New to Mikrotik and curious about this type of product, I bought an RB760iGS router yesterday. I configured it in my lab. Everything seems to work.
I ping my gateway (192.168.2.1)
I ping 8.8.8.8
The traceront works fine
Internally, I’m able to connect via WebFig on IP address 192.168.100.2
This same IP address is able to ping the web server in the LAN
I’ve set up a dst-NAT which seems fine. I’ve done a port opening in the filter, but I’m a bit confused, because in a lot of Internet tutorials, they do NAT, but don’t talk about firewall opening. In my world, you need both.
I’m attaching my config and if anyone could tell me what’s not working, because I’ve set up a pc on the untrusted interface (192.168.2.3) and I’m not able to reach the web server. myExportedConfig-3.rsc (3.13 KB)
Thanks for your help.
In this case, you don’t need the firewall rule. If you check default rules, you’ll see that forward chain has two rules that could possibly block something. One drops packets with invalid state, that’s not it. The other drops new connections from WAN, that could be it, but only when they are not dstnatted. So it won’t block yours to forwarded port 80. And what is not blocked is by default allowed.
If you have device with 192.168.2.3/24 connected to ether2, then connecting to 192.168.2.2:80 should work and you should reach 192.168.100.5:80.
Since you have a private IP for WANIP, my inclination is to state that port forwarding will not work based soley on your config.
You would need an upstream router perhaps an ISP modem/router to forward port 80 to 192.168.2.2 on the ISP LAN.
That’s what I think too, but no matter how many times I run the test and play with the rules in place, nothing happens with the Curl command. I see the connections arriving in “Firewall/Connections”.
As far as I’m concerned, this router isn’t intended to be displayed on the Internet. Opposite it, there’s already a router which is the default gateway (192.168.2.1) for the Mikrotik. I’m trying to figure out how it works, so I’ve made a subnet at /29 which I’ll change to /30 once everything’s working. Normally, by inserting a machine in the 192.168.2.0/29 subnet to test the Mikrotik, I should be able to simulate a connection from the Internet with the Curl command. I could very well not have used address translation, but I found it interesting to watch and understand how the Mikrotik works. Quite honestly, I can’t see what’s blocking it, and no matter how much I activate the logs, I can’t see much that would tell me where the problem lies, apart from private addressing.
If the new srcnat rule helped, then either NAS has invalid or missing gateway (it should be this router’s 192.168.100.2), or it doesn’t accept connections from non-local addresses (other that 192.168.100.x).
Your solution is kludge or some workaround that is going to bite you in the ass.
Assuming if you have a private IP that the upstream router can forward ports to the mikrotik and does so for each server instance.
( in this case the ISP router would have to forward ports to 192.168.2.2)
Can you indicate if you have only external users ( and assuming they reach your servers by using a dyndns url ( my netname type thingy)?
Or do you have internal users accessing the server ( by the same URL) and not by direct LANIP?
Lets adjust any firewall rules… if required TO:
Ordering rules within chains makes reading them easy and better for spotting errors, order WITHIN a chain is critical )
ip firewall filter
(input chain)
{ default rules to keep } add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
{ admin rules } add action=accept chain=input comment=“allow ONLY LAN” in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { make 100% sure you have the just above accept rule in place before putting this rule in place }
+++++++++++++++++++
{ default rules to keep } add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{ admin rules } add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”
A diagram of a thousand words…
I’d like to remind you that all interconnections work. The PC is able to connect to the Internet via the router. It can ping the Mikrotik and vice versa. The test with Curl from the PC with what I’ve set up works, even if it’s not optimal and I don’t doubt it. The Mikrotik beginner is me. The Mikrotik can join the NAS and is able to go out on the Internet for updates, tracing, etc…
For the moment, nothing is open from the Internet to send the flows I want to the Mikrotik until I’m sure of what I’m doing, and my aim is to filter on layer 7, which my router/firewall isn’t doing at the moment.
I’m going to read what you’ve written and thank you for that.
FYI, this setup is for my house and yes, DDNS works and allows remote access via a VPN and a DNS domain.
