I’ve replaced my old (non-RouterOS) router with an hAP ax2, and am now stuck at trying to get a RPi server that is behind the router to be accessible from the internet.
It worked fine on the old router with port forwarding, but now I only get timeouts when trying to connect on ssh, and no connection to http or https.
I have the default firewall rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Does the mikrotik have the same internal ip address as the old router?
Presumably .100 and .102 are set up with static ip configurations.
Perhaps static ARPs have been configured somewhere.
Can .100 and .102 connect to the internet?
Traceroute from these to 8.8.8.8 does it go via the mikrotik?
These two are in opposite order in default firewall rules … As they are now, the rule #4 blocks all traffic which rule #5 is supposed to pass.
Not the game changer in your case though…
But this one:
You really should be sticking to default config concept … which uses interface list. You’re saying that your WAN internet access is via PPPoE … and that means that your in-interface is not ether1 (even though ether1 port is carrying PPPoE frames), it’s pppoe-out1. But if you stick to default config concept (that would be IMO a very good decision), then the rule should read:
(i.e. use in-interface-list=WAN instead of in-interface=ether1 … and no need to explicitly set to-ports if it’s the same as dst-port … NAT only changes properties of packets which are explicitly configured, the rest are kept unaltered if possible.)
And similar for the rest of DST-NAT rules.
Beware that if you’ll ever try to access port-forwarded services using WAN IP address from inside your LAN, you’ll have to rework the DST NAT rules … to create hairpin NAT.
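As an added example (not mkx’s rule, which is not reproduced on the page), this is what the DST-NAT rules look like when they follow the default-config convention mkx describes, together with the hairpin NAT that the last paragraph warns about. The server address 192.168.0.100, the LAN subnet 192.168.0.0/24, the ports 22/80/443 and the `<PUBLIC-WAN-IP>` placeholder are assumptions, not values from the thread.

```routeros
# Added example (assumptions: RPi server = 192.168.0.100, LAN = 192.168.0.0/24).
# Match on the WAN interface *list*, not on ether1: with PPPoE the packets
# arrive on pppoe-out1, and the default config already puts pppoe-out1 in the
# WAN list. to-ports is left out because NAT keeps the destination port as-is
# when it is not explicitly rewritten.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=22 \
    to-addresses=192.168.0.100 comment="forward ssh to rpi"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80 \
    to-addresses=192.168.0.100 comment="forward http to rpi"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.0.100 comment="forward https to rpi"

# Hairpin NAT, only needed if LAN clients will open the *public* address.
# The rules above do not match LAN clients (wrong in-interface-list), so a
# second dstnat rule keyed on the public address is needed, plus a srcnat rule:
# without it the server would answer the LAN client directly, the client would
# see a reply from 192.168.0.100 instead of the address it connected to, and
# the connection would fail. <PUBLIC-WAN-IP> is a placeholder; with a dynamic
# PPPoE address it has to be kept current (e.g. via an address list).
add chain=dstnat action=dst-nat dst-address=<PUBLIC-WAN-IP> protocol=tcp \
    dst-port=22,80,443 to-addresses=192.168.0.100 comment="hairpin dstnat"
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    dst-address=192.168.0.100 protocol=tcp dst-port=22,80,443 \
    comment="hairpin srcnat"
```

The “gotcha” mkx mentions is visible in the last rule: because the hairpin traffic is masqueraded, the server sees every LAN client as the router’s LAN address (192.168.0.1) rather than the client’s own address, which affects server-side logging and any access control the server does by source address. Clients that use the server’s LAN address directly are unaffected.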
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
and all the ports are working (can access SSH and webpages from WAN). However, now I’m worried that this might create a security problem. Is there a way to enable this rule in such a way that will allow non-LAN traffic?
---- original message
mkx, I changed the order of rules in the firewall rule set, as well as the interfaces for each NAT rule, but it didn’t help.
rplant, I ran traceroute google.com and got this (192.168.0.1 is the router IP; x.x.x in steps 2 and 3 is the first three parts of the PPPoE gateway IP):
traceroute to google.com (216.58.207.238), 30 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.253 ms 0.172 ms 0.165 ms
2 <ISP URL> (x.x.x.7) 0.485 ms 0.431 ms 0.377 ms
3 <ISP URL> (x.x.x.30) 0.610 ms 0.544 ms 0.560 ms
4 87.245.239.4 (87.245.239.4) 1.255 ms 1.466 ms 1.379 ms
5 ae1-1.rt.tc1.sto.se.retn.net (87.245.232.51) 7.156 ms ae9-7.rt.lim.waw.pl.retn.net (87.245.233.221) 10.106 ms 14.420 ms
6 gw-as15169.retn.net (87.245.245.87) 10.127 ms 87.245.208.1 (87.245.208.1) 23.529 ms 23.427 ms
7 * 142.251.225.169 (142.251.225.169) 23.154 ms *
8 142.251.65.82 (142.251.65.82) 30.585 ms 142.251.48.38 (142.251.48.38) 31.037 ms 142.250.227.86 (142.250.227.86) 30.957 ms
9 172.253.69.240 (172.253.69.240) 30.429 ms 192.178.83.131 (192.178.83.131) 42.514 ms 192.178.104.134 (192.178.104.134) 8.208 ms
10 arn09s19-in-f14.1e100.net (216.58.207.238) 7.662 ms 216.239.57.100 (216.239.57.100) 16.600 ms 142.250.235.254 (142.250.235.254) 11.835 ms
I also tried to connect to the router using ssh admin@<WAN IP>, and also got a timeout, so the problem might not be with the NAT rules.
You should be worried as you potentially opened your LAN for external attacks.
Read the rule I posted again. I didn’t change the rule to in-interface=WAN but rather to in-interface-list=WAN.
Since you don’t complain about internet not working, I assume that the SRC NAT (masquerade) rule works as intended. Which means that WAN interface list membership is correct. So try to get the rule exactly as I wrote it (pay attention to details).
The order of firewall filter rules should stay as they are in default config, my comment was saying that you already deviated from default and for no reason. But, as I already wrote, that was not the reason for port forwarding not behaving.
I have a feeling that there are some other (minor?) issues with your config. Can you export complete config and post it here? Execute /export file=anynameyouwish from terminal window, fetch the resulting file, open it in your favourite text editor, redact any remaining sensitive data (such as passwords, serial number, public WAN IP if it’s statically set) and copy-paste it in a post here … include it inside [code] [/code] environment (that’s the “” button on top of post editing frame).
Regarding NAT not working: from where are you trying to use it? Is it via truly internet access (e.g. via mobile ISP) or is it from inside your LAN by connecting WAN IP address? If the latter, it won’t work unless you implement hairpin NAT and it comes with a gotcha (which bothers some people a lot and doesn’t bother other people).
Another question: is your WAN IP address actually public (routable world wide) or is it one of the private addresses (a.k.a. RFC 1918 address) or one of the CGNAT addresses (a.k.a. shared address space or RFC 6598 address)? If the latter, then ability to port forward depends on ISP setup and most likely it’s not possible.
I tried to use ssh, connect with winbox and visit a website on the server from devices within the network and from my smartphone with mobile internet. It would time out from outside the network, and refuse from within the network.
I’m pretty sure the ip is public, I set up the server without any changes made by my ISP.
Something doesn’t add up … there’s no configuration line (neither firewall nor anything else) which would explain “refuse from within the network” … firewall rules which “refuse” connections are “action=reject”. All firewall rules shown are either “accept” or “drop” … and those cause clients to timeout.
If you can, try to sniff traffic on client (use wireshark) and analyse the ICMP reject message, which informs client about rejected attempt to connect. Verify if MAC address of ICMP message sender belongs to MT device.
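As an added example (not from any post in the thread), here is how to undo the “disable rule 4” workaround without losing port forwarding, and how the drop/reject distinction mkx draws shows up in RouterOS rules. The server address 192.168.0.100 and the log prefix are assumptions; the rule comments are the defconf comments shown in the first post.

```routeros
# Added example. Rule 4 ("drop all not coming from LAN") lives in the *input*
# chain, which only covers traffic addressed to the router itself. Port
# forwarding is handled in the *forward* chain, where the default rule
# "drop all from WAN not DSTNATed" lets DST-NATed connections through
# (connection-nat-state=dstnat is excluded from the drop). So the input rule
# can stay enabled and still let the forwarded ports work.
/ip firewall filter
enable [find comment="defconf: drop all not coming from LAN"]

# Optional visibility for the defender: log each new DST-NATed connection from
# WAN to the server (192.168.0.100 assumed) so anything reaching it shows in
# /log. It is placed just before the default WAN drop so it runs after the
# established/related accept and does not log every packet.
add chain=forward action=log log-prefix="fwd-dstnat" connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN dst-address=192.168.0.100 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Drop vs reject as the client experiences it: every defconf rule above uses
# action=drop, so a blocked client waits until it times out. A "connection
# refused" needs an ICMP unreachable or TCP RST, which RouterOS only sends from
# an explicit reject rule, e.g. (shown for contrast, not recommended here):
#   add chain=input action=reject reject-with=icmp-port-unreachable ...
# or from the destination host itself when nothing listens on that port.

# Quick checks behind mkx's questions: is pppoe-out1 really in the WAN list,
# and do the NAT rules look exactly as intended?
/interface list member print where list=WAN
/ip firewall nat print detail
```

If the WAN list does not contain the PPPoE interface, the masquerade rule would not be matching either, so a working internet connection from the LAN is itself evidence (as mkx notes) that the list membership is right and the problem is in the DST-NAT rule text.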
Not sure if the router added this in (netmask), but if you put it in manually please remove.
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
Don’t recommend or use UPnP, but wondering if this new construct is interfering with it, or they with each other.
/ip nat-pmp
set enabled=yes