Need help with NAT for home server(s)

I respect and fear my MikroTik 2011UiAS-2HnD router – it just works and keeps on working, but whenever I touch something (apart from updating FW) I break it.

So here I am after several years when I needed to make big changes to the firewall/NAT and I’m completely utterly stuck.

The set up is as follows:

  • connected via WiFi to the router
    • a few laptops (Hermes @ .80, Ducky @ .81, a few others I haven’t given static IPs yet), typically only 1-2 are on at the same time
    • a desktop (Nuit @ .71) (I think Kibla does not exist anymore)
    • a printer (Epson @ .101)
    • a handful of smartphones, eReaders etc.
  • home servers connected via Ethernet to the router
    • Juno @ .110 – legacy, currently running the webserver with Pelican blog and Nextcloud
    • Kalipso @ .111 – legacy, currently running Borg backup server and IRC bouncer
    • Monolith @ .112 – new, running YunoHost, planned to replace both legacy servers

Several years ago, when I bought Juno and Kalipso, I set up IP firewall rules 0-13 (see below) and it worked.

Now I added Monolith into the network, added the IP firewall rules 14-29 and set up reverse proxy from Monolith to Juno, but Monolith is not accessible via any of the ports. I am testing this using YunoHost’s Diagnosis tool (and simply trying to reach the server via browser or ssh).

If I keep things as they are, only Juno and Kalipso are accessible. Monolith’s YunoHost Diagnosis says ports 80 and 443 are the only ones working (true, but they point to Juno, so not really).

If I disable rules 3-6 (i.e. http(s) to Juno), Monolith’s YunoHost Diagnosis says no ports are working.

The day before yesterday I disabled rules 1,3-6 and suddenly things worked as intended – all of Monolith’s needed ports were working and the reverse proxy as well.

But then yesterday late morning it suddenly stopped working – I swear I did not touch anything! – and I had to re-enable 3-6 in order to at least have the legacy webserver accessible again.

I’m frustrated and confused … some help would be very appreciated.

This is my current config:

# dec/10/2023 21:16:14 by RouterOS 6.49.10
# software id = **ELIDED**
#
# model = 2011UiAS-2HnD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] amsdu-limit=2048 band=2ghz-g/n channel-width=20/40mhz-Ce country=slovenia disabled=no distance=indoors frequency=2432 installation=\
    indoor mode=ap-bridge ssid=<redacted> station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=<redacted> wpa2-pre-shared-key=<redacted>
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=93.103.13.254/16 interface=ether1 network=93.103.0.0
/ip arp
add address=192.168.88.101 comment="Printer: EPSON L3050" interface=bridge mac-address=38:9D:92:EB:FA:0A
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.80 mac-address=6C:88:14:BC:60:A0 server=defconf
add address=192.168.88.110 mac-address=02:51:07:41:52:61 server=defconf
add address=192.168.88.71 client-id=1:0:28:f8:aa:62:b6 mac-address=00:28:F8:AA:62:B6
add address=192.168.88.111 mac-address=02:CC:06:41:F3:07 server=defconf
add address=192.168.88.70 mac-address=00:21:6A:5B:9C:46 server=defconf
add address=192.168.88.81 mac-address=F4:8C:50:79:58:EC server=defconf
add address=192.168.88.101 client-id=1:38:9d:92:eb:fa:a comment="EPSON L3050 [Printer]" mac-address=38:9D:92:EB:FA:0A server=defconf
add address=192.168.88.100 mac-address=00:22:61:3D:C1:E4 server=defconf
add address=192.168.88.60 client-id=1:cc:9f:7a:24:41:ca comment="Telefon papi" mac-address=CC:9F:7A:24:41:CA server=defconf
add address=192.168.88.61 comment="Telefon mami" mac-address=B0:A2:E7:2B:78:22 server=defconf
add address=192.168.88.63 client-id=1:2c:59:8a:70:63:e0 comment="Telefon Jost ta star" mac-address=2C:59:8A:70:63:E0 server=defconf
add address=192.168.88.62 client-id=1:d4:38:9c:a8:6c:cf comment="Telefon Matija" mac-address=D4:38:9C:A8:6C:CF server=defconf
add address=192.168.88.64 client-id=1:44:55:c4:7d:55:73 comment="Telefon Jost" mac-address=44:55:C4:7D:55:73 server=defconf
add address=192.168.88.112 client-id=ff:0:1a:79:ae:0:1:0:1:2c:f4:fc:8c:9c:6b:0:1a:79:ae mac-address=9C:6B:00:1A:79:AE server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=84.255.209.79,84.255.210.79
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.1 name=router
add address=192.168.88.1 name=io
add address=192.168.88.110 name=juno
add address=192.168.88.111 name=kalipso
add address=192.168.88.80 name=hermes
add address=192.168.88.71 name=nuit
add address=192.168.88.81 name=ducky
add address=192.168.88.70 name=kibla
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment="0 A.D. za Nuit" dst-port=20595 protocol=udp to-addresses=192.168.88.71 to-ports=20595
add action=dst-nat chain=dstnat comment="HTTP za Juno" dst-address=93.103.13.254 dst-port=80 protocol=tcp to-addresses=192.168.88.110 to-ports=80
add action=src-nat chain=srcnat comment="HTTP za Juno" dst-address=192.168.88.110 dst-port=80 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="HTTPS za Juno" dst-address=93.103.13.254 dst-port=443 protocol=tcp to-addresses=192.168.88.110 to-ports=443
add action=src-nat chain=srcnat comment="HTTPS za Juno" dst-address=192.168.88.110 dst-port=443 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="ZNC za Kalipso" dst-address=93.103.13.254 dst-port=6767 protocol=tcp to-addresses=192.168.88.111 to-ports=6767
add action=src-nat chain=srcnat comment="ZNC za Kalipso" dst-address=192.168.88.111 dst-port=6767 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Kalipso" dst-address=93.103.13.254 dst-port=22111 protocol=tcp to-addresses=192.168.88.111 to-ports=22
add action=src-nat chain=srcnat comment="SSH za Kalipso" dst-address=192.168.88.111 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Juno" dst-address=93.103.13.254 dst-port=22110 protocol=tcp to-addresses=192.168.88.110 to-ports=22
add action=src-nat chain=srcnat comment="SSH za Juno" dst-address=192.168.88.110 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat dst-port=16000 protocol=udp to-addresses=192.168.88.71 to-ports=16000
add action=dst-nat chain=dstnat comment="HTTP za Monolith" disabled=yes dst-address=93.103.13.254 dst-port=80 protocol=tcp to-addresses=192.168.88.112 to-ports=80
add action=src-nat chain=srcnat comment="HTTP za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=80 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="HTTPS za Monolith" disabled=yes dst-address=93.103.13.254 dst-port=443 protocol=tcp to-addresses=192.168.88.112 to-ports=443
add action=src-nat chain=srcnat comment="HTTPS za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=443 protocol=tcp to-addresses=192.168.88.1
add action=src-nat chain=srcnat comment="SSH za Monolith" dst-address=192.168.88.112 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Monolith" dst-address=93.103.13.254 dst-port=22 protocol=tcp to-addresses=192.168.88.112 to-ports=22
add action=src-nat chain=srcnat comment="SMTP za Monolith" dst-address=192.168.88.112 dst-port=25 protocol=tcp to-addresses=192.168.88.1 to-ports=0-65535
add action=dst-nat chain=dstnat comment="SMTP za Monolith" dst-address=93.103.13.254 dst-port=25 protocol=tcp to-addresses=192.168.88.112 to-ports=25
add action=src-nat chain=srcnat comment="SMTP (varen) za Monolith" dst-address=192.168.88.112 dst-port=587 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SMTP (varen) za Monolith" dst-address=93.103.13.254 dst-port=587 protocol=tcp to-addresses=192.168.88.112 to-ports=587
add action=src-nat chain=srcnat comment="IMAP za Monolith" dst-address=192.168.88.112 dst-port=993 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="IMAP za Monolith" dst-address=93.103.13.254 dst-port=993 protocol=tcp to-addresses=192.168.88.112 to-ports=993
add action=src-nat chain=srcnat comment="XMPP (client) za Monolith" dst-address=192.168.88.112 dst-port=5222 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="XMPP (client) za Monolith" dst-address=93.103.13.254 dst-port=5222 protocol=tcp to-addresses=192.168.88.112 to-ports=5222
add action=src-nat chain=srcnat comment="XMPP (server) za Monolith" dst-address=192.168.88.112 dst-port=5269 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="XMPP (server) za Monolith" dst-address=93.103.13.254 dst-port=5269 protocol=tcp to-addresses=192.168.88.112 to-ports=5269
/ip route
add distance=1 gateway=93.103.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=<redacted> disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl certificate=<redacted>
/ip ssh
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=io
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Or just the /ip/firewall part:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade out-interface=ether1 

 2    ;;; 0 A.D. za Nuit
      chain=dstnat action=dst-nat to-addresses=192.168.88.71 to-ports=20595 protocol=udp dst-port=20595 log=no log-prefix="" 

 3    ;;; HTTP za Juno
      chain=dstnat action=dst-nat to-addresses=192.168.88.110 to-ports=80 protocol=tcp dst-address=93.103.13.254 dst-port=80 

 4    ;;; HTTP za Juno
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.110 dst-port=80 log=no log-prefix="" 

 5    ;;; HTTPS za Juno
      chain=dstnat action=dst-nat to-addresses=192.168.88.110 to-ports=443 protocol=tcp dst-address=93.103.13.254 dst-port=443 

 6    ;;; HTTPS za Juno
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.110 dst-port=443 

 7    ;;; ZNC za Kalipso
      chain=dstnat action=dst-nat to-addresses=192.168.88.111 to-ports=6767 protocol=tcp dst-address=93.103.13.254 dst-port=6767 

 8    ;;; ZNC za Kalipso
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.111 dst-port=6767 

 9    ;;; SSH za Kalipso
      chain=dstnat action=dst-nat to-addresses=192.168.88.111 to-ports=22 protocol=tcp dst-address=93.103.13.254 dst-port=22111 

10    ;;; SSH za Kalipso
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.111 dst-port=22 

11    ;;; SSH za Juno
      chain=dstnat action=dst-nat to-addresses=192.168.88.110 to-ports=22 protocol=tcp dst-address=93.103.13.254 dst-port=22110 

12    ;;; SSH za Juno
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.110 dst-port=22 

13    chain=dstnat action=dst-nat to-addresses=192.168.88.71 to-ports=16000 protocol=udp dst-port=16000 log=no log-prefix="" 

14    ;;; HTTP za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=80 protocol=tcp dst-address=93.103.13.254 dst-port=80 log=no log-prefix="" 

15    ;;; HTTP za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=80 log=no log-prefix="" 

16    ;;; HTTPS za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=443 protocol=tcp dst-address=93.103.13.254 dst-port=443 log=no log-prefix="" 

17    ;;; HTTPS za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=443 log=no log-prefix="" 

18    ;;; SSH za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=22 log=no log-prefix="" 

19    ;;; SSH za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=22 protocol=tcp dst-address=93.103.13.254 dst-port=22 log=no log-prefix="" 

20    ;;; SMTP za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 to-ports=0-65535 protocol=tcp dst-address=192.168.88.112 dst-port=25 log=no log-prefix="" 

21    ;;; SMTP za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=25 protocol=tcp dst-address=93.103.13.254 dst-port=25 log=no log-prefix="" 

22    ;;; SMTP (varen) za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=587 log=no log-prefix="" 

23    ;;; SMTP (varen) za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=587 protocol=tcp dst-address=93.103.13.254 dst-port=587 log=no log-prefix="" 

24    ;;; IMAP za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=993 log=no log-prefix="" 

25    ;;; IMAP za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=993 protocol=tcp dst-address=93.103.13.254 dst-port=993 log=no log-prefix="" 

26    ;;; XMPP (client) za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=5222 log=no log-prefix="" 

27    ;;; XMPP (client) za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=5222 protocol=tcp dst-address=93.103.13.254 dst-port=5222 log=no log-prefix="" 

28    ;;; XMPP (server) za Monolith
      chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp dst-address=192.168.88.112 dst-port=5269 log=no log-prefix="" 

29    ;;; XMPP (server) za Monolith
      chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=5269 protocol=tcp dst-address=93.103.13.254 dst-port=5269 log=no log-prefix=""

Puissance is always fearful. What is more to be feared is lack of mastery of the power one has at hand.


> add action=dst-nat chain=dstnat comment="HTTP za Monolith" disabled=yes dst-address=93.103.13.254 dst-port=80 protocol=tcp to-addresses=192.168.88.112 to-ports=80
> add action=src-nat chain=srcnat comment="HTTP za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=80 protocol=tcp to-addresses=192.168.88.1

I stopped reading when I got to all of these pairs. One does **not** set up srcnat/dstnat pairs for port forwarding. The regular srcnat rule (line 119 in your config) works fine for everything. Only the dstnat is required.

As to your problems with some things working until a later time when they mysteriously fail, the usual cause of that is having active connections at the time of a change, which causes them to keep using the old rules until they're dropped and restarted. The simple fix for this is to reboot between significant changes to ensure that everything makes use of the new rules. There are more complicated alternatives that let you keep the router running, but I can tell that's more complexity than you were wanting to get into just now.

You are doing hairpin NAT, that’s often an issue but a casual review shows this is fine.

I see that the HTTPS rule for Monolith is disabled. Did you enable it when you had disabled the other rules?

The test you mention, does it run from the inside or from the outside?

I will read the config in details later.

Some rules that I find strange -

add action=src-nat chain=srcnat comment="SMTP za Monolith" dst-address=192.168.88.112 dst-port=25 protocol=tcp to-addresses=192.168.88.1 to-ports=0-65535

to-ports is not needed

Trying from the Internet, I see the following. Can you check on the server that all the services are running and ports are open?

  • Connection to TCP/5222 - connection refused
  • Connection to TCP/5223 - no reply (expected, not in your NAT)
  • Connection to TCP/5269 - connection refused

Thank you all for your feedback. I’m currently away from my router, but will update you during the weekend, when I will have had time to try it out.

If those paired srcnat/dstnat rules are meant to implement hairpinning as @vingjfg suggests, you should redo it as the docs show. I would add comments to each rule, too, explaining why you need two rules to get port forwarding to work when one suffices in many normal cases. Hairpin NAT isn’t always required.
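The rule pair the previous posts are objecting to (a dst-nat rule plus an unrestricted src-nat rule to 192.168.88.1) is the hairpin-NAT pattern done without a source restriction, so it rewrites the source of every connection to that port, including connections from the Internet, and the server then logs 192.168.88.1 as the client for everyone. The following is an added example, not code from the thread, written in the shape the MikroTik hairpin-NAT documentation uses and filled in with the addresses from the posted config (public 93.103.13.254, LAN 192.168.88.0/24, Monolith 192.168.88.112, bridge interface `bridge`); it shows one service (HTTPS), and the other forwarded ports follow the same two-rule shape:

```routeros
# Added example (not from the thread): port forward plus hairpin NAT for one service.
# Assumed values: public IP 93.103.13.254, LAN 192.168.88.0/24, Monolith 192.168.88.112,
# LAN-side interface "bridge" (all taken from the config posted earlier in the thread).
/ip firewall nat

# 1) Port forward. This single dst-nat rule is all that clients on the Internet need;
#    the default "masquerade" rule on the WAN list already handles their return path.
add chain=dstnat dst-address=93.103.13.254 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.112 to-ports=443 comment="HTTPS za Monolith (port forward)"

# 2) Hairpin. Only needed for LAN clients that reach the server via the public address.
#    src-address=192.168.88.0/24 limits the rewrite to those clients, so connections from
#    the Internet keep their real source IP in the server's logs (fail2ban, audit trails).
#    masquerade on out-interface=bridge makes the server answer via the router instead of
#    replying directly to the client, which would otherwise see a reply from an unexpected
#    address and drop it.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.112 protocol=tcp dst-port=443 out-interface=bridge action=masquerade comment="HTTPS za Monolith (hairpin)"
```

Two things worth checking before copying this: the config has a DHCP client on ether1 alongside the static 93.103.13.254 address, so if the ISP ever hands out a different lease, every rule that matches on `dst-address=93.103.13.254` silently stops matching; matching on `in-interface-list=WAN dst-address-type=local` instead keeps the forward tied to whatever address the WAN port currently has. And after changing NAT rules, existing connections keep their old translation until they time out, which is the reboot point raised earlier in the thread.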

Now that I (re-)read about hairpin NAT that does sound like what I was trying to do those years ago. I just didn’t know this is what it’s called. When I was setting it up originally I spent a long time reading MikroTik Wiki and other resources to get it to work … but as network engineering is far far away from my day-to-day work and expertise, I since forgot most of it.

If there is an easier solution I’m fine with that too. It’s not paramount, but e.g. for sharing larger files over Nextcloud, it does not make sense to me that since most clients/PCs are very often on the same LAN as the server, that the traffic would have to make a long and slower trip.

https://forum.mikrotik.com/viewtopic.php?t=179343

I think I managed to get it to run how I would like it to. But would really appreciate if anyone would point it out, if there’s anything stupid below:

# dec/22/2023 01:57:12 by RouterOS 6.49.10
# software id = **ELIDED**
#
# model = 2011UiAS-2HnD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] amsdu-limit=2048 band=2ghz-g/n channel-width=20/40mhz-Ce country=slovenia disabled=no distance=indoors frequency=2432 installation=\
    indoor mode=ap-bridge ssid=**ELIDED** station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=**ELIDED** wpa2-pre-shared-key=**ELIDED**
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=93.103.13.254/16 interface=ether1 network=93.103.0.0
/ip arp
add address=192.168.88.101 comment="Printer: EPSON L3050" interface=bridge mac-address=38:9D:92:EB:FA:0A
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.80 comment="Merlin (laptop, ThinkPad X230)" mac-address=6C:88:14:BC:60:A0 server=defconf
add address=192.168.88.110 comment="Juno (web server, v odhodu)" mac-address=02:51:07:41:52:61 server=defconf
add address=192.168.88.71 client-id=1:0:28:f8:aa:62:b6 comment="Nuit (desktop v kabinetu)" mac-address=00:28:F8:AA:62:B6
add address=192.168.88.111 comment="Kalipso (backup & IRC server, v odhodu)" mac-address=02:CC:06:41:F3:07 server=defconf
add address=192.168.88.70 comment="Kibla (laptop, Toshiba)" mac-address=00:21:6A:5B:9C:46 server=defconf
add address=192.168.88.81 comment="Gerfault (laptop, Dell Latitude)" mac-address=F4:8C:50:79:58:EC server=defconf
add address=192.168.88.101 client-id=1:38:9d:92:eb:fa:a comment="Epson L3050 (printer)" mac-address=38:9D:92:EB:FA:0A server=defconf
add address=192.168.88.100 comment="Roberts (radio v kuhinji)" mac-address=00:22:61:3D:C1:E4 server=defconf
add address=192.168.88.61 client-id=1:44:55:c4:7d:55:73 comment="telefon (Huawei, Jost)" mac-address=44:55:C4:7D:55:73 server=defconf
add address=192.168.88.112 client-id=ff:0:1a:79:ae:0:1:0:1:2c:f4:fc:8c:9c:6b:0:1a:79:ae comment="Monolith (glavni server)" mac-address=9C:6B:00:1A:79:AE server=\
    defconf
add address=192.168.88.62 client-id=1:84:cf:bf:92:55:bc comment="telefon (Fairphone 3, mami)" mac-address=84:CF:BF:92:55:BC server=defconf
add address=192.168.88.63 client-id=1:84:cf:bf:92:81:77 comment="telefon (Fairphone 3+, Matija)" mac-address=84:CF:BF:92:81:77 server=defconf
add address=192.168.88.82 client-id=1:c4:23:60:ff:12:2a comment="Leza (laptop, Slimbook)" mac-address=C4:23:60:FF:12:2A server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=84.255.209.79,84.255.210.79
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.1 name=router
add address=192.168.88.1 name=io
add address=192.168.88.110 name=juno
add address=192.168.88.111 name=kalipso
add address=192.168.88.80 name=hermes
add address=192.168.88.71 name=nuit
add address=192.168.88.81 name=gerfault
add address=192.168.88.70 name=kibla
add address=192.168.88.112 name=monolith
add address=192.168.88.111 comment="tmp na Kalipso" disabled=yes name=xmarksthespot.wheremymonkeyis.at
add address=192.168.88.110 comment="tmp na Juno" name=thatfunkyplace.wheremymonkeyis.at
add address=192.168.88.112 name=monolith.wheremymonkeyis.at
add address=192.168.88.110 comment="tmp na Juno" name=matija.suklje.name
add address=192.168.88.111 comment="tmp na Kalipso" name=thereisalwaysaparty.wheremymonkeyis.at
add address=192.168.88.110 comment="tmp na Juno" name=matija.xn--uklje-udb.name
add address=192.168.88.112 name=bigwhoop.wheremymonkeyis.at
add address=192.168.88.112 name=getbananas.wheremymonkeyis.at
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment="0 A.D. za Nuit" dst-port=20595 protocol=udp to-addresses=192.168.88.71 to-ports=20595
add action=dst-nat chain=dstnat comment="HTTP za Juno" disabled=yes dst-address=93.103.13.254 dst-port=80 protocol=tcp to-addresses=192.168.88.110 to-ports=80
add action=src-nat chain=srcnat comment="HTTP za Juno" disabled=yes dst-address=192.168.88.110 dst-port=80 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="HTTPS za Juno" disabled=yes dst-address=93.103.13.254 dst-port=443 protocol=tcp to-addresses=192.168.88.110 to-ports=443
add action=src-nat chain=srcnat comment="HTTPS za Juno" disabled=yes dst-address=192.168.88.110 dst-port=443 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="ZNC za Kalipso" dst-address=93.103.13.254 dst-port=6767 protocol=tcp to-addresses=192.168.88.111 to-ports=6767
add action=src-nat chain=srcnat comment="ZNC za Kalipso" disabled=yes dst-address=192.168.88.111 dst-port=6767 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Kalipso" dst-address=93.103.13.254 dst-port=22111 protocol=tcp to-addresses=192.168.88.111 to-ports=22
add action=src-nat chain=srcnat comment="SSH za Kalipso" dst-address=192.168.88.111 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Juno" dst-address=93.103.13.254 dst-port=22110 protocol=tcp to-addresses=192.168.88.110 to-ports=22
add action=src-nat chain=srcnat comment="SSH za Juno" disabled=yes dst-address=192.168.88.110 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat dst-port=16000 protocol=udp to-addresses=192.168.88.71 to-ports=16000
add action=dst-nat chain=dstnat comment="HTTP za Monolith" dst-address=93.103.13.254 dst-port=80 protocol=tcp to-addresses=192.168.88.112 to-ports=80
add action=src-nat chain=srcnat comment="HTTP za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=80 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="HTTPS za Monolith" dst-address=93.103.13.254 dst-port=443 protocol=tcp to-addresses=192.168.88.112 to-ports=443
add action=src-nat chain=srcnat comment="HTTPS za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=443 protocol=tcp to-addresses=192.168.88.1
add action=src-nat chain=srcnat comment="SSH za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=22 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SSH za Monolith" dst-address=93.103.13.254 dst-port=22 protocol=tcp to-addresses=192.168.88.112 to-ports=22
add action=src-nat chain=srcnat comment="SMTP za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=25 protocol=tcp to-addresses=192.168.88.1 to-ports=0-65535
add action=dst-nat chain=dstnat comment="SMTP za Monolith" dst-address=93.103.13.254 dst-port=25 protocol=tcp to-addresses=192.168.88.112 to-ports=25
add action=src-nat chain=srcnat comment="SMTP (varen) za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=587 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="SMTP (varen) za Monolith" dst-address=93.103.13.254 dst-port=587 protocol=tcp to-addresses=192.168.88.112 to-ports=587
add action=src-nat chain=srcnat comment="IMAP za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=993 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="IMAP za Monolith" dst-address=93.103.13.254 dst-port=993 protocol=tcp to-addresses=192.168.88.112 to-ports=993
add action=src-nat chain=srcnat comment="XMPP (client) za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=5222 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="XMPP (client) za Monolith" dst-address=93.103.13.254 dst-port=5222 protocol=tcp to-addresses=192.168.88.112 to-ports=5222
add action=src-nat chain=srcnat comment="XMPP (server) za Monolith" disabled=yes dst-address=192.168.88.112 dst-port=5269 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="XMPP (server) za Monolith" dst-address=93.103.13.254 dst-port=5269 protocol=tcp to-addresses=192.168.88.112 to-ports=5269
/ip route
add distance=1 gateway=93.103.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=**ELIDED** disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl certificate=**ELIDED**
/ip ssh
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
/lcd
set flip-screen=yes
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=io
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The only pain so far is that whenever I add a new subdomain to YunoHost, I need to add a static DNS entry into the router too. But I guess once I’ve migrated from Juno and Kalipso, I can turn all those subdomain entries into a single wildcard entry.

Also, YunoHost complains about not having a reverse DNS and I cannot figure out how to set that up.
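The static DNS entries in the config above are what make the setup work without hairpin NAT: LAN clients resolve the public host names to 192.168.88.112 directly (split-horizon DNS), so their traffic never has to go out and come back through the public address. The "single wildcard entry" mentioned above exists in RouterOS as a `regexp` static entry. The following is an added example, not part of the posted config; the domain `wheremymonkeyis.at` and the addresses are taken from the config, and it assumes the migration off Juno and Kalipso has already happened so that everything under that domain lives on Monolith:

```routeros
# Added example (not from the posted config): one regexp entry in place of a static
# entry per YunoHost subdomain. Assumes all *.wheremymonkeyis.at hosts now live on
# Monolith (192.168.88.112). A regexp entry takes regexp= instead of name=; the
# backslashes escape the dots so they match literally, and "$" anchors the match
# at the end of the name so it cannot match unrelated names containing this string.
/ip dns static
add regexp="^.*\\.wheremymonkeyis\\.at\$" address=192.168.88.112 comment="wildcard -> Monolith"

# Until the migration is complete, keep the exact-name entries for hosts that are
# still on Juno / Kalipso alongside the regexp, e.g.
add name=matija.suklje.name address=192.168.88.110 comment="tmp na Juno"
```

After adding the regexp, verify from a LAN client with the same `nslookup` form used later in this thread (`nslookup <host> 192.168.88.1`) that a name still meant for Juno or Kalipso resolves to .110/.111 and a new YunoHost subdomain resolves to .112 without its own static entry. The reverse-DNS warning is a separate matter: the PTR record for 93.103.13.254 lives in the ISP's in-addr.arpa zone, so nothing in the router config can satisfy it.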

I am very thankful for the reply, @wfburton, but I am having a hard time understanding it properly. I blame my inexperience with networking …

nslookup monolith.wheremymonkeyis.at 192.168.88.1

produces the following, when run from within the same ((W)LAN) network as the server:

Server:         192.168.88.1
Address:        192.168.88.1#53

Non-authoritative answer:
Name:   monolith.wheremymonkeyis.at
Address: 192.168.88.112

and

nslookup -q=SOA monolith.wheremymonkeyis.at 192.168.88.1

gives the following:

Server:         192.168.88.1
Address:        192.168.88.1#53

Non-authoritative answer:
*** Can't find monolith.wheremymonkeyis.at: No answer

Authoritative answers can be found from:

And finally,

ping monolith.wheremymonkeyis.at

from the server itself (= monolith), oddly enough gives me:

PING monolith.wheremymonkeyis.at(monolith.wheremymonkeyis.at (fe80::9e6b:ff:fe1a:79ae%enp3s0)) 56 data bytes
64 bytes from monolith.wheremymonkeyis.at (fe80::9e6b:ff:fe1a:79ae%enp3s0): icmp_seq=1 ttl=64 time=0.055 ms
64 bytes from monolith.wheremymonkeyis.at (fe80::9e6b:ff:fe1a:79ae%enp3s0): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from monolith.wheremymonkeyis.at (fe80::9e6b:ff:fe1a:79ae%enp3s0): icmp_seq=3 ttl=64 time=0.028 ms
64 bytes from monolith.wheremymonkeyis.at (fe80::9e6b:ff:fe1a:79ae%enp3s0): icmp_seq=4 ttl=64 time=0.031 ms

From then on, I admit, I am lost as to what you tried to have me do :]

Regarding Reverse DNS, it seems what I need to do is to contact my ISP and have them change that entry on their side. It’ll cost me some change, but it should be a one-and-done affair.

Thanks everyone for helping me here :)