Port forward for a specific Public IP address

I can open a port to my subnet PC for everyone, but if I need to allow connections to this server port only from a specific Public IP, I cannot manage it. I made an allow list containing the Public IP, and when I put this list in the src-address-list of the dstnat rule, the port is closed.

My example:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input src-address=192.168.8.0/21
add action=drop chain=forward dst-address=192.168.8.0/21 src-address=192.168.1.0/24

/ip firewall nat
add action=netmap chain=dstnat comment="open port 3377" dst-port=3377 in-interface=ether10 protocol=tcp src-address-list=AllowList to-addresses=192.168.1.11 to-ports=3377

Example:
Local server address - 192.168.1.11
In the allow list I put the public address - 100.100.100.100
My router WAN (ether10) IP address - 200.200.200.200
Server port - 3377

What am I doing wrong there?
Sorry for my bad English.

Are you sure this is working without the source IP address list, as the rules don't seem to imply you have anything to allow a dst-nat connection, or a more specific one, through?

I would do exactly as you have done by using a source IP to narrow down the “caller” and it should work fine if your rules are in place.

I also put the src list (the allow list with the public IP) in the rules, but no luck.

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether10 src-address-list=AllowList

This is a NAT rule though - not a firewall filter rule. MT does not do this automatically for you. It used to be a part of the default config though (that may have been a while ago). Here is what I use; it's relatively near the top.

add action=accept chain=forward comment="accept dst-nat" connection-nat-state=dstnat in-interface-list=WANs

Still no luck :frowning:

Oh my God.
Everything is working now.
Thanks.
The friend who is scanning my port from outside doesn't scan from a PC (like nmap, etc.), but uses some online web scanner service, and of course that has a different public IP. :slight_smile:))
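As an added example (not configuration from any poster in this thread), here are the pieces discussed above combined into one working set, plus a log rule that shows the real source address of a test that does not get forwarded, which is how the mismatch in the last post would have shown up. Names and values are the thread's assumptions: list AllowList, peer 100.100.100.100, WAN interface ether10, server 192.168.1.11 on port 3377.

```routeros
# Added example, not from the thread. Assumed names/values as in the thread:
# list AllowList, peer 100.100.100.100, WAN ether10, server 192.168.1.11:3377.

# 1. The source list the dstnat rule checks. Only addresses here get forwarded.
/ip firewall address-list
add list=AllowList address=100.100.100.100 comment="friend's public IP"

# 2. Port forward limited to the list. action=dst-nat is the usual choice for a
#    single port; the netmap action used in the thread also works for one address.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether10 protocol=tcp dst-port=3377 \
    src-address-list=AllowList to-addresses=192.168.1.11 to-ports=3377 \
    comment="open port 3377 for AllowList only"

# 3. Let the translated connection through the forward chain. Keep this above
#    any forward rule that drops new connections arriving from the WAN.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface=ether10 comment="accept dst-nat"

# 4. Diagnosis: a packet from a source NOT on the list is not translated, so its
#    destination stays the router's WAN address and it lands in the input chain,
#    where "defconf: drop all not coming from LAN" silently drops it. Log it first
#    so the real source address shows up (an online scanner connects from its own
#    public IP, not from the tester's). Move this rule above that drop rule.
add chain=input action=log protocol=tcp dst-port=3377 in-interface=ether10 \
    connection-state=new log-prefix="3377-not-in-AllowList" \
    comment="log untranslated probes to 3377"

# Then check which address actually hit the port:
# /log print where message~"3377-not-in-AllowList"
```

If the logged source differs from the address on AllowList, the rule set is doing exactly what it was told to and the list entry, not the rules, needs to change.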