MikroTik PPTP and XP/Vista shares

Hello, I am hoping someone can find the error in my ways on this.

I set up an RB750 as a gateway router with a firewall/NAT/PPTP server per the wiki articles. I thought I had it working, but it appears that not all is working. I can ping the devices on the local LAN, I can FTP to the devices that support it, but I cannot connect to a NAS that is serving files for the remote users. I type in Windows Explorer \\192.168.1.200 (NAS) and Windows reports that it cannot contact the device. Ping confirms I have connectivity though! I suspect it has something to do with my firewall and NAT, as I don’t know exactly what I am doing with all of it. I have included a print of these settings.

If there is any help that someone can give me to straighten this out?

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
    ADDRESS             NETWORK         BROADCAST       INTERFACE
0   ;;; default configuration
    192.168.1.1/24      192.168.1.0     192.168.1.255   ether2-local-master
1 D 66.xxx.xxx.xxx/21   66.xxx.xxx.xxx  66.xxx.xxx.xxx  ether1-gateway
2 D 192.168.1.1/32      192.168.88.1    0.0.0.0

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
      DST-ADDRESS         PREF-SRC        GATEWAY-STATE  GATEWAY         DISTANCE  INTERFACE
0 ADS 0.0.0.0/0                           reachable      66.xxx.xxx.xxx  0         ether1-gateway
1 ADC 66.xxx.xxx.xxx/21   66.xxx.xxx.xxx                                 0         ether1-gateway
2 ADC 192.168.1.0/24      192.168.1.1                                    0         ether2-local-master
3 A S 192.168.88.0/24                     reachable      192.168.88.1    1
4 ADC 192.168.88.1/32     192.168.1.1                                    0

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=yes in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=yes in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=accept chain=forward comment="Allow Winbox" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=forward comment="Allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=forward comment="Allow GRE" disabled=no dst-port=47 protocol=tcp
add action=drop chain=forward comment="drop everything else" disabled=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=0.0.0.0 dst-port=1723 protocol=tcp to-addresses=192.168.1.1 to-ports=1723

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Thanks for any help. Also, I added the dst-address=0.0.0.0 in the NAT so that a user on the LAN is able to contact another remote site via VPN.

What IP address does the client have that you’re trying to reach 192.168.1.200 from? Does it start with 192.168.1.x as well? If so, that traffic isn’t going through the router and the firewall has nothing to do with your issues.

The client gets an IP from a pool between 192.168.1.60-192.168.1.89. Yeah, so since the client is already on the LAN side the firewall does nothing, right? It must be NAT related?

Aren

I don’t mean to be rude, but you installed something from a wiki without understanding it at all?

> I type in Windows Explorer \\192.168.1.200 (NAS) and Windows reports that it cannot contact the device.

Let’s see if we can figure out why.

> Ping confirms I have connectivity though! I suspect it has something to do with my firewall and NAT, as I don’t know exactly what I am doing with all of it. I have included a print of these settings.

You are on target.

> /ip firewall filter
>
> add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
> add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
> add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
> add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp

You are trying to browse Windows shares and you have NetBIOS blocked? If you want to run NetBIOS, I suggest not blocking it in the firewall. Or at least permit it in the firewall when the traffic is traversing the VPN.
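
Why ping and FTP get through while the share does not, traced against the posted rules. This is an added example, not part of the thread: a small first-match evaluator run over a constructed excerpt of the posted filter rules, assuming (as the last reply does) that the VPN client's traffic to the NAS passes through the forward chain. `parse`, `port_in`, `matches` and `verdict` are hypothetical helper names, and only the `protocol` and `dst-port` matchers are modelled.

```python
import shlex

# Constructed excerpt of the forward/virus rules from the thread, order kept;
# connection-state rules omitted, so each packet is a new connection's first.
RULES = '''
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=accept chain=forward comment="allow TCP" protocol=tcp
add action=accept chain=forward comment="allow ping" protocol=icmp
add action=drop chain=forward comment="drop everything else"
'''

def parse(text):
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)          # keeps quoted comments together
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def port_in(spec, port):
    """True if port falls in a RouterOS-style list such as '135-139,445'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(rule, pkt):
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    return "dst-port" not in rule or port_in(rule["dst-port"], pkt.get("dst-port", -1))

def verdict(rules, pkt, chain="forward"):
    """First-match walk of one chain; a jump that matches nothing falls through."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"], rule.get("comment", "")
        hit = verdict(rules, pkt, rule["jump-target"])
        if hit:
            return hit
    return None

if __name__ == "__main__":
    for pkt in ({"protocol": "icmp"}, {"protocol": "tcp", "dst-port": 445}):
        print(pkt, "->", verdict(parse(RULES), pkt))
```

Because the jump to the virus chain sits ahead of the broad "allow TCP" rule, SMB on 445 and NetBIOS on 139 are dropped before any accept rule is reached, while ICMP and FTP match nothing in the virus chain and fall through to their accept rules.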