Hi all,
My primary motivation is I am trying to expose a self-hosted server to the internet (running in a VM on a machine on ether3).
Though I am also open to completely reconfiguring my network. I notably would love input on my firewall and changes you would suggest.
I currently have 3 vlans - ‘trusted’, iot, and guest. Wondering if I should make a 4th for my servers… though also have no clue if my vlans are set up properly.
I set up NAT but that didn't work. (Though, a question: my public IP can change; is there a way to have the dst-address be a dynamic variable?) Going to 192.168.88.197 on my
[admin@MikroTik] /ip firewall nat> print
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
<3 disabled rules removed>
4 chain=dstnat action=dst-nat to-addresses=192.168.88.197 protocol=tcp dst-address=<myPublicIP> dst-port=443
And my firewall filter:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
I ran /user export file=myconfigTest and it output:
# feb/09/2025 13:38:23 by RouterOS 6.49.11
# software id = 3WF5-RY4S
#
# model = RB952Ui-5ac2nD
# serial number = <cut>
/user
add comment="system default user" group=full name=admin
Thanks!
I have two desired end results - one (ultimate) is plex access; with an intermediary goal of being able to use SWAG (Which is configured with authelia) for access.
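One way to answer the dynamic public IP question, as an added example that is not part of the original post: match the dst-nat rule on the WAN interface list and on `dst-address-type=local` (any address the router itself holds) instead of hard-coding the public IP, then keep the forward chain default-deny so only the published port reaches the server. It reuses the values from the post (server 192.168.88.197, TCP/443, interface lists WAN and LAN from defconf); the LAN subnet 192.168.88.0/24 used for the hairpin rule is an assumption.

```routeros
# Added example (not from the original post): publish TCP/443 to a LAN host
# from a RouterOS 6.x router whose public IP changes.
# Assumptions: interface lists WAN and LAN exist (they do in defconf),
# the server is 192.168.88.197 and the LAN subnet is 192.168.88.0/24.

/ip firewall nat
# Match "arrived on WAN" plus "destined to one of this router's own addresses"
# instead of a fixed dst-address, so the rule survives a public IP change.
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address-type=local \
    protocol=tcp dst-port=443 to-addresses=192.168.88.197 to-ports=443 \
    comment="publish reverse proxy (SWAG) on 443"

# Hairpin NAT: lets LAN clients reach the service through the public name.
# Without it the server sees the client's private source address and answers
# directly, bypassing the router, so the TCP handshake never completes.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.197 protocol=tcp dst-port=443 \
    comment="hairpin NAT for 443"

/ip firewall filter
# defconf rule 11 ("drop all from WAN not DSTNATed") already blocks unsolicited
# WAN traffic. The explicit accept below documents exactly which DNATed traffic
# is allowed (one host, one port), and the final drop turns the forward chain
# into default-deny so no other DNATed connection falls through to the implicit
# accept at the end of the chain.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN dst-address=192.168.88.197 protocol=tcp dst-port=443 \
    comment="allow published 443 to the server only"
add chain=forward action=drop in-interface-list=WAN \
    comment="drop everything else arriving from WAN"
```

After adding the rules, `/ip firewall nat print stats` and `/ip firewall filter print stats` show per-rule packet counters, which is the quickest way to confirm that a connection from outside is hitting the dst-nat rule and the accept rule rather than the drop. Keeping only 443 published and letting SWAG (with Authelia in front) proxy to Plex means the media server itself is never directly reachable from the internet.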