Hello Mikrotik User 
just got a Mikrotik hex and iam really impressed with the capabilities of this small thing.
But i cant seem to figure out how to configure this for my use.
What i want is the following:
Ethernet1/Wan is connected to my firewall
Ethernet 1-4 should work like a switch
Ethernet5 should be connected to my webserver which runs on a diffrent network i want to reach this one from port 4088.
I hope what i wrote is somewhat understandable.
Thanks for any advice.
Yes,
please post your config to see what is currently attempted.
/export hide-sensitive file=anynameyouwish
Think the Portforwarding should work like this i can test it next week.
I disabled the ports which should act like a switch.
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.214.10-192.168.214.254
add name=dhcp_pool1 ranges=192.168.214.2-192.168.214.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether5 name=dhcp1
/interface bridge port
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.214.1/24 comment=defconf interface=ether5 network=\
192.168.214.0
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.214.0/24 comment=defconf gateway=192.168.214.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.38.4.2
/ip dns static
add address=192.168.214.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface-list=WAN out-interface-list=LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.38.25.31 dst-port=4880 log=yes \
protocol=tcp to-addresses=192.168.214.160 to-ports=4880
add action=masquerade chain=srcnat dst-address=192.168.214.160 dst-port=4880 \
out-interface=ether5 protocol=tcp src-address=10.38.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=10.38.25.31 dst-port=4899 \
protocol=tcp to-addresses=192.168.214.160 to-ports=0-65535
/ip route
add distance=1 gateway=10.38.10.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all memory-scroll=no only-headers=yes
Thanks for your help.
I’m no expert but, I thought disabling those ports would turn them off completely.
Also, you have set disable=yes to several important firewall rules.
Firewall is cripled beyond any usable protection simply because of first (top-most) rule allowing just any connection from WAN towards LAN.
Not impressed that you made changes not knowing what you are doing.
Reset back to defaults on the firewall and ask from help from there.
Okay i restored the default settings.
thats not really a problem because the WAN port is conected to a lokal network.
The lokal network is already protected by a sophos firewall.
I only need the hex for portforwarding and access to the lokal network.
That was my intention because i could not get these port to work like a switch i thought it would be best to disable them.
Well, I missed the fact you’re using the device inside LAN.
To achieve what you want it would best to configure device from scratch like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4088 in-interface=<bridge> to-addresses=<WEB server address>
/ip firewall nat
add action=src-nat chain=srcnat in-interface=<bridge> dst-address=<WEB server address> to-addresses=<address of router in server's subnet>
There are additional tasks to be done if you want to restrict management access to router or if you want to restrict connections between both subnets.
Thanks alot this works.
Why NAT to the web server from Inside? You should be able to simply route to it.
That came to my mind also so for exercise iam trying this approach too.
I still neet to get used to Mikrotik.
I configured a static route on my Sophos to route all requests for 192.168.214.xxx/24 to the Mikrotik hex on 10.38.25.31/16.
A tracert from 10.38.x.x/16 to 192.168.214.x shows the redirection to the Mikrotik hex works.
I can ping everything from the Mikrotik subnet but can’t ping the Computer from my Sophos network.
Do i need some kind of Masquarade on the Mikrotik?
Check firewall on the Computer … some OSes (Windows most notably) consider anything but it’s own subnet to be evil internet and block pings originating from other networks.
I turned the Firewall on the Computer off completly still no response.
There are no acive FW rules only a Masquarade on th WAN port
What is server’s default gateway IP address? You can only route traffic from Sophos network via MT is either server or its default gateway know to use RB as gateway towards Sophos network.
I want to route from Sophos network to Mk network.
Mikrotik bridge IP: 10.38.25.31
MIkrotik bridge GW: 10.38.10.1/16
Mikrotik ethernet 5 DHCP server: 192.168.214.1
Server IP: 192.168.214.20
GW:192.168.214.1
I found this. https://wiki.mikrotik.com/wiki/Manual:Simple_Static_Routing
this is basically what iam trying to do.
Router 1 is my Sophos Network.
Router 2 is MT Network.
I can ping Client LAN1 from Client1 Lan2
but can the other way around
In the linked page, note the “routing subnet” between router1 and router2 … it is important and makes life of both routers easier. The thing is that in usual SOHO networks router1 runs a stateful firewall as well … and this firewall can trip if it doesn’t see traffic in both directions. Which happens if router2 “WAN” address is directly part of router1 “LAN” subnet.
The other thing is (potential) firewall running on router2 … so please post actual running config of mikrotik again (run /export file=anynameyouwish and copy-paste contents of that file).
# jan/01/2002 02:28:45 by RouterOS 6.47.9
# software id = LVL6-6NB9
#
# model = RB750Gr3
# serial number = CC210CD3A5AF
/interface list
add comment=192.168.214.x name=LAN2
add comment=10.38.x.x name=LAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip settings
set accept-redirects=yes accept-source-route=yes
/interface list member
add interface=ether1 list=LAN1
add interface=ether5 list=LAN2
/ip address
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
add address=192.168.214.1/24 interface=ether5 network=192.168.214.0
add address=10.38.25.31 interface=ether1 network=10.38.25.31
add address=192.168.214.1/24 interface=ether2 network=192.168.214.0
/ip dns
set servers=10.38.4.2
/ip route
add check-gateway=ping distance=1 dst-address=10.38.0.0/16 gateway=ether1
add distance=1 dst-address=10.38.10.1/32 gateway=ether1
/tool user-manager database
set db-path=flash/user-manager
After this i created a masquarading srcnat rule on ether 1.
Now i can ping the 10.38.x.x network from the 192.168.214.x
but not the other way around
There are a few errors in your configuration:
The last error (routing) was probably not a show stopper for your particular problem.
Regarding your last change (adding NAT): it may or may not be necessary, but that entirely depends on settings of sophos router/firewall: