DMZ

Hello,
I am new to Mikrotik products.

I’m struggling to make a DMZ without losing control remotely or locally on the Mikrotik.

I have a Mikrotik router and a Draytek router.
I want to put a DMZ from the Mikrotik to the Draytek.
I want to pass all the flows from the Mikrotik to the Draytek while keeping control remotely and locally on the Mikrotik.
I created a dnat rule, but I think it is too broad: when I apply it, I lose control of my Mikrotik remotely and locally.
How can I refine this rule so that I can access the Mikrotik remotely and locally?

The IP address of the Mikrotik: 192.168.88.1
The IP address of the Draytek: 192.168.88.2

Thank you for your answers.

Why bother with the Mikrotik, then? Just attach the Draytek to the internet.

There is probably a reason for having 2 routers in a chain :joy:

“DMZ” typically means “forward whatever incoming request comes to my WAN address further to a particular LAN address”, which by definition includes incoming requests towards remote management services of the device performing such forwarding. So if you want “whatever incoming request except the ones to my own management”, you must exempt these requests from the effect of the DMZ rule. This is easiest done by placing an action=accept rule matching on these specific requests before (above) the DMZ one. As you haven’t specified which service you use for remote management and whether you have kept the default port for it, I can only suggest chain=dstnat action=accept protocol=tcp dst-port=. Bear in mind that action=accept in nat does not substitute for action=accept in filter. In any case, you have to use different ports on the Mikrotik and on the Draytek for each service on the Mikrotik that should be exempted from the DMZ rule.

Other than that, you normally need the DMZ treatment only for requests coming from the internet, so you should add a match condition in-interface= or in-interface-list=WAN to the DMZ rule (and maybe also the exemption one); which one is more appropriate depends on the rest of your configuration.
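The rule ordering described in the answer above, written out as a RouterOS configuration. This is an added example and not part of the original posts. It assumes WinBox on its default TCP port 8291 as the management service, an interface list named WAN that contains the uplink, and a hypothetical address list mgmt-allowed holding a constructed admin address.

```routeros
# Added example: DMZ to the Draytek with a management exemption on the Mikrotik.
# Assumptions (not stated in the thread): WinBox on TCP 8291, interface list
# "WAN", address list "mgmt-allowed", admin address 203.0.113.10 (constructed).

/ip firewall address-list
# Sources allowed to reach the Mikrotik's own management from the internet.
add list=mgmt-allowed address=203.0.113.10 comment="constructed admin address"

/ip firewall nat
# 1) Exemption, placed first: dstnat rules are evaluated top to bottom and the
#    first match ends processing, so action=accept leaves the destination
#    untouched and the connection terminates on the Mikrotik itself.
add chain=dstnat action=accept protocol=tcp dst-port=8291 \
    in-interface-list=WAN comment="exempt WinBox from DMZ"

# 2) DMZ rule, placed after the exemption: everything else arriving on WAN is
#    forwarded to the Draytek. Matching on in-interface-list=WAN keeps LAN
#    clients' connections to 192.168.88.1 out of this rule, so local
#    management is unaffected.
add chain=dstnat action=dst-nat to-addresses=192.168.88.2 \
    in-interface-list=WAN comment="DMZ to Draytek"

/ip firewall filter
# 3) accept in nat only skips the translation; the input chain must still
#    permit the connection. Limit it to the trusted sources and move this
#    rule above any rule in chain=input that drops traffic from WAN.
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=WAN src-address-list=mgmt-allowed \
    comment="WinBox from trusted sources only"
```

With this layout the Draytek cannot receive TCP 8291 from the internet, which is why a service exempted on the Mikrotik needs a different port on the Draytek.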

Exactly, ascertaining the configuration of devices helps understand the request and limitations imposed by the configuration.