core i7 6700HQ | GPU: Nvidia GTX 960M 2GB GDDR5 | RAM: 32GB (2 x 16GB) DDR4-2400Mhz | STORAGE: 512GB Hynix NVMe | OS: Windows 10 Pro |

 

Gaming Desktop | CPU: Intel Core i7 9700K | GPU: Gigabyte RTX 2080 WINDFORCE 8G  | Motherboard: ASRock Z390 PHANTOM GAMING-ITX | RAM: Ballistix Elite 32GB Kit (16GB x 2) DDR4-3000 | PSU: Silverstone SX700-LPT 700w 80 PLUS Platinum | STORAGE: 2x Samsung 970 PRO 1TB NVMe | COOLER: Noctua NH-L12 | CASE: Louqe Ghost S1 | OS: Windows 10 Pro | Build Log in Progress | 

 

Home Server | CPU: Intel Xeon E5-2690 (Sandy Bridge) | GPU: Quadro P2000 | Motherboard: SUPERMICRO X9SRL-F  | RAM: 64GB (8x8GB) Micron VLP DDR3-1600 ECC | PSU: SUPERMICRO 665W 80 PLUS Bronze | STORAGE: 2x Samsung 860 EVO 500GB (RAID 1) - 4x WD 8TB Ultrastar (RAID 10) - Intel SSD D3-S4510 Series 240GB (BOOT)  | COOLER: Noctua NH-U12DXi4 with 2x Noctua NF-F12 iPPC 3000 PWM | CASE: SUPERMICRO CSE-842TQ-665B 4U | OS: vSphere 6.7 Enterprise Plus U3 | Build Log in Progress |

 

| Pixel 4XL 128GB - Clearly White - Unlocked - Carrier: Visible |

 

| F@H STATS |


Forwarding ports is fairly straightforward; you find it somewhere near or under firewall settings. Pick what ports you want to forward and whether you need TCP, UDP, or both, then select an IP to associate with the ports. You'll have to create an individual entry for each IP.

Unfortunately, step-by-step instructions for your router are only really going to be possible for people who own the same WebUI as you. I do not.

You can check if the ports were successfully opened with an online port checker.

If you're just looking to forward network traffic to specific devices you shouldn't have to edit anything for NAT.


In your dst-nat rules you have to set the “to port” on every rule; it is right under the “to address”.

 

Can you show us the rules from webfig (the http interface) or winbox? I’ve not used the android tikapp before (I think that’s what you’re using?) so things look a bit different to me.

 

Edit: also with dst-nat you should only be putting port numbers into the dst-port not the src-port. 

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


2 hours ago, Windows7ge said:

Forwarding ports is fairly straightforward; you find it somewhere near or under firewall settings. Pick what ports you want to forward and whether you need TCP, UDP, or both, then select an IP to associate with the ports. You'll have to create an individual entry for each IP.

Unfortunately, step-by-step instructions for your router are only really going to be possible for people who own the same WebUI as you. I do not.

You can check if the ports were successfully opened with an online port checker.

If you're just looking to forward network traffic to specific devices you shouldn't have to edit anything for NAT.

He is using RouterOS, the same OS run by all Mikrotik devices. He’s in the right section for port forwarding; he just needs help with the rules. The fundamentals are the same as setting it up on pfSense because they both do it via the NAT section of the firewall config, and both have more or less the same configuration options. Anyway, there is a fairly in-depth wiki for RouterOS; the page for NAT is https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT


1 hour ago, brwainer said:

In your dst-nat rules you have to set the “to port” on every rule; it is right under the “to address”.

 

Can you show us the rules from webfig (the http interface) or winbox? I’ve not used the android tikapp before (I think that’s what you’re using?) so things look a bit different to me.

 

Edit: also with dst-nat you should only be putting port numbers into the dst-port not the src-port. 

 

Screenshot (1).png

Screenshot (2).png


58 minutes ago, AMD Lover said:

 

Screenshot (1).png

Screenshot (2).png

On the General tab, take the ports you have in "Src. Port" and move them to "Dst. Port". Then on Action put in the same port number. Your Plex Server rule appears to be correct, although I can't see the "To Ports" column in your screenshot (it isn't added by default; you can add it by clicking the down arrow to the right of Packets).

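The fix described in this answer, written as RouterOS CLI instead of WinBox fields. This is an added example, not part of the original post: port 3074, the `pppoe-out1` interface name and the rule comments are assumptions (the thread's real port list is only in the screenshots), and 192.168.100.5 is the Xbox address from the question.

```routeros
# Constructed example: 3074 stands in for one forwarded port,
# pppoe-out1 for the WAN interface (both assumed, not from the thread).
/ip firewall nat

# Broken form, shown commented out: the port is matched as the SOURCE port.
# The source port of an inbound packet is whatever the remote peer picked,
# so this rule almost never matches and its packet counter barely moves.
# add chain=dstnat action=dst-nat protocol=udp in-interface=pppoe-out1 \
#     src-port=3074 to-addresses=192.168.100.5

# Corrected form: match the port the packet is addressed TO on the WAN side
# (General tab, "Dst. Port") and state the internal port explicitly
# (Action tab, "To Ports") instead of relying on a blank value.
# in-interface keeps the rule from rewriting traffic that starts on the LAN.
add chain=dstnat action=dst-nat protocol=udp in-interface=pppoe-out1 \
    dst-port=3074 to-addresses=192.168.100.5 to-ports=3074 \
    comment="xbox udp 3074"
add chain=dstnat action=dst-nat protocol=tcp in-interface=pppoe-out1 \
    dst-port=3074 to-addresses=192.168.100.5 to-ports=3074 \
    comment="xbox tcp 3074"

# Check: the packet and byte counters on the new rules should climb
# while the console is online.
print stats where chain=dstnat
```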

12 minutes ago, brwainer said:

On the General tab, take the ports you have in "Src. Port" and move them to "Dst. Port". Then on Action put in the same port number. Your Plex Server rule appears to be correct, although I can't see the "To Ports" column in your screenshot (it isn't added by default; you can add it by clicking the down arrow to the right of Packets).

Thanks! That appears to have worked. As far as I know Plex doesn't require the port to be in the "To Ports"??

Screenshot (3).png


47 minutes ago, AMD Lover said:

Thanks! That appears to have worked. As far as I know Plex doesn't require the port to be in the "To Ports"??

Screenshot (3).png

I wouldn't be terribly surprised if the system assumes a blank value for "To. Ports" means to use the same as the Dst. Port, but that is relying on an assumption that might change in future updates.


It's a good idea to create some input filter rules, you should have rules to permit to destination port on the input interface for your port forwards and a 'permit established/related' rule, but deny other inbound traffic.

PC : 3600 · Crosshair VI WiFi · 2x16GB RGB 3200 · 1080Ti SC2 · 1TB WD SN750 · EVGA 1600G2 · Define C 


1 hour ago, beersykins said:

It's a good idea to create some input filter rules, you should have rules to permit to destination port on the input interface for your port forwards and a 'permit established/related' rule, but deny other inbound traffic.

I'm a little confused on this. I'm still pretty new to setting up firewall rules. I think I've already done this? I'll send a screenshot here in about 30 mins however if I haven't I would like to know how. I'm all about securing my network and learning more!


2 hours ago, beersykins said:

It's a good idea to create some input filter rules, you should have rules to permit to destination port on the input interface for your port forwards and a 'permit established/related' rule, but deny other inbound traffic.

Here's another screenshot

6 hours ago, brwainer said:

I wouldn't be terribly surprised if the system assumes a blank value for "To. Ports" means to use the same as the Dst. Port, but that is relying on an assumption that might change in future updates.

@brwainer, Any input on what beersykins is saying? Is it needed and how would I implement it?

Screenshot (4).png


1 hour ago, AMD Lover said:

Here's another screenshot

@brwainer, Any input on what beersykins is saying? Is it needed and how would I implement it?

Screenshot (4).png

You already have what @beersykins was suggesting that you do, because you have the default rules that Mikrotik made. It is important to understand that these default firewall rules only apply to devices that Mikrotik intends for SOHO use (generally anything that has wireless or less than 8 ports) and also that even if you have one of these SOHO devices it is possible to not have any firewall rules if you reset to defaults and then don't use one of the Quick Set profiles as a starting point. The general rule of thumb is to use Quick Set the first time you log into a device, and then never touch it afterwards again. Anyway, let's discuss the suggestion in specifics.

 

3 hours ago, beersykins said:

It's a good idea to create some input filter rules, you should have rules to permit to destination port on the input interface for your port forwards and a 'permit established/related' rule, but deny other inbound traffic.

"input rules" are anything that is on the "Chain" of "Input". Input is anything whose destination is the router's own IP. The other possible chains are Forward (anything whose destination is some other IP), and Output (anything that the router itself is sending; this does not include traffic leaving the router due to forwarding). If you look at your Input rules you'll see that you are accepting ICMP (pings), anything from the LAN, anything to do with l2tp, a couple other rules that I can't see the details of in the screenshot, and then dropping everything else. This is a pretty standard and good input filter list.

The mention of "established/related" is a bit odd since that is a Forward chain thing, not an Input Chain. But you do have that rule, as well as the other normal things like FastTrack, dropping invalid, and dropping anything from WAN that is not going through dstnat (this protects you from someone being on the WAN side of the router but trying to directly access your internal devices via IP - with your internet connection being over PPPoE this is basically impossible, this default rule exists because there are other circumstances where your "WAN" might really be a shared network and other people's equipment might be on the same network and able to reach your router directly).

Overall your firewall rules look normal and I have no concerns.

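The chain layout this post walks through, as a CLI sketch. This is an added example, not the poster's actual rule set: the `LAN` and `WAN` interface lists and the rule comments are assumptions, and the l2tp and unreadable rules from the screenshot are left out.

```routeros
# Constructed sketch; LAN and WAN are assumed interface-list names.
/ip firewall filter

# input chain: packets whose destination is the router's own IP.
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router itself opened"
add chain=input action=accept protocol=icmp comment="accept ICMP (pings)"
add chain=input action=accept in-interface-list=LAN comment="accept from LAN"
add chain=input action=drop comment="drop everything else sent to the router"

# forward chain: packets passing through the router to some other IP.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="FastTrack"
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# A port-forwarded packet has already had its destination rewritten to the
# LAN host by a dstnat rule before filtering, so it is judged here in
# forward and never in input. New connections from WAN that no dstnat rule
# rewrote are dropped; a port forward needs no extra input accept rule,
# and adding one would only expose that port on the router itself.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop new from WAN unless dst-nat'ed"
```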
