Hi, I’m having an issue with my MikroTik router.
Two of my ISP uplinks come in over PPPoE, so I split them with routing rules and routing tables: some traffic has to go through a VPN, some through the normal routes, and so on. I am now trying to port-forward on the dynamic-IP connection to my pfSense firewall. Something looks off: the forward-chain filter rule that matches connection-nat-state=dstnat logs the translated (NAT’d) traffic correctly, but the log line from the dst-nat rule itself shows the raw public IP and out-interface=unknown. Apologies in advance for the very confusing firewall rules — the configuration is below.
2024-07-30 12:36:55 by RouterOS 7.15.1
software id = PSI7-EAMH
model = RB4011iGS+
serial number =
# L2 layout: ether9 (maxis) and ether10 (unifi) carry the two ISP uplinks, both
# terminated as PPPoE clients; ether2-5 are LACP-bonded into the LAN trunk that
# carries the internal VLANs.
/interface bridge
add name=vlan1-bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] name=maxis
set [ find default-name=ether10 ] name=unifi
/interface pppoe-client
# PPPoE username was redacted in the paste; the export's backslash line
# continuation after "user=" was fused with the next section header.
add disabled=no interface=maxis name=pppoe-out2 use-peer-dns=yes user=
/interface wireguard
# wireguard1 is disabled and has no listen port; only wireguard2 is live.
add disabled=yes listen-port= mtu=1420 name=wireguard1
add listen-port=51821 mtu=1420 name=wireguard2
/interface vlan
# The unifi uplink is delivered tagged on VLAN 500; pppoe-out1 rides on it.
add interface=unifi name=vlan500 vlan-id=500
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether2,ether3,ether4,ether5 transmit-hash-policy=layer-2-and-3
/interface pppoe-client
# use-peer-dns=yes on both uplinks: the ISP-supplied resolvers are accepted and
# added to the router's dynamic DNS server list alongside the static ones.
add disabled=no interface=vlan500 max-mtu=1480 name=pppoe-out1 use-peer-dns=yes
/interface vlan
# Internal VLANs on the LAN bond.
add interface=bonding1 name=vlan4 vlan-id=4
add interface=bonding1 name=vlan5 vlan-id=5
add interface=bonding1 name=vlan6 vlan-id=6
add interface=bonding1 name=vlan7 vlan-id=7
/interface list
add name=LAN
add name=WAN
/ip pool
# DHCP ranges. NOTE(review): lanpool (192.168.0.113-.240) contains 192.168.0.113
# and 192.168.0.115, which the pfsenseWAN address list later in this export
# treats as fixed pfSense WAN addresses. Unless those are DHCP leases or static
# reservations, the pool can hand the same address to another client.
add name=pool1 ranges=192.168.3.100-192.168.3.200
add name=vmpool ranges=192.168.4.100-192.168.4.200
add name=lanpool ranges=192.168.0.113-192.168.0.240
add name=pool2 ranges=192.168.5.100-192.168.5.200
/ip dhcp-server
# server1 serves the bridge segment (192.168.0.0/24), vmpool serves vlan4, and
# the vlan5 server is disabled. pool1 (192.168.3.x) is not bound to any server
# in this export.
add address-pool=lanpool interface=vlan1-bridge name=server1
add address-pool=vmpool interface=vlan4 name=vmpool
add address-pool=pool2 disabled=yes interface=vlan5 name=server2
/port
set 0 name=serial0
set 1 name=serial1
/routing table
# Per-uplink / per-VPN FIBs, selected by the routing rules at the end of the export.
add disabled=no fib name=out-maxis
add disabled=no fib name=vpn-virtualizor2
add disabled=no fib name=test-ip
add disabled=no fib name=out-unifi
/interface bridge port
add bridge=vlan1-bridge interface=bonding1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
# Neighbor discovery / LLDP disabled on every interface, so nothing is
# advertised towards the uplinks.
set discover-interface-list=none lldp-poe-power=no
/ip settings
# NOTE(review): rp-filter=strict checks every inbound packet's source against
# the reverse route. With two PPPoE uplinks and policy tables, a packet that
# arrives on pppoe-out1 (e.g. the 3389 port-forward) while the main table's
# default route points at pppoe-out2 can fail that check and be dropped before
# the firewall ever sees it. Strict RPF is a common cause of "half-working"
# multi-WAN setups; if inbound traffic on the secondary uplink misbehaves,
# test with rp-filter=loose first - TODO confirm against this deployment.
# tcp-syncookies=yes is a sensible default against SYN floods on the router itself.
set max-neighbor-entries=8192 rp-filter=strict tcp-syncookies=yes
/ipv6 settings
# IPv6 is fully disabled on this box, so no IPv6 firewall is needed.
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes forward=no max-neighbor-entries=4096
/interface list member
# WAN = both PPPoE uplinks. LAN = bonding1 plus vlan4-7. NOTE: the bridge
# interface vlan1-bridge, which the filter rules match on as in-interface, is
# not a member of LAN, so any rule written with in-interface-list=LAN would
# miss the 192.168.0.0/24 segment.
add interface=bonding1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=vlan4 list=LAN
add interface=vlan7 list=LAN
add interface=vlan5 list=LAN
add interface=vlan6 list=LAN
/interface wireguard peers
# Keys and endpoints redacted. allowed-address=0.0.0.0/0 makes each peer a
# catch-all inside its tunnel: any source address the peer sends is accepted, so
# the forward chain is the only thing policing what comes back through the VPN.
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address= endpoint-port= interface=wireguard1 name=peer1 persistent-keepalive=5s public-key=""
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port= interface=wireguard2 name=peer2 persistent-keepalive=5s public-key=""
/ip address
# 192.168.0.1 sits on bonding1 even though bonding1 is a port of vlan1-bridge;
# the DHCP server and the filter rules address that segment as vlan1-bridge.
add address=192.168.0.1/24 interface=bonding1 network=192.168.0.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
add address=192.168.5.1/24 interface=vlan5 network=192.168.5.0
add address=172.16.6.1/24 interface=vlan6 network=172.16.6.0
add address=10.20.0.2/24 interface=wireguard2 network=10.20.0.0
add address=10.8.0.2/24 interface=wireguard1 network=10.8.0.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1 netmask=24
# 192.168.7.0/24: no local address or DHCP server instance is bound to it in
# this export; it is only reached via the static route through 192.168.0.112.
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for every client the
# input chain admits on port 53. As exported, the "Accept DNS" input rules carry
# no interface restriction, so queries arriving on the PPPoE uplinks are answered
# too (open resolver, usable for DNS reflection/amplification). Those rules
# should be limited to non-WAN interfaces.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip firewall address-list
# "lan", "dns" and "exception" are defined but not referenced by any filter,
# NAT or routing rule in this export. pfsenseWAN is used by the forward chain
# and the pppoe-out1 masquerade; the routing rules repeat its members as /32s.
add address=192.168.0.0/24 list=lan
add address=192.168.4.0/24 list=lan
add address=192.168.4.11 list=exception
add address=1.1.1.1 list=dns
add address=8.8.8.8 list=dns
add address=1.0.0.1 list=dns
add address=1.0.0.2 list=dns
add address=1.1.1.2 list=dns
add address=8.8.4.4 list=dns
add address=192.168.5.0/24 list=lan
add address=10.10.0.0/24 list=lan
add address=172.16.6.0/24 list=lan
add address=10.20.0.0/24 list=lan
add address=192.168.0.112 list=pfsenseWAN
add address=192.168.0.113 list=pfsenseWAN
add address=192.168.0.115 list=pfsenseWAN
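/ip firewall filter
# ---------------------------------------------------------------------------
# forward: accept inbound port-forwards (dst-nat'ed, new connections) arriving
# on the unifi uplink (pppoe-out1). log=yes records every new forwarded flow.
# ---------------------------------------------------------------------------
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface=pppoe-out1 log=yes
# ---------------------------------------------------------------------------
# input: DNS to the router's own resolver (/ip dns allow-remote-requests=yes).
# FIX: the exported rules had no interface match, so the router answered port-53
# queries from the Internet on both PPPoE uplinks (open resolver, usable for
# reflection/amplification). They now accept only from interfaces outside the
# WAN list, which keeps the LAN VLANs, the bridge and the WireGuard tunnels
# working. connection-state="" is kept exactly as exported. port=53 matches
# source OR destination port.
# ---------------------------------------------------------------------------
add action=accept chain=input comment="Accept DNS - UDP" connection-state="" in-interface-list=!WAN port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" connection-state="" in-interface-list=!WAN port=53 protocol=tcp
# forward: DNS transiting the router (clients talking to an upstream resolver
# directly). Same fix: nothing entering from the uplinks needs this.
add action=accept chain=forward comment="Accept DNS - UDP" in-interface-list=!WAN port=53 protocol=udp
add action=accept chain=forward comment="Accept DNS - TCP" in-interface-list=!WAN port=53 protocol=tcp
# ---------------------------------------------------------------------------
# forward: inter-VLAN allow matrix (first packet of a connection; replies are
# covered by the established/related rule further down). 172.16.6.0/24 and
# 192.168.7.0/24 are reachable only FROM 192.168.4.0/24, never the other way.
# ---------------------------------------------------------------------------
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.4.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.4.0/24
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=192.168.4.0/24
add action=accept chain=forward dst-address=172.16.6.0/24 src-address=192.168.4.0/24
add action=accept chain=forward dst-address=192.168.7.0/24 src-address=192.168.4.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=192.168.5.0/24
# ---------------------------------------------------------------------------
# input: management access. vlan6 hosts may talk to the router only at
# 172.16.6.1 (the drop below it only matters if the router ever holds a second
# address in that subnet). The other three LAN subnets get unrestricted access
# to every router service, matched by source address only - rp-filter=strict
# under /ip settings is what currently stops a spoofed private source on an
# uplink from hitting these; if rp-filter is relaxed to loose, add
# in-interface-list=!WAN to them.
# ---------------------------------------------------------------------------
add action=accept chain=input dst-address=172.16.6.1 src-address=172.16.6.0/24
add action=drop chain=input dst-address=172.16.6.0/24 src-address=172.16.6.0/24
add action=accept chain=input src-address=192.168.4.0/24
add action=accept chain=input src-address=192.168.5.0/24
add action=accept chain=input src-address=192.168.0.0/24
# Winbox port (redacted as xx) on vlan4 and the bridge; largely redundant with
# the subnet-wide accepts above. /ip service additionally limits Winbox by
# source address.
add action=accept chain=input comment="Allow Winbox" dst-port=xx in-interface=vlan4 protocol=tcp
add action=accept chain=input comment="Allow Winbox" dst-port=xx in-interface=vlan1-bridge protocol=tcp
# WireGuard listener (port redacted as xx), intentionally open from anywhere:
# WireGuard does not respond to senders that fail the handshake.
add action=accept chain=input comment=wireguard dst-port=xx protocol=udp
# Stateful tail for input. ICMP is accepted from every interface including the
# uplinks (router answers ping/traceroute from the Internet); restrict or
# rate-limit if that is unwanted.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
# ---------------------------------------------------------------------------
# forward: stateful tail. fasttrack (with hw-offload) must precede the
# established/related accept; fasttracked packets bypass the remaining filter
# and mangle rules, which is fine here because every mangle rule is disabled.
# ---------------------------------------------------------------------------
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Egress policy per segment. bridge -> vlan4 is open; bridge -> pppoe-out1 only
# for the pfSense WAN addresses (they are policy-routed to out-unifi); bridge
# and vlan4 -> pppoe-out2; vlan5 -> the VPN tunnel only. vlan6 has no egress
# rule at all, so apart from port-53 traffic it is isolated. The 192.168.4.12
# rule is fully covered by the 192.168.4.0/24 rule right after it.
add action=accept chain=forward in-interface=vlan1-bridge out-interface=vlan4
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface=vlan1-bridge out-interface=pppoe-out1 src-address-list=pfsenseWAN
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface=vlan1-bridge out-interface=pppoe-out2
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface=vlan4 out-interface=pppoe-out2 src-address=192.168.4.12
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface=vlan4 out-interface=pppoe-out2 src-address=192.168.4.0/24
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface=vlan5 out-interface=wireguard2
# Port-forwards arriving through the VPN tunnel (80/443 -> 192.168.5.100 in NAT).
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface=wireguard2
# Default deny, logged - expect this to be noisy in /log.
add action=drop chain=forward comment="drop all else" log=yes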
/ip firewall mangle
# All three mangle rules are disabled (placeholders for a "test-ip" policy route
# driven from vlan7 / wireguard1); they have no effect on the running config.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes new-connection-mark=test passthrough=yes src-address=
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address= in-interface=wireguard1 new-connection-mark=test passthrough=no
add action=mark-routing chain=prerouting connection-mark=test disabled=yes in-interface=vlan7 new-routing-mark=test-ip passthrough=no
/ip firewall nat
# Disabled wireguard1 NAT pair (addresses redacted).
add action=src-nat chain=srcnat disabled=yes out-interface=wireguard1 src-address= to-addresses=
add action=dst-nat chain=dstnat disabled=yes dst-address= in-interface=wireguard1 protocol=tcp to-addresses=
# RDP (3389) from the Internet on pppoe-out1 -> pfSense WAN 192.168.0.112. The
# return path works because 192.168.0.112 is policy-routed to out-unifi
# (default via pppoe-out1), i.e. replies leave on the uplink they arrived on.
# NOTE(review): this exposes RDP on a public IP with no source restriction; add
# src-address-list=<trusted> to this rule, or reach the host over the WireGuard
# tunnel instead of publishing 3389.
# About the log: dstnat runs in prerouting, before the routing decision, so this
# rule's log line always shows the pre-translation public destination and
# out-interface=unknown. That is expected and does not indicate a NAT failure;
# the forward-chain "Allow Port Forwarding" log shows the translated flow.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=192.168.0.112 to-ports=3389
# vlan6 -> VPN source NAT. There is currently no forward rule letting vlan6
# reach wireguard2, so this is inert until one is added.
add action=masquerade chain=srcnat out-interface=wireguard2 src-address=172.16.6.0/24
# HTTP/HTTPS arriving through the VPN tunnel -> 192.168.5.100.
add action=dst-nat chain=dstnat dst-port=80 in-interface=wireguard2 protocol=tcp to-addresses=192.168.5.100 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=wireguard2 protocol=tcp to-addresses=192.168.5.100 to-ports=443
# Source NAT per (subnet, egress interface). Masquerade on a PPPoE uplink uses
# whatever address the interface currently has; after a re-dial that changes the
# public IP, existing conntrack entries can keep the stale address until they
# time out (clearing those connections on PPPoE up avoids it) - TODO confirm
# whether that is observed here.
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address=192.168.4.12
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address-list=pfsenseWAN
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.4.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address=192.168.4.0/24
add action=masquerade chain=srcnat out-interface=wireguard2 src-address=192.168.5.0/24
/ip firewall service-port
# Connection-tracking ALGs (FTP/TFTP/H.323/SIP/PPTP) disabled: fewer ways for a
# packet payload to open related connections through NAT.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
# main: default via pppoe-out2, plus a redacted /32 also pinned to pppoe-out2
# (presumably the far-end VPN endpoint, so the tunnel's own packets do not
# follow a VPN table - TODO confirm).
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=/32 gateway=pppoe-out2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# out-maxis: default via pppoe-out2 plus connected LANs. The routing rules use
# lookup-only-in-table, so a subnet missing from a table is unreachable for
# that source (e.g. the 10.20.0.0/24 tunnel network appears in none of them).
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=vlan1-bridge routing-table=out-maxis scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=vlan5 routing-table=out-maxis scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=out-maxis scope=30 suppress-hw-offload=no target-scope=10
# vpn-virtualizor2: default via wireguard2 (distance 1) with a distance-2
# fallback via pppoe-out2. NOTE(review): if the wireguard2 route ever becomes
# inactive, vlan5/vlan6 traffic is re-steered to the plain uplink; only the
# forward chain (no vlan5/vlan6 -> pppoe-out2 accept) and the absence of a
# matching masquerade prevent a clear-text leak. Remove the fallback if the
# tunnel is meant to be a kill switch.
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=vpn-virtualizor2 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=vlan5 routing-table=vpn-virtualizor2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.6.0/24 gateway=vlan6 routing-table=vpn-virtualizor2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=vpn-virtualizor2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=vlan4 routing-table=out-maxis scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=vlan4 routing-table=vpn-virtualizor2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=vlan1-bridge routing-table=vpn-virtualizor2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.6.0/24 gateway=vlan6 routing-table=out-maxis scope=10 suppress-hw-offload=no target-scope=10
# 192.168.7.0/24 lives behind pfSense (next hop 192.168.0.112) and is only
# present in out-maxis; sources pinned to the other tables cannot reach it.
add disabled=no distance=1 dst-address=192.168.7.0/24 gateway=192.168.0.112 routing-table=out-maxis scope=10 suppress-hw-offload=no target-scope=10
# out-unifi: default via pppoe-out1 (used by the pfSense WAN addresses) plus
# the three main LAN subnets; 172.16.6.0/24 is not in this table.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=out-unifi scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=vlan5 routing-table=out-unifi scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=vlan4 routing-table=out-unifi scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=vlan1-bridge routing-table=out-unifi scope=10 suppress-hw-offload=no target-scope=10
/ip service
# Only Winbox stays enabled, limited to three source subnets. 10.10.0.0/24 is
# not configured on any interface in this export (possibly reached through a
# tunnel - verify it is still needed).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.4.0/24,192.168.0.0/24,10.10.0.0/24
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
# First match wins. vlan5 and vlan6 are pinned to the VPN table. The three
# pfsenseWAN /32s must stay above the 192.168.0.0/24 rule so they egress via
# pppoe-out1 (out-unifi); that ordering is also what lets the 3389
# port-forward's replies leave on the uplink the request arrived on.
# The 192.168.4.12/32 rule is redundant with the 192.168.4.0/24 rule after it.
add action=lookup-only-in-table disabled=no src-address=192.168.5.0/24 table=vpn-virtualizor2
add action=lookup-only-in-table disabled=no src-address=172.16.6.0/24 table=vpn-virtualizor2
add action=lookup-only-in-table disabled=no src-address=192.168.0.112/32 table=out-unifi
add action=lookup-only-in-table disabled=no src-address=192.168.0.113/32 table=out-unifi
add action=lookup-only-in-table disabled=no src-address=192.168.0.115/32 table=out-unifi
add action=lookup-only-in-table disabled=no src-address=192.168.0.0/24 table=out-maxis
add action=lookup-only-in-table disabled=no src-address=192.168.4.12/32 table=out-maxis
add action=lookup-only-in-table disabled=no src-address=192.168.4.0/24 table=out-maxis
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
# Identity redacted.
set name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.asia.pool.ntp.org
add address=1.asia.pool.ntp.org
add address=2.asia.pool.ntp.org
add address=3.asia.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level management (mac-telnet, mac-winbox, mac-ping) disabled everywhere.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tr069-client
set periodic-inform-enabled=no periodic-inform-interval=5m
It looks as if dst-nat is not translating the incoming request to my RDP host on 3389, even though the firewall filter shows the correct (translated) part. Note, though, that a rule in the dstnat chain runs in prerouting, before the routing decision, so its log entry will always show the original public destination address and out-interface=unknown; the forward-chain filter rule runs after translation and routing, which is why it shows the rewritten destination. The dst-nat log line on its own therefore does not prove that the NAT failed.
Issue shown below (the log screenshot did not come through in this copy):

EDIT: It turned out nothing was wrong; I fixed it by forwarding everything to that IP address.