Hi everyone.
I am unable to forward some ports on an RB951.
I created a hotspot as I have done many times before. I also created two wireless networks: one behind the hotspot with a lower speed, and another without the hotspot at full speed.
Everything works great, except port forwarding. I want to forward port 8888 to IP 192.168.1.7, and I have already added:
# NAT rule as posted: TCP port 8888 arriving on pppoe-out1 is rewritten to 192.168.1.7:8888.
# NOTE(review): there is no src-address / src-address-list match, so the forwarded
# service is reachable from any remote host that can reach the pppoe-out1 address.
add action=dst-nat chain=dstnat dst-port=8888 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.7 to-ports=8888
I have tried so many things and my head is spinning. I also have an angry customer near me. Would anyone be kind enough to help me, please?
The dstnat rule is OK but remember that you must also have a forward rule that allows this traffic to go through.
I.e. you have to add an allow rule for dstnat traffic before the drop rule that drops all traffic from your internet connection.
You mean this in Firewall filter?
# Filter rule as posted: matches new TCP connections to port 8888 in the forward chain.
# NOTE(review): no action= is given, so this presumably takes the default action (accept).
# It is not limited to an in-interface, so it matches port 8888 traffic forwarded from any side.
add chain=forward connection-state=new dst-port=8888 protocol=tcp
I have this rule as well, and yes, it is placed first, before everything else.
I'm out of solutions…
This is my configuration, in case someone wants to help
# may/26/2016 14:15:19 by RouterOS 6.30.4
# software id = PMJ8-NBRD
#
# Exported configuration posted to troubleshoot a dst-nat port forward
# (TCP 8888 -> 192.168.1.7) on a router that also runs a hotspot on bridge1.
# Lines marked NOTE(review) are reviewer observations, not part of the export.
#
# Two bridges: bridge1 (used by the hotspot and dhcp1 below) and vip+ether2.
/interface bridge
add name=bridge1
add name=vip+ether2
# MAC addresses set explicitly on ether2..ether5.
/interface ethernet
set [ find default-name=ether2 ] mac-address=4C:5E:0C:59:BF:70
set [ find default-name=ether3 ] mac-address=4C:5E:0C:59:BF:71
set [ find default-name=ether4 ] mac-address=4C:5E:0C:59:BF:72
set [ find default-name=ether5 ] mac-address=4C:5E:0C:59:BF:73
# WAN uplink: PPPoE client running over ether1; it installs the default route.
# The password= and user= values look like placeholders substituted by the poster.
/interface pppoe-client
add add-default-route=yes default-route-distance=1 dial-on-demand=yes disabled=\
no interface=ether1 keepalive-timeout=1000 max-mru=1480 max-mtu=1480 mrru=\
1600 name=pppoe-out1 password=password use-peer-dns=yes user=\
username
# Default profile: WPA and WPA2 pre-shared key (key value appears to be a placeholder).
# NOTE(review): wpa-psk is enabled alongside wpa2-psk; WPA2-only is the stronger
# setting if every client supports it.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys wpa-pre-shared-key=pass2 wpa2-pre-shared-key=\
pass2
# Profile "openaristo": no mode= is shown on this line.
# NOTE(review): presumably the mode is left at its default, which would make this an
# unencrypted profile despite the authentication-types listed - confirm.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed name=openaristo supplicant-identity=""
# wlan1 is renamed wlan3 and uses profile openaristo; VIP is a virtual AP on wlan3.
# No security-profile= is shown for VIP - presumably it uses the default profile; verify.
/interface wireless
set [ find default-name=wlan1 ] disabled=no l2mtu=1600 mode=ap-bridge name=\
wlan3 security-profile=openaristo ssid=Txxxxxxx
add disabled=no l2mtu=1600 mac-address=E6:8D:8C:EA:BE:28 master-interface=wlan3 \
name=VIP ssid=VIP wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Hotspot profile on 192.168.1.1 with rate-limit=512000/512000.
/ip hotspot profile
add hotspot-address=192.168.1.1 name=hsprof1 rate-limit=512000/512000
# Hotspot server bound to bridge1, so every port of bridge1 is behind the hotspot.
/ip hotspot
add disabled=no interface=bridge1 name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] shared-users=150
# NOTE(review): dhcp_pool2 and dhcp_pool3 overlap (192.168.1.70-99 lies inside
# 192.168.1.50-99) and dhcp_pool4/dhcp_pool5 are identical. Only dhcp_pool1 and
# dhcp_pool5 are referenced by the DHCP servers below. 192.168.1.7 is outside
# dhcp_pool1, so the forward target is presumably statically addressed.
/ip pool
add name=dhcp_pool1 ranges=192.168.1.101-192.168.1.252
add name=dhcp_pool2 ranges=192.168.1.70-192.168.1.99
add name=dhcp_pool3 ranges=192.168.1.50-192.168.1.99
add name=dhcp_pool4 ranges=192.168.2.100-192.168.2.254
add name=dhcp_pool5 ranges=192.168.2.100-192.168.2.254
# dhcp1 serves bridge1 from dhcp_pool1; dhcp2 serves the vip+ether2 bridge from dhcp_pool5.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool5 disabled=no interface=vip+ether2 name=dhcp2
# NOTE(review): ether2 is added to bridge1, not to the bridge named vip+ether2,
# which contains only the VIP interface.
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan3
add bridge=vip+ether2 interface=VIP
add bridge=bridge1 interface=ether2
# NOTE(review): 192.168.1.1/24 is assigned both to bridge1 and to wlan3, and wlan3 is
# a port of bridge1 (see bridge ports above). 192.168.2.1/24 sits on VIP, a port of
# vip+ether2, while dhcp2 listens on vip+ether2. Addresses normally belong on the
# bridge rather than on its ports; the duplicate / port-level addresses may make
# routing and NAT matching unpredictable - worth cleaning up before further debugging.
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.1.1/24 comment="hotspot network" interface=wlan3 network=\
192.168.1.0
add address=192.168.2.1/24 interface=VIP network=192.168.2.0
# DHCP clients on both networks are handed 8.8.8.8 and 8.8.4.4 as DNS servers.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
# Router's own upstream resolvers; 192.168.1.1 is the router's bridge1 address.
/ip dns
set servers=192.168.1.1,8.8.8.8
# NOTE(review): none of the rules in this section sets action= (other than the disabled
# passthrough), so they presumably take the default action (accept), and the export
# contains no drop rule in any chain. As exported, the forward chain therefore blocks
# nothing, so these accept rules are not what decides whether the 8888 forward works.
# There are also no input-chain rules, so nothing shown here limits access from
# pppoe-out1 to the router's own services. Rules the hotspot adds dynamically are not
# visible in an export. A usual hardening is: accept established/related, accept
# dst-nat'ed connections, then drop everything else arriving from pppoe-out1, with an
# equivalent input chain.
/ip firewall filter
add chain=forward connection-state=new dst-port=8888 in-interface=pppoe-out1 \
protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add chain=forward connection-state=new dst-port=21 protocol=tcp
/ip firewall nat
# WAN port forward: TCP 8888 arriving on pppoe-out1 -> 192.168.1.7:8888.
# NOTE(review): no src-address / src-address-list match, so the service is exposed to
# any Internet host; restrict the source if the set of remote clients is known.
add action=dst-nat chain=dstnat dst-port=8888 in-interface=pppoe-out1 protocol=\
tcp to-addresses=192.168.1.7 to-ports=8888
# The next two dst-nat rules match in-interface=bridge1, i.e. traffic arriving from the
# LAN/hotspot bridge, not from pppoe-out1; they do not forward 88/7777 from the WAN side.
add action=dst-nat chain=dstnat dst-port=88 in-interface=bridge1 protocol=tcp \
to-addresses=192.168.1.7 to-ports=88
add action=dst-nat chain=dstnat dst-port=7777 in-interface=bridge1 protocol=tcp \
to-addresses=192.168.1.7 to-ports=7777
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
# Source NAT for everything leaving through the PPPoE uplink.
add action=masquerade chain=srcnat out-interface=pppoe-out1
# NOTE(review): ether1 is the physical port underneath pppoe-out1; with the default
# route on pppoe-out1 this rule presumably only affects traffic sent directly out
# ether1 - confirm it is needed.
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.2.0/24
# Masquerades 192.168.1.0/24 traffic that leaves via bridge1 (hotspot network).
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface=bridge1 src-address=192.168.1.0/24
# Addresses exempted from hotspot login (type=bypassed). 192.168.1.7, the dst-nat
# target, is already in this list.
# NOTE(review): these bindings match on IP address only, so presumably any client that
# takes one of these addresses skips hotspot authentication - keep the list minimal.
/ip hotspot ip-binding
add address=192.168.1.7 type=bypassed
add address=192.168.2.7 type=bypassed
add address=192.168.1.8 type=bypassed
add address=192.168.1.2 type=bypassed
add address=192.168.1.1 type=bypassed
add address=192.168.1.3 type=bypassed
add address=192.168.1.4 type=bypassed
add address=192.168.1.5 type=bypassed
add address=192.168.1.6 type=bypassed
add address=192.168.2.1 type=bypassed
# Hotspot accounts; no password= appears on either line.
# NOTE(review): either the poster removed the passwords or these accounts have none - confirm.
/ip hotspot user
add name=xxx server=hotspot1
add name=yyyy
/system clock
set time-zone-autodetect=no
# LED assignments: each LED reflects the link status of the named interface.
/system leds
set 0 interface=wlan3 leds=user-led type=interface-status
set 1 interface=ether3 leds=led3 type=interface-status
set 2 interface=ether4 leds=led4 type=interface-status
set 3 interface=ether5 type=interface-status
set 4 interface=ether1 leds=led1 type=interface-status
add interface=ether2 leds=led2 type=interface-status
192.168.1.7 appears to be in the hotspot network.
If so, then you need to create a bypass binding for 192.168.1.7 so that the hotspot doesn’t intercept the replies.