Opening ports on a MikroTik after getting a fixed IP

Hi, today we set up a MikroTik router with the following configuration, and when we try to open ports the checker reports them as closed. I don't quite understand why, or what the fix would be. Thanks

CONFIG:
# mar/28/2022 12:30:14 by RouterOS 7.1.5
# software id = 4XIF-7HGI
#
# model = RB760iGS
# serial number = E1F10F96E61E
/interface bridge
add admin-mac=DC:2C:6E:28:A2:AD auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=Nexo vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Nexo list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip dhcp-client
add comment=defconf interface=Nexo
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Nexo
add action=dst-nat chain=dstnat dst-port=8080 in-interface-list=WAN protocol=\
tcp src-address-list=192.168.1.100 to-addresses=192.168.1.100 to-ports=\
10001
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


[four attached screenshots]
 
Because you're opening 8080, not 10001. If you want to open 10001, pointing at 8080, turn it around (dst-port=10001, to-port=8080)

Regards!
 
Hi, I want to get in through port 8080, and internally the one that is open on the private IP is 10001. Even so, the ports in the checker still show as closed. I'm leaving the config export here so we can see if we can work out what the problem is.

Regards,
Thanks

[attached screenshot]

CONFIG:


# mar/28/2022 13:05:08 by RouterOS 7.1.5
# software id = 4XIF-7HGI
#
# model = RB760iGS
# serial number = E1F10F96E61E
/interface bridge
add admin-mac=DC:2C:6E:28:A2:AD auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=Nexo vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Nexo list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip dhcp-client
add comment=defconf interface=Nexo
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Nexo
add action=dst-nat chain=dstnat dst-port=10001 in-interface=Nexo \
in-interface-list=WAN protocol=tcp src-address-list=192.168.1.100 \
to-addresses=192.168.1.100 to-ports=8080
add action=dst-nat chain=dstnat dst-port=10001 in-interface=Nexo \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.101 to-ports=\
8181
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Well, you're still doing it wrong, aren't you? Read your two NAT rules
Code:
add action=dst-nat chain=dstnat dst-port=10001 in-interface=Nexo \
in-interface-list=WAN protocol=tcp src-address-list=192.168.1.100 \
to-addresses=192.168.1.100 to-ports=8080

add action=dst-nat chain=dstnat dst-port=10001 in-interface=Nexo \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.101 to-ports=\
8181

Apart from using the same external port for both rules, which is wrong because the traffic will go in through the first rule and you will never reach the second one, the rule literally says: whatever arrives on the WAN with destination port 10001, send it to IP 192.168.1.100, internal port 8080.

That is, you're opening 10001, not 8080. Maybe I confused you with my first comment, since looking at your screenshots again, you had it right at the start, if what you intended was to open 8080 (the second screenshot, where you tested 10001 in the port checker, threw me off). And you're also using src-address-list in the first rule, which is incorrect.

PS: the first masquerade rule in the NAT, the one you have disabled, is the right one. The second one is redundant. You already have vlan20 (Nexo) in the WAN list, so you don't need that second rule at all.

That is, with everything corrected, your NAT rules would look like this:
Code:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
  ipsec-policy=out,none out-interface-list=WAN
add chain=dstnat in-interface-list=WAN \
  protocol=tcp dst-port=8080 action=dst-nat \
  to-addresses=192.168.1.100 to-ports=10001

Regards!
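Editor's note: the reply above explains the two mistakes in words (a `src-address-list` that matches nothing, and two rules sharing the same external port). The following is an added example, not code from this thread or from MikroTik: a small first-match simulation of the `dstnat` chain that replays the three rule sets posted here against a packet from an external port checker, and shows why the first two report "closed" while the corrected one forwards. Assumptions, labelled in the comments: the packet is identified by ingress interface, source IP, protocol and destination port; the WAN interface list contains only Nexo, as in both exports; neither export defines any `/ip firewall address-list` entries, so a `src-address-list` name that was never defined contains no addresses and never matches; the probe source 203.0.113.10 is a constructed Internet address.

```python
# Added example (not from the thread or from MikroTik): first-match simulation
# of a RouterOS dstnat chain, replaying the three NAT rule sets posted above.
# Assumptions: WAN list = {Nexo} as in both exports; no address lists are
# defined (neither export has an /ip firewall address-list section), so a
# src-address-list name that does not exist matches nothing; 203.0.113.10 is
# a constructed external source address standing in for a port checker.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    proto: str
    dst_port: int


@dataclass
class DstNatRule:
    """Subset of the /ip firewall nat matchers that appear in the thread."""
    dst_port: int
    to_addresses: str
    to_ports: int
    proto: str = "tcp"
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_address_list: Optional[str] = None


@dataclass
class Router:
    rules: list
    # Interface list membership from the exports: Nexo (vlan20) is the only WAN member.
    interface_lists: dict = field(default_factory=lambda: {"WAN": {"Nexo"}, "LAN": {"bridge"}})
    address_lists: dict = field(default_factory=dict)  # list name -> [CIDR, ...]; empty here

    def _matches(self, rule: DstNatRule, pkt: Packet) -> bool:
        if rule.proto != pkt.proto or rule.dst_port != pkt.dst_port:
            return False
        if rule.in_interface is not None and rule.in_interface != pkt.in_iface:
            return False
        if rule.in_interface_list is not None and \
                pkt.in_iface not in self.interface_lists.get(rule.in_interface_list, set()):
            return False
        if rule.src_address_list is not None:
            # src-address-list names an /ip firewall address-list. A list that was
            # never defined is empty, so this matcher can never be satisfied.
            nets = self.address_lists.get(rule.src_address_list, [])
            if not any(ip_address(pkt.src) in ip_network(n) for n in nets):
                return False
        return True

    def dstnat(self, pkt: Packet) -> Optional[Tuple[str, int, int]]:
        """First matching rule wins, as in the real chain.
        Returns (to-address, to-port, rule index), or None when nothing matched;
        in that case the filter rule "drop all from WAN not DSTNATed" drops the
        new connection and an external checker reports the port as closed."""
        for idx, rule in enumerate(self.rules):
            if self._matches(rule, pkt):
                return (rule.to_addresses, rule.to_ports, idx)
        return None


# Rule from the first export: external 8080 -> 192.168.1.100:10001, but with
# src-address-list=192.168.1.100, a list name that is not defined anywhere.
FIRST_EXPORT = Router(rules=[
    DstNatRule(dst_port=8080, in_interface_list="WAN",
               src_address_list="192.168.1.100",
               to_addresses="192.168.1.100", to_ports=10001),
])

# Rules from the second export: both listen on external 10001.
SECOND_EXPORT = Router(rules=[
    DstNatRule(dst_port=10001, in_interface="Nexo", in_interface_list="WAN",
               src_address_list="192.168.1.100",
               to_addresses="192.168.1.100", to_ports=8080),
    DstNatRule(dst_port=10001, in_interface="Nexo", in_interface_list="WAN",
               to_addresses="192.168.1.101", to_ports=8181),
])

# Corrected rule from the last reply: external 8080 -> 192.168.1.100:10001.
CORRECTED = Router(rules=[
    DstNatRule(dst_port=8080, in_interface_list="WAN",
               to_addresses="192.168.1.100", to_ports=10001),
])


def probe(router: Router, dst_port: int, src: str = "203.0.113.10"):
    """Simulate an external TCP port checker hitting the WAN (Nexo) interface."""
    return router.dstnat(Packet(in_iface="Nexo", src=src, proto="tcp", dst_port=dst_port))


if __name__ == "__main__":
    for name, router, port in [("first export", FIRST_EXPORT, 8080),
                               ("second export", SECOND_EXPORT, 10001),
                               ("second export", SECOND_EXPORT, 8080),
                               ("corrected", CORRECTED, 8080)]:
        hit = probe(router, port)
        verdict = "closed (no dstnat)" if hit is None else f"-> {hit[0]}:{hit[1]} via rule {hit[2]}"
        print(f"{name:14} port {port:5}: {verdict}")
```

Running it shows the first export never forwards 8080 (the undefined address list blocks the only rule), the second export sends a probe on 10001 to 192.168.1.101:8181 rather than to 192.168.1.100 because the first rule cannot match and the second one takes the connection, and the corrected rule forwards 8080 to 192.168.1.100:10001. The simulation covers only the NAT match: once the rule is fixed, an external checker will still report "closed" if nothing on 192.168.1.100 is actually listening on 10001 or if that host's own firewall rejects the router's forwarded connections.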
 