I searched the forums but, oddly, did not come up with an answer to my question. It seems pretty basic.
I need to forward some ports on the router to some servers in the LAN.
I followed this rule:
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
action=dst-nat to-addresses=192.168.1.101 to-ports=5900
Which seems to work great, except that it hard-codes the dst-address in the rule. I am using DHCP on the WAN side, so if my WAN IP changes, does this break the firewall rule? I would assume yes. In other firewalls like WatchGuard and SonicWall, you can specify an alias like "WAN IP" or "ANY-WAN". This is what I would like to do: use an alias for the WAN IP.
I have tried to use ether2 (this is the Ethernet port to my ISP), with little luck.
Sometimes the rule seems to work, but other times it seems to block and try to forward local LAN traffic to my LAN IP.
Here is the output of my rules as of now. Any help is greatly appreciated.
Here is the firewall:
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=input action=accept protocol=tcp dst-port=25
1 ;;; Drop anything from Blacklist
chain=input action=drop src-address-list=blacklist
2 chain=input action=drop protocol=tcp src-address-list=ssh_blacklist in-interface=ether2 dst-port=22
3 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_b
address-list-timeout=52w1d dst-port=22
5 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_s
address-list-timeout=1m dst-port=22
6 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_s
address-list-timeout=1m dst-port=22
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1
8 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
9 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m
10 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Log
11 chain=input action=accept protocol=udp dst-port=500,1701,4500
12 chain=input action=accept protocol=gre
And here is NAT:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether2
1 chain=dstnat action=dst-nat to-addresses=10.80.0.5 to-ports=443 protocol=tcp in-interface=ether2 dst-port=443
2 chain=dstnat action=dst-nat to-addresses=10.80.0.18 protocol=tcp in-interface=ether2 dst-port=5060
3 chain=dstnat action=dst-nat to-addresses=10.80.0.18 protocol=udp in-interface=ether2 dst-port=4569
4 chain=dstnat action=dst-nat to-addresses=10.80.0.5 protocol=tcp in-interface=ether2 dst-port=143
5 chain=dstnat action=dst-nat to-addresses=10.80.0.5 protocol=tcp in-interface=ether2 dst-port=993
6 chain=srcnat action=accept protocol=udp dst-port=1701,4500
7 ;;; Forward SMTP to mail server
chain=dstnat action=dst-nat to-addresses=10.80.0.5 protocol=tcp in-interface=ether2 dst-port=25,465,587
8 chain=dstnat action=dst-nat to-addresses=10.80.0.250 protocol=tcp in-interface=ether2 dst-port=21
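Two ways to write the forward in the original post without pinning it to a WAN address, as an added example (this is not the poster's own config or a rule from the forum). The interface name ether2 and the LAN target 192.168.1.101:5900 come from the post; the comment string "vnc-forward" is an assumption used only so the script can find the rule.

```routeros
# Added example, not from the original post. Assumes ether2 is the WAN port
# and that the forward is tagged with comment="vnc-forward".

# Option 1 (preferred): match on the WAN interface plus "any address that is
# local to this router". dst-address-type=local fires for whatever address
# ether2 currently holds, so a DHCP lease change does not break the rule, and
# in-interface=ether2 keeps LAN-originated packets from being redirected.
/ip firewall nat add chain=dstnat in-interface=ether2 dst-address-type=local \
    protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.1.101 \
    to-ports=5900 comment="vnc-forward"

# Option 2: keep a rule with a hard-coded dst-address (as in the post) and let
# the DHCP client rewrite it on every bound/renewed lease. Inside a dhcp-client
# script, $bound is 1 when an address was obtained and $"lease-address" holds it.
/ip dhcp-client set [find interface=ether2] \
    script=":if (\$bound = 1) do={ /ip firewall nat set [find comment=\"vnc-forward\"] dst-address=\$\"lease-address\"; :log info (\"vnc-forward now on \" . \$\"lease-address\") }"

# Check: rule hit counters should climb only when a client connects from the
# WAN side; active translated sessions show up in the connection table.
/ip firewall nat print stats where comment="vnc-forward"
/ip firewall connection print where dst-address~":5900"
```

Use one option, not both: with Option 1 the dst-address field is left empty on purpose, so the Option 2 script has nothing to update. The log line in the script makes a lease change visible in `/log print`, which is the quickest way to confirm the rule followed the new address.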