Forwarding ports

Hi!
I have a server with a simple web page (ports 80 & 443). On Tomato it was working very nicely. Now, on MT I'm failing with the configuration. I found this one: http://forum.mikrotik.com/t/port-80-redirect/131808/1 so I tried to do a similar thing:

# First attempt at the port forward (dst-nat to 192.168.88.5; the full export later in the thread uses 192.168.30.5).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Translate TCP 80/443 arriving from the WAN list to the web server.
# NOTE(review): in-interface-list=WAN means only traffic entering via the WAN list is translated. A LAN
# client that connects to the public or DDNS address never matches these rules (no hairpin NAT rule is
# present), so it reaches the router's own web service instead - consistent with the login page seen
# from inside.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.5
# The UDP copies add nothing for a plain HTTP/HTTPS server; they are disabled in the later export.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.88.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=udp to-addresses=192.168.88.5

First I tried TCP only, and when it wasn't working I also tried UDP. Each time I end up at the RouterOS login page on my public IP. What am I doing wrong?

Probably running into hairpin NAT.
Are local router users trying to reach the server via its LAN IP address or by some DynDNS URL (i.e. the WAN IP)?
It should not affect external users (did you test, e.g., with a cell phone via cellular)?

I tried to access it via cellphone and on it it's not working. You're right. It was somehow a local page. So maybe I need to add firewall rules?

[EDIT]
I tried with adding this:

add action=accept chain=forward dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp

And it helped. Thank you!

[EDIT2]
Yeah… Now I have DDNS configured and working. When I use my WAN IP I can see what I want, but when I use my DDNS subdomain it's not loading… What do I need to look for?

I need to see the full config.

Here it is:

# 2024-04-28 11:15:28 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# RB5009 with a VLAN-aware bridge: ether1-3 are tagged trunks, ether4-6 access ports, ether7 a
# dedicated management port and ether8 the WAN carrier.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Trk
set [ find default-name=ether2 ] name=ether2-Trk
set [ find default-name=ether3 ] name=ether3-Trk
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7-mgmt
set [ find default-name=ether8 ] mtu=1492 name=ether8-WAN
/interface vlan
# WAN is carried as tagged VLAN 35 on ether8 (MTU 1492, presumably to accommodate the PPPoE overhead).
add interface=ether8-WAN mtu=1492 name=wan-vlan35 vlan-id=35
add interface=bridge name=vlan1 vlan-id=11
add interface=bridge name=vlan2 vlan-id=12
add interface=bridge name=vlan3 vlan-id=13
add interface=bridge name=vlan99-work vlan-id=99
add interface=bridge name=vlan100-mgmt vlan-id=100
# The PPPoE session supplies the default route and upstream DNS; the export shows the user name only,
# no password.
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
# Three interface lists drive the firewall: WAN, the default LAN-mgmt and a separate LAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.10.220-192.168.10.229
add name=dhcp_pool2 ranges=192.168.20.220-192.168.20.239
add name=dhcp_pool3 ranges=192.168.30.220-192.168.30.229
add name=dhcp_pool4 ranges=192.168.40.100-192.168.40.109
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan1 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=1m name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool4 interface=vlan99-work lease-time=1m name=dhcp4
# No pool or DHCP server exists for the management VLAN (100); a reply says that is fine when
# management is done off the bridge.
/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100
# Neighbor discovery is limited to the management list (which below also contains bridge and vlan1).
/ip neighbor discovery-settings
set discover-interface-list=LAN-mgmt
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether7-mgmt vlan-ids=100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99
# Overlapping membership: bridge, vlan1 and vlan100-mgmt are in both LAN and LAN-mgmt, so a rule
# matching in-interface-list=LAN also matches the management VLAN. A reply says the bare bridge
# entries are not required.
/interface list member
add interface=bridge list=LAN-mgmt
add interface=vlan1 list=LAN-mgmt
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=vlan100-mgmt list=LAN-mgmt
add interface=pppoe-wan list=WAN
add interface=bridge list=LAN
add interface=vlan1 list=LAN
add interface=vlan100-mgmt list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan100-mgmt network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99-work network=192.168.40.0
# DHCP client on the physical WAN port alongside the PPPoE client on its VLAN; a later reply flags
# this as interfering.
/ip dhcp-client
add comment=defconf interface=ether8-WAN
/ip dhcp-server lease
# Web server pinned to 192.168.30.5 on vlan3 (subnet 30).
add address=192.168.30.5 mac-address=10:10:10:10:10:10 server=dhcp3
/ip dhcp-server network
# Every subnet is told to use the router itself as DNS server.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
# The router answers DNS requests; with this on, the input chain must keep port 53 from WAN
# closed (the defconf "!LAN" drop does so in this export).
/ip dns
set allow-remote-requests=yes
# IPv4 firewall (first export). Rules are evaluated top-down per chain; the first match wins.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not from the LAN list is dropped here. Because vlan1 and vlan100-mgmt are also members of
# LAN, every LAN VLAN (not only management) reaches all router services; port 53 from WAN is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN survive only if the dstnat chain translated them; this precedes the
# explicit accept for the web server below, so that accept only ever sees dst-nat'd traffic.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-state=new disabled=yes in-interface-list=LAN-mgmt out-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward connection-state=new in-interface=vlan2 out-interface=vlan3
add action=accept chain=forward disabled=yes in-interface=vlan1 out-interface=vlan2
# Explicit accept for the forwarded web server (added in the [EDIT] above); needed because the
# forward chain ends in an unconditional drop.
add action=accept chain=forward dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp
# Disabled, and would never match anyway: packets to 192.168.30.5 are forwarded, not delivered to the
# router, so they do not traverse the input chain.
add action=accept chain=input disabled=yes dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp
# Listing every connection state makes this equivalent to a plain drop-all for the forward chain.
add action=drop chain=forward comment="Drop all" connection-state=invalid,established,related,new,untracked
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port forwards match only traffic entering via the WAN list. A LAN client that connects to the
# public/DDNS address is therefore not translated (no hairpin NAT rule exists) and ends up at the
# router's own services instead of the server.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
# UDP forwards are disabled; a plain HTTP/HTTPS server does not need them.
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5
# IPv6 defaults from defconf; in this first export IPv6 is still enabled.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# The IPv6 chains drop on !LAN-mgmt (here and in the forward chain), whereas the IPv4 chains drop on
# !LAN, so over IPv6 only the management list would pass these rules.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/system scheduler
# Disabled DDNS updater. Its policy list grants far more than an IP-update script needs (password,
# sensitive, policy, romon among them); trim it to the policies the script actually uses when enabling.
add disabled=yes interval=1h name=duckdns-ip-update on-event="/system script run duckdns-ip-update;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-04-24 start-time=22:42:00
# MAC-level access (MAC telnet and MAC-Winbox) is limited to the management list, which in this
# export also contains bridge and vlan1.
/tool mac-server
set allowed-interface-list=LAN-mgmt
/tool mac-server mac-winbox
set allowed-interface-list=LAN-mgmt

Any ideas?

(1) The management VLAN/subnet has no pool, no DHCP etc. This makes sense if you intend to configure the router OFF the bridge, and that is highly recommended.
In that case no VLAN is defined for it and ether7 is NOT a member of the bridge. This is what I will show.

(2) You don't need connection-state=new in firewall rules. Each rule implicitly matches a new connection on the first packet that hits it, and subsequent packets travel through the fasttrack or established,related rule.

(3) The port forwarding rules are put in the dstnat chain

(4) Disable the IPv6 service if you are not using it, and remove the IPv6 address lists and firewall rules.

\

model = RB5009UG+S+

# Reply's proposed configuration; lines tagged REMOVE are to be deleted, ** marks the edited value.
# Management is moved off the bridge onto ether7 as a plain routed port.
/interface vlan
add interface=bridge name=vlan100-mgmt vlan-id=100 < —- REMOVE

/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN

/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100 <---- REMOVE

# VLAN 100 stays tagged on the trunks only; no untagged member port remains for it.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99,100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13

# The bare bridge interface is no longer a list member. ether7-mgmt and vlan1 form the management
# list, so vlan1 keeps full router access under the input rules proposed further down.
/interface list member
add interface=pppoe-wan list=WAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=ether7-mgmt list=LAN
add interface=vlan1 list=LAN-mgmt
add interface=ether7-mgmt list=LAN-mgmt

/ip address
# The management subnet is bound straight to the routed port.
add address=192.168.100.1/24 interface**=ether7-mgmt** network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99-work network=192.168.40.0
# Public upstream resolvers; the poster later says a Pi-hole is intended instead.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

# The forum rendered the quotes as typographic “ ” - replace them with plain ASCII " before pasting
# into RouterOS, or the comment= values will not parse.
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# Full router access from the management list (ether7-mgmt and vlan1 in this proposal) only.
add action=accept chain=input comment=“only if in management interface” in-interface-list=LAN-mgmt
# These two lines are identical; a later reply shows the second was meant to be protocol=udp, which
# client resolvers need for DNS queries to the router.
add action=accept chain=input comment=“user to services” dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment=“user to services” dst-port=53 protocol=tcp in-interface-list=LAN
# Final input drop: every router service not listed above is closed, including from LAN.
add action=drop chain=input comment=“Drop all else”
{ put this rule in last or will lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
# No connection-state=new here: a rule implicitly matches on a connection's first packet.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward in-interface=vlan2 out-interface=vlan3
# Accepts exactly what the dstnat chain translated, so the forward chain stays in step with the NAT
# rules without a per-host accept. The defconf "drop all from WAN not DSTNATed" rule is absent in
# this proposal; the final drop below covers that case.
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat { only rule in forward chain required for port forwarding }
add action=drop chain=forward comment=“Drop all else”

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
# Matches only traffic arriving via the WAN list; LAN clients using the public/DDNS name are not
# translated (no hairpin NAT), which is the VLAN3 case the reply says needs more changes.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
# MAC telnet is disabled entirely; MAC-Winbox stays reachable from the management list only.
/tool mac-server
set allowed-interface-list=NONE
**** { not secure so dont allow access via mac only }
/tool mac-server mac-winbox
set allowed-interface-list=LAN-mgmt

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now your port forwarding should work for external users.
If you have users IN VLAN3 (subnet 30) trying to reach servers on VLAN3, then we need to make more changes.
If you have other local users from VLAN1, VLAN2 or management trying to reach servers on VLAN3, you should be good to go.

To reach your router for config purposes on ether7, simply change the NIC settings on your PC/laptop and set its IPv4 address to 192.168.100.X, for example.
Otherwise, if you are on vlan1, you should also be able to reach the config (this time from a place on the bridge).

I modified the original post. So now the most important thing is that the rule below kills Internet access for all VLANs except vlan1.
add action=drop chain=input comment=“Drop all else”
The rule below helps, but it doesn't look like a clever idea…
add action=accept chain=forward connection-state=“” in-interface-list=LAN out-interface-list=WAN

Hi!
I made only the firewall modifications (VLAN100 and management: I want to talk about this later). Now I can access my server, but only from outside. From vlan1 & vlan2 I can only use the static local DNS address. Also I don't want to use Google's DNS - I have configured pihole and that's what I'll move on to after everything else works.

(disabled rules are underlined)

# Poster's modified firewall (forum paste: typographic quotes, [u]...[/u] marks a disabled rule, and
# some statements are wrapped onto two lines).
/ipv6 settings
set disable-ipv6=yes
{…}
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# Accepts every router service from the management list (which still contains bridge and vlan1).
add action=accept chain=input comment=“only if in management interface” in-interface-list=LAN-mgmt
# Only TCP 53 is accepted from LAN; client resolvers query over UDP 53, so this rule alone does not
# let LAN hosts use the router as DNS server (a reply below adds the UDP counterpart).
add action=accept chain=input comment=“user to services” dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
# This bare accept admits all router services from every LAN VLAN, which bypasses the DNS-only
# rule above and the final drop for LAN traffic; a reply below marks it for removal.
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input disabled=yes in-interface=vlan99
# Disabled, and unmatched even if enabled: traffic to 192.168.30.5 is forwarded, not input.
[u]add action=accept chain=input disabled=yes dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN [/u]
protocol=tcp
add action=drop chain=input comment=“Drop all”
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# connection-state=“” is how an emptied property is exported; presumably it behaves as if the property
# were unset (any state) - confirm. Simply omitting the property is what the reply asked for.
add action=accept chain=forward connection-state=“” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-state=“” disabled=yes in-interface-list=LAN-mgmt out-interface-list=WAN
add action=accept chain=forward connection-state=“” in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward connection-state=“” in-interface=vlan2 out-interface=vlan3
add action=accept chain=forward disabled=yes in-interface=vlan1 out-interface=vlan2
# With the dstnat-based accept right below, this host-specific accept is redundant.
add action=accept chain=forward dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all” connection-state=invalid,established,related,new,untracked


You also wrote:
(1) The management VLAN/subnet has no pool, no DHCP etc. This makes sense if you intend to configure the router OFF the bridge, and that is highly recommended.
In that case no VLAN is defined for it and ether7 is NOT a member of the bridge. This is what I will show.
I'll leave it for later, to fix one issue at a time.

(2) You don't need connection-state=new in firewall rules. Each rule implicitly matches a new connection on the first packet that hits it, and subsequent packets travel through the fasttrack or established,related rule.
done (at least on my rules)

(3) The port forwarding rules are put in the dstnat chain
That's how I made it (I think… and it's working strangely…).

(4) Disable the IPv6 service if you are not using it, and remove the IPv6 address lists and firewall rules.
done

Post the complete config for review as before.

As you wish:

# 2024-05-06 13:55:51 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# Second export (2024-05-06): the interface layout is unchanged from the first one.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Trk
set [ find default-name=ether2 ] name=ether2-Trk
set [ find default-name=ether3 ] name=ether3-Trk
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7-mgmt
set [ find default-name=ether8 ] mtu=1492 name=ether8-WAN
/interface vlan
add interface=ether8-WAN mtu=1492 name=wan-vlan35 vlan-id=35
add interface=bridge name=vlan1 vlan-id=11
add interface=bridge name=vlan2 vlan-id=12
add interface=bridge name=vlan3 vlan-id=13
add interface=bridge name=vlan99-work vlan-id=99
# Management is still a bridge VLAN; a reply suggests taking ether7 off the bridge instead.
add interface=bridge name=vlan100-mgmt vlan-id=100
# PPPoE session supplies the default route and upstream DNS; the export shows the user name only.
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.10.220-192.168.10.229
add name=dhcp_pool2 ranges=192.168.20.220-192.168.20.239
add name=dhcp_pool3 ranges=192.168.30.220-192.168.30.229
add name=dhcp_pool4 ranges=192.168.40.100-192.168.40.109
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan1 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=1m name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool4 interface=vlan99-work lease-time=1m name=dhcp4
# vlan100-mgmt still has no pool, DHCP server or dhcp-server network (a reply lists this as missing).
/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN-mgmt
# IPv6 is switched off here; the IPv6 firewall rules further down remain but are inert while it is off.
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether7-mgmt vlan-ids=100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99
# bridge, vlan1 and vlan100-mgmt are members of both LAN and LAN-mgmt, so a rule on
# in-interface-list=LAN also covers the management VLAN; a reply says the bare bridge entries
# are not required.
/interface list member
add interface=bridge list=LAN-mgmt
add interface=vlan1 list=LAN-mgmt
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=vlan100-mgmt list=LAN-mgmt
add interface=pppoe-wan list=WAN
add interface=bridge list=LAN
add interface=vlan1 list=LAN
add interface=vlan100-mgmt list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan100-mgmt network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99-work network=192.168.40.0
# DHCP client on the physical WAN port next to the PPPoE client on its VLAN; a reply flags this as
# interfering with PPPoE and asks for it to be disabled.
/ip dhcp-client
add comment=defconf interface=ether8-WAN
/ip dhcp-server lease
# Web server keeps a fixed address on vlan3 (subnet 30) via a static lease.
add address=192.168.30.5  mac-address=10:10:10:10:10:10 server=dhcp3
/ip dhcp-server network
# Every subnet hands out the router itself as DNS server, so the input chain must accept port 53
# (UDP as well as TCP) from the LAN VLANs for clients to resolve names.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
# IPv4 firewall (second export). The input chain now ends in an explicit drop.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Full router access for the management list, which in this export still includes bridge and vlan1.
add action=accept chain=input comment="only if in management interface" in-interface-list=LAN-mgmt
# TCP 53 only; client resolvers normally query over UDP 53, so by itself this does not let LAN hosts
# use the router as DNS server. A reply proposes adding the protocol=udp counterpart.
add action=accept chain=input comment="user to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# This bare accept exposes every router service to all LAN VLANs and makes the DNS-only rule above
# and the final drop ineffective for LAN. It is presumably what currently keeps DNS (and so Internet)
# working for the non-management VLANs; a reply marks it for removal once UDP 53 is accepted.
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input disabled=yes in-interface=vlan99-work
# Disabled and unreachable anyway: traffic to 192.168.30.5 is forwarded, not delivered to the router.
add action=accept chain=input disabled=yes dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input comment="Drop all"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New WAN connections survive only when the dstnat chain translated them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# connection-state="" is how an emptied property exports; presumably it behaves as if unset (any
# state) - confirm. Simply omitting the property is what the reply asked for.
add action=accept chain=forward connection-state="" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-state="" disabled=yes in-interface-list=LAN-mgmt out-interface-list=WAN
add action=accept chain=forward connection-state="" in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward connection-state="" in-interface=vlan2 out-interface=vlan3
add action=accept chain=forward disabled=yes in-interface=vlan1 out-interface=vlan2
# Redundant with the generic dstnat accept right below it.
add action=accept chain=forward dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp
# Accepts whatever the dstnat chain translated; keeps the forward chain in step with the NAT rules.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# Listing every state makes this a plain drop-all for the forward chain.
add action=drop chain=forward comment="Drop all" connection-state=invalid,established,related,new,untracked
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Only traffic entering via the WAN list is translated; LAN clients using the public/DDNS name are
# not (no hairpin NAT rule), which matches the report that the server is reachable only from outside.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
# UDP forwards disabled; not needed for plain HTTP/HTTPS.
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5
# IPv6 defconf rules left in place although IPv6 is disabled above; inert while disabled, and a
# reply suggested removing them.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Both IPv6 drops key on !LAN-mgmt rather than !LAN, unlike the IPv4 chains.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/system scheduler
# Disabled DDNS updater. Its policy list grants far more than an IP-update script needs (password,
# sensitive, policy, romon among them); trim it to the policies the script actually uses when enabling.
add disabled=yes interval=1h name=duckdns-ip-update on-event="/system script run duckdns-ip-update;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-04-24 start-time=22:42:00
# MAC telnet is now off entirely (changed from LAN-mgmt in the first export); MAC-Winbox remains
# limited to the management list, which here still contains bridge and vlan1.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN-mgmt

I didn’t touch management VLAN/port. This will be last thing to set up.

(1) Why do you keep adding the bridge to the interface lists… it's not required!

/interface list member
add interface=pppoe-wan list=WAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=vlan100-mgmt list=LAN
add interface=vlan1 list=LAN-mgmt
add interface=vlan100-mgmt list=LAN-mgmt

add interface=bridge list=LAN-mgmt <— REMOVE
add interface=bridge list=LAN <— REMOVE

(2) MISSING DHCP Server, IP pool, and dhcp-server network for vlan-id=100

(3) ERROR — DISABLE this: you have defined a PPPoE client, and this DHCP client will interfere with it!!!
/ip dhcp-client
add comment=defconf interface=ether8-WAN

(4) Input chain rules still overcooked and some duplication… Keep it simple.
FROM:
add action=accept chain=input comment="only if in management interface" in-interface-list=LAN-mgmt KEEP!
add action=accept chain=input comment="user to services" dst-port=53 in-interface-list=LAN protocol=tcp KEEP!
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp ADD
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN REMOVE
add action=accept chain=input in-interface-list=LAN REMOVE

add action=accept chain=input disabled=yes in-interface=vlan99-work REMOVE
add action=accept chain=input disabled=yes dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN
protocol=tcp
REMOVE
add action=drop chain=input comment=“Drop all” KEEP

(5) SAME with Forward CHAIN… Keep it simple.
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
REMOVE!
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN KEEP
add action=accept chain=forward disabled=yes in-interface-list=LAN-mgmt out-interface-list=WAN REMOVE
add action=accept chain=forward in-interface-list=LAN-mgmt out-interface-list=LAN KEEP
add action=accept chain=forward in-interface=vlan2 out-interface=vlan3 KEEP
add action=accept chain=forward disabled=yes in-interface=vlan1 out-interface=vlan2 REMOVE
add action=accept chain=forward dst-address=192.168.30.5 dst-port=80,443 in-interface-list=WAN protocol=tcp REMOVE
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat KEEP — the only rule needed for port forwarding in the forward chain!
add action=drop chain=forward comment="Drop all" connection-state=invalid,established,related,new,untracked — remove the connection-state=… portion (shown in orange).

(6) Get rid of duplicates
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.30.5

(7) You have disabled IPV6, so why still show all the firewall address lists and firewall rules for iPV6…??? Delete!

(8) In terms of port forwarding this should work, unless the users accessing the server are in the SAME subnet as the server and try to reach it by the WAN IP / DynDNS URL.

Thank you very much! At the bottom is my current config and my comments in the modified quote.

The current config:

# 2024-05-06 17:47:04 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# Single bridge with VLAN filtering enabled; admin-mac redacted by the poster.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# ether1-3: VLAN trunks; ether4-6: access ports; ether7: management port;
# ether8: physical WAN uplink (MTU 1492, the usual PPPoE framing allowance).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Trk
set [ find default-name=ether2 ] name=ether2-Trk
set [ find default-name=ether3 ] name=ether3-Trk
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7-mgmt
set [ find default-name=ether8 ] mtu=1492 name=ether8-WAN
# Router-side VLAN interfaces. VLAN 35 on ether8 carries the ISP PPPoE session;
# vlan1/2/3/99-work/100-mgmt terminate on the bridge.
/interface vlan
add interface=ether8-WAN mtu=1492 name=wan-vlan35 vlan-id=35
add interface=bridge name=vlan1 vlan-id=11
add interface=bridge name=vlan2 vlan-id=12
add interface=bridge name=vlan3 vlan-id=13
add interface=bridge name=vlan99-work vlan-id=99
add interface=bridge name=vlan100-mgmt vlan-id=100
# pppoe-wan is the actual WAN interface (installs the default route, takes ISP
# DNS). No password appears in this export — NOTE(review): confirm whether it
# was redacted or omitted by the export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
# Interface lists drive almost every firewall rule in this export:
#   WAN      = the PPPoE interface
#   LAN-mgmt = interfaces allowed to reach the router itself
#   LAN      = user VLANs
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.10.220-192.168.10.229
add name=dhcp_pool2 ranges=192.168.20.220-192.168.20.239
add name=dhcp_pool3 ranges=192.168.30.220-192.168.30.229
add name=dhcp_pool4 ranges=192.168.40.100-192.168.40.109
# One DHCP server per VLAN; no server exists for vlan100-mgmt.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan1 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=1m name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool4 interface=vlan99-work lease-time=1m name=dhcp4
# Trunk ports accept tagged frames only; access ports accept untagged frames
# and assign them to their pvid. sfp-sfpplus1 is disabled.
/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100
# Neighbor discovery only on LAN-mgmt members (see membership note below).
/ip neighbor discovery-settings
set discover-interface-list=LAN-mgmt
# IPv6 is globally disabled; the /ipv6 firewall sections later in this export
# are inactive as long as this stays set.
/ipv6 settings
set disable-ipv6=yes
# Bridge VLAN table: the bridge itself is tagged on every VLAN so the router's
# vlanX interfaces receive traffic. VLAN 99 exists only on the trunks.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether7-mgmt vlan-ids=100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99
# NOTE: vlan1 and vlan100-mgmt are members of BOTH LAN and LAN-mgmt. Every
# LAN-mgmt privilege in this config (unrestricted input-chain access to the
# router, forwarding into every LAN VLAN, neighbor discovery, MAC-winbox)
# therefore also applies to vlan1. If vlan1 is an ordinary user VLAN, remove
# it from LAN-mgmt.
/interface list member
add interface=vlan1 list=LAN-mgmt
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=vlan100-mgmt list=LAN-mgmt
add interface=pppoe-wan list=WAN
add interface=vlan1 list=LAN
add interface=vlan100-mgmt list=LAN
# Gateway address per VLAN (/24 each).
/ip address
add address=192.168.100.1/24 interface=vlan100-mgmt network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99-work network=192.168.40.0
# Disabled: WAN addressing comes from the PPPoE session, not DHCP on ether8.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether8-WAN
# Static lease pinning the web server to 192.168.30.5 (MAC looks like a
# placeholder in this export).
/ip dhcp-server lease
add address=192.168.30.5 mac-address=10:10:10:10:10:10 server=dhcp3
# Every VLAN hands out the router as its DNS server, so the input chain must
# accept DNS (tcp AND udp 53) from the LAN list for these clients to resolve.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
# allow-remote-requests=yes makes the router answer DNS for anything that can
# reach it; exposure is bounded only by the input chain, whose final rule
# drops all traffic not explicitly accepted. Keep that final drop.
/ip dns
set allow-remote-requests=yes
# Local name for the web server; LAN clients using srv.lan reach the host
# directly, without going through the WAN dst-nat.
/ip dns static
add address=192.168.30.5 name=srv.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Unrestricted access to every router service from LAN-mgmt members
# (vlan100-mgmt and, through list membership, vlan1).
add action=accept chain=input comment="only if in management interface" in-interface-list=LAN-mgmt
# Only TCP/53 is accepted from the LAN list, yet the DHCP networks point
# clients at the router for DNS. Ordinary lookups use UDP/53, so vlan2/3/99
# clients cannot resolve until a matching protocol=udp rule is added.
add action=accept chain=input comment="user to services" dst-port=53 in-interface-list=LAN protocol=tcp
# Final unconditional drop: this is what keeps the resolver and all other
# router services closed to WAN and to non-management VLANs.
add action=drop chain=input comment="Drop all"
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttrack sits before the generic accept so established flows bypass the
# remaining rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# connection-state="" on the next rules looks like an export artefact for
# "no connection-state matcher" — NOTE(review): verify against the live ruleset.
add action=accept chain=forward connection-state="" in-interface-list=LAN out-interface-list=WAN
# LAN-mgmt (which includes vlan1) may initiate connections into every LAN VLAN.
add action=accept chain=forward connection-state="" in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward connection-state="" in-interface=vlan2 out-interface=vlan3
# Accepts ANY connection the NAT table dst-natted, from any interface, so the
# effective exposure is defined entirely by the dst-nat rules below (currently
# tcp/80,443 from WAN to 192.168.30.5). Every additional dst-nat rule
# automatically gets a forward path through this rule — review both tables
# together when publishing something new.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all" connection-state=""
/ip firewall nat
# Source NAT for traffic leaving via WAN that has no IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Published services: only tcp/80 and tcp/443 arriving on WAN, to the web server.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
# Default IPv6 firewall, inert while /ipv6 settings disable-ipv6=yes. If IPv6
# is ever re-enabled this becomes the live policy as-is: note that both chains
# end by dropping everything not from LAN-mgmt, so the LAN-only VLANs
# (vlan2/3/99) would get no IPv6 forwarding at all. Review before re-enabling.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
# MAC-telnet is off; MAC-winbox answers only on LAN-mgmt members, which (via
# list membership) includes vlan1 as well as vlan100-mgmt.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN-mgmt

I still see iPV6 lists and firewall rules LOL

(2) what is the purpose of this rule…
Lets get rid of it for now (DISABLE)
/ip dns static
add address=192.168.30.5 name=srv.lan
???

Also add this
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 { unless using ISP DNS; if so, ignore this addition }

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now for some magic, Going to ensure the dyndns url approach works properly
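/ip firewall address-list
# "mynetname" is a placeholder: replace it with the DDNS host name (e.g. the
# /ip cloud name). Given a host name, RouterOS resolves it and keeps a dynamic
# entry in the list. The poster observed that after a WAN IP change the old
# address stayed matchable for a while — presumably a stale dynamic entry that
# has not yet expired; confirm against the live list.
add address=mynetname list=MyWANIP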

Whatever your users are using to reach the server ( ip cloud name or third party dyndns name etc. ) ( assuming not using direct IP address 192.168.30.5: Port # )

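# Match the address-list, not a literal address: dst-address= expects an IP or
# prefix, so a list name must be given through dst-address-list=.
# There is deliberately no in-interface-list=WAN here, so LAN clients that use
# the public name are dst-natted too (hairpin). If client and server share a
# subnet (192.168.30.0/24), the reply path additionally needs a srcnat
# (masquerade) rule for that LAN-to-LAN dst-natted traffic.
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-port=80 protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-port=443 protocol=tcp to-addresses=192.168.30.5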

I had some time to try this and it works (IP and address). Maybe for the future I’ll use this approach only modifying DDNS script to also update this. But now it should work without that kind of workarounds… It was already working on Tomato router with automatic DDNS refresh and port forwarding (80 & 443 only).
The only thing is that when the WAN IP changes I can still access the server via the old IP. In ‘/ip/firewall/address-list’ a dynamic entry appears, but as you wrote: it’s ‘magic’, not a solution.

OK, I lost the moment when vlan2, vlan3 and vlan99 lost Internet connection. I made some additional changes and I have quite old backup… I made the changes again. IP v6 partially is still there.

V012 of the config:

# 2024-05-07 00:31:51 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# Single bridge with VLAN filtering enabled; admin-mac redacted by the poster.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# ether1-3: VLAN trunks; ether4-6: access ports; ether7: management port;
# ether8: physical WAN uplink (MTU 1492, the usual PPPoE framing allowance).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Trk
set [ find default-name=ether2 ] name=ether2-Trk
set [ find default-name=ether3 ] name=ether3-Trk
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7-mgmt
set [ find default-name=ether8 ] mtu=1492 name=ether8-WAN
# Router-side VLAN interfaces. VLAN 35 on ether8 carries the ISP PPPoE session;
# vlan1/2/3/99/100-mgmt terminate on the bridge (vlan99-work was renamed to
# vlan99 in this revision).
/interface vlan
add interface=ether8-WAN mtu=1492 name=wan-vlan35 vlan-id=35
add interface=bridge name=vlan1 vlan-id=11
add interface=bridge name=vlan2 vlan-id=12
add interface=bridge name=vlan3 vlan-id=13
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100-mgmt vlan-id=100
# pppoe-wan is the actual WAN interface (installs the default route, takes ISP
# DNS). No password appears in this export — NOTE(review): confirm whether it
# was redacted or omitted by the export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
# Interface lists drive almost every firewall rule in this export:
#   WAN      = the PPPoE interface
#   LAN-mgmt = interfaces allowed to reach the router itself
#   LAN      = user VLANs
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.10.220-192.168.10.229
add name=dhcp_pool2 ranges=192.168.20.220-192.168.20.239
add name=dhcp_pool3 ranges=192.168.30.220-192.168.30.229
add name=dhcp_pool4 ranges=192.168.40.100-192.168.40.109
# One DHCP server per VLAN; no server exists for vlan100-mgmt.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan1 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=1m name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool4 interface=vlan99 lease-time=1m name=dhcp4
# Trunk ports accept tagged frames only; access ports accept untagged frames
# and assign them to their pvid. sfp-sfpplus1 is disabled.
/interface bridge port
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100
# Neighbor discovery only on LAN-mgmt members (see membership note below).
/ip neighbor discovery-settings
set discover-interface-list=LAN-mgmt
# IPv6 is globally disabled; the /ipv6 firewall sections later in this export
# are inactive as long as this stays set.
/ipv6 settings
set disable-ipv6=yes
# Bridge VLAN table: the bridge itself is tagged on every VLAN so the router's
# vlanX interfaces receive traffic. VLAN 99 exists only on the trunks.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether7-mgmt vlan-ids=100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99
# NOTE: vlan1 and vlan100-mgmt are members of BOTH LAN and LAN-mgmt. Every
# LAN-mgmt privilege in this config (unrestricted input-chain access to the
# router, forwarding into every LAN VLAN, neighbor discovery, MAC-winbox)
# therefore also applies to vlan1. If vlan1 is an ordinary user VLAN, remove
# it from LAN-mgmt.
/interface list member
add interface=vlan1 list=LAN-mgmt
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99 list=LAN
add interface=vlan100-mgmt list=LAN-mgmt
add interface=pppoe-wan list=WAN
add interface=vlan1 list=LAN
add interface=vlan100-mgmt list=LAN
# Gateway address per VLAN (/24 each). The defconf DHCP client on ether8 is
# gone in this revision, so WAN addressing comes solely from PPPoE.
/ip address
add address=192.168.100.1/24 interface=vlan100-mgmt network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99 network=192.168.40.0
# Static lease pinning the web server to 192.168.30.5 (MAC looks like a
# placeholder in this export).
/ip dhcp-server lease
add address=192.168.30.5 mac-address=10:10:10:10:10:10 server=dhcp3
# Every VLAN hands out the router as its DNS server; the input chain accepts
# both tcp and udp 53 from the LAN list in this revision.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
# allow-remote-requests=yes makes the router answer DNS for anything that can
# reach it; exposure is bounded only by the input chain, whose final rule
# drops all traffic not explicitly accepted. Keep that final drop.
/ip dns
set allow-remote-requests=yes
# Local name for the web server; LAN clients using srv.lan reach the host
# directly, without going through the WAN dst-nat.
/ip dns static
add address=192.168.30.5 name=srv.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Unrestricted access to every router service from LAN-mgmt members
# (vlan100-mgmt and, through list membership, vlan1).
add action=accept chain=input comment="only if in management interface" in-interface-list=LAN-mgmt
# DNS from the user VLANs: both tcp and udp 53, matching the DHCP networks
# that point clients at the router.
add action=accept chain=input comment="user to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="user to services" dst-port=53 in-interface-list=LAN protocol=udp
# Final unconditional drop: this is what keeps the resolver and all other
# router services closed to WAN and to non-management VLANs.
add action=drop chain=input comment="Drop all"
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttrack sits before the generic accept so established flows bypass the
# remaining rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# connection-state="" on the next rules looks like an export artefact for
# "no connection-state matcher" — NOTE(review): verify against the live ruleset.
add action=accept chain=forward connection-state="" in-interface-list=LAN out-interface-list=WAN
# LAN-mgmt (which includes vlan1) may initiate connections into every LAN VLAN.
add action=accept chain=forward connection-state="" in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward connection-state="" in-interface=vlan2 out-interface=vlan3
# Accepts ANY connection the NAT table dst-natted, from any interface, so the
# effective exposure is defined entirely by the dst-nat rules below (currently
# tcp/80,443 from WAN to 192.168.30.5). Every additional dst-nat rule
# automatically gets a forward path through this rule — review both tables
# together when publishing something new.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all" connection-state=""
/ip firewall nat
# Source NAT for traffic leaving via WAN that has no IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Published services: only tcp/80 and tcp/443 arriving on WAN, to the web server.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
# Default IPv6 firewall, inert while /ipv6 settings disable-ipv6=yes. If IPv6
# is ever re-enabled this becomes the live policy as-is: note that both chains
# end by dropping everything not from LAN-mgmt, so the LAN-only VLANs
# (vlan2/3/99) would get no IPv6 forwarding at all. Review before re-enabling.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
# MAC-telnet is off; MAC-winbox answers only on LAN-mgmt members, which (via
# list membership) includes vlan1 as well as vlan100-mgmt.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN-mgmt

@anav, would you be so kind to help me? Or that “magic trick” is the final option? But after IP change I have new dynamic rule. And this doesn’t look nice. Like 2 IPs redirected to my local server. And also - it’s local and I want to have access to my server like everybody else.

I look at a lot of configs so at this point before I relook at the config above, let me know the requirements

a. identify all the user(s)/device(s) / groups of users and devices, including admin, and including internal and external users
b. identify what traffic they need.

Number and type of WAN connections ( static/dynamic, public/private)
Any VPN to the WAN
Any Servers on the LAN

Thank you very much!

admin is not an account, just a special user LOL, will look at this later when have time