Limit NAT to specific source IP

I am setting up my hAP ac to replace my Meraki MX64 and one port forward rule is set to only allow traffic from the main IP we have at work. Does that go in the src-address field? I just want as close to a drop in replacement as possible when I get home tonight :slight_smile:

And this is how everything sits on my hAP ac right now. Filter rule 1 will be going away soon.

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=input action=accept protocol=tcp dst-port=8291

2 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

12 chain=forward action=accept connection-state=established,related

Yup, office IP is src-address when NAT or firewall filter on home router evaluates new incoming connection.
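What that looks like as a RouterOS dst-nat rule, added here as an example (not the poster's config and not taken from the thread); the office IP, the LAN host and the forwarded port are constructed placeholders, and the second variant goes beyond the single-IP case by using an address list:

```routeros
# Added example, not the poster's config. Placeholder values (assumptions):
#   203.0.113.10   the office public IP that is allowed in
#   192.168.88.10  the LAN host the port is forwarded to
#   tcp/8443       the forwarded service
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=8443 \
    src-address=203.0.113.10 to-addresses=192.168.88.10 to-ports=8443 \
    comment="Port forward 8443, office IP only"

# Connections from any other source never match this rule, so they are never
# dst-natted and defconf forward rule 11 (drop new from WAN not DSTNATed)
# drops them. Verify that only the expected traffic is hitting the rule:
/ip firewall nat print stats where comment~"office IP only"

# If more than one office address should be allowed, keep the rule the same
# and match an address list instead of a single src-address:
/ip firewall address-list
add list=office-ips address=203.0.113.10 comment="office"
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=8443 \
    src-address-list=office-ips to-addresses=192.168.88.10 to-ports=8443 \
    comment="Port forward 8443, office address list only"
```

Either variant relies on the defconf forward rule 11 still being in place; without it, traffic that is not dst-natted would not be dropped by the filter.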

Thank you, now to figure out why I can’t get out to the Internet from a laptop connected to the thing.