The first thing I’ve learned to check when dst-nat fails is: Does the target device (10.175.78.2 in your case) have the router (where the forward rule is being applied) as its default gateway for internet?
If it doesn’t have the mikrotik as its default gateway, then you should change that if you can (or create a specific static route on the target host pointing to the connecting host via the mikrotik as its gateway), otherwise your only option is srcnat (hairpin or masquerade) AFAIK
Basically, the traffic returning from the target device needs to route back through the same router doing the dst-nat forwarding, otherwise any other configured gateways are likely to mark the packets as invalid & drop them on the spot.
If no traffic even hits the dst-nat rule, then the problem is likely firewall-related, or your ISP is blocking access to that port on their side so the traffic never even reaches your main router. Make sure there are no other NAT rules above this one, such as a DMZ rule, which could be intercepting that traffic and not letting it pass through to your dst-nat rule.
The forward chain is not normally the place to make port forwarding rules, and thus this needs to either move to dstnat, or be removed entirely
The forward chain is missing a rule to permit port forwarding (besides the fact that the rules are not well put together or complete):
add chain=forward action=accept connection-nat-state=dstnat
This is a rule begging for problems… first of all access to the router itself externally should ONLY be via VPN. Recommend deleting ASAP.
add action=accept chain=input comment="ROOT toegang" src-address=217.119.224.143
The port forward is done in dst-nat chain. We are also the isp, so we know for sure that the traffic is not blocked.
Regarding the rule for accepting the dstnat traffic in filter: there is no blocking rule, so then this is not needed? MikroTik firewall accepts by default, right?
Yes you are right it should be permitted as the Default Concept for beginners is to allow ALL unless blocked.
Anyone with a minute of experience quickly changes this to BLOCK ALL unless allowed.
Being an ISP one would think you would be of the ILK to block ALL…
(1) Discrepancy: You have five vlans and four pools… ( which is werkplekken SALTO or EAPICTY PRINTEN ?? )
(2) Discrepancy: Which is not like the others!
/ip dhcp-server
add address-pool=dhcp_pool_mgmt authoritative=after-2sec-delay disabled=no interface=mgmt lease-time=3d name=dhcp-mgmt
add address-pool=dhcp_pool_ssid-### authoritative=after-2sec-delay disabled=no interface=ssid-### lease-time=3d name=dhcp-ssid-###
add address-pool=dhcp_pool_ssid-###-guest authoritative=after-2sec-delay disabled=no interface=ssid-###-guest lease-time=3d name=dhcp-ssid-###-guest
add address-pool=dhcp_pool_werkplekken authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=dhcp-werkplekken
(3) Discrepancy: What is not right?
/ip address
add address=10.180.78.1/24 interface=ether2-sw01 network=10.180.78.0
add address=10.175.78.1/24 interface=mgmt network=10.175.78.0
add address=10.176.78.1/24 interface=ssid-### network=10.176.78.0
add address=10.177.78.1/24 interface=ssid-###-guest network=10.177.78.0
add address=10.179.78.1/24 interface=ether5 network=10.179.78.0
(4) What is right about IP addresses… can you tell ???
Yes, finally we see that perhaps there are 5 subnets and thus matches back to the initial 5 VLANS ))))
(5) I am not an ISP so I have no clue on WTF you are doing with port 4000, but this seems very WRONG to me! So can you please explain the purpose of these three rules and how they will function??
/ip firewall filter
add action=accept chain=input dst-port=4000 log=yes log-prefix="input 4000:" protocol=tcp
add action=accept chain=forward dst-port=4000 in-interface=pppoe-out1 log=yes log-prefix="forward 4000:" protocol=tcp
add action=dst-nat chain=dst-nat in-interface=pppoe-out1 log=yes log-prefix="dstnat:" port=4000 protocol=tcp to-addresses=10.175.78.2 to-ports=22
(6) Should one assume these are LAN IPs with access to the router?? (if so, at least state in-interface-list=LAN)
add action=accept chain=input comment="ROOT toegang" src-address-list=mgmt
If you say that you’re ISP, I guess I can’t seriously ask if you know what is public address and if you’re sure that you have it. But not having it would be one explanation for no hits on dstnat rule. Another could be if you’d be testing this from inside, it wouldn’t work because of in-interface=pppoe-out1.
@anav: About (5), dstnat is incomplete (it’s missing dst-port=4000) and the two filter rules are nonsense/wrong (input for port 4000 is useless, because dstnat won’t let it go there, and forward for port 4000 is wrong because at that point it will have destination port 22).
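The three port-4000 rules rewritten with the corrections raised in this thread, as an added example that is not the OP's config nor a rule set posted by anyone in the thread: the dst-nat rule lives in the built-in dstnat chain with an explicit dst-port matcher, the forward rule accepts on connection-nat-state instead of on port 4000 (which the packet no longer carries after translation), and router access is limited to the mgmt address list. The address-list contents and the comments are assumptions.

```routeros
# Port forward: external TCP/4000 on pppoe-out1 -> 10.175.78.2:22.
# Built-in chain is "dstnat"; a custom chain name would never be consulted.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=4000 \
    action=dst-nat to-addresses=10.175.78.2 to-ports=22 \
    log=yes log-prefix="dstnat:" comment="SSH to mgmt host (assumed purpose)"

# Assumed: the hosts allowed to reach the router itself.
/ip firewall address-list
add list=mgmt address=10.175.78.0/24 comment="management LAN (assumption)"

/ip firewall filter
# Return packets that arrived via another gateway show up as invalid; drop them
# instead of letting them reach the host, so the routing problem is visible in logs.
add chain=forward action=drop connection-state=invalid log=yes log-prefix="fwd-invalid:"
add chain=forward action=accept connection-state=established,related
# Accept only the translated connections; the filter sees dst-port 22 here,
# so matching on dst-port=4000 in forward can never hit.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=pppoe-out1 comment="port-forwarded traffic only"
add chain=forward action=drop in-interface=pppoe-out1 comment="everything else from WAN"
# No input rule for port 4000: after dst-nat the packet is forwarded, not delivered
# to the router, so an input accept for 4000 is dead code.
add chain=input action=accept in-interface-list=LAN src-address-list=mgmt \
    comment="ROOT toegang"
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=pppoe-out1

# Verify from the WAN side, then check the hit counter on the dstnat rule:
#   /ip firewall nat print stats where chain=dstnat
# Also confirm on 10.175.78.2 that its default gateway is 10.175.78.1.
```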
You failed to read point 7 but YES!! I was hoping for the OP to discover that his rules were nonsense, you know light bulb on moment, concrete learning achieved/assimilated. …sigh…
This is a lab setup. A lot of config isn’t right. One vlan should not exist anymore. That is replaced with a dedicated port ether 5. There are 5 ip networks. Only 4 dhcp-servers because one network is static assignments only.
For the dst-nat I have tried a lot of things in the firewall because I was sure it was something that is blocked in the firewall. That’s the reason why there are some strange firewall rules. It was just for learning. I know some rules are nonsense.
I know for sure it has a public IP address. It gets a public address from our BRAS via PPPoE.
Then double-check if there really isn’t any filtering on the way. If PPPoE gets public address and you connect to it from internet (or from your ISP network, just from router’s WAN side), then dstnat rule must get some hits. Even if the whole thing didn’t work for another reason, this is the first step that must happen.