I have recently bridged my ISP router to my MikroTik hAP ax3 and everything works great except for the port forwarding. When I forward a port, the port checker shows it's open and MikroTik passes the packet, but if I browse the website that I forward it doesn't open.
helpme.rsc (1.66 KB)
If you are trying to view your webserver via the WAN IP of your router instead of the LAN IP of the server, then likely it's your config that is not valid for that access and needs to be fixed.
In some routers this is called nat loopback.
-
What's with the three pools? One is a duplicate, remove it! And the other seems to have no purpose??
add name=dhcp_pool1 ranges=192.168.100.15-192.168.100.240 ??? -
Don't name your bridge LAN, the LAN is already used by the router as the common interface describing all subnets.
USE
name=Bridge-LAN -
Remove this, it's only for advanced users with very niche requirements. The standard firewall rules suffice for your needs.
/interface bridge settings
set use-ip-firewall=yes -
Set this to NONE as no one has found a use for it and it is known to cause issues.
/interface detect-internet
set detect-interface-list=all -
Why no firewall rules??? Or better, why did you get rid of the default ones?
-
Need hairpin nat or nat loopback rule in sourcenat.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=WAN
- DSTNAT RULE (missing the WAN IP; to-ports is not required if it is the same as dst-port)
If your WAN IP is a static public IP then you need to do this:
add action=dst-nat chain=dstnat dst-address=staticPublicIP dst-port=3000 protocol=tcp to-addresses=192.168.88.229
If the WAN IP you get from the bridged router is dynamic, you need to set your public IP as a DynDNS-type address. Easiest is to use the existing IP Cloud name:
/ip firewall address-list
add address=mynetname.net list=MyWAN
add action=dst-nat chain=dstnat dst-address-list=MyWAN dst-port=3000 protocol=tcp to-addresses=192.168.88.229
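To see why the hairpin srcnat rule above is needed at all, here is an added model of the packet flow (not from the thread or from RouterOS): a LAN client connects to the forwarded port via the router's WAN IP, with and without the LAN-to-LAN masquerade rule. The public address 203.0.113.10, the client 192.168.88.50 and the router LAN address 192.168.88.1 are constructed for the example.

```python
"""Why a LAN client needs hairpin NAT to reach a forwarded port via the WAN IP."""
import ipaddress

LAN = ipaddress.ip_network("192.168.88.0/24")
WAN_IP = "203.0.113.10"                # constructed public address on the router
SERVER, PORT = "192.168.88.229", 3000  # forwarded host and port from the thread
CLIENT = "192.168.88.50"               # constructed LAN client
ROUTER_LAN_IP = "192.168.88.1"         # constructed router address on the bridge


def dstnat(pkt):
    """dst-nat rule: dst-address=WAN_IP dst-port=3000 to-addresses=SERVER."""
    if pkt["dst"] == WAN_IP and pkt["dport"] == PORT:
        return {**pkt, "dst": SERVER}
    return pkt


def srcnat(pkt, hairpin):
    """masquerade out-interface=WAN, plus (optionally) the hairpin rule
    src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade."""
    src_in_lan = ipaddress.ip_address(pkt["src"]) in LAN
    dst_in_lan = ipaddress.ip_address(pkt["dst"]) in LAN
    if hairpin and src_in_lan and dst_in_lan:
        return {**pkt, "src": ROUTER_LAN_IP}  # masquerade picks the router's LAN IP
    if src_in_lan and not dst_in_lan:
        return {**pkt, "src": WAN_IP}
    return pkt


def connect_via_wan_ip(hairpin):
    """Return True if the client's SYN to WAN_IP:3000 gets a usable SYN-ACK back."""
    syn = {"src": CLIENT, "dst": WAN_IP, "sport": 40000, "dport": PORT}
    fwd = srcnat(dstnat(syn), hairpin)  # router applies dstnat, then srcnat
    # The server answers whatever source address it saw on the SYN.
    reply = {"src": fwd["dst"], "dst": fwd["src"], "sport": PORT, "dport": fwd["sport"]}
    if reply["dst"] == ROUTER_LAN_IP:
        # Reply is addressed to the router, so conntrack reverses both translations.
        reply = {**reply, "src": WAN_IP, "dst": CLIENT}
    # Otherwise the reply is switched straight to the client on the same bridge
    # and never passes the router. The client only accepts a SYN-ACK from the
    # address it sent the SYN to (WAN_IP); a reply from 192.168.88.229 is dropped.
    return reply["src"] == WAN_IP and reply["dst"] == CLIENT


if __name__ == "__main__":
    print("without hairpin NAT:", connect_via_wan_ip(hairpin=False))  # False
    print("with hairpin NAT:   ", connect_via_wan_ip(hairpin=True))   # True
```

This is exactly the symptom in the first post: the port checker from outside works because the external reply passes back through the router, while the LAN client's reply arrives from the wrong address.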
Thanks, I will try to add those changes. The mistakes you pointed out are from a previous config that I had set up for the MikroTik to act as a switch. I'm pretty new to networking stuff, so I tend to make a lot of mistakes.
Everything works great with your help. Thanks!!!
Not really, your router will get hacked eventually without any firewall rules to speak of.
You should unplug the router from the internet until you fix the rules. Default rules are a good start.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"