NOOB Route or srcnat ro dst nat issue

Sir or Madame … Madame or Sir,

I’m brand new to Mikrotik and detailed router/firewall configuration. I recently received 5 static IPs from my Internet provider and I’d like to implement WAN port to service provider, a DMZ, a BitCoin mining subnet, an unassigned subnet and a subnet that services my wireless home infrastructure (An ASUS RT-N66U). To accomplish this task I’ve procured a RB750GL and am in the midst fo setting up the RouterOS to service my various networking / firewalling desires. However, I seem to be stuck in a place where things aren’t working. The IPs assigned to my interfaces are ether1 :: 75.<REAL_IP>.<REAL_IP>.[129-133] with DG of .128, ether2 :: 192.168.119.0/24, ether3 :: 192.168.120.0/24, ether4 :: 192.168.121.0/24 and , ether5 :: 192.168.122.0/24. I’ve verified DHCP is working as expected on ether[2-5] and that on each of those interfaces I can set an IP on an attached resource and see the router AS WELL AS let DHCP assign an IP and see the router. I have verified my staic IPs work and that the DG is truly / accurately For reference the logical layout of my infrastructure is ::

ComCast SMC cable router → RB750GL with 5 static IPs on ether1 and RFC1918 addys on ether[2-5] → RFC1918 assigned devices

The specifics of my RB750GL are RouterOS 5.20 Firmware 3.0 and my configuration backup export is →

# jan/02/1970 01:58:49 by RouterOS 5.20
# software id = EZEF-GBRZ
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "WAN / internet Interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9A master-port=none mtu=1500 name=ether1 \
    speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Web services interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9B master-port=none mtu=1500 name=ether2 \
    speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "BTC mining activity interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9C master-port=none mtu=1500 name=ether3 \
    speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Unassigned activities interface." disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9D master-port=none mtu=1500 name=ether4 \
    speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Home network interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9E master-port=none mtu=1500 name=ether5 \
    speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=192.168.119.50-192.168.119.254
add name=dhcp_pool2 ranges=192.168.120.50-192.168.120.254
add name=dhcp_pool3 ranges=192.168.121.50-192.168.121.254
add name=dhcp_pool4 ranges=192.168.122.50-192.168.122.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether2 lease-time=7w1d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether3 lease-time=7w1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether4 lease-time=7w1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether5 lease-time=7w1d name=dhcp4
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:20:F6:14:31:F9 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=75.<REAL_IP>.<REAL_IP>.129/29 comment=\
    "First usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.130/29 comment=\
    "Second usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.131/29 comment=\
    "Third usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.132/29 comment=\
    "Fourth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.133/29 comment=\
    "Fifth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=192.168.119.1/24 comment="Web services subnet" disabled=no \
    interface=ether2 network=192.168.119.0
add address=192.168.120.1/24 comment="BTC mining subnet" disabled=no \
    interface=ether3 network=192.168.120.0
add address=192.168.121.1/24 comment="Unassigned subnet" disabled=no \
    interface=ether4 network=192.168.121.0
add address=192.168.122.1/24 comment="Home network subnet" disabled=no \
    interface=ether5 network=192.168.122.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.119.0/24 dhcp-option="" dns-server=4.2.2.2 gateway=\
    192.168.119.1 ntp-server="" wins-server=""
add address=192.168.120.0/24 dhcp-option="" dns-server=4.2.2.2 gateway=\
    192.168.120.1 ntp-server="" wins-server=""
add address=192.168.121.0/24 dhcp-option="" dns-server=4.2.2.2 gateway=\
    192.168.121.1 ntp-server="" wins-server=""
add address=192.168.122.0/24 dhcp-option="" dns-server=4.2.2.2 gateway=\
    192.168.122.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=68.87.68.162
/ip firewall address-list
add address=192.168.119.0/24 disabled=no list="Web services subnet"
add address=192.168.120.0/24 disabled=no list="BTC mining subnet"
add address=192.168.121.0/24 disabled=no list="Unassigned subnet"
add address=192.168.122.0/24 disabled=no list="Home network subnet"
add address=192.168.123.0/24 disabled=no list="Asus BlackKnight subnet"
add address=75.<REAL_IP>.<REAL_IP>.128/29 disabled=no list="ComCast allocated static IPs"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment=\
    "Drop invlaid connections in the forward chain" connection-state=invalid \
    disabled=no
add action=drop chain=input comment=\
    "Drop invlaid connections in the input chain" connection-state=invalid \
    disabled=no
add action=accept chain=input comment=\
    "Accept traffic to RB from home network subnet" disabled=no \
    src-address-list="Home network subnet"
add action=accept chain=input comment=\
    "Accept traffic to RB from wireless subnet" disabled=no src-address-list=\
    "Asus BlackKnight subnet"
add action=accept chain=input comment="Accept traffic returned to the RB that \
    was established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept traffic related to the RB connec\
    tins that were established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=related disabled=no
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our web services network to the world" \
    connection-state=new disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our web services network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Web services subnet"
add action=accept chain=forward comment="Allow established connections FROM ou\
    r web services network to the world" connection-state=established \
    disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our BTC mining network to the world" \
    connection-state=new disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our BTC mining network to the world" \
    connection-state=related disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our BTC mining network to the world" \
    connection-state=established disabled=no src-address-list=\
    "BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our unallocated network to the world" \
    connection-state=new disabled=no src-address-list="Unassigned subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our unallocated network to the world" \
    connection-state=related disabled=no src-address-list="Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our unallocated network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our Home network to the world" \
    connection-state=new disabled=no src-address-list="Home network subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our Home network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our Home network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=input comment="Allow new connections FROM the world TO\
    \_the IPs and ports used for the DstNat rules to forward web services to t\
    he web services subnet" connection-state=new disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow established connections FROM th\
    e world TO the IPs and ports used for the DstNat rules to forward web serv\
    ices to the web services subnet" connection-state=established disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow related connections FROM the wo\
    rld TO the IPs and ports used for the DstNat rules to forward web services\
    \_to the web services subnet" connection-state=related disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=drop chain=input comment=\
    "Haven't matched any accept rule so drop what remains on the input chain" \
    disabled=no
add action=drop chain=forward comment="Haven't matched any accept rule so drop\
    \_what remains on the forward chain" disabled=no
/ip firewall nat
add action=src-nat chain=srcnat comment="All internet traffic from the Home ne\
    twork subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.133" disabled=no \
    src-address-list="Home network subnet" to-addresses=75.<REAL_IP>.<REAL_IP>.133
add action=src-nat chain=srcnat comment="All internet traffic from the unalloc\
    ated network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.132" \
    disabled=no src-address-list="Unassigned subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.132
add action=src-nat chain=srcnat comment="All internet traffic from the BitCoin\
    \_mining network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.131" \
    disabled=no src-address-list="BTC mining subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.131
add action=src-nat chain=srcnat comment="All internet traffic from the web ser\
    vices IP 192.168.119.2 will look like it heads out over 75.<REAL_IP>.<REAL_IP>.129.  T\
    his is so the return traffic heads out the same IP on which it came in." \
    disabled=no src-address=192.168.119.2 to-addresses=75.<REAL_IP>.<REAL_IP>.129
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    80 web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=80 to-addresses=\
    192.168.119.2 to-ports=80
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    443 SSL web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=443 to-addresses=\
    192.168.119.2 to-ports=443
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound UDP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=udp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    25 SMTP traffic to PostFix mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=25 to-addresses=\
    192.168.119.2 to-ports=25
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    465 SMTPS traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=465 \
    to-addresses=192.168.119.2 to-ports=465
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    993 IMAPS traffic to imaps server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=993 to-addresses=\
    192.168.119.2 to-ports=993
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    143 IMAP traffic to imap server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=143 to-addresses=\
    192.168.119.2 to-ports=143
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    587 SMTP submission traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=587 \
    to-addresses=192.168.119.2 to-ports=587
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    110 POP3 traffic to POP3 mail server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=110 to-addresses=\
    192.168.119.2 to-ports=110
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    995 POP3S traffic to POP3S mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=995 to-addresses=\
    192.168.119.2 to-ports=995
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=75.<REAL_IP>.<REAL_IP>.128 \
    scope=30 target-scope=10
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=HomeBorder
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=50.19.122.125 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
    "" filter-mac-address="" filter-mac-protocol="" filter-port="" \
    filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
    only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

I believe I must be missing a route or I’ve got a nat that is borked but I can’t seem to find it. Any help is GREATLY appreciated. Just to be clear, the problem is that when I startup my laptop and connect to my wireless network I can get to the RB750 and use Winbox but I cannot get to the internet. As well, a linux box I have placed on ehter2 on my web services network also cannot get out to the internet.

Thanks in advance,

James

Did your ISP tell you to use .128 as the gateway? Typically that would be the network address in this type of config and .135 would be the broadcast address. That leaves .134 on that subnet (which they didn’t say you could use) so maybe that is the real gateway.

CelticComms,

Currently those 5 static IPs are attached to a NIC on a Linux box hung off the SMC cable router. I’m pretty sure that .128 is the DG that is working now and I think that’s the DG I set on my laptop last night to verify functionality of the static IPs (me thinks :-). Since I’m at the office right now I’ll have to check that tonight. I used route –n to get that info from my Ubuntu box. Thanks so much for your reply and I’ll get this info for you this evening or tomorrow at the latest.

James

Whatever the gateway is meant to be try pinging it (/Tools/Ping) from the routerboard and see if you get an ARP entry for the IP (/IP Arp).

CelticComms,

You were correct, .134 IS the gateway. Nonetheless I still cannot get out to the world from any of the RFC918 networks I have assigned to ether[2-5]. Do my NATs look correct?

James

They are close although I would specify the out-interface on each one since only that traffic should be SRC NATed.

Can you:

1. Check that you can ping the gateway from the router.
2. Ping 8.8.8.8 from a LAN device and use Torch to look at both the ingress (LAN) and egress (WAN) interfaces to see how far the traffic is getting and whether it is being SRC NATed outbound.

CelticComms,

I can successfully ping the .134 gateway using the winbox ping tool. Wifey told me to cease and desist for the night so I’ll have to the torch thing tomorrow. Thanks for all you help.

James

CelticComms,

From the ping tool on the RB750 I can successfully ping 4.2.2.2 as well ast my .134 gateway. From this I believe my router is talking to the world successfully. Since wifey is not home yet I am able to connect up my wireless router to my 192.168.122.0/24 network and then my laptop wirelessly to my wireless network and attempt a pint to 4.2.2.2 . When I did this I ran the Torch tool for ether5 and I could see it sending traffic to 4.2.2.2 but never receiving anything back. I then ran Torch on ether1 and I could see 4.2.2.2 replying to my 75.<REAL_IP>.<REAL_IP>.133 address but on my laptop the ping did not reply and there was no indication that the traffic ever got handed off to my 192.168.122.0/24 network. I though I might have missed a dstnat so I put a new one in to forward anything from 75.<REAL_IP>.<REAL_IP>.133 to 192.168.122.2 (My wireless router WAN interface but still it did not work. For your reference here’s my router’s current config →

# jan/02/1970 01:14:21 by RouterOS 5.20
# software id = EZEF-GBRZ
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "WAN / internet Interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9A master-port=none mtu=1500 name=ether1 \
    speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Web services interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9B master-port=none mtu=1500 name=ether2 \
    speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "BTC mining activity interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9C master-port=none mtu=1500 name=ether3 \
    speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Unassigned activities interface." disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9D master-port=none mtu=1500 name=ether4 \
    speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Home network interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9E master-port=none mtu=1500 name=ether5 \
    speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=192.168.119.50-192.168.119.254
add name=dhcp_pool2 ranges=192.168.120.50-192.168.120.254
add name=dhcp_pool3 ranges=192.168.121.50-192.168.121.254
add name=dhcp_pool4 ranges=192.168.122.50-192.168.122.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether2 lease-time=7w1d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether3 lease-time=7w1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether4 lease-time=7w1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether5 lease-time=7w1d name=dhcp4
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:98:A5:5B:B7:68 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=75.<REAL_IP>.<REAL_IP>.129/29 comment=\
    "First usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.130/29 comment=\
    "Second usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.131/29 comment=\
    "Third usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.132/29 comment=\
    "Fourth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.133/29 comment=\
    "Fifth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=192.168.119.1/24 comment="Web services subnet" disabled=no \
    interface=ether2 network=192.168.119.0
add address=192.168.120.1/24 comment="BTC mining subnet" disabled=no \
    interface=ether3 network=192.168.120.0
add address=192.168.121.1/24 comment="Unassigned subnet" disabled=no \
    interface=ether4 network=192.168.121.0
add address=192.168.122.1/24 comment="Home network subnet" disabled=no \
    interface=ether5 network=192.168.122.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.119.0/24 dhcp-option="" dns-server=192.168.119.1 gateway=\
    192.168.119.1 ntp-server="" wins-server=""
add address=192.168.120.0/24 dhcp-option="" dns-server=192.168.120.1 gateway=\
    192.168.120.1 ntp-server="" wins-server=""
add address=192.168.121.0/24 dhcp-option="" dns-server=192.168.121.1 gateway=\
    192.168.121.1 ntp-server="" wins-server=""
add address=192.168.122.0/24 dhcp-option="" dns-server=192.168.122.1 gateway=\
    192.168.122.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=68.87.74.162
/ip firewall address-list
add address=192.168.119.0/24 disabled=no list="Web services subnet"
add address=192.168.120.0/24 disabled=no list="BTC mining subnet"
add address=192.168.121.0/24 disabled=no list="Unassigned subnet"
add address=192.168.122.0/24 disabled=no list="Home network subnet"
add address=192.168.123.0/24 disabled=no list="Asus BlackKnight subnet"
add address=75.<REAL_IP>.<REAL_IP>.128/29 disabled=no list="ComCast allocated static IPs"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment=\
    "Drop invlaid connections in the forward chain" connection-state=invalid \
    disabled=no
add action=drop chain=input comment=\
    "Drop invlaid connections in the input chain" connection-state=invalid \
    disabled=no
add action=accept chain=input comment=\
    "Accept traffic to RB from home network subnet" disabled=no \
    src-address-list="Home network subnet"
add action=accept chain=input comment=\
    "Accept traffic to RB from wireless subnet" disabled=no src-address-list=\
    "Asus BlackKnight subnet"
add action=accept chain=input comment="Accept traffic returned to the RB that \
    was established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept traffic related to the RB connec\
    tins that were established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=related disabled=no
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our web services network to the world" \
    connection-state=new disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our web services network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Web services subnet"
add action=accept chain=forward comment="Allow established connections FROM ou\
    r web services network to the world" connection-state=established \
    disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our BTC mining network to the world" \
    connection-state=new disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our BTC mining network to the world" \
    connection-state=related disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our BTC mining network to the world" \
    connection-state=established disabled=no src-address-list=\
    "BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our unallocated network to the world" \
    connection-state=new disabled=no src-address-list="Unassigned subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our unallocated network to the world" \
    connection-state=related disabled=no src-address-list="Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our unallocated network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our Home network to the world" \
    connection-state=new disabled=no src-address-list="Home network subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our Home network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our Home network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=input comment="Allow new connections FROM the world TO\
    \_the IPs and ports used for the DstNat rules to forward web services to t\
    he web services subnet" connection-state=new disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow established connections FROM th\
    e world TO the IPs and ports used for the DstNat rules to forward web serv\
    ices to the web services subnet" connection-state=established disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow related connections FROM the wo\
    rld TO the IPs and ports used for the DstNat rules to forward web services\
    \_to the web services subnet" connection-state=related disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=drop chain=input comment=\
    "Haven't matched any accept rule so drop what remains on the input chain" \
    disabled=no
add action=drop chain=forward comment="Haven't matched any accept rule so drop\
    \_what remains on the forward chain" disabled=no
/ip firewall nat
add action=src-nat chain=srcnat comment="All internet traffic from the Home ne\
    twork subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.133" disabled=no \
    src-address-list="Home network subnet" to-addresses=75.<REAL_IP>.<REAL_IP>.133
add action=dst-nat chain=dstnat comment="All traffic coming inbound on 75.149.\
    123.133 gets dst natted to 192.168.122.2" disabled=no src-address=\
    75.<REAL_IP>.<REAL_IP>.133 to-addresses=192.168.122.2
add action=src-nat chain=srcnat comment="All internet traffic from the unalloc\
    ated network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.132" \
    disabled=no src-address-list="Unassigned subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.132
add action=src-nat chain=srcnat comment="All internet traffic from the BitCoin\
    \_mining network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.131" \
    disabled=no src-address-list="BTC mining subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.131
add action=src-nat chain=srcnat comment="All internet traffic from the web ser\
    vices IP 192.168.119.2 will look like it heads out over 75.<REAL_IP>.<REAL_IP>.129.  T\
    his is so the return traffic heads out the same IP on which it came in." \
    disabled=no src-address=192.168.119.2 to-addresses=75.<REAL_IP>.<REAL_IP>.129
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    80 web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=80 to-addresses=\
    192.168.119.2 to-ports=80
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    443 SSL web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=443 to-addresses=\
    192.168.119.2 to-ports=443
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound UDP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=udp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    25 SMTP traffic to PostFix mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=25 to-addresses=\
    192.168.119.2 to-ports=25
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    465 SMTPS traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=465 \
    to-addresses=192.168.119.2 to-ports=465
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    993 IMAPS traffic to imaps server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=993 to-addresses=\
    192.168.119.2 to-ports=993
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    143 IMAP traffic to imap server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=143 to-addresses=\
    192.168.119.2 to-ports=143
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    587 SMTP submission traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=587 \
    to-addresses=192.168.119.2 to-ports=587
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    110 POP3 traffic to POP3 mail server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=110 to-addresses=\
    192.168.119.2 to-ports=110
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    995 POP3S traffic to POP3S mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=995 to-addresses=\
    192.168.119.2 to-ports=995
add action=redirect chain=dstnat comment="Capture all outbound TCP port 53 DNS\
    \_requests from LANs and process them on RB750 caching DNS server if possi\
    ble." disabled=no dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Capture all outbound UDP port 53 DNS\
    \_requests from LANs and process them on RB750 caching DNS server if possi\
    ble." disabled=no dst-port=53 protocol=udp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip route
add check-gateway=ping comment=\
    "Default Gateway / SMC cable router to ComCast" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=75.<REAL_IP>.<REAL_IP>.134 scope=30 target-scope=10
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=HomeBorder
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=50.19.122.125 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
    "" filter-mac-address="" filter-mac-protocol="" filter-port="" \
    filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
    only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

Thanks so much for your help.

James

You need to allow ESTABLISHED and RELATED connections from the ISP back to your LAN subnet(s). It looks as if at the moment only the traffic involved in the destination NAT has such rules.

CelticComms,

Ahh … so I’ve borked myself via the Firewall. Let me put rules for that in and I’ll get it tested tonight. Is there a log I can tail -f to see when firewall rules get hit and traffic splatters? Thanks in advance.

James

You will see the counters rise on the ACCEPT rules once you add them and the pings should start making the round trip. Full disclosure - I have not read all those rules - I just used your description to focus on the forward chain and did not see a way for normal LAN initiated to have its ESTABLISHED and RELATED return traffic make it all the way to the LAN. I think you did add such rules for the DST NAT related traffic but not for general traffic.

CelticComs,

I just read through my rules to make sure I didn’t duplicate anything and it looks like I already have the rules of which you speak. In the backup file I posted above I believe they are →

add action=accept chain=forward comment=
“Allow connections initiated FROM our Home network to the world”
connection-state=new disabled=no src-address-list=“Home network subnet”
add action=accept chain=forward comment=“Allow related connections spawned by
initiated connections FROM our Home network to the world”
connection-state=related disabled=no src-address-list=
“Home network subnet”
add action=accept chain=forward comment=
“Allow established connections FROM our Home network to the world”
connection-state=established disabled=no src-address-list=
“Home network subnet”

Are these the rules you wanted me to put in or are you referring to something different? Thanks for your help.

James

These rules all refer to outbound traffic. You need to allow inbound ESTABLISHED and RELATED connection from the outside world to your LAN interfaces or addresses.

CelticComms,

DOH! Sorry about that. I’ll get to making some rules.

James

I suspect that you will see those pings make a round trip. If not please update with new symptoms.

CelticComs,
I have added the rules you mentioned and my traffic still did not flow as expected. I used Torch and I could see the ping originating from my ASUS router (thus having been handed off from my wirelessly connected laptop) headed to 4.2.2.2 on ether5. I could then see traffic headed back in on my WAN interface, which is ether1 and hitting one of my public IPs which is 75.<REAL_IP>.<REAL_IP>.133 but the traffic never gets back to my laptop. I have disabled all of my firewall’s drop rules so I do not believe the ping is splattering on a firewall rule. What might I do now? For your reference I am attaching my router config export file with the new firewall rules I created per you last reply.

# jan/02/1970 00:19:20 by RouterOS 5.20
# software id = EZEF-GBRZ
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "WAN / internet Interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9A master-port=none mtu=1500 name=ether1 \
    speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Web services interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9B master-port=none mtu=1500 name=ether2 \
    speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "BTC mining activity interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9C master-port=none mtu=1500 name=ether3 \
    speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Unassigned activities interface." disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9D master-port=none mtu=1500 name=ether4 \
    speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Home network interface" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:75:BA:9E master-port=none mtu=1500 name=ether5 \
    speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=192.168.119.50-192.168.119.254
add name=dhcp_pool2 ranges=192.168.120.50-192.168.120.254
add name=dhcp_pool3 ranges=192.168.121.50-192.168.121.254
add name=dhcp_pool4 ranges=192.168.122.50-192.168.122.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether2 lease-time=7w1d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether3 lease-time=7w1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether4 lease-time=7w1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether5 lease-time=7w1d name=dhcp4
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:11:B4:D6:25:60 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=75.<REAL_IP>.<REAL_IP>.129/29 comment=\
    "First usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.130/29 comment=\
    "Second usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.131/29 comment=\
    "Third usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.132/29 comment=\
    "Fourth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=75.<REAL_IP>.<REAL_IP>.133/29 comment=\
    "Fifth usable public IP assigend from ComCast" disabled=no interface=\
    ether1 network=75.<REAL_IP>.<REAL_IP>.128
add address=192.168.119.1/24 comment="Web services subnet" disabled=no \
    interface=ether2 network=192.168.119.0
add address=192.168.120.1/24 comment="BTC mining subnet" disabled=no \
    interface=ether3 network=192.168.120.0
add address=192.168.121.1/24 comment="Unassigned subnet" disabled=no \
    interface=ether4 network=192.168.121.0
add address=192.168.122.1/24 comment="Home network subnet" disabled=no \
    interface=ether5 network=192.168.122.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.119.0/24 dhcp-option="" dns-server=192.168.119.1 gateway=\
    192.168.119.1 ntp-server="" wins-server=""
add address=192.168.120.0/24 dhcp-option="" dns-server=192.168.120.1 gateway=\
    192.168.120.1 ntp-server="" wins-server=""
add address=192.168.121.0/24 dhcp-option="" dns-server=192.168.121.1 gateway=\
    192.168.121.1 ntp-server="" wins-server=""
add address=192.168.122.0/24 dhcp-option="" dns-server=192.168.122.1 gateway=\
    192.168.122.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=68.87.74.162
/ip firewall address-list
add address=192.168.119.0/24 disabled=no list="Web services subnet"
add address=192.168.120.0/24 disabled=no list="BTC mining subnet"
add address=192.168.121.0/24 disabled=no list="Unassigned subnet"
add address=192.168.122.0/24 disabled=no list="Home network subnet"
add address=192.168.123.0/24 disabled=no list="Asus BlackKnight subnet"
add address=75.<REAL_IP>.<REAL_IP>.128/29 disabled=no list="ComCast allocated static IPs"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment=\
    "Drop invlaid connections in the forward chain" connection-state=invalid \
    disabled=yes
add action=drop chain=input comment=\
    "Drop invlaid connections in the input chain" connection-state=invalid \
    disabled=yes
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our unallocated network to the world" \
    connection-state=related disabled=no src-address-list="Unassigned subnet"
add action=accept chain=input comment=\
    "Accept traffic to RB from home network subnet" disabled=no \
    src-address-list="Home network subnet"
add action=accept chain=input comment=\
    "Accept traffic to RB from wireless subnet" disabled=no src-address-list=\
    "Asus BlackKnight subnet"
add action=accept chain=input comment="Accept traffic returned to the RB that \
    was established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept traffic related to the RB connec\
    tins that were established FROM the RB (i.e. a ping or DNS lookup)" \
    connection-state=related disabled=no
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our web services network to the world" \
    connection-state=new disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our web services network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Web services subnet"
add action=accept chain=forward comment="Allow established connections FROM ou\
    r web services network to the world" connection-state=established \
    disabled=no src-address-list="Web services subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our BTC mining network to the world" \
    connection-state=new disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our BTC mining network to the world" \
    connection-state=related disabled=no src-address-list="BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our BTC mining network to the world" \
    connection-state=established disabled=no src-address-list=\
    "BTC mining subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our unallocated network to the world" \
    connection-state=new disabled=no src-address-list="Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our unallocated network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Unassigned subnet"
add action=accept chain=forward comment=\
    "Allow connections initiated FROM our Home network to the world" \
    connection-state=new disabled=no src-address-list="Home network subnet"
add action=accept chain=forward comment="Allow related connections spawned by \
    initiated connections FROM our Home network to the world" \
    connection-state=related disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=forward comment=\
    "Allow established connections FROM our Home network to the world" \
    connection-state=established disabled=no src-address-list=\
    "Home network subnet"
add action=accept chain=input comment="Allow new connections FROM the world TO\
    \_the IPs and ports used for the DstNat rules to forward web services to t\
    he web services subnet" connection-state=new disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow established connections FROM th\
    e world TO the IPs and ports used for the DstNat rules to forward web serv\
    ices to the web services subnet" connection-state=established disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment="Allow related connections FROM the wo\
    rld TO the IPs and ports used for the DstNat rules to forward web services\
    \_to the web services subnet" connection-state=related disabled=no \
    dst-address-list="ComCast allocated static IPs" protocol=tcp \
    src-address-list=0.0.0.0/0 src-port=80,443,25,465,587,143,993,110,995
add action=accept chain=forward comment=\
    "Allow related connections heading back to our home hetwork" \
    connection-state=related disabled=no dst-address-list=\
    "Home network subnet" src-address-list=0.0.0.0/0
add action=accept chain=forward comment=\
    "Allow established connections FROM the world back to our hom enetwork" \
    connection-state=established disabled=no dst-address-list=\
    "Home network subnet" src-address-list=0.0.0.0/0
add action=drop chain=input comment=\
    "Haven't matched any accept rule so drop what remains on the input chain" \
    disabled=yes
add action=drop chain=forward comment="Haven't matched any accept rule so drop\
    \_what remains on the forward chain" disabled=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="All internet traffic from the Home ne\
    twork subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.133" disabled=no \
    src-address-list="Home network subnet" to-addresses=75.<REAL_IP>.<REAL_IP>.133
add action=dst-nat chain=dstnat comment="All traffic coming inbound on 75.149.\
    123.133 gets dst natted to 192.168.122.2" disabled=no src-address=\
    75.<REAL_IP>.<REAL_IP>.133 to-addresses=192.168.122.2
add action=src-nat chain=srcnat comment="All internet traffic from the unalloc\
    ated network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.132" \
    disabled=no src-address-list="Unassigned subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.132
add action=src-nat chain=srcnat comment="All internet traffic from the BitCoin\
    \_mining network subnet will look like it heads out over 75.<REAL_IP>.<REAL_IP>.131" \
    disabled=no src-address-list="BTC mining subnet" to-addresses=\
    75.<REAL_IP>.<REAL_IP>.131
add action=src-nat chain=srcnat comment="All internet traffic from the web ser\
    vices IP 192.168.119.2 will look like it heads out over 75.<REAL_IP>.<REAL_IP>.129.  T\
    his is so the return traffic heads out the same IP on which it came in." \
    disabled=no src-address=192.168.119.2 to-addresses=75.<REAL_IP>.<REAL_IP>.129
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    80 web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=80 to-addresses=\
    192.168.119.2 to-ports=80
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    443 SSL web traffic to web server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=443 to-addresses=\
    192.168.119.2 to-ports=443
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound UDP port \
    53 DNS traffic to DNS server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=udp src-port=53 to-addresses=\
    192.168.119.2 to-ports=53
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    25 SMTP traffic to PostFix mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=25 to-addresses=\
    192.168.119.2 to-ports=25
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    465 SMTPS traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=465 \
    to-addresses=192.168.119.2 to-ports=465
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    993 IMAPS traffic to imaps server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=993 to-addresses=\
    192.168.119.2 to-ports=993
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    143 IMAP traffic to imap server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=143 to-addresses=\
    192.168.119.2 to-ports=143
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    587 SMTP submission traffic to PostFix mail server on web services subnet" \
    disabled=no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=587 \
    to-addresses=192.168.119.2 to-ports=587
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    110 POP3 traffic to POP3 mail server on web services subnet" disabled=no \
    dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=110 to-addresses=\
    192.168.119.2 to-ports=110
add action=dst-nat chain=dstnat comment="DstNat external and inbound TCP port \
    995 POP3S traffic to POP3S mail server on web services subnet" disabled=\
    no dst-address=75.<REAL_IP>.<REAL_IP>.129 protocol=tcp src-port=995 to-addresses=\
    192.168.119.2 to-ports=995
add action=redirect chain=dstnat comment="Capture all outbound TCP port 53 DNS\
    \_requests from LANs and process them on RB750 caching DNS server if possi\
    ble." disabled=no dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Capture all outbound UDP port 53 DNS\
    \_requests from LANs and process them on RB750 caching DNS server if possi\
    ble." disabled=no dst-port=53 protocol=udp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip route
add check-gateway=ping comment=\
    "Default Gateway / SMC cable router to ComCast" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=75.<REAL_IP>.<REAL_IP>.134 scope=30 target-scope=10
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=HomeBorder
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=50.19.122.125 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
    "" filter-mac-address="" filter-mac-protocol="" filter-port="" \
    filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
    only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

Thanks for your help.

James

CelticComs,

I just noticed something that might be my culprit (and I can’t believe I didn’t notice this earlier). Way back when, in a previous life, in a land far, far away I was covered up in CheckPoint stuff. In that land I remember that even though there were firewall rules, NAT-ing and packet mangling going on I still had to apply specific network routes to the networks that were associated to the interfaces on the Nokia devices we were using. As I review my configuration for this RB750 I see that I ONLY have a single route defined for my DG but NOT for any of the other networks assigned on any of the interfaces. Do you suppose this could be causing my problem? Thanks for the reply.

James

CelticComs,

Ok, forget my thoughts on the routes as I see they ARE there in Winbox. I just noticed I have a dst-nat that looks like →

add action=dst-nat chain=dstnat comment="All traffic coming inbound on 75.149.\
    123.133 gets dst natted to 192.168.122.2" disabled=no src-address=\
    75.149.123.133 to-addresses=192.168.122.2

This is all cool BUT I have my Asus wireless router to request its IP via DHCP. It turns out it can never get the IP address 192.168.122.2. This is because my DHPC servers on interfaces ether[2-5] start at .50. This causes me to wonder, should I set my Wireless WAN interface to that .2 address and let anything else that lives on that network get a DHCP address OR should I alter this dst-nat to look like →

add action=dst-nat chain=dstnat comment="All traffic coming inbound on 75.149.\
    123.133 gets dst natted to 192.168.122.0/24" disabled=no src-address=\
    75.149.123.133 to-addresses=192.168.122.0/24

Thanks for the reply.

James

CelticComms,

Does my logic in my last reply sound correct to you?

James

If this rule is to apply to traffic “coming inbound on 75.149.123.133” then the selector should be the destination address not the source address.