Hi.
I'm struggling with my firewall NAT config to achieve what I've got in mind. I've got a little knowledge of networking, but I guess it's not enough.
I've got a homeassistant server running on my local network on static 192.168.13.246 and it's accessible over LAN (+hairpin is working well). So basically from local I can reach it with my public, local or aliased (homeassistant) address over port 8123. That's great.
The problem is when I try to get there from outside of my local network - I can't reach it at all and there isn't any packet going through.
(1) Change this rule
From: add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
To: add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(2) Modify your source NAT rules so they are like so...
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.13.0/24 src-address=192.168.13.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
(3) Finally, change your DST NAT address. Two options, since it's not clear which applies:
A. if you have a fixed WANIP address (static), then: add chain=dstnat action=dst-nat dst-address=WAN_fixed_IP dst-port=8123 protocol=tcp to-address=192.168.13.246
B. if you have a dynamic WANIP, can and does change, then: add chain=dstnat action=dst-nat dst-address-list=MYWANIP dst-port=8123 protocol=tcp to-address=192.168.13.246
where the firewall address list called MYWANIP is
add ip-address=mynetnameIPCLOUD list=MYWANIP.
C. Another option for dynamic you could use, but most prefer B...
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.13.1 dst-port=8123 protocol=tcp to-address=192.168.13.246
but that only works with a one-subnet structure; if you have multiple subnets you would have to put them on a firewall address list...
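The three steps above assembled into one RouterOS config, as an added example that is not part of this post. It assumes the static-WAN case (option A), ether1 as the WAN port and a bridge as LAN, and uses the placeholder 203.0.113.10 for the address the MT router holds on its WAN side (when the MT sits behind an ISP router, that is the MT's IP in the ISP router's subnet, not the public IP).

```routeros
# Added example (not the poster's config). Placeholders: ether1 = WAN port,
# bridge = LAN, 203.0.113.10 = the MT router's own WAN-side address.
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall filter
# defconf rules that must stay ABOVE the three forward rules from step (1)
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# step (1): replaces "defconf: drop all from WAN not DSTNATed"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
# everything not explicitly allowed above is dropped (covers the reverse direction too)
add chain=forward action=drop comment="drop all else"

/ip firewall nat
# step (3A): only TCP/8123 arriving at the MT's WAN-side address is forwarded;
# log=yes lets you confirm in /log that packets actually reach this rule
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=8123 \
    to-addresses=192.168.13.246 log=yes log-prefix="HA-fwd" comment="home assistant"
# step (2): hairpin NAT so LAN clients can use the WAN address as well
add chain=srcnat action=masquerade src-address=192.168.13.0/24 \
    dst-address=192.168.13.0/24 comment="hairpin nat"
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"
```

After applying it, `/ip firewall nat print stats` shows whether the dstnat rule's counters move when you connect from outside, and `/log print where message~"HA-fwd"` shows the matched packets; if neither changes, the traffic is not reaching the MT router at all (upstream port forward or ISP).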
You didn't change your firewall rules as suggested, so I don't expect it to work.
If you're not willing to try stuff to fix your problem, why are you here ???
When and if you do, and if it still doesn't work, then the issue is not MT, and ensure you have port forwarded correctly from the main router.
It should be port forwarded to the WAN IP of the MT router (its LAN IP on the main router's subnet).
If that doesn't fix it, then there are still a few things to consider, such as whether the ISP is blocking the traffic.
Perhaps also check the server; sometimes they have built-in firewalls that can block traffic, or even the PC firewall if the server is behind a PC.
I'm not sure what you mean. I basically did what you suggested; I just checked with a diff checker:
(1) I disabled the mentioned rule instead of deleting it. Yeah, I didn't know it made a difference; it still shouldn't apply, am I wrong? I also added the three rules you wrote.
(2) All source NAT rules are the same as you wrote.
(3) Since I've got a static IP from my provider, I did option A and added one dst rule, feeding it my WAN IP (and added logging, but I can't see how it would affect anything).
I don't know what I've missed there. Sorry if it looked like I just ignored your suggestion, but I don't know what I did wrong there =/
Sorry I didn't clear that up - I was at work and didn't have access to my network (I should've clarified that). The router that connects to the Internet is from the ISP, so it has limited functionality that I can change, but after double checking I had my 8123 port forwarded and DMZ was set to my HA IP.
EDIT: I've figured it out. Thanks for that config and for pointing out that there's another router in the middle. Turns out I just needed to point dst-address in dst-nat to my MT IP in the subnet created by my ISP router.