I have very limited understanding of Mikrotik and RouterOS and have generally used ‘out the box’ setup with one or two limited modifications. I’ve decided to take it slower with my new Mikrotik Hex on my journey to set up a performant Fibre/LTE failover setup. Right now, I’m just learning how NAT and the firewall works - the router sits in my garage, and I need to access it from my general network while I play around with configuration.
Question:
How do I allow access to the webfig (or any ip on the Mikrotik network) from my laptop behind the WAN on my local network on the default config? I’m confused between src-nat and dst-nat and trying to learn the basic networking and routerOS concepts as I build up my configuration, so thank you for your help!
Network Context:
Network setup | Server (192.168.88.5) > Mikrotik(192.186.88.1) ← WAN port (eth1) → TP-Link Deco (192.168.68.1) > MyLaptop(192.168.68.100)
Note |My TP-Link Router is also connected to my ISP via WAN fibre.
I don’t think however that allowing “plain” access from WAN is a good idea, besides testing/getting familiar with RoS.
Some more experienced members may want to suggest some more secure method (wireguard?)
Thank you. This helped, I updated to input chain and enabled the rule. That made it work and I was able to access the webfig on the mikrotik from my deco network by going to 192.168.68.102:80 (the eth1 port leased ip for mikrotik on the wan port from the deco) and it nat’ed it successfully to 192.168.88.1:80. However it randomly stopped working, and I’m not sure why. I’ve disabled and enabled and tried various things, but just can’t seem to figure out why it would work and then stop, unless there was some configuration change, but the only two things I touched were the firewall filter rule and the dst-nat rule.
Here is my current config:
# may/03/2024 11:53:01 by RouterOS 6.49.14
# software id = U54P-EGXI
#
# model = RB750Gr3
# serial number = HF2093JBZG0
/interface bridge
add admin-mac=78:9A:18:55:94:F7 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.68.0/24 list="local deco network"
/ip firewall filter
add action=accept chain=input dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="try allow tp-link home network linked to wan to access mikrotik interface" dst-address=192.168.68.102 dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess to-addresses=\
192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
is showing that the dst-nat rule isn’t being hit when I navigate to 192.168.68.102 as I would expect, would something be blocking this before it can run?
Thank you! This was actually the problem! Mikrotik does not pick up address-list names as objects, so because I’d renamed that address-list, the firewall filter rule
Well, the device/RoS does what you are telling it to do; the issue is that in many cases it allows you to do things that shouldn’t be done, and a tool or function that does something like a “global rename” does not exist.
So you can easily introduce a subtle mistake that causes total disruption of a working setup anyway.
A good idea is to export and save configurations while you are working on them and compare them with any text diff tool; for simple configurations like yours you can even use (as I did) a spreadsheet to compare changes between versions.
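As an added example (not code from the thread or from MikroTik), a small Python checker covering both the renamed address list above and the suggestion to work from saved exports: it parses a RouterOS export like the one posted, collects the names defined under /ip firewall address-list, and reports every filter or NAT rule whose src-/dst-address-list refers to a name that is no longer defined, which is the mistake that made the dst-nat rule stop matching here. The sample export is a constructed excerpt modelled on the posted config.

```python
import re
# Constructed export excerpt modelled on the thread: the list was renamed to "local deco network" but the rules still say "remoteaccess".
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=192.168.68.0/24 list="local deco network"
/ip firewall filter
add action=accept chain=input dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.68.102 dst-port=80 protocol=tcp src-address-list=remoteaccess to-addresses=\\
    192.168.88.1 to-ports=80
"""
LIST_DEF = re.compile(r'(?<![-\w])list=("[^"]*"|\S+)')            # entries under /ip firewall address-list
LIST_REF = re.compile(r'(?:src|dst)-address-list=("[^"]*"|\S+)')  # matchers in filter/nat/mangle/raw rules
RULE_SECTIONS = ("/ip firewall filter", "/ip firewall nat", "/ip firewall mangle", "/ip firewall raw")

def parse_export(text: str) -> dict[str, list[str]]:
    """Group export lines by their '/...' menu path, re-joining backslash-wrapped lines."""
    sections: dict[str, list[str]] = {}
    current, pending = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if pending:  # continuation of a wrapped line; no space is inserted after a bare '='
            line = pending + ("" if pending.endswith("=") else " ") + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def defined_address_lists(sections: dict[str, list[str]]) -> set[str]:
    entries = sections.get("/ip firewall address-list", [])
    return {m.group(1).strip('"') for m in map(LIST_DEF.search, entries) if m}

def dangling_list_refs(sections: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """(section, list name, rule) for each rule that matches on an address list nobody defines."""
    defined = defined_address_lists(sections)
    found = []
    for section in RULE_SECTIONS:
        for rule in sections.get(section, []):
            for m in LIST_REF.finditer(rule):
                name = m.group(1).strip('"').lstrip("!")  # '!list' negates but still needs the list
                if name not in defined:  # such a rule silently never matches, as in the thread
                    found.append((section, name, rule))
    return found
```

Run it over two saved exports (before and after a change) and any new entry in the result points straight at the rule that a rename broke.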