NAT issues

MachineVision · June 12, 2020, 3:35pm

I am having weird nat issues. If I reset the switch & configure a basic wan & LAN interface with NAT enabled via winbox, I can ping Internet addresses, dig & update my OS. Once I start adding DST nat rules to access computers behind the wan ip, I can no longer update my os yet I can still ping & resolve. I have to enable IP fragment to run updates. I then removed the masq nat & set up src nat to access internet & access machines behind ip. I still cannot update.

my very basic setup is as follows:
jun/12/2020 11:17:50 by RouterOS 6.44.5

software id = BP1D-Z2VM

model = CRS125-24G-1S

serial number = 944F09C6EEE5

/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.3.57/26 interface=ether1 network=192.168.3.0
add address=192.168.8.2/26 interface=ether2 network=192.168.8.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat connection-state=
established,related
add action=accept chain=input disabled=yes dst-address=192.168.8.6 dst-port=22
log=yes protocol=tcp
add action=accept chain=forward disabled=yes dst-port=80 log=yes protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.8.6 dst-port=
5240 log=yes protocol=tcp
add action=drop chain=input connection-state=invalid log=yes
/ip firewall nat
add action=src-nat chain=srcnat fragment=no log=yes out-interface-list=WAN
src-address=192.168.8.0/26 to-addresses=192.168.3.57
add action=dst-nat chain=dstnat dst-address=192.168.3.57 dst-port=22 fragment=
no log=yes protocol=tcp to-addresses=192.168.8.6
add action=dst-nat chain=dstnat fragment=no log=yes protocol=tcp to-addresses=
192.168.8.6 to-ports=5240
add action=dst-nat chain=dstnat disabled=yes fragment=yes log=yes protocol=tcp
to-addresses=192.168.8.6 to-ports=10000
add action=dst-nat chain=dstnat disabled=yes fragment=yes log=yes protocol=tcp
to-addresses=192.168.8.6 to-ports=443
/ip route
add distance=1 gateway=192.168.3.3

anav · June 12, 2020, 5:02pm

my very basic setup is as follows:
jun/12/2020 11:17:50 by RouterOS 6.44.5

software id = BP1D-Z2VM

add address=192.168.8.2/26 interface=ether2 network=192.168.8.0

/ip firewall filter {WHERE ARE YOUR INPUT CHAIN RULES??}
Forward chain not much good.

In fact this is a firewall filter that needs to be scrapped entirely and replaced with default rules.
Then add in required rules but correctly formatted.

Nat rules are no better and can be worked on when the rest is corrected.
Format is
add chain=dstnat action=dst-nat protocol=tcp (or udp) dst-port=xxxx dst-address=192.168.3.57
to-address=IPofServer to-ports=?? (only required if different from dst port - doing port translation)