Is this possible because I can’t make this work in the Forward or Dstnat chain rules but it works GREAT on the Input chain?
Example, I have a port knock scenario that adds an IP to an Address List named “Safe”
On the Input chain firewall rule for router access I reference the list “Safe” (under Advanced → Src. Address List) and it works great! It will deny access to the router unless the source IP is on the “Safe” list.
However, when I try adding my “Safe” list into the Forward chain or Dstnat rules I lose connectivity to the server behind the firewall and I have verified the IP I’m using is on the “Safe” list. Removing the “Safe” list from the filter rule restores access to the server.
Any ideas why that is happening? I’m trying to avoid VPN access for a certain reason.
Hi there, very good question and one that I wrestled with when first coming to MikroTik from Zyxel routers.
On Zyxel routers one had to create a port forwarding rule and a firewall rule.
On the MikroTik devices one creates a Destination NAT rule, and one can provide the granularity within the dstnat rule to limit access to one or more IPs.
As the previous poster noted, he created an address list and then applied the list (on winbox, the advanced tab one can find source-address-list).
I use this for access to a solar panel and a septic panel for the associated companies.
If you just have one IP and DON'T ever think you will need more than one external IP to have access, you can simply enter the IP in Src. Address on the first tab.
I should note that you can add multiple ports separated by commas in dst-port.
By the way, one can do port translation here as well. For any case where the port forwarding traffic (unsolicited traffic) comes in on port xxxxx and you want it to actually go to a server but on port zzzz, that is easy too.
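The dstnat rule described in this reply, written out as a constructed RouterOS CLI example (added here, not posted by either participant). The list name Safe comes from the thread; the interface name, addresses and port numbers are placeholders, and the forward-chain rules are an assumption about the usual ordering next to the default established/related accept.

```routeros
# Constructed example, not from the thread. Placeholders:
# ether1 = WAN interface, 203.0.113.10 = a trusted external client,
# 192.168.88.10 = the internal server, 55022 = public port, 22 = server port.

# 1. The address list populated by the port knock (or filled by hand).
/ip firewall address-list
add list=Safe address=203.0.113.10 comment="trusted external client"

# 2. Destination NAT: only sources on the Safe list are forwarded.
#    dst-port takes a comma-separated list (e.g. 55022,55443);
#    to-ports does the port translation (public 55022 -> server 22).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=55022 \
    src-address-list=Safe action=dst-nat \
    to-addresses=192.168.88.10 to-ports=22 comment="Safe -> server ssh"

# 3. Forward chain. Replies from the server carry src=server, not a Safe
#    address, so the established/related accept must sit before any rule
#    that matches src-address-list=Safe; with the order reversed the
#    return traffic never matches and the session appears to hang.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat \
    src-address-list=Safe action=accept comment="dst-nat'd from Safe only"
add chain=forward connection-state=new connection-nat-state=dstnat \
    action=drop comment="defence in depth: no other forwarded sessions"
```

Check with `/ip firewall connection print` that the forwarded session shows the translated destination, and `/ip firewall filter print stats` to confirm which forward rule is counting the packets.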