hAP ac no Internet on LAN

smccloud · February 18, 2019, 6:35pm

I am in the process of setting up my hAP ac to replace my Meraki MX64. Initially, I had Internet access on it, but now I have lost it, I cannot think of a reason for this unless I have my NAT rules wrong.

# feb/18/2019 12:33:38 by RouterOS 6.43.12
# software id = RSZ9-Z8D6
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = NOWAY
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3390 protocol=tcp src-address=\
    216.251.177.50 to-addresses=172.16.6.11 to-ports=3389
add action=dst-nat chain=dstnat dst-port=32400 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=32400
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
    172.16.6.2 to-ports=51413
add action=dst-nat chain=dstnat dst-port=5631 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp \
    to-addresses=172.16.6.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=55555 protocol=udp to-addresses=\
    172.16.6.2 to-ports=55555
add action=dst-nat chain=dstnat dst-port=8100 protocol=tcp to-addresses=\
    172.16.6.7 to-ports=80

Do I have my NAT wrong? Internet came back when I disabled the port 443 one.

proximus · February 18, 2019, 6:58pm

Include a “in-interface=” parameter. As it is, the destination 443 rule is catching all 443 traffic.

smccloud · February 18, 2019, 7:05pm

That did it, thank you. I wish more guides online would have that included.

anav · February 19, 2019, 1:34pm

I think the key here is to think of MT functionality as being general and not specific.
In other words destination NAT and source NAT do not mean exclusively from WAN to LAN and LAN to WAN.
Its simply a way of tracking packets coming into one interface and going to another interface.

Thus its important to let the router know that the packets are coming in from the WAN side…
Otherwise how is it to know??
Concur the examples in the WIKI are sheite in this regard.

smccloud · February 19, 2019, 2:12pm

Still trying to get IPv6 working, specifically DNS. But I will figure it out.