Port forwarding flopping?

I have a router with VLANned network. Internet access is masqueraded and internet access works.

The issue is that the servers are intermittently accessible from outside. I have port forwards and they should work – I see the rules being triggered, and when I telnet to the server (port 3389) from the router itself it shows the port as open, but no connection is established.

I don’t know what I can do now to find out what is going on.

Thanks in advance!

EDIT: The issue is very weird. It works for a bit and then stops. Mostly it is not working, though.

is it so hard? http://forum.mikrotik.com/t/forum-rules/173010/1

I sincerely apologize.

Here is the info:
I am running 7.11.2 on a CCR2004.

Here is the config; I removed DHCP, CAPsMAN (works fine) and WireGuard.



# RouterOS export pasted into the forum: the original "\" line-continuation
# characters were lost, so a line ending in "=" continues on the next line.
# Single bridge with VLAN filtering; port PVIDs and tagged/untagged membership
# are defined under /interface bridge port and /interface bridge vlan.
# protocol-mode=none disables (R)STP on the bridge, so a cabling loop would not
# be blocked by the bridge itself (the poster later notes loop detection is off).
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
# Physical ports renamed by role. sfp-sfpplus2..5 are forced to a fixed rate
# (auto-negotiation=no, sfp-rate-select=low); the others keep defaults.
# NOTE(review): the thread's final update attributes the flapping to S-RJ01
# copper modules in these SFP+ cages rather than to anything in this section.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-MGMT
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=
sfp-sfpplus2-TRUNK-HA1-KO0-OKO1 sfp-rate-select=low
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no name=
sfp-sfpplus3-TRUNK-HA1-KO1-OKO1 sfp-rate-select=low
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no name=
sfp-sfpplus4-TRUNK-HA2-KO1-OKO1 sfp-rate-select=low
set [ find default-name=sfp-sfpplus5 ] auto-negotiation=no name=
sfp-sfpplus5-TRUNK-HA2-KO2-OKO1 sfp-rate-select=low
set [ find default-name=sfp-sfpplus6 ] name=sfp-sfpplus6-TRUNK-FREE
set [ find default-name=sfp-sfpplus7 ] name=sfp-sfpplus7-SKVIKI
set [ find default-name=sfp-sfpplus8 ] name=sfp-sfpplus8-HRCAK
set [ find default-name=sfp-sfpplus9 ] name=“sfp-sfpplus9-SERVERS - FREE”
set [ find default-name=sfp-sfpplus10 ] name=
“sfp-sfpplus10-SERVERS - FREE”
set [ find default-name=sfp-sfpplus11 ] comment=“NO USE” name=
sfp-sfpplus11-INFRASTRUCTURE-OLD
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-TECH
# sfp28-1 is the only WAN uplink; sfp28-2 is unused but placed in the WINBOX list.
set [ find default-name=sfp28-1 ] name=sfp28-1-WAN
set [ find default-name=sfp28-2 ] name=sfp28-2-FREE
# One WireGuard listener per peer group (UDP 13231-13236). The input chain
# opens exactly these six ports with the "Allow WireGuard input" rule.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1-ADMIN
add listen-port=13232 mtu=1420 name=wireguard2-MOBILE-USERS
add listen-port=13233 mtu=1420 name=wireguard3-HLAZB
add listen-port=13234 mtu=1420 name=wireguard4-SKLASPLT
add listen-port=13235 mtu=1420 name=wireguard5-TRAVELSVC
add listen-port=13236 mtu=1420 name=wireguard6-SUPP
# Layer-3 VLAN interfaces on BR1 (the router's gateway addresses live on these).
# VLAN IDs 100 and 110 exist in the bridge VLAN table below but have no
# interface here, so they are not routed.
/interface vlan
add interface=BR1 name=INFRASTRUCTURE_OLD_VLAN vlan-id=13
add interface=BR1 name=INFRASTRUCTURE_VLAN vlan-id=10
add interface=BR1 name=COMMERCIAL_VLAN vlan-id=50
add interface=BR1 name=WEBCO_WLAN_VLAN vlan-id=70
add interface=BR1 name=MV-LINK_VLAN vlan-id=90
add interface=BR1 name=APS_VLAN vlan-id=11
add interface=BR1 name=PRODUCTION_VLAN vlan-id=40
add interface=BR1 name=SERVERS_VLAN vlan-id=20
add interface=BR1 name=SKLA_VLAN vlan-id=60
add interface=BR1 name=TECH_VLAN vlan-id=999
add interface=BR1 name=TERMINALS_VLAN vlan-id=80
add interface=BR1 name=OFFICES_VLAN vlan-id=30
# Interface lists used as firewall matchers further down.
# NOTE(review): "REMOTE OFFICES" and CADMINMAN receive no members under
# /interface list member, so any rule matching them (e.g. the RDS allow for
# REMOTE OFFICES in the forward chain) never fires.
/interface list
add name=WAN
add name=VLAN
add name=INFRASTRUCTURE
add name=APS
add name=WINBOX
add name=“WEBCO LAN”
add name=“REMOTE OFFICES”
add name=CADMINMAN
# Default wireless security profile; the CAPsMAN configuration itself was left
# out of the paste.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools, one per VLAN. The dst-nat targets used later (10.0.20.12/.14/.15)
# fall outside SERVERS_POOL (.151-.254), so they are static assignments.
/ip pool
add name=INFRASTRUCTURE-OLD_POOL ranges=192.168.10.40-192.168.10.240
add name=SERVERS_POOL ranges=10.0.20.151-10.0.20.254
add name=OFFICES_POOL ranges=10.0.30.2-10.0.30.254
add name=PRODUCTION_POOL ranges=10.0.40.151-10.0.40.254
add name=COMMERICIAL_POOL ranges=10.0.50.2-10.0.50.254
add name=SKLA_POOL ranges=10.0.60.2-10.0.60.254
add name=MV-LINK_POOL ranges=10.0.90.50-10.0.90.254
add name=TERMINALS_POOL ranges=10.0.80.2-10.0.80.254
add name=INFRASTRUCTURE_POOL ranges=10.0.10.151-10.0.10.254
add name=TECH_POOL ranges=192.168.1.8-192.168.1.254
add name=WEBCO_WLAN_POOL ranges=10.0.70.2-10.0.70.254
add name=APS_POOL ranges=10.0.11.51-10.0.11.254
# DHCP servers. INFRASTRUCTURE-OLD_DHCP is disabled, consistent with the
# disabled 192.168.10.1/24 address under /ip address. TECH uses a 10m lease,
# every other VLAN 8h.
/ip dhcp-server
add address-pool=INFRASTRUCTURE-OLD_POOL disabled=yes interface=
INFRASTRUCTURE_OLD_VLAN name=INFRASTRUCTURE-OLD_DHCP
add address-pool=SERVERS_POOL interface=SERVERS_VLAN lease-time=8h name=
SERVERS_DHCP
add address-pool=OFFICES_POOL interface=OFFICES_VLAN lease-time=8h name=
OFFICES_DHCP
add address-pool=PRODUCTION_POOL interface=PRODUCTION_VLAN lease-time=8h
name=PRODUCTION_DHCP
add address-pool=COMMERICIAL_POOL interface=COMMERCIAL_VLAN lease-time=8h
name=COMMERICIAL_DHCP
add address-pool=SKLA_POOL interface=SKLA_VLAN lease-time=8h name=
SKLA_DHCP
add address-pool=WEBCO_WLAN_POOL interface=WEBCO_WLAN_VLAN
lease-time=8h name=WEBCO_WLAN_DHCP
add address-pool=TERMINALS_POOL interface=TERMINALS_VLAN lease-time=8h name=
TERMINALS_DHCP
add address-pool=MV-LINK_POOL interface=MV-LINK_VLAN lease-time=8h name=
MV-LINK_DHCP
add address-pool=INFRASTRUCTURE_POOL interface=INFRASTRUCTURE_VLAN
lease-time=8h name=INFRASTRUCTURE_DHCP
add address-pool=TECH_POOL interface=TECH_VLAN lease-time=10m name=
TECH_DHCP
add address-pool=APS_POOL interface=APS_VLAN lease-time=8h
name=APS_DHCP
# Serial console port names.
/port
set 0 name=serial0
set 1 name=serial1export
# CRL download/checking enabled for certificate validation.
/certificate settings
set crl-download=yes crl-use=yes
# Bridge port membership. Trunks (sfp-sfpplus1..6) accept tagged frames only;
# access ports carry a PVID and accept only untagged/priority-tagged frames.
# Access map: ether1 -> VLAN 10 (management), sfp-sfpplus7..10 -> VLAN 20
# (servers), sfp-sfpplus11 -> VLAN 13 (old infrastructure), sfp-sfpplus12 ->
# VLAN 999 (tech). The WAN port sfp28-1 is deliberately not bridged.
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
ether1-MGMT pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus2-TRUNK-HA1-KO0-OKO1
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus3-TRUNK-HA1-KO1-OKO1
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus4-TRUNK-HA2-KO1-OKO1
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus5-TRUNK-HA2-KO2-OKO1
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=
sfp-sfpplus6-TRUNK-FREE
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
sfp-sfpplus7-SKVIKI pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
sfp-sfpplus8-HRCAK pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
“sfp-sfpplus9-SERVERS - FREE” pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
“sfp-sfpplus10-SERVERS - FREE” pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
sfp-sfpplus11-INFRASTRUCTURE-OLD pvid=13
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
sfp-sfpplus12-TECH pvid=999
# Neighbor discovery (CDP/LLDP/MNDP) only on the WINBOX list, not on WAN.
/ip neighbor discovery-settings
set discover-interface-list=WINBOX
# IPv6 is switched off entirely; there are no IPv6 firewall rules in this export.
/ipv6 settings
set disable-ipv6=yes
# Bridge VLAN table. BR1 itself is tagged on every VLAN so the /interface vlan
# interfaces above can terminate them. Access-port membership for VLANs 10, 13,
# 20 and 999 is not listed here; it comes from the PVIDs under
# /interface bridge port.
# NOTE(review): VLANs 20-60 list "sfp-sfpplus6-TRUNK-SLOBODAN", whereas the
# port is named sfp-sfpplus6-TRUNK-FREE in /interface ethernet (and VLANs 10/11
# use -FREE). Probably a paste from before the rename; confirm on the device,
# as a stale name would leave that trunk untagged for VLANs 20-60.
/interface bridge vlan
add bridge=BR1 comment=INFRASTRUCTURE tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-
OKO1,sfp-sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-s
fpplus4-TRUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TR
UNK-FREE” vlan-ids=10
add bridge=BR1 comment=TRUNK tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1,sfp-
sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpplus4-T
RUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK-SLOBO
DAN” vlan-ids=20
add bridge=BR1 comment=TRUNK tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1,sfp-
sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpplus4-T
RUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK-SLOBO
DAN” vlan-ids=30
add bridge=BR1 comment=TRUNK tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1,sfp-
sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpplus4-T
RUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK-SLOBO
DAN” vlan-ids=40
add bridge=BR1 comment=TRUNK tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1,sfp-
sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpplus4-T
RUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK-SLOBO
DAN” vlan-ids=50
add bridge=BR1 comment=TRUNK tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO1,sfp-
sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpplus4-T
RUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK-SLOBO
DAN” vlan-ids=60
# VLANs below exist on the router only (no trunk carries them).
add bridge=BR1 comment=“INFRASTRUCTURE OLD” tagged=BR1 vlan-ids=13
add bridge=BR1 comment=TECH tagged=BR1 vlan-ids=999
# NOTE(review): the comments on 70 and 90 are swapped relative to
# /interface vlan (WEBCO_WLAN_VLAN is 70, MV-LINK_VLAN is 90). Membership is
# BR1-only either way, so only the labels are wrong.
add bridge=BR1 comment=MV-LINK tagged=BR1 vlan-ids=70
add bridge=BR1 comment=TERMINALS tagged=BR1 vlan-ids=80
add bridge=BR1 comment=“WEBCO WLAN” tagged=BR1 vlan-ids=90
# VLANs 100/110 have no /interface vlan counterpart and no ports besides BR1.
add bridge=BR1 comment=“VPN WEBCO” tagged=BR1 vlan-ids=100
add bridge=BR1 comment=“VPN VANJSKI” tagged=BR1 vlan-ids=110
add bridge=BR1 comment=APS tagged=“BR1,sfp-sfpplus1-TRUNK-HA0-KOSS-OKO
1,sfp-sfpplus2-TRUNK-HA1-KO0-OKO1,sfp-sfpplus3-TRUNK-HA1-KO1-OKO1,sfp-sfpp
lus4-TRUNK-HA2-KO1-OKO1,sfp-sfpplus5-TRUNK-HA2-KO2-OKO1,sfp-sfpplus6-TRUNK
-FREE” vlan-ids=11
# Interface list membership.
# - VLAN holds every VLAN interface, including INFRASTRUCTURE_VLAN and APS_VLAN,
#   so those two also match every in-interface-list=VLAN rule.
# - APS holds PRODUCTION/COMMERCIAL/SKLA as well as APS_VLAN, so the CAPsMAN and
#   BTest input allows apply to those user VLANs too.
# - "REMOTE OFFICES" and CADMINMAN get no members.
# - WINBOX includes the unbridged sfp28-2-FREE port (MAC-level access only).
/interface list member
add interface=sfp28-1-WAN list=WAN
add interface=INFRASTRUCTURE_VLAN list=INFRASTRUCTURE
add interface=INFRASTRUCTURE_OLD_VLAN list=VLAN
add interface=COMMERCIAL_VLAN list=VLAN
add interface=WEBCO_WLAN_VLAN list=VLAN
add interface=MV-LINK_VLAN list=VLAN
add interface=PRODUCTION_VLAN list=VLAN
add interface=SERVERS_VLAN list=VLAN
add interface=SKLA_VLAN list=VLAN
add interface=TECH_VLAN list=VLAN
add interface=TERMINALS_VLAN list=VLAN
add interface=OFFICES_VLAN list=VLAN
add interface=INFRASTRUCTURE_VLAN list=VLAN
add interface=APS_VLAN list=APS
add interface=APS_VLAN list=VLAN
add interface=INFRASTRUCTURE_VLAN list=WINBOX
add interface=sfp28-2-FREE list=WINBOX
add interface=APS_VLAN list=WINBOX
add interface=COMMERCIAL_VLAN list=“WEBCO LAN”
add interface=MV-LINK_VLAN list=“WEBCO LAN”
add interface=PRODUCTION_VLAN list=“WEBCO LAN”
add interface=SKLA_VLAN list=“WEBCO LAN”
add interface=OFFICES_VLAN list=“WEBCO LAN”
add interface=PRODUCTION_VLAN list=APS
add interface=COMMERCIAL_VLAN list=APS
add interface=SKLA_VLAN list=APS
# One /24 gateway per VLAN plus a /24 per WireGuard interface.
/ip address
add address=10.0.10.1/24 interface=INFRASTRUCTURE_VLAN network=10.0.10.0
# 192.168.10.1/24 is disabled: while it stays disabled the router has no
# connected route to 192.168.10.0/24 (relevant to the later 192.168.10.12 forward).
add address=192.168.10.1/24 disabled=yes interface=INFRASTRUCTURE_OLD_VLAN
network=192.168.10.0
add address=10.0.20.1/24 interface=SERVERS_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=OFFICES_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=PRODUCTION_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=COMMERCIAL_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=SKLA_VLAN network=10.0.60.0
add address=192.168.1.1/24 interface=TECH_VLAN network=192.168.1.0
add address=10.0.70.1/24 interface=WEBCO_WLAN_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=TERMINALS_VLAN network=10.0.80.0
add address=10.0.90.1/24 interface=MV-LINK_VLAN network=10.0.90.0
add address=10.0.11.1/24 interface=APS_VLAN network=10.0.11.0
add address=172.24.100.1/24 interface=wireguard1-ADMIN network=
172.24.100.0
add address=172.24.110.1/24 interface=wireguard2-MOBILE-USERS network=
172.24.110.0
add address=172.24.120.1/24 interface=wireguard3-HLAZB network=
172.24.120.0
add address=172.24.130.1/24 interface=wireguard4-SKLASPLT network=
172.24.130.0
add address=172.24.140.1/24 interface=wireguard5-TRAVELSVC network=
172.24.140.0
add address=172.24.150.1/24 interface=wireguard6-SUPP network=172.24.150.0
# The WAN side is a private address with default gateway 192.168.0.1, i.e. this
# router apparently sits behind another device (the ISP unit mentioned at the
# end of the thread). Any port forward here also depends on that upstream
# device forwarding the same ports.
add address=192.168.0.2/24 interface=sfp28-1-WAN network=192.168.0.0
# IP Cloud DDNS, refreshed every minute.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
# WAN DHCP client disabled; the static 192.168.0.2 above is used instead.
/ip dhcp-client
add disabled=yes interface=sfp28-1-WAN
# The router resolves for clients (allow-remote-requests=yes). Exposure to WAN
# is limited by the input chain, which only accepts port 53 from the VLAN list.
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=10.0.20.15 name=sspp.marjanvoce.local
add address=10.0.20.14 name=hrcak.marjanvoce.local
# not_in_internet: bogon/private ranges referenced by the "Block forwarding to
# addresses not on the internet" drop in the forward chain.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment=“6to4 relay Anycast [RFC 3068]” list=
not_in_internet
# GOSOFT / SUPP: vendor source addresses.
# NOTE(review): no filter or NAT rule in this export references these lists, so
# the GOSOFT/SUPP port forwards (RDP, MySQL, MSSQL, SSH) are reachable from any
# source. Adding src-address-list=GOSOFT (resp. SUPP) to the matching dstnat
# rules, or to a forward accept, would confine them to the vendor addresses.
add address=195.190.136.1 comment=“GOSOFT Allowed IP 1” list=GOSOFT
add address=195.190.136.71 comment=“GOSOFT Allowed IP 2” list=GOSOFT
add address=195.190.136.75 comment=“GOSOFT Allowed IP 3” list=GOSOFT
add address=104.238.136.194 comment=“GOSOFT API management IP 1” list=
GOSOFT
add address=104.238.159.87 comment=“GOSOFT API management IP 2” list=GOSOFT
add address=185.98.13.98 comment=“SONO IT Allowed IP 1” list=SUPP
# Filter rules. Both chains are default-deny: explicit accepts followed by a
# final drop. Rules are evaluated top to bottom, first match wins.
/ip firewall filter
add action=accept chain=input comment=“Allow ICMP” protocol=icmp
add action=accept chain=input comment=“Allow Established & Related”
connection-state=established,related
# The six WireGuard listeners are reachable from any source, WAN included.
add action=accept chain=input comment=“Allow WireGuard input” dst-port=
13231,13232,13233,13234,13235,13236 protocol=udp
# Router services offered to the VLAN list only (DNS, NTP, DHCP).
add action=accept chain=input comment=“Allow DNS UDP from VLAN” dst-port=53
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=“Allow DNS TCP from VLAN” dst-port=53
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment=“Allow NTP from VLAN” dst-port=123
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=“Allow DHCP Requests from VLAN”
dst-port=67 in-interface-list=VLAN protocol=udp
# The APS list also contains PRODUCTION, COMMERCIAL and SKLA VLANs (see
# /interface list member), so CAPsMAN and the bandwidth-test server (TCP/UDP
# 2000) are reachable from those user VLANs as well.
add action=accept chain=input comment=
“Allow CAPsMAN UDP data path from APS” dst-port=5246
in-interface-list=APS protocol=udp
add action=accept chain=input comment=
“Allow CAPsMAN UDP control path from APS” dst-port=5247
in-interface-list=APS protocol=udp
add action=accept chain=input comment=“Allow BTest TCP from APS”
dst-port=2000 in-interface-list=APS protocol=tcp
add action=accept chain=input comment=“Allow BTest UDP from APS”
dst-port=2000 in-interface-list=APS protocol=udp
# RADIUS / User Manager run on the router itself (see /radius and
# /user-manager router), hence the loopback source.
add action=accept chain=input comment=“Allow RADIUS Authentication” dst-port=
1812 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=“Allow RADIUS Incoming” dst-port=1813
protocol=udp src-address=127.0.0.1
# Management VLANs and the ADMIN tunnel reach every router service; all other
# interfaces only get the specific ports above.
add action=accept chain=input comment=“Allow INFRASTRUCTURE_VLAN Full Access”
in-interface=INFRASTRUCTURE_VLAN
add action=accept chain=input comment=“Allow SERVERS_VLAN Full Access”
in-interface=SERVERS_VLAN
add action=accept chain=input comment=“Allow MV-LINK_VLAN Full Access”
in-interface=MV-LINK_VLAN
add action=accept chain=input comment=“Allow WireGuard ADMIN input”
in-interface=wireguard1-ADMIN
add action=drop chain=input comment=“Drop everythign else” log-prefix=
“LAST INPUT RULE - DROP”
add action=accept chain=forward comment=“Allow Established & Related”
connection-state=established,related
# NOTE(review): this accept comes before the not_in_internet drop near the end
# of the chain and matches the same new VLAN->WAN connections, so that drop
# rule can never fire; moving the drop above this rule would restore it.
add action=accept chain=forward comment=“VLAN Internet Access only”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“Allov ICMP on WEBCO VLANs”
in-interface-list=“WEBCO LAN” out-interface-list=“WEBCO LAN”
protocol=icmp
add action=accept chain=forward comment=
“Allov ICMP on WEBCO VLANs → SERVERS_VLAN” in-interface-list=
“WEBCO LAN” out-interface=SERVERS_VLAN protocol=icmp
# INFRASTRUCTURE_VLAN, SERVERS_VLAN and the ADMIN tunnel may open connections
# to any destination, including every other VLAN.
add action=accept chain=forward comment=“Allow INFRASTRUCTURE forward”
connection-state=new in-interface-list=INFRASTRUCTURE
add action=accept chain=forward comment=“Allow SERVERS_VLAN forward”
connection-state=new in-interface=SERVERS_VLAN
add action=accept chain=forward comment=
“Allow WireGuard INFRASTRUCTURE forward” in-interface=
wireguard1-ADMIN
# The next two are already covered by "Allow SERVERS_VLAN forward" above.
add action=accept chain=forward comment=
“Allow from SERVERS_VLAN to WEBCO LAN” in-interface=SERVERS_VLAN
out-interface-list=“WEBCO LAN”
add action=accept chain=forward comment=
“Allow from SERVERS_VLAN to INFRASTRUCTURE_VLAN” in-interface=
SERVERS_VLAN out-interface=INFRASTRUCTURE_VLAN
add action=accept chain=forward comment=
“Allow from OFFICES_VLAN to TECH_VLAN” in-interface=OFFICES_VLAN
out-interface=TECH_VLAN
# Per-service allows from the user VLANs ("WEBCO LAN") into SERVERS_VLAN.
add action=accept chain=forward comment=
“Main TCP Services for WEBCO LAN (Part 1)” dst-port=
53,88,135,389,636,445,464,3268,3269,5722,443,80,427,631,9100
in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN protocol=
tcp
add action=accept chain=forward comment=
“Main TCP Services for WEBCO LAN (Part 2)” dst-port=49152-65535
in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN protocol=
tcp
add action=accept chain=forward comment=
“Allow 3389 (RDS) from WEBCO LAN” dst-port=3389 in-interface-list=
“WEBCO LAN” out-interface=SERVERS_VLAN protocol=tcp
add action=accept chain=forward comment=
“Allow 3306 (MySQL/MariaDB) from WEBCO LAN” dst-port=3306
in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN protocol=
tcp
add action=accept chain=forward comment=
“Main UDP Services for WEBCO LAN” dst-port=
53,88,389,123,464,3702,161,162,427 in-interface-list=“WEBCO LAN”
out-interface=SERVERS_VLAN protocol=udp
add action=accept chain=forward comment=
“NetBIOS UDP Services for WEBCO LAN (SMB1)” dst-port=137,138
in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN protocol=
udp
add action=accept chain=forward comment=
“NetBIOS TCP Services for WEBCO LAN (SMB1)” dst-port=139
in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN protocol=
tcp
# Disabled blanket allow; if enabled it would make the per-service rules
# above redundant.
add action=accept chain=forward comment=
“Allow ALL forward traffic from WEBCO LAN → SERVERS_VLAN” disabled=
yes in-interface-list=“WEBCO LAN” out-interface=SERVERS_VLAN
add action=accept chain=forward comment=
“Allow direct IP-based printing to printers from WEBCO VLANs”
dst-port=9100 in-interface-list=“WEBCO LAN” out-interface-list=
“WEBCO LAN” protocol=tcp
add action=accept chain=forward comment=
“Allow RDS from USERS VPN to WEBCO VLANs” dst-port=3389
in-interface=wireguard2-MOBILE-USERS out-interface-list=
“WEBCO LAN” protocol=tcp
# "REMOTE OFFICES" has no members in /interface list member, so this rule
# never matches as exported.
add action=accept chain=forward comment=
“Allow RDS access from REMOTE OFFICES to SERVERS_VLAN - HRCAK”
dst-address=10.0.20.14 dst-port=3389 in-interface-list=
“REMOTE OFFICES” out-interface=SERVERS_VLAN protocol=tcp
add action=accept chain=forward comment=“Allow acces to HRCAK LUCEED RDS on 10
.0.20.14 from TERMINALS_VLAN (WiFi)” dst-address=10.0.20.14 dst-port=
3389 in-interface=TERMINALS_VLAN out-interface=SERVERS_VLAN protocol=tcp
add action=accept chain=forward comment=
“Allow acces to SSPP on 10.0.20.15 from TERMINALS_VLAN (WiFi)”
dst-address=10.0.20.15 dst-port=80 in-interface=TERMINALS_VLAN
out-interface=SERVERS_VLAN protocol=tcp
add action=drop chain=forward comment=“Block forwarding to addresses not on th
e internet from local VLANs to WAN addresses” dst-address-list=
not_in_internet in-interface-list=VLAN log=yes log-prefix=
“Drop not in internet from VLANs to WAN” out-interface-list=WAN
# NOTE(review): nothing above accepts new connections arriving from WAN (no
# in-interface-list=WAN accept and no connection-nat-state=dstnat match), so
# connections to the dst-nat targets in /ip firewall nat end here. A single
# rule placed before this drop, e.g.
#   add action=accept chain=forward connection-nat-state=dstnat
#       connection-state=new in-interface-list=WAN
# is the usual way to admit port-forwarded traffic (optionally narrowed with
# src-address-list=GOSOFT / SUPP for the vendor-only services).
add action=drop chain=forward comment=“Drop everything else” log-prefix=
“DROP ALL”
# NAT. Rules are evaluated top to bottom; only the first matching
# terminating action applies.
/ip firewall nat
# Everything leaving via WAN is masqueraded; src-address=!127.0.0.1 only
# exempts the router's own loopback-sourced traffic.
add action=masquerade chain=srcnat comment=“Default masquerade”
out-interface-list=WAN src-address=!127.0.0.1
# The two TEST rules use action=log, which in RouterOS does not terminate
# processing: they write a log line and the packet continues to the dst-nat
# rules below. Disabling them (as the poster later did) changes nothing
# functionally.
add action=log chain=dstnat comment=TEST dst-port=45562 log-prefix=
“NAT incoming” protocol=tcp
add action=log chain=dstnat comment=TEST dst-port=22022 log-prefix=
“NAT incoming” protocol=tcp
# NOTE(review): none of the dst-nat rules below carries in-interface-list=WAN
# or a dst-address match, so they apply to any packet entering the dstnat
# chain — including LAN hosts connecting to external services on ports such
# as 3306, 8081, 2001 or 2002, which would be redirected to the internal
# server. The revised rule set later in the thread adds in-interface-list=WAN.
# Temporary test forward into PRODUCTION_VLAN (10.0.40.252), logged.
add action=dst-nat chain=dstnat comment=TEST dst-port=56067 log=yes
log-prefix=SMOLATEST protocol=tcp to-addresses=10.0.40.252 to-ports=3389
# GOSOFT services on 10.0.20.14 (HRCAK). No src-address-list=GOSOFT here,
# although that list is defined under /ip firewall address-list.
add action=dst-nat chain=dstnat comment=“GOSOFT SSH” dst-port=22022
protocol=tcp to-addresses=10.0.20.14 to-ports=22022
add action=dst-nat chain=dstnat comment=“GOSOFT RDP” dst-port=45562
protocol=tcp to-addresses=10.0.20.14 to-ports=3389
add action=dst-nat chain=dstnat comment=“DRAGEC RDP” dst-port=45563
protocol=tcp to-addresses=10.0.20.14 to-ports=3389
add action=dst-nat chain=dstnat comment=“GOSOFT Lureed API Monitoring”
dst-port=56066 protocol=tcp to-addresses=10.0.20.14 to-ports=56066
add action=dst-nat chain=dstnat comment=“GOSOFT Lureed API” dst-port=8081
protocol=tcp to-addresses=10.0.20.14 to-ports=8081
add action=dst-nat chain=dstnat comment=“GOSOFT MySQL” dst-port=3306
protocol=tcp to-addresses=10.0.20.14 to-ports=3306
# Duplicate of the 8081 rule two entries above; it never matches, and its
# "Monitoring" comment belongs to the 56066 rule.
add action=dst-nat chain=dstnat comment=“GOSOFT Lureed API Monitoring”
dst-port=8081 protocol=tcp to-addresses=10.0.20.14 to-ports=8081
# SUPP services on 10.0.20.12 (NJOFRA). Likewise no src-address-list=SUPP.
add action=dst-nat chain=dstnat comment=“SUPP RDP to NJOFRA” dst-port=43233
protocol=tcp to-addresses=10.0.20.12 to-ports=3389
add action=dst-nat chain=dstnat comment=“SUPP RDP to NJOFRA” dst-port=49639
protocol=tcp to-addresses=10.0.20.12 to-ports=3389
add action=dst-nat chain=dstnat comment=
“SUPP Microsoft SQL Server” dst-port=46321 protocol=tcp
to-addresses=10.0.20.12 to-ports=1433
add action=dst-nat chain=dstnat comment=
“SUPP DataIntegrator (RM komunikacijski servis) LIVE” dst-port=2001
protocol=tcp to-addresses=10.0.20.12 to-ports=2001
add action=dst-nat chain=dstnat comment=
“SUPP DataIntegrator (RM komunikacijski servis) TEST” dst-port=2002
protocol=tcp to-addresses=10.0.20.12 to-ports=2002
add action=dst-nat chain=dstnat comment=“SUPP Office WebMaster LIVE”
dst-port=21001 protocol=tcp to-addresses=10.0.20.12 to-ports=21001
add action=dst-nat chain=dstnat comment=
“SUPP Web Utility (servis za spremanje slika i drugih datoteka) LIVE”
dst-port=22001 protocol=tcp to-addresses=10.0.20.12 to-ports=22001
# PPTP connection-tracking helper disabled (no PPTP in use).
/ip firewall service-port
set pptp disabled=yes
# Single default route via the upstream 192.168.0.1 device.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main
suppress-hw-offload=no
# telnet/ftp/api/api-ssl are off. ssh, www and winbox are not listed, so they
# presumably remain at their defaults; their exposure is governed by the
# input chain (full access only from the management VLANs and ADMIN tunnel).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# Local RADIUS (User Manager on 127.0.0.1) for wireless authentication.
/radius
add address=127.0.0.1 service=wireless timeout=1s
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=HA0-KOSS-MAIN-ROUTER
# Logging: radius and wireguard topics on; dhcp, caps and a second radius
# entry are present but disabled.
/system logging
add disabled=yes topics=dhcp
add topics=radius
add disabled=yes topics=caps
add disabled=yes topics=radius
add topics=wireguard
/system note
set show-at-login=no
# The router is both an NTP client (pool servers below) and an NTP server;
# the input chain admits UDP 123 from the VLAN list only.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=hr.pool.ntp.org
add address=europe.pool.ntp.org
add address=pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
# MAC-level access (mac-telnet, mac-winbox, neighbor discovery) restricted to
# the WINBOX list; RoMON is explicitly forbidden on the WAN port.
/tool mac-server
set allowed-interface-list=WINBOX
/tool mac-server mac-winbox
set allowed-interface-list=WINBOX
/tool romon port
add disabled=no forbid=yes interface=sfp28-1-WAN
# Router logins may also be checked against RADIUS (the local User Manager).
/user aaa
set use-radius=yes
/user-manager
set certificate=userman-cert enabled=yes
/user-manager router
add address=127.0.0.1 name=HA0-KOSS-MAIN-ROUTER

Please clarify: you are trying to connect to port 3389 from the router (?) – to which address, internal or external (?)

Thank you for replying.

I am trying to port forward to 10.0.20.14, port 3389.

I ran Wireshark for a bit and could see the main router’s IP when I used telnet to the server, and I could also connect to it from another server, which worked. However, when I tried to connect from an external client the connection was impossible and I could not see the incoming IP. The attempt did trigger a port, though.

Also – I suddenly lost the complete network. Everything just flopped. ??

I have now reconnected the servers directly to the router and restarted them.

Honestly, I can’t spot the error in the config.
Only one thing (actually two) is unclear to me and may cause access problems:

/ip firewall nat
add action=log chain=dstnat comment=TEST dst-port=45562 log-prefix=\
"NAT incoming" protocol=tcp
add action=log chain=dstnat comment=TEST dst-port=22022 log-prefix=\
"NAT incoming" protocol=tcp

In my opinion, packets with dst-port=45562,22022 are processed by these rules and then processing stops. Try disabling them and test again from outside.

It would appear that you don’t have the single “allow dstnat” rule in the forward chain, but have instead created the firewall portion of every dstnat rule as a separate entry in the forward chain. Or maybe not???
Q. Can you confirm whether all those forward-chain rules with dst are simply LAN-to-LAN or WireGuard-to-LAN traffic, please? In other words, confirming that none of them are for traffic coming in from the local WAN.

The actual port-forwarding rules (dstnat) are all missing either in-interface=WAN (if dynamic) or dst-address=WANIP (if static).

Thank you for your time.

I am currently on site trying to find the issue. I have to wait until work is over at 18:00 and then pull the network apart piece by piece.

In the meantime I have added 3 additional port forwards to DVRs, which all work fine, and as they are "stupid" devices (meaning no DC) they will be good for testing.

The two things I am thinking might cause these issues are:

  • server NIC issue (I will flash new firmware if available and update drivers)
  • some cable that is looping the network?

Loop detection is disabled due to the VLANs...

Is there maybe an error in VLAN config?

At a certain point everything hung (services on the servers), and after I restarted both servers things started working again.

Any ideas welcome!

EDIT: I did disable the two rules you mentioned.

If you are referring to the missing in-interface list, I did change that. This is the rule set now:

# Revised NAT rule set (after the thread's feedback). Every dst-nat rule now
# carries in-interface-list=WAN, so only packets arriving on sfp28-1-WAN are
# redirected; LAN-originated connections to these ports are no longer caught.
# dst-nat only rewrites the destination: the forward chain posted earlier has
# no accept for WAN-originated connections, so that chain still has to admit
# the redirected traffic for these forwards to work.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN src-address=!127.0.0.1
# action=log is non-terminating in RouterOS; these two rules only log that a
# packet for 45562/22022 reached the dstnat chain.
add action=log chain=dstnat comment=TESTIRANJE dst-port=45562 log-prefix="NAT incoming" protocol=tcp
add action=log chain=dstnat comment=TESTIRANJE dst-port=22022 log-prefix="NAT incoming" protocol=tcp
# 10.0.20.14 (GOSOFT services). NOTE(review): still no src-address-list=GOSOFT,
# so SSH, RDP (45562/45563) and MySQL answer to any internet source.
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=22022
add action=dst-nat chain=dstnat dst-port=45562 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=3389
add action=dst-nat chain=dstnat dst-port=45563 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56066 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=56066
add action=dst-nat chain=dstnat dst-port=8081 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=8081
add action=dst-nat chain=dstnat dst-port=3306 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=3306
# Duplicate of the 8081 rule two entries above; never matches.
add action=dst-nat chain=dstnat dst-port=8081 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.14 to-ports=8081
# 10.0.20.12 (SUPP services). NOTE(review): likewise no src-address-list=SUPP
# for RDP (43233/49639) and MSSQL (46321 -> 1433).
add action=dst-nat chain=dstnat dst-port=43233 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=3389
add action=dst-nat chain=dstnat dst-port=49639 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=3389
add action=dst-nat chain=dstnat dst-port=46321 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=1433
add action=dst-nat chain=dstnat dst-port=2001 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=2001
add action=dst-nat chain=dstnat dst-port=2002 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=2002
add action=dst-nat chain=dstnat dst-port=21001 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=21001
add action=dst-nat chain=dstnat dst-port=22001 in-interface-list=WAN protocol=tcp to-addresses=10.0.20.12 to-ports=22001
# NOTE(review): 192.168.10.12 is on INFRASTRUCTURE_OLD_VLAN, whose
# 192.168.10.1/24 address was disabled in the first export; unless it has been
# enabled since, the router has no connected route to this target — confirm.
add action=dst-nat chain=dstnat dst-port=9090 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.12 to-ports=9090
# DVR forwards into TECH_VLAN (192.168.1.0/24): the 8001-8004 rules are active,
# the 81/82/83 variants are disabled except 82 -> 192.168.1.200.
add action=dst-nat chain=dstnat disabled=yes dst-port=81 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.253 to-ports=81
add action=dst-nat chain=dstnat dst-port=8001 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.253 to-ports=8001
add action=dst-nat chain=dstnat disabled=yes dst-port=82 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.58 to-ports=82
add action=dst-nat chain=dstnat dst-port=8002 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.58 to-ports=8002
add action=dst-nat chain=dstnat disabled=yes dst-port=83 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100 to-ports=83
add action=dst-nat chain=dstnat dst-port=8003 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100 to-ports=8003
add action=dst-nat chain=dstnat dst-port=82 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.200 to-ports=82
add action=dst-nat chain=dstnat dst-port=8004 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.200 to-ports=8004

(No comments)

The two test rules are just dummies that I use to check whether packets are arriving at the port.

Here is an update: I have disconnected everything from the router except my own laptop and the internet feed. I tried checking whether the router’s own (VPN) ports were open, and nothing. Under NAT I can see that the ports get triggered.

Fast forward a bit. MikroTik S-RJ01 modules seem to not work well, or not at all, with the RB2004, and possibly with other devices.

I found that the modules fail in mysterious ways.

For example, after a reboot some wouldn’t start. Others just turned off after a while, and then came back on.

Anyway, we have connected the ISP’s 4011 and our RB2004 with a 3 m S+DA0003 copper interlink, and now everything works. We haven’t had a single drop since.

Go figure.

You connected an RB4011 with an S+DA0003 and it’s working? But I think the RB4011 doesn’t support that cable…