Filter unwanted traffic to Dst-nat host

I’ve been running Mikrotik RB4xx for several years now. Typical setups have been main wifi router, ip filtering, ip masquerade, ipsec tunneling between tik->tik and tik->cisco etc. I just came across the need to set up dst-nat to port forward to an internal host at my office. I am also only allowing certain net blocks to access my office from the outside.

Here’s the scenario. I’m currently running a Mikrotik RB433AH for my router here at my office. I have several firewall rules setup and all is good. I am also configured for NAT. I’m at a point now where I need to retrieve data from a host located on the inside network “192.168.0.10”, protocol TCP and port 502. I will be accessing this internal host from a server that is located in a remote location with a static IP address. I need to allow this IP and everything else will need to be denied.

I add my dst-nat rule and once again all is fine there. However, since adding a dst-nat rule I can access this internal host from the outside, whereas I need to have this internal host only accessible from my equipment that is located at a datacenter.

From what I’ve read so far I do believe that NAT rules are processed first and then the firewall filter rules. So this explains why I’m able to access this device from the outside. How do I filter the outside world from accessing this internal device?

Do I need to add another rule, perhaps on the filter rules for chain=forward? I’ve read a lot of documentation thus far and now things are quite hazy, so any help would be awesome at this point.

Thanks in advance!

On dst-nat simply add src-address…
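As an added illustration (not part of either post above), here is what that looks like in RouterOS CLI syntax, combined with a matching forward-chain filter rule as the original question asked about. The WAN interface name ether1 and the remote server address 203.0.113.5 are assumptions; substitute your own. Because dst-nat runs in prerouting, by the time a packet reaches the forward chain its destination is already the translated address 192.168.0.10, which is why the filter rules match on that.

```routeros
# Added example, not from the original thread. Assumes WAN is ether1 and the
# remote datacenter server is 203.0.113.5 (both placeholders).

/ip firewall nat
# Only translate port 502 when the packet comes from the allowed source.
# Packets from anyone else are not dst-nat'ed at all and instead hit the
# router's own input chain, where they should be dropped by the existing rules.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=502 \
    src-address=203.0.113.5 action=dst-nat \
    to-addresses=192.168.0.10 to-ports=502 \
    comment="Modbus/TCP 502 -> 192.168.0.10, datacenter only"

/ip firewall filter
# Allow return traffic for connections that were already accepted.
add chain=forward connection-state=established,related action=accept
# Second line of defence: even if the NAT rule is later loosened, the forward
# chain only lets the datacenter server reach 192.168.0.10:502.
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.0.10 dst-port=502 src-address=203.0.113.5 \
    action=accept comment="permit datacenter -> 192.168.0.10:502"
# Drop any other inbound connection that was dst-nat'ed from the WAN.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=drop comment="drop all other port-forwarded traffic"
```

Order matters: the accept rules must sit above the drop rule in the forward chain, and the drop should be placed before any general "accept from WAN" rule you may already have. Check with `/ip firewall filter print stats` after connecting from an unauthorized address to confirm the drop counter increments.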