I am trying to replace my old reliable RB4011 WAN router (terminates the gigabit pppoe connection to my ISP and then serves a default route for one /24 along with some port-forwarding for 5-6 different services) with a CCR2004-16G-2S+.
So now I have the feed from my ISP on port 16 of the CCR, it’s on VLAN 201 because it’s qwest and the pppoe client comes up just fine. I am hanging 7 gigabit devices off the first bank of switch ports on the CCR and then sfp+2 is connected via twinax into a CRS312 where my 10gig devices are hanging. All ports except the pppoe-out interface are in a bridge group.
This is what I always do on mikrotik routers, and I’m not an expert but this is not my first rodeo. For the most part, everything works as expected on 7.2rc3 and 7.1.2 but (here’s the actual problem):
Any NAT policy I make under IP>Firewall>NAT is (edit) not working. Other than the masquerade rule for outgoing traffic, nothing else works! None of the “port forwarding” or dst-nat works.
I see there are problems with this device with NAT and connections tracking. Honestly, I expected some early adopter pains, but reading about a similar issue in the older CCR2004 makes me wonder if there’s a hardware problem with these devices that may not be able to be fixed.
What’s the suggested code rev now? What can I do about the NAT policies not working? I thought maybe I hadn’t properly defined my ingress interface in the policy, but no matter what I do (select pppoe-out or use the WAN group) the NAT will not work properly. Has anyone else had huge problems with NAT on this device? (I feel like I see hints of this on the forums and in rel notes.)
I’m not trying to do anything very intense. I just want to make a handful of “port forward” rules and let the device do its job. Please help.
If you’re wondering if I’m being pointlessly pedantic, remember that computers are even more pedantic than I am. Fine details and distinctions matter to them. Perhaps you have overlooked or handwaved some important distinction in the case leading to this post, too.
this is not my first rodeo
And yet you leave out your configuration. “/export hide-sensitive”, please!
I can actually only get one of the tcp rules to work
This is why we need the configuration. To speculate on that simple statement is nearly pointless, except in a scattergun debugging sort of way.
I read your post as one of a techie, perhaps one who has worked in customer support. Give us the sort of problem report you’d like to receive.
the rule I make for plex going from a random external port to tcp port 32400 on an internal server
Personally, I’d use a modern VPN of some sort to make the internal services “local” to your remote locations, but in this specific case, even that isn’t necessary.
None of the inbound NAT rules were working. The reason why plex was working is because they (edited) were using the correct IP address and I was not! This actually makes more sense!
I solved my own issue. I was way overcomplicating this, and there was nothing wrong with my logic or my config, but I had a memory blip.
The way I connect to my home network is via a DNS CNAME that relies first upon the MikroTik DDNS. When I swapped the routers, I also swapped DNS A names. So since I got the new router in place, I have been trying to connect to the wrong IP address since the name hadn’t been updated with the new A record for the new MikroTik DNS name.
Wow! I was overcomplicating this, and it was just a DNS issue the whole time. Live and learn!
Reading forum posts about problems, some flaky behavior from the box and also seeing some packets come in out-of-order caused me to overthink this one, but it’s resolved now!
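For the port-forward setup in the opening post and the DDNS mix-up in the resolution, here is an added RouterOS 7 example (not the poster's export or MikroTik's own documentation) showing a minimal dst-nat rule next to the checks that tell "the rule is wrong" apart from "traffic never reaches this router". The interface name pppoe-out1, the LAN 192.168.88.0/24, the Plex host 192.168.88.10, the external port 43210 and the DDNS name are all assumed placeholders.

```routeros
# Added example, not from the thread. Names and addresses below are placeholders.

/interface list
add name=WAN
/interface list member
add interface=pppoe-out1 list=WAN

/ip firewall nat
# Outbound masquerade: the one rule the opening post reports as working.
add chain=srcnat out-interface-list=WAN action=masquerade comment="masq out WAN"
# Inbound forward: external tcp/43210 -> 192.168.88.10:32400 (assumed Plex host).
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=43210 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=32400 comment="plex fwd"

# Only needed if your forward chain ends in a drop. The RouterOS default
# filter already lets dst-nat'ed new connections from WAN through.
/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN action=accept comment="allow dst-nat'ed new"

# Check 1: what public address does this router hold right now?
/ip address print where interface=pppoe-out1
/ip cloud print

# Check 2: does the name you connect to still resolve to that address?
# If these differ, you are testing the wrong box, exactly the case in the thread.
:put [:resolve "example-router.sn.mynetname.net"]

# Check 3: while connecting from outside, do the dst-nat rule's counters move?
# Zero packets on "plex fwd" means the SYN never arrived; a rising count with
# no reply points at the filter chain or at the internal host instead.
/ip firewall nat print stats where comment="plex fwd"
/ip firewall connection print where dst-address~":32400"
```

Reset the counters with /ip firewall nat reset-counters-all before a test so a stale hit from an earlier attempt does not mislead you.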