Right I think I've got somewhere.
ether5 is no longer a slave, it's on its own. It has an address of 10.2.15.1:
[admin@router] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.1.1/24 192.168.1.0 wlan1
1 D 77.**.**.**/24 77.**.**.0 ether1-gateway
2 10.2.15.1/24 10.2.15.0 ether5
DHCP setup for 10.2.15.0/24 network
[admin@router] > ip dhcp-server network print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 10.2.15.0/24 10.2.15.1
1 192.168.1.0/24 192.168.1.1
2 ;;; default configuration
192.168.88.0/24 192.168.88.1 192.168.88.1
The server now gets a static lease for 10.2.15.10 and it has connectivity. I've set up the following NAT:
[admin@router] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway
1 chain=srcnat action=src-nat to-addresses=77.**.**.**
out-interface=ether1-gateway
2 chain=dstnat action=dst-nat to-addresses=10.2.15.10 protocol=tcp
dst-address=77.**.**.** dst-port=80,443
I now have two problems. The first is that the NAT is using my external IP, which could change at some point. Is it possible to set up a NAT rule to allow access without specifying the IP directly?
Secondly, I can't seem to fully shut off access from the server to my network. Ping is now disabled, and the Samba share seems to be stopped, but I can still access a mongoose webserver on port 8080 inside the 192.168 subnet. I have a drop-all from ether5 on the input chain; surely that should stop it?
Rules below:
[admin@router] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop in-interface=ether5
1 ;;; #DMZ1 - DROP INVALID INPUT
chain=input action=drop connection-state=invalid
2 ;;; DROP INVALID CONNECTIONS
chain=forward action=drop connection-state=invalid
3 ;;; #DMZ6 - Drop ICMP from ether5
chain=input action=drop in-interface=ether5
4 ;;; ALLOW ICMP
chain=input action=accept protocol=icmp
5 ;;; ALLOW ESTABLISHED
chain=input action=accept connection-state=established
6 ;;; ALLOW RELATED
chain=input action=accept connection-state=related
7 ;;; allow established connections
chain=forward action=accept connection-state=established
8 ;;; allow related connections
chain=forward action=accept connection-state=related
9 ;;; #DMZ2 - ALLOW INSIDE CONNECTIONS
chain=input action=accept in-interface=bridge-local
10 ;;; UPNP 1900 UDP
chain=input action=accept protocol=udp dst-address-list=239.255.255.250
dst-port=1900
11 ;;; UPNP 2828 TCP
chain=input action=accept protocol=tcp dst-port=2828
12 ;;; allow TCP
chain=forward action=accept protocol=tcp
13 ;;; allow ping
chain=forward action=accept protocol=icmp
14 ;;; allow udp
chain=forward action=accept protocol=udp
15 ;;; #DMZ4 - Allow outgoing forward
chain=forward action=accept in-interface=bridge-local
16 ;;; #DMZ5 - Allow DMZ out
chain=forward action=accept in-interface=ether5
out-interface=ether1-gateway
17 ;;; #DMZ6 - Allow incoming to server
chain=forward action=accept protocol=tcp dst-address=10.2.15.10
dst-port=80,433
18 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
19 ;;; drop everything else
chain=forward action=drop
20 ;;; #DMZ3 - Drop any remaining input
chain=input action=drop