NAT not sufficient.

I have 2 networks with a RB750 between them.

SETUP

RB750
Eth0: IP=192.168.0.1/24 (Local)
Eth1: IP=10.0.0.1/8 (public)

Local server: IP=192.168.0.2

NAT RULE
Chain: dstnat
Dst address: 10.0.0.1
Action: dst-nat
To Address: 192.168.0.2

Hosts on the public network can access the local server via 10.0.0.1.
My problem is that they can also access the server and all the other hosts on the local network when they use the direct IP to the local network.
How can I prevent hosts on the public network from accessing the local hosts but still have access to the local server via 10.0.0.1?
I tried some tutorials on the web but none of them seem to be working for my setup.
An example would be appreciated.

So they have a route to 192.168.0.0/24 via 10.0.0.1? Huh.

You will have to use the IP firewall filter for this. You will still need to permit access to 192.168.0.2 because that’s the destination IP address of the packet after NAT. ether1 is assumed to be your LAN interface name. Adjust as required.

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
# ether1 is the LAN interface, so only traffic arriving on it is accepted
add chain=input in-interface=ether1 action=accept
add chain=input action=drop
# forward chain: traffic routed through the router
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 action=accept
# destination address after dst-nat, so the published server stays reachable
add chain=forward dst-address=192.168.0.2 action=accept
add chain=forward action=drop

Thanks fewi.
After playing around a bit more, I managed to solve my problem with a couple of Firewall filters.
Just in case anybody wants to know what I did, I added the following firewall filters.

  1. Chain: Forward
    Dst Address: 192.168.0.2/32
    Action: Accept

  2. Chain: Forward
    Dst Address: 192.168.0.0/24
    Action: reject

No. What I meant was, a host on the public network can access any host on the local network when using the local address.
Example: a host with IP 10.0.0.5 in the public network can access a host in the local network with IP 192.168.0.5

But thanks anyway.

You may want to narrow that “accept” rule some. Limiting it by source address or allowed ports will help reduce your exposure.
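
Added example, not code from any poster in the thread: a small Python model of first-match forward-chain evaluation after the thread's dst-nat rule, comparing NAT alone, the two posted forward rules, and a narrowed accept rule. The source subnet 10.0.0.0/24, port 80 and the sample packets are assumptions made up for illustration; the model ignores connection tracking and reply traffic.

```python
import ipaddress

def dstnat(pkt):
    # The thread's NAT rule: dst 10.0.0.1 becomes 192.168.0.2 before the forward chain runs.
    return {**pkt, "dst": "192.168.0.2"} if pkt["dst"] == "10.0.0.1" else pkt

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def forward(rules, pkt):
    """Return the verdict for a packet: first matching rule wins, no match means accept."""
    pkt = dstnat(pkt)
    for rule in rules:
        if not in_net(pkt["dst"], rule["dst"]):
            continue
        if "src" in rule and not in_net(pkt["src"], rule["src"]):
            continue
        if "port" in rule and pkt["port"] != rule["port"]:
            continue
        return rule["action"]
    return "accept"

NAT_ONLY = []  # no filter rules: the router forwards anything it can route
POSTED = [     # the two forward rules from the thread
    {"dst": "192.168.0.2/32", "action": "accept"},
    {"dst": "192.168.0.0/24", "action": "reject"},
]
NARROWED = [   # same, with the accept limited by source and port (values assumed)
    {"dst": "192.168.0.2/32", "src": "10.0.0.0/24", "port": 80, "action": "accept"},
    {"dst": "192.168.0.0/24", "action": "reject"},
]

# Constructed sample packets arriving from the public side.
SAMPLES = {
    "web via NAT": {"src": "10.0.0.5", "dst": "10.0.0.1", "port": 80},
    "ssh via NAT": {"src": "10.0.0.5", "dst": "10.0.0.1", "port": 22},
    "direct to other host": {"src": "10.0.0.5", "dst": "192.168.0.5", "port": 80},
    "direct to server": {"src": "10.0.0.5", "dst": "192.168.0.2", "port": 22},
    "other subnet via NAT": {"src": "10.9.9.9", "dst": "10.0.0.1", "port": 80},
}

def verdicts(rules):
    return {name: forward(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in [("NAT only", NAT_ONLY), ("posted", POSTED), ("narrowed", NARROWED)]:
        print(label, verdicts(rules))
```

Because the filter sees the address after dst-nat, a packet sent straight to 192.168.0.2 and one sent to 10.0.0.1 hit the same accept rule, which is why narrowing that rule affects both paths.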