I have one dst-nat rule with a source address list in it, and I notice that at some random time I don't have access through some of the IPs from the allow list. The allow list consists of some DDNS names, and the IP is dynamically learned — and it is in there. I tried without the list and everything is OK, but when I activate the list, for some reason it's not working for some of the DDNS names, even though the IP is OK and dynamically learned.
Is it possible that MikroTik has some bug with that?
k6ccc
December 16, 2022, 11:44pm
2
Without knowing what you did, we’re guessing. Please export your config.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
The only thing I do is this:
/ip firewall nat
# NOTE(review): rule as first posted. The src-address-list matcher in the dstnat chain is consulted
# for the first packet of a new connection only; allowlist is described below as holding DDNS names,
# so the match depends on the resolved dynamic entry being present in the list at that moment.
add action=dst-nat chain=dstnat src-address-list=allowlist comment=WEB dst-address=192.168.1.163 dst-port=\
80 in-interface=ether5 protocol=tcp to-addresses=192.168.111.155 \
to-ports=80
and allowlist is a list of DDNS names, filled with the public IP the packets come from.
From the source's point of view, I see the packet go out, but it doesn't arrive at the destination. And when I remove the allowlist, it works. I just think it's a MikroTik bug.
anav
December 17, 2022, 11:07pm
4
/export file=anynameyouwish (minus the router serial # and any public WAN IP information).
Since you came here for help, why are you suddenly deciding which part of the config to show?
On one hand you have an issue, and the next you're an expert, LoL. It's not always that clear.
Full config required.
# dec/19/2022 11:31:07 by RouterOS 6.49.7
# Export posted with hide-sensitive; tokens such as HQ1_WAN / HQ2_WAN appear to be values redacted by the poster.
/interface bridge
add admin-mac=CC:2D:E0:17:22:64 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
# Physical ports are renamed here: default ether5 becomes ether1 and default ether1 becomes ether5.
# Interface names used in the rules below refer to the renamed ports.
set [ find default-name=ether5 ] mac-address=CC:2D:E0:17:22:63 name=\
ether1 speed=100Mbps
set [ find default-name=ether4 ] mac-address=CC:2D:E0:17:22:64 name=ether2 \
speed=100Mbps
set [ find default-name=ether3 ] mac-address=CC:2D:E0:17:22:65 speed=100Mbps
set [ find default-name=ether2 ] mac-address=CC:2D:E0:17:22:66 name=ether4 \
speed=100Mbps
set [ find default-name=ether1 ] mac-address=CC:2D:E0:17:22:67 name=\
ether5 speed=100Mbps
set [ find default-name=ether6 ] comment="DMZ-MktCCR- eth6"
/interface ovpn-client
add certificate=cgbudvamainska_cert.crt_0 cipher=aes128 connect-to=\
HQ1_WAN.81 mac-address=FE:4B:4F:26:3C:B6 name=ovpn-out1 port=2013 \
user=any
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): wpa-psk (WPA1) is accepted alongside wpa2-psk on this profile.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=no_country_set disabled=no mode=ap-bridge security-profile=\
profile1 ssid=company
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
# NOTE(review): both proposals use 3DES, and the (disabled) default one also MD5; these are
# considered weak. The only policy shown below is disabled, so whether they are in use is unclear.
set [ find default=yes ] auth-algorithms=md5 disabled=yes enc-algorithms=3des
add enc-algorithms=3des name=company
/ip pool
add name=dhcp_pool1 ranges=10.30.15.100-10.30.15.199
add name=dhcp_pool2 ranges=10.5.50.30-10.5.50.254
add name=pptp_pool ranges=192.168.79.15-192.168.79.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=20m \
name=dhcp1
add address-pool=dhcp_pool2 disabled=no lease-time=20m name=dhcp2
/ppp profile
add dns-server=8.8.8.8,1.1.1.1 local-address=192.168.79.1 name=test only-one=\
yes remote-address=pptp_pool use-encryption=yes
/snmp community
# NOTE(review): the default SNMP community is allowed from any address (0.0.0.0/0); whether the
# SNMP service itself is enabled is not visible in this export.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=flash/log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=loose tcp-syncookies=yes
/interface l2tp-server server
set default-profile=test use-ipsec=yes
/interface list member
# Both ether1 and ether5 are WAN-facing (see the two DHCP clients below); no filter rule in this
# export uses the WAN list.
add interface=ether1 list=WAN
add interface=ether5 list=WAN
/interface pptp-server server
# NOTE(review): pap, chap and mschap1 are listed as accepted authentication methods; the server's
# enabled state is not visible in this export.
set authentication=pap,chap,mschap1,mschap2 default-profile=test
/ip address
add address=10.30.15.1/24 interface=bridge1 network=10.30.15.0
add address=10.5.50.1/24 network=10.5.50.0
add address=10.77.0.1/30 comment=DMZ_xy_soft interface=ether6 network=\
10.77.0.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
add default-route-distance=2 !dhcp-options disabled=no interface=ether5 \
use-peer-dns=no
/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1
add address=10.30.15.0/24 dns-server=8.8.4.4,8.8.8.8 gateway=10.30.15.1
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
# These are the resolvers the router uses for the DNS-name address-list entries below.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# NOTE(review): entries given as DNS names (www.shodan.io, shodan.io, branch.company.rs) are
# resolved by the router via /ip dns; the resolved address is kept as a dynamic entry whose
# timeout follows the record's TTL, so the list can be briefly empty between expiry and
# re-resolution, and a rule matching on it will not match during that window.
add address=HQ1_WAN.0/22 list=HQ1add
add address=10.100.0.0/16 list=HQ1add
add address=82.117.193.238 list=HQ1add
add address=192.168.5.0/24 list=HQ1add
add address=192.168.50.0/24 list=HQ2add
add address=192.168.90.0/24 list=HQ2add
add address=109.92.129.206 list=HQ2add
add address=192.168.88.0/24 list=HQ1add
add address=8.8.8.8 list=DNS
add address=8.8.4.4 list=DNS
add address=1.1.1.1 list=DNS
add address=198.20.69.72/29 list=shodan
add address=198.20.69.96/29 list=shodan
add address=198.20.70.112/29 list=shodan
add address=198.20.99.130 list=shodan
add address=93.120.27.62 list=shodan
add address=66.240.236.119 list=shodan
add address=71.6.135.131 list=shodan
add address=66.240.192.138 list=shodan
add address=71.6.167.142 list=shodan
add address=82.221.105.6 list=shodan
add address=82.221.105.7 list=shodan
add address=71.6.165.200 list=shodan
add address=216.117.2.180 list=shodan
add address=85.25.43.94 list=shodan
add address=85.25.103.50 list=shodan
add address=188.138.9.50 list=shodan
add address=209.126.110.38 list=shodan
add address=104.236.198.48 list=shodan
add address=104.131.0.69 list=shodan
add address=www.shodan.io list=shodan
add address=shodan.io list=shodan
add address=10.5.50.0/24 list=wifi
add address=HQ2_WAN list=HQ2add
# allowxy is the source list used by the WEB dst-nat rule; it holds only this DNS name.
add address=branch.company.rs list=allowxy
/ip firewall filter
# NOTE(review): neither the input nor the forward chain ends in a drop rule in this export, so
# anything not hit by the few drops below (shodan, pingers) falls through to the chain's implicit
# accept. The lists pingers and BlockLAN have no entries and no rule adding to them here.
add action=accept chain=forward comment=xy2soft dst-address=\
192.168.88.0/24 src-address=10.30.15.0/24
# NOTE(review): accepts all input traffic to 192.168.1.163 with no protocol/port restriction, and
# it precedes the shodan/pingers drops. 192.168.1.163 is also the dst-address of the WEB dst-nat
# rule below (and presumably the ether5 DHCP address, given the 192.168.1.1 default gateway), so a
# connection the dst-nat rule does not match is accepted into the router itself rather than dropped.
add action=accept chain=input dst-address=192.168.1.163
add action=drop chain=input disabled=yes dst-address=10.30.15.0/24 protocol=\
icmp src-address=!10.100.0.100 src-address-list=BlockLAN
add action=drop chain=forward disabled=yes dst-address=!10.100.0.100 \
dst-address-list=BlockLAN protocol=icmp src-address=10.30.15.0/24
add action=accept chain=input comment="PPTP VPN" disabled=yes dst-port=1723 \
in-interface=ether5 protocol=tcp
add action=accept chain=forward comment="Allow Est, Rel" connection-state=\
established,related
add action=accept chain=input comment="Allow Est, Rel" connection-state=\
established,related
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=HQ1add
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=HQ2add
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=HQ2add
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=HQ1add
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=HQ1add
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=HQ2add
# The invalid-state drops are disabled.
add action=drop chain=forward comment="Drop Inv." connection-state=invalid \
disabled=yes
add action=drop chain=input comment="Drop Inv." connection-state=invalid \
disabled=yes
add action=drop chain=input comment="IN-Block Shodan" src-address-list=\
shodan
# Disabled, and no jump into the syn-attack chain is visible in this export.
add action=drop chain=syn-attack connection-state=new disabled=yes protocol=\
tcp tcp-flags=syn
add action=drop chain=input comment="IN-defend from pingers" \
src-address-list=pingers
/ip firewall nat
# NOTE(review): src-address-list=allowxy is evaluated for the first packet of a new connection
# only; if the allowxy entry has expired and not yet been re-resolved at that moment the rule does
# not match. log=yes logs each match, so the log shows whether this rule fired for a failed attempt.
add action=dst-nat chain=dstnat comment=WEB src-address-list=allowxy dst-address=192.168.1.163 \
dst-port=80 in-interface=ether5 log=yes protocol=tcp to-addresses=\
10.30.15.201 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): masquerading towards bridge1 rewrites the source of every packet leaving to the
# LAN, including the DNAT-ed WEB traffic, so the server at 10.30.15.201 will see the router's
# bridge1 address (10.30.15.1) rather than the real client address in its logs.
add action=masquerade chain=srcnat out-interface=bridge1
add action=masquerade chain=srcnat out-interface=ether5
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
# NOTE(review): this static default route (distance 1) sits alongside the DHCP-client default
# routes on ether1 (distance 1) and ether5 (distance 2); which one is active is not visible here.
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.50.0/24 gateway=192.168.50.99
# The next two routes to 192.168.88.0/24 are identical apart from the comment.
add distance=1 dst-address=192.168.88.0/24 gateway=10.77.0.2
add comment=soft2xy distance=1 dst-address=192.168.88.0/24 gateway=\
10.77.0.2
So from SOURCE it comes to the WEB rule:
# NOTE(review): same WEB rule as in the export above (to-addresses is 10.30.15.201 here, whereas the
# first snippet in the thread had 192.168.111.155). log=yes logs each packet this rule matches, so a
# failed attempt with no corresponding log line would indicate the src-address-list or in-interface
# matcher did not match at that moment.
add action=dst-nat chain=dstnat comment=WEB src-address-list=allowxy dst-address=192.168.1.163 \
dst-port=80 in-interface=ether5 log=yes protocol=tcp to-addresses=\
10.30.15.201 to-ports=80
When I remove the src-address-list it works; with it, it only works periodically, as if the DDNS resolving doesn't do its magic. I can see the correct IP dynamically learned in the address list, but I can't access it.