Linux can't find mirror server

Hello, today I replaced my Archer AX1500 with a MikroTik hEX. At first I thought everything was fine: every device in the home and homelab networks (2 VLANs) has internet and I can ping all sites. But when I need to install a package on Debian, it can't connect to the mirror (error 101 - no internet connection). I get this message on all Linux devices. I tried installing a new virtual machine on Proxmox, but it has the same problem: it can't connect to the mirror server. I tested this VLAN and I can use a Windows PC normally: I can browse sites and download files, and even play CS:Source on public servers.

Do you have PPPoE internet?

No i dont

Now I see that when I turn on port 80 forwarding, the problem comes back.

Please show your config with the serial number and passwords removed.

My config
When I forward port 80, Linux can't find servers to update from, but I can see my website from the internet; and when I forward port 8080, the speed test can't find servers.

# 2023-08-05 22:14:22 by RouterOS 7.10.2
#
#
# model = RB750Gr3
# Base layout: two bridges, each with its own /24 and DHCP server.
#   br_dom     -> ether4, ether5 -> 192.168.2.0/24 (home)
#   br_serwery -> ether2, ether3 -> 192.168.1.0/24 (servers / homelab)
/interface bridge
add name=br_dom
add admin-mac=XX:XX:XX:XX auto-mac=no comment=defconf name=br_serwery
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "4 006 608 384" type=partition
# Two interface lists are declared here; membership is assigned further down
# under "/interface list member".
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=br_dom name=dhcp1
add address-pool=dhcp_pool2 interface=br_serwery name=dhcp2
/port
set 0 name=serial0
/system logging action
set 0 target=disk
set 2 target=disk
# The Dude server is enabled on the router itself.
# NOTE(review): every enabled service widens what the router exposes; confirm
# this one is needed and that it is not reachable from ether1.
/dude
set data-directory=usb1-part1/dude-data enabled=yes
/interface bridge port
add bridge=br_serwery comment=defconf interface=ether2
add bridge=br_serwery comment=defconf interface=ether3
add bridge=br_dom comment=defconf interface=ether4
add bridge=br_dom comment=defconf interface=ether5
# Neighbor discovery is limited to the LAN list, which has no members in this
# export (see the next section).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
# Only ether1 is assigned, to WAN. Neither br_dom nor br_serwery is added to
# LAN, so LAN is empty in this export and any matcher written as
# in-interface-list=!LAN matches traffic from every interface.
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=br_serwery network=\
    192.168.1.0
add address=192.168.2.1/24 interface=br_dom network=192.168.2.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
# Left over from the default configuration: no address in 192.168.88.0/24 is
# configured under /ip address in this export.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# Also a default-configuration leftover; router.lan points at an address the
# router does not hold in this export.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# not_in_internet: special-purpose and private ranges that should never appear
# as a source address on the WAN side. The forward chain uses this list to
# drop packets arriving on ether1 with such a source.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# List names used by the detect-ddos chain and the raw prerouting drop; they
# are exported here without any address.
add list=ddos-attackers
add list=ddos-targets
# IPv4 filter rules. Rule order matters: RouterOS evaluates each chain top to
# bottom and accepts a packet that no rule matches.
/ip firewall filter
# --- forward chain: traffic routed through the router ---
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
# New connections arriving on ether1 are forwarded only if a dst-nat rule
# translated them; everything else from the WAN side is dropped and logged.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# Anti-spoofing: drop WAN packets whose source is in not_in_internet.
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
# --- input chain: traffic addressed to the router itself ---
# Staged SSH limiter: each new connection to tcp/22 promotes the source one
# list further (connection1 -> connection2 -> connection3 ->
# bruteforce_blacklist), with timeouts of 5m, 15m, 1h and 1d.
# NOTE(review): ssh is disabled under /ip service in this export and no
# dst-nat rule forwards port 22, so these rules guard a port the router is
# not serving as exported - confirm whether they are still wanted.
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment=Blacklist connection-state=\
    new dst-port=22 protocol=tcp src-address-list=connection3
# NOTE(review): no list named "secured" is populated anywhere in this export,
# and the combined value connection2,!secured is unusual - confirm intent.
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    !bruteforce_blacklist
# "Porty VPN" = VPN ports: tcp/443 and udp/500,1701,4500 are accepted from any
# interface.
# NOTE(review): this export contains no chain=input rule with action=drop, so
# the accept rules here do not narrow anything; unmatched router-bound traffic
# is accepted by default, including from ether1. That covers Winbox on port
# 8890 (see /ip service). A typical hardening is to accept
# established,related on input, accept management only from the internal
# bridges, and end the input chain with a drop for everything else.
add action=accept chain=input comment="Porty VPN" dst-port=443 protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
# --- forward chain: segmentation ---
# VPN client range 10.0.0.2-10.0.0.50 is isolated from both internal subnets,
# in both directions, with logging.
add action=drop chain=forward comment=VPN_SSTP_RULES dst-address=\
    10.0.0.2-10.0.0.50 log=yes src-address=192.168.2.2-192.168.2.254
add action=drop chain=forward dst-address=192.168.2.2-192.168.2.254 log=yes \
    src-address=10.0.0.2-10.0.0.50
add action=drop chain=forward dst-address=10.0.0.2-10.0.0.50 log=yes \
    src-address=192.168.1.2-192.168.1.254
add action=drop chain=forward dst-address=192.168.1.2-192.168.1.254 log=yes \
    src-address=10.0.0.2-10.0.0.50
# "rozdzielenie_dom-vpn" = separate home from VPN (all PPP interfaces).
add action=drop chain=forward comment=rozdzielenie_dom-vpn in-interface=\
    br_dom out-interface=all-ppp
add action=drop chain=forward in-interface=all-ppp out-interface=br_dom
# "rodzielenie_dom-lan" = separate home from the server bridge.
# These drops sit after the established,related accept above, so they stop
# new connections between the two bridges in either direction.
add action=drop chain=forward comment=rodzielenie_dom-lan in-interface=br_dom \
    out-interface=br_serwery
add action=drop chain=forward in-interface=br_serwery out-interface=br_dom
# --- detect-ddos: custom chain ---
# A packet within the dst-limit returns to the caller; anything over the limit
# has its destination and source added to the ddos lists for 10 minutes.
# NOTE(review): no rule with action=jump jump-target=detect-ddos appears in
# this export, so as shown this chain is never entered, the lists stay empty
# and the raw prerouting drop never matches.
add action=return chain=detect-ddos comment=ANTYDDOS dst-limit=\
    32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
# NOTE(review): this return rule comes after the two unconditional
# add-to-list rules above - confirm the intended position.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    protocol=tcp tcp-flags=syn,ack
/ip firewall nat
# Outbound NAT for everything leaving through the WAN interface list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards. Every dst-nat rule below matches on protocol and dst-port
# only: there is no in-interface, in-interface-list or dst-address matcher.
# Such a rule also catches connections that internal hosts open TO the
# internet on the same port and redirects them to the internal server. This
# is the fault discussed in the thread: with the tcp/80 rule enabled, HTTP
# requests to package mirrors land on 192.168.1.11, and the tcp/8080 rule
# does the same to the speed test. It also means internal clients silently
# talk to a local host when they intended a remote one.
# Scope each rule to inbound traffic, e.g. in-interface-list=WAN (WAN is an
# interface list in this config) or dst-address=<PUBLIC_IP> (placeholder).
# The tcp/80 rule is exported disabled, which is the poster's workaround.
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    to-addresses=192.168.1.11
# NOTE(review): FTP sends credentials in cleartext, and the FTP NAT helper is
# disabled under /ip firewall service-port in this export, which may affect
# FTP data connections through this forward - confirm.
add action=dst-nat chain=dstnat dst-port=21 protocol=tcp to-addresses=\
    192.168.1.3
add action=dst-nat chain=dstnat dst-port=25565-25567 protocol=tcp \
    to-addresses=192.168.1.174
add action=dst-nat chain=dstnat dst-port=30120 protocol=tcp to-addresses=\
    192.168.1.108
add action=dst-nat chain=dstnat dst-port=30120 protocol=udp to-addresses=\
    192.168.1.108
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.174
add action=dst-nat chain=dstnat dst-port=6070 protocol=tcp to-addresses=\
    192.168.1.164
# Early drop for flows between addresses flagged by the detect-ddos chain.
# It only has an effect once both address lists are populated.
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
# Connection-tracking helpers for FTP and TFTP are turned off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
# Router management services: everything except Winbox is disabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# Winbox is moved to port 8890 but carries no address= restriction here, and
# the IPv4 input chain in this export has no drop rule, so the port change is
# the only thing separating it from the WAN side. A non-default port is not
# access control: limit the service with address=<MGMT_SUBNET> (placeholder)
# and drop WAN traffic on the input chain.
set winbox port=8890
set api-ssl disabled=yes
# IPv6 firewall as shipped in the default configuration (all comments carry
# the defconf prefix).
# bad_ipv6: source/destination prefixes dropped by the forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# --- input chain ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input drop. The LAN list has no members in this export, so !LAN
# matches every interface: anything not accepted above is dropped no matter
# where it arrives. Unlike the IPv4 input chain, this one does end in a drop.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# --- forward chain ---
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final forward drop; with LAN empty this also blocks new IPv6 connections
# originating from br_dom and br_serwery.
# NOTE(review): if IPv6 is meant to be used, add the bridges to the LAN list.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Mikro
/system note
set show-at-login=no
# Stored scripts. Each source only adds firewall address-list, filter or raw
# entries, yet every script carries the policy set
# ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon.
# NOTE(review): trim policy= to what the scripts actually need, so that a
# stored script cannot be used for more than editing firewall entries -
# confirm the minimum against the RouterOS documentation.
# script1: source adds the not_in_internet address-list entries.
/system script
add dont-require-permissions=no name=script1 owner=polandlp policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list\r\
    \nadd address=0.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
    \nadd address=172.16.0.0/12 comment=RFC6890 list=not_in_internet\r\
    \nadd address=192.168.0.0/16 comment=RFC6890 list=not_in_internet\r\
    \nadd address=10.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
    \nadd address=169.254.0.0/16 comment=RFC6890 list=not_in_internet\r\
    \nadd address=127.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
    \nadd address=224.0.0.0/4 comment=Multicast list=not_in_internet\r\
    \nadd address=198.18.0.0/15 comment=RFC6890 list=not_in_internet\r\
    \nadd address=192.0.0.0/24 comment=RFC6890 list=not_in_internet\r\
    \nadd address=192.0.2.0/24 comment=RFC6890 list=not_in_internet\r\
    \nadd address=198.51.100.0/24 comment=RFC6890 list=not_in_internet\r\
    \nadd address=203.0.113.0/24 comment=RFC6890 list=not_in_internet\r\
    \nadd address=100.64.0.0/10 comment=RFC6890 list=not_in_internet\r\
    \nadd address=240.0.0.0/4 comment=RFC6890 list=not_in_internet\r\
    \nadd address=192.88.99.0/24 comment=\"6to4 relay Anycast [RFC 3068]\" lis\
    t=not_in_internet"
# script2: source adds the five forward-chain rules (fasttrack, established,
# invalid, not-NATted, non-public source).
add dont-require-permissions=no name=script2 owner=polandlp policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=fasttrack-connection chain=forward comment=FastTrack connecti\
    on-state=established,related\r\
    \nadd action=accept chain=forward comment=\"Established, Related\"  connec\
    tion-state=established,related\r\
    \nadd action=drop chain=forward comment=\"Drop invalid\" connection-state=\
    invalid log=yes log-prefix=invalid\r\
    \nadd action=drop chain=forward comment=\"Drop incoming packets that are n\
    ot NATted\" connection-nat-state=!dstnat connection-state=new in-interface\
    =ether1 log=yes log-prefix=!NAT\r\
    \nadd action=drop chain=forward comment=\"Drop incoming from internet whic\
    h is not public IP\" in-interface=ether1 log=yes log-prefix=!public src-ad\
    dress-list=not_in_internet"
# script3: source adds the staged tcp/22 limiter on the input chain.
add dont-require-permissions=no name=script3 owner=polandlp policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=add-src-to-address-list address-list=bruteforce_blacklist add\
    ress-list-timeout=1d chain=input comment=Blacklist connection-state=new ds\
    t-port=22 protocol=tcp src-address-list=connection3\r\
    \nadd action=add-src-to-address-list address-list=connection3 address-list\
    -timeout=1h chain=input comment=\"Third attempt\" connection-state=new dst\
    -port=22 protocol=tcp src-address-list=connection2,!secured\r\
    \nadd action=add-src-to-address-list address-list=connection2 address-list\
    -timeout=15m chain=input comment=\"Second attempt\" connection-state=new d\
    st-port=22 protocol=tcp src-address-list=connection1\r\
    \nadd action=add-src-to-address-list address-list=connection1 address-list\
    -timeout=5m chain=input comment=\"First attempt\" connection-state=new dst\
    -port=22 protocol=tcp\r\
    \nadd action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    !bruteforce_blacklist"
# script4: source adds the ddos address lists, the detect-ddos chain rules and
# the raw prerouting drop. It contains no rule that jumps into detect-ddos.
add dont-require-permissions=no name=script4 owner=polandlp policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list\r\
    \nadd list=ddos-attackers\r\
    \nadd list=ddos-targets\r\
    \n/ip firewall filter\r\
    \nadd action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresse\
    s/10s\r\
    \nadd action=add-dst-to-address-list address-list=ddos-targets address-lis\
    t-timeout=10m chain=detect-ddos\r\
    \nadd action=add-src-to-address-list address-list=ddos-attackers address-l\
    ist-timeout=10m chain=detect-ddos\r\
    \n/ip firewall raw\r\
    \nadd action=drop chain=prerouting dst-address-list=ddos-targets src-addre\
    ss-list=ddos-attackers"

I only had to add a dst address and everything works. Thanks for all the help.

…snip…


add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp
to-addresses=192.168.1.11

>

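Your rule affects packets going _both_ directions! Because it matches only on protocol and destination port, it also rewrites connections that your own hosts open to port 80 on the internet. You need to add a qualifier like in-interface=WAN to make it affect inbound connections only. (In the posted config WAN is an interface list, so the matcher would be in-interface-list=WAN, or in-interface=ether1.)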

Notice that dst-nat is the first thing in the bridging decision packet flow:

![](https://help.mikrotik.com/docs/download/attachments/328227/PacketFlowDiagram_v6_b.svg)

See the rest of the [packet flow docs](https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS) for more information.