I am currently struggling to forward a few ports.
The issue is that the target IP address is not selectable within the router, as I can only access the last number (192.168.0. is a given).
Because all the traffic is going through a MikroTik hAP ac lite, I thought that it might be possible to forward the needed port on, for example, 192.168.0.666 and have the MikroTik router change the address to the needed 153.46.whatever.irrelevant:666
Is there such a feature? And if so: what is it called?
Also: what is the HTTP protocol? (all except one port are TCP)
Thank you all in advance.
Shadow of Revenge
So, to clarify, what you want to do is take a local IP address and forward it to an external ip?
I’d like to convert an IP address coming into the MikroTik router / switch into another IP address, because I’d like to open a port but I can’t open it to the IP address of the device.
Device: >>>>>>>>>>>>>>> MikroTik: >>>>>>>>>>>>> UPC Router:
153.123.666 >> IP change to 192.168.0.XXX >> port forwarding to internet
(upper and lower things belong together)
Hope that helps
Thank you for the help.
Shadow of Revenge
This playlist shows you the basics of how port forwarding works, from end to end, and how to set up a home router to conform to IANA standards so you can get the best internet connection quality possible with whatever you’ve got. It is my belief that so many other videos on this topic aren’t effective because they don’t distinguish source from destination ports, from the endpoint within one NAT to the internal and external interface of a source NAT, to the external and internal interfaces of a receiving NAT and receiving device.
These are important distinctions because they are all unique and can vary in many ways. The starting point for understanding external and internal port transactions is in video 2 of this playlist. However, to really understand the topic for your home I recommend watching them all from beginning to end. Then, take the activities you see and figure out how to do them for your router.
That’s going to be at the top of my watchlist before bed.
I’ll post again once I’ve watched them.
Have a nice evening.
Shadow of Revenge
No problem. If you have any questions I’ll be happy to answer them here or you can leave a comment below the video if you think others may have that same question.
So, I went into the firewall settings and found the routing options I need.
From what I’ve gathered, I need to set the connection rules in both directions, i.e. 153.123.666.0:1291 in, 192.168.0.99:1291 out and 192.168.0.99:1291 in and 153.123.666.0:1291 out.
That way the device can send data to the internet (with the forwarded port) and receive information from the internet.
Is that understanding correct?
Here are some pictures of the rules I thought I’d make (they’re not made yet, because I’m slightly scared of opening the wrong port and getting ransacked).
Thank you again for sharing the videos. I was really sceptical after the first video had a lot of unreadable text (white on white) in it.
Shadow of Revenge
Yeah, those videos.
I’d, uh, um, take them with a pinch of salt?
Like, the low-powered devices always connected to the internet aren’t more secure because they are wired.
The WiFi itself isn’t the problem, avoid buying cheap devices and make sure you are updating/checking their security.
As for closing unused ports, sure that is safer, but restricts the services you can use, so don’t be surprised if an app or game or server breaks.
And the tunnel/forwarding rules look okay for the specific port, but that won’t tie the device to only use that port/tunnel; it means any time the device wants that port, it’ll go to the one outside site. Other times it should just use the net normally.
Thank you for your info.
Since I can’t specifically block ports on my Router (from UPC) anyway, I won’t do it.
I found it a bit sad that so much of the video is making the lists - it makes them longer than they need to be.
Also, I’m not that certain that WiFi is as bad as smoking: a few years ago a company put up a new radio tower to provide better service in the area.
After the tower was completed they reported a 30% increase in doctor’s visits. The catch is that the tower was still off and nothing came from it.
Same with WiFi: I had to go to my friend’s house one day because his dad was “feeling really bad” because they couldn’t disable the WiFi on their router. As I arrived there I noticed that they had accidentally bridged the router, disabling the WiFi in the process. With the okay of my friend I turned on the WiFi 24/7 and we never had an issue related to that ever since. With that experience everything seems a bit sketchy when it comes to WiFi causing problems.
Furthermore: I am not certain why these IP addresses are needed, but I’m going to do what I’m being told.
Thank you for the help.
Shadow of Revenge
My apologies. I’m new to the rendering software and have, so far, been unable to find a way of making the text more visible. I will keep looking into that, you’re not the first person to mention it.
I think I need a little more information to answer your question. The IANA registry says the protocol in question is “seagulllms”. I have no idea what that is, lol, as you would expect. There are probably very few of us that are very experienced with most of the protocols on this list (at least I would think since so many of them are esoteric and they change).
When I’m configuring these settings for home purposes, I usually don’t define a specific endpoint because those specifications are also usually not provided by the vendors themselves. I tried to get the full PS3 Network protocol specs to provide an additional example of what’s really going on for these and didn’t get any response or interest in a discussion about it from Sony. This is what really annoys me about these vendors and their specs. There really shouldn’t be a lack of transparency there. Anywho…
In Apple’s case, for example, I could set all the rules relevant to Apple’s iCloud to the 18.104.22.168/24 address block, in order to add an extra layer of restraint to the connections that would be allowed. I have chosen not to do this because the OS, itself, is designed to make those connection decisions and interface with Apple on its own, so it’s a bit of overkill in this case.
However, if you are setting up a persistent connection to something like a virtual AWS or Azure instance that belongs to you, I can see how it could be beneficial to define the external address in this case.
In my “Basic Home Router” example series, defining two separate rules for the source or destination range, reflexively as you have shown, is redundant because the rules themselves allow the definition of “Inbound and Outbound” connections in a single rule, mapping to particular static internal IP address.
I don’t want you to get ransacked either. I understand that you can put a lot of work into the internal server setup itself and it’s a huge pain when any of the zillions of misanthropes go after you for sport.
So, I guess this is where you have to look really closely at your router’s manuals, and whatever examples it provides, for setting up and allowing an incoming connection. If the examples you see for that hardware are telling you that you need two rules for the reflexive connection relationship, then this looks right. I’ve only seen rules defined this way on routers that support VLANs, because source and destination port definitions are required for inter-VLAN routing. I haven’t seen it shown this way for more conventional routers, but that’s not to say my memory on that is perfect or that it’s impossible.
On the topic of source and destination ports. When we say “source” port in this situation, the insipid and confusing thing about this language is that what we are really usually talking about is the “destination port” on the outside (the WAN interface, rather than the internal LAN interface) of your router when we’re referring to the incoming source port. So a machine connecting from the outside will connect to your router’s IP address at port 1291 (the source port from the perspective of your UI, the destination port from the perspective of the source address making the incoming connection, but not the source port from the perspective of where the packet originated, which will usually be an ephemeral port if the protocol adheres to IANA recommended standards), and then that port will be mapped to the given internal IP at the same port. You can, and it’s not uncommon in business, send these connections to a different port. For example, an external machine can connect to your router’s WAN interface on port 12345 and then get mapped to port 1291 after traversal.
Without knowing the inner workings of the particular protocol you’re using, it’s very hard to say for sure. This is why I wanted to get this info from PlayStation to validate that they are, indeed, adhering to IANA’s port mapping standards. I don’t have the time to do the port mirroring myself and dismantle the protocol… It’s also unnecessary for this video series because its intent is to show folks how to set up your home devices to work based on those standards (which were fairly recently established in the last 15 or so years).
The worst part about all of this is that there is no hard set of rules that says, “Thou must use the ephemeral port range we’ve defined as source ports for connections”. You can map any port to any port for any protocol you want, period. This caused a lot of consternation and unnecessary complexity in the Windows Server 2008 and earlier days, when Microsoft themselves were not using these standards.
So, the shorter answer is that the Src and Dst ports, though misnomers, look good from what I know about how these usually work based on those standards. If there’s deviation from them you would have to make further customizations that would take longer to get into.
Protocol 6 (TCP) also looks fine, as long as that’s the spec for whatever application you’re running on port 1291. I don’t know so I assume that’s okay.
Trooper_Ish’s comments are also all true, and I’m sorry for this lengthy response. I’d just like to add that the purpose of the video series is to define what you want for your home given that there are typically very few ports you need to allow (5 Core) at a basic level and to show how to make adjustments for common entertainment and productivity services like consoles, VPN, etc.
I guess the hardest thing is that most home modems are supplied by the ISPs, and most people don’t bother with a router/switch/firewall.
So it ends up with the huge ISP buying 5 million units at super low cost, so they can pass them on to the customer.
The end customer knows nothing, nor cares, about networking or security; they just want a socket to plug into, like the POTS system, and have “The Internet” readily available.
But increasingly, they want WiFi too, and the devices don’t cost more, but end up with more functionality, so end up compromising further.
All one can do is ensure the device from the ISP is updated regularly, and get a separate switch + access point + firewall, use the ISP’s router as dumb as possible, and control it once the connection reaches the home…
It looks like you may have a more advanced router, so if you can only setup allow rules, it might function like the more advanced ones do in a “Default Block” mode.
It’s funny that business routers will explicitly tell you which mode you can set them to, but consumer devices can be much more difficult to configure because all the fundamentals of how it’s working are not disclosed. It’s kinda ridiculous, lol.
Port blocking is really great though. I’m a lot happier with the quality of the connections I get trimming the fat out with block rules.
Yea, I put the info about WiFi and “xG” in because a lot of people are losing their jobs for speaking out about it and I’ve been affected by it in my personal life. It’s becoming similar to the climate denial response, mountains of evidence being ignored, and totally disconcerting.
The main purpose of the videos is to clear up what people may be interested to know about how little they really need from a port perspective, and the wireless stuff is just recommended for folks to be aware of.
If it’s not too much trouble… I’ve been trying to get more feedback but I haven’t got much. I’ve got a fair amount of views but no comments positive or negative.
The videos give powerful information for everyday people, and I have no doubt people will love them if they manage to stay awake and interested through them… but the content is one of the most boring topics I think I can imagine… truth be told, I hate routers, and the only reason I know so much about them (other than through business experience) is because of how dangerous they are and how compelled I am to control what I allow them to do.
I’m very new to this movie making business, and my question for you is, was it simple enough to follow and engaging enough for you to not feel like it was painful to watch? I’ve described this work to my parents as “trying to make art out of trash”, not because the content is trash, but because the content is sticky, complicated and unpleasant. Was it palatable enough to get through? Were there any parts where you wanted to punch your computer screen?
You don’t need to specify an IP when opening a port.
What you need is a firewall rule to accept packets related to and part of established connections. You probably have that already; check. The second thing you need is a rule to accept incoming traffic from WAN on a port number. To port forward on top of that, you need a third rule, a dstnat rule in the nat table (aka chain) that will trigger on incoming traffic matching a port number and redirect to (rewrite) the destination IP.
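The three rules described in the reply above, written out as an added example in RouterOS terminal syntax. This is not configuration posted by anyone in the thread; the interface name ether1 (the MikroTik port facing the UPC router) and the LAN subnet 192.168.0.0/24 are assumptions, and 192.168.0.99 with TCP port 1291 are the internal host and port the original poster used earlier in the thread.

```routeros
# Added example (not from the thread): MikroTik RouterOS firewall rules for
# accepting established/related traffic, accepting the forwarded port from WAN,
# and dst-nat'ing it to an internal host.
# Assumptions: ether1 = WAN port towards the UPC router, LAN = 192.168.0.0/24,
# internal server = 192.168.0.99, service = TCP 1291.

/ip firewall filter
# 1) Stateful rules: replies to existing connections pass in both chains;
#    packets that connection tracking cannot match to any connection are dropped.
add chain=input   action=accept connection-state=established,related \
    comment="allow return traffic to the router itself"
add chain=input   action=drop   connection-state=invalid
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic through the router (LAN <-> WAN)"
add chain=forward action=drop   connection-state=invalid

# Nothing new from the WAN may reach the router's own services (winbox, www,
# ssh). Do not add this while you are managing the router through ether1.
add chain=input action=drop connection-state=new in-interface=ether1 \
    comment="drop new connections to the router from WAN"

# 2) Accept NEW connections from the WAN port only if a dst-nat rule (below)
#    has already rewritten their destination, i.e. only the forwarded port.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 \
    comment="allow port-forwarded connections from WAN"

# Everything else that is new and comes in on ether1 is dropped, so no other
# LAN host or port is reachable even if the UPC router forwards more than this.
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="drop all other new connections from WAN"

/ip firewall nat
# 3) dst-nat: rewrite the destination of TCP 1291 arriving on ether1 to the
#    internal server. Only the destination address changes; the port stays 1291.
#    Replies are un-translated by connection tracking automatically, so there is
#    no second "reverse" rule for 192.168.0.99 -> outside.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=1291 \
    to-addresses=192.168.0.99 to-ports=1291 \
    comment="forward TCP 1291 to internal server"

# Variant of 3): publish the service on a different outside port (12345) and
# map it to 1291 inside. Add src-address=<remote host or block> to either
# dst-nat rule to restrict who may use the forwarded port.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=12345 \
    to-addresses=192.168.0.99 to-ports=1291 \
    comment="WAN 12345 -> 192.168.0.99:1291"

# Normal outbound source NAT for LAN-originated traffic; the default
# configuration usually already has this rule, so check before adding it twice.
add chain=srcnat action=masquerade out-interface=ether1
```

`add` appends, and RouterOS evaluates rules top to bottom, so check `/ip firewall filter print` afterwards: an earlier "drop all not from LAN" rule from the default configuration would shadow the accept rule unless you move it with `place-before=`. The UPC router in front still has to forward TCP 1291 (or 12345) to the address the MikroTik holds on ether1, the 192.168.0.XXX from the diagram above; with that in place, `/ip firewall connection print` shows the dst-nat'ed connection while a client is talking to the service.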
risk… Thank you for adding this to this thread.
I actually have a few questions for you based on your response…
" firewall rule to accept packets related to and part of established connections"… Isn’t this true of all “stateful” firewalls, which is essentially all modern firewalls?
The UIs that come with these home routers usually perform the following commands you listed regarding rule creation for incoming connections, dstnat, and redirection. Is there some reason you’re expanding the topic in this way?
I’m just curious…
On 1) They said they have a MikroTik hAP ac lite, which is running RouterOS. I have some experience with MikroTik. There’s a gazillion guides out there, all slightly different, and who knows what setup they ended up with on their RouterOS by this time. It’s unlikely but possible they somehow disabled connection tracking; it’s also helpful to them to internalize the difference between packets and connections further.
On 2) The RouterOS UI literally has you adding these rules; there’s no “forward the port” wizard web form. Try spinning up the CHR edition of RouterOS in a VM and opening the WebFig UI; it’s chock-full of “advanced options”, as you’d say, BGP and MPLS via web UI almost alongside your WiFi SSID for $20. It’s very easy to accidentally screw things up. On MikroTik forums, they have people dropping to the CLI and posting the output of /export into a zip, and then having them make minimal reproducer configs… it’s not a very friendly place.
Wow, you said it. Reading your suggestions reminds me of configuring the built in firewall for Linux, an odious and frustrating procedure…
I could look it up, and I’m feeling pretty lazy right now, but that must be a more professional piece of equipment, then, maybe? Or is it just kind of antiquated? I’m surprised to hear of such things, lol…
Their niche is basically “gear for power users”, except their idea of a power user is an Eastern European kid neglected to grow up in an ISP basement during the dot-com-boom era of internet expansion.
They basically have a GUI driving a config engine, and their own CLI that is built around the same features driving that same config engine, and they just wrap anything anyone like the above people could have wanted to do with Linux into a “feature”. For example, they’re definitely not hiding iptables, but they have a UI to build the rules out of all possible options you could normally use on Linux, short of building your own drivers to do packet processing in C.