Block access to every IP but 5 specific public IPs to two ports

Hello,

I'm kinda new to networking and I'm learning MikroTik.

I have a task to complete now.

Got 5 public IP addresses that I need to connect only to two ports on the server, which is 192.168.88.125.
Ports are 8081 and 6666.

And I need to block every other IP for these two ports only.

I know how to add firewall rules for these IPs only, but I'm struggling to block the other IPs. If I add a rule to drop all IPs for the specified ports, I lose my internet connection.

Right, so let's do this one step at a time.

(1) Need to ensure firewall rules in the forward chain allow Port Forwarding or Destination NAT.
add chain=forward action=accept connection-nat-state=dstnat

(2) Need to ensure Source NAT is set up properly
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=WANIP { Fixed Static WANIP } (ether1, pppoe-out1, vlan etc… whatever the WAN port is)
add chain=srcnat action=masquerade out-interface-list=WAN (the default rule) { Dynamic WANIP } (not good enough for users on the LAN using the WANIP though *******)
******* If you want users on the same LAN as the server to access the server via WANIP then you will run into hairpin NAT → https://forum.mikrotik.com/viewtopic.php?t=179343

(3) Need to ensure DST NAT is set up properly
add chain=dstnat action=dst-nat dst-address=WANIP dst-port=XXX protocol=YYY to-addresses=192.168.88.125 { fixed/static WANIP } (if dst-port is the same as the to-port, to-ports is not required)
OR
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=XXX protocol=YYY to-addresses=192.168.88.125 { dynamic WANIP } (see the same note above *** if you are running into hairpin NAT)

(4) NOW ADDING THE ALLOWED USERS ONLY

a. MAKE AN IP FIREWALL ADDRESS LIST
add address=user1 list=authorized
add address=user2 list=authorized

add address=user5 list=authorized

Note: the user could also provide a DynDNS name, be it from NOIP, another MikroTik using its mynetname ID etc…
add address=mynetnameID list=authorized

b. Add to the current dstnat rule!
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=XXX protocol=YYY to-addresses=192.168.88.125 src-address-list=authorized

DONE, you don't need to worry about blocking anyone, as you have done so by creating the authorized list.

If you have two ports to that server then…
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=XXX,AAA protocol=YYY to-addresses=192.168.88.125 src-address-list=authorized
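The pieces above assembled for the poster's case, as an added example that is not part of the thread: the five client addresses are placeholders, TCP is assumed for both ports, the WAN interface is assumed to already be in the default WAN interface list, and a scoped drop-and-log rule is added in the forward chain so that an unlisted source reaching the server's ports is both blocked and visible in the log without touching the router's own outbound traffic.

```routeros
# Added example, not the thread's own config. Server 192.168.88.125, ports
# 8081 and 6666 (tcp assumed), five placeholder client addresses.
/ip firewall address-list
add address=203.0.113.11 list=authorized comment="client 1 (placeholder)"
add address=203.0.113.12 list=authorized comment="client 2 (placeholder)"
add address=203.0.113.13 list=authorized comment="client 3 (placeholder)"
add address=203.0.113.14 list=authorized comment="client 4 (placeholder)"
add address=203.0.113.15 list=authorized comment="client 5 (placeholder)"

/ip firewall nat
# Only sources on the list are translated to the server at all; everyone
# else never gets a dst-nat entry, so the port forward does not exist for them.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=8081,6666 src-address-list=authorized \
    to-addresses=192.168.88.125 comment="forward 8081/6666 to server"
# Default dynamic-WAN source NAT (assumes WAN is in the WAN interface list).
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
# Let the translated connections through the forward chain.
add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow dstnat'ed traffic"
# Scoped to traffic arriving on WAN for the server's two ports only, so LAN
# clients and the router's own outbound connections are unaffected; logging
# gives a record of who tried the ports while not being on the list.
add chain=forward action=drop in-interface-list=WAN protocol=tcp \
    dst-address=192.168.88.125 dst-port=8081,6666 \
    src-address-list=!authorized log=yes log-prefix="blocked-port-access" \
    comment="drop and log unlisted sources to 8081/6666"
```

Place the two filter rules above any generic accept in the forward chain; the dstnat rule already does the allow-listing, the drop rule only makes a future mistake (such as a rule added later without src-address-list) fail closed and show up in /log.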

Lovely man, super, thank you. I was trying to block them on the firewall list. It kinda worked but now it's super. Tnx again