Port Forwarding problem

kothet · November 15, 2023, 3:05am

Hello,

first of all, thanks for everyone helping each other. I am new with this, and I already read much about NAT, Hairpin and so on.
In my configuration, there is something special, I think, and I am not sure, where my default error is.
I want to port forward localip:80 from 1 of wan connection ip address

nov/15/2023 09:26:05 by RouterOS 6.42.12

software id = FIM7-Q0M4

model = CCR1009-7G-1C-1S+

serial number = 914F0A4EE5B4

/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full name="ether1(MPTWAN)"
set [ find default-name=ether2 ] advertise=1000M-full name=
"ether2(OredooWAN)"
set [ find default-name=ether3 ] name="ether3(LANCC)"
set [ find default-name=ether4 ] name="ether4(POEMain)"
set [ find default-name=ether5 ] arp=proxy-arp name=
"ether5(MPTCablea&Engineering)"
set [ find default-name=ether6 ] loop-protect=off
/interface vlan
add interface="ether4(POEMain)" name=Engineering vlan-id=50
add interface="ether4(POEMain)" name=Management vlan-id=10
add interface="ether4(POEMain)" name=Operation vlan-id=20
add interface="ether4(POEMain)" name=Procon vlan-id=40
add interface="ether4(POEMain)" name=Staff vlan-id=30
/interface list
add name=MPT
add name=Ooredoo
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=cfg1 static-dns=8.8.8.8 system-dns=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add enc-algorithms=3des name=proposal1 pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ios-ikev2-proposal
pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.20.2-172.16.20.254
add name=dhcp_pool3 ranges=172.16.30.2-172.16.30.254
add name=dhcp_pool4 ranges=172.16.40.2-172.16.40.254
add name=dhcp_pool5 ranges=172.16.50.2-172.16.50.254
add name=dhcp_pool6 ranges=192.168.30.50-192.168.30.254
add name=dhcp_pool7 ranges=172.16.60.50-172.16.60.254
add name=VPN-Address-Pool ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool12 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool13 ranges=196.169.10.50-196.169.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether4(POEMain)" name=
dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Management name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=Operation name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=Staff name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface=Procon name=dhcp6
add address-pool=dhcp_pool6 disabled=no interface=
"ether5(MPTCablea&Engineering)" name=dhcp7
add address-pool=dhcp_pool7 disabled=no interface=Engineering name=dhcp8
add address-pool=dhcp_pool12 disabled=no interface=ether6 name=dhcp10
add address-pool=dhcp_pool13 disabled=no interface="ether3(LANCC)" name=dhcp1
/ppp profile
set *0 dns-server=8.8.8.8
add local-address=192.168.30.1 name=OVPN remote-address=dhcp_pool6
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 write-access=yes
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface="ether1(MPTWAN)" list=MPT
add interface="ether2(OredooWAN)" list=Ooredoo
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 enabled=yes
require-client-certificate=yes
/ip address
add address=203.81.75.50/30 interface="ether1(MPTWAN)" network=203.81.75.48
add address=69.160.5.182/30 interface="ether2(OredooWAN)" network=
69.160.5.180
add address=196.169.10.254/24 interface="ether3(LANCC)" network=196.169.10.0
add address=172.16.10.1/24 interface="ether4(POEMain)" network=172.16.10.0
add address=172.16.20.1/24 interface=Management network=172.16.20.0
add address=172.16.30.1/24 interface=Operation network=172.16.30.0
add address=172.16.40.1/24 interface=Staff network=172.16.40.0
add address=172.16.50.1/24 interface=Procon network=172.16.50.0
add address=192.168.30.1/24 interface="ether5(MPTCablea&Engineering)"
network=192.168.30.0
add address=172.16.60.1/24 interface=Engineering network=172.16.60.0
add address=192.168.90.1/24 interface=ether6 network=192.168.90.0
/ip dhcp-server lease
add address=172.16.20.152 client-id=1:64:27:37:59:48:5a mac-address=
64:27:37:59:48:5A server=dhcp3
add address=172.16.10.158 client-id=1:0:e0:4c:68:2:6 mac-address=
00:E0:4C:68:02:06 server=dhcp2
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.90.0/24 gateway=192.168.90.1
add address=196.169.10.0/24 gateway=196.169.10.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=203.81.75.50 list=Wan
add address=192.168.90.0/24 list=LAN
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=log chain=forward dst-address=192.168.90.100 dst-port=80
log-prefix=3 protocol=tcp
add action=log chain=forward log-prefix=6 protocol=tcp src-address=
192.168.90.100 src-port=80
/ip firewall mangle
add action=mark-connection chain=prerouting comment=HairPin_NAT disabled=yes
dst-address-list=Wan dst-address-type="" dst-port=82 log=yes
new-connection-mark=HairPin_NAT passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting new-routing-mark=Oredoo passthrough=
no src-address=172.16.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=Oredoo passthrough=
no src-address=196.169.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=Oredoo passthrough=
no src-address=172.16.20.0/24
add action=mark-routing chain=prerouting dst-address-type=""
new-routing-mark=MPT passthrough=no src-address=192.168.30.0/24
add action=mark-routing chain=prerouting fragment=no new-routing-mark=Oredoo
passthrough=no src-address=172.16.30.0/24
add action=mark-routing chain=prerouting new-routing-mark=Oredoo passthrough=
no src-address=172.16.40.0/24
add action=mark-routing chain=prerouting new-routing-mark=MPT passthrough=no
src-address=172.16.50.0/24
add action=mark-routing chain=prerouting new-routing-mark=Oredoo passthrough=
no src-address=172.16.60.0/24
add action=mark-routing chain=prerouting new-routing-mark=MPT passthrough=no
src-address=192.168.90.0/24
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=MPT
passthrough=no protocol=tcp src-address=192.168.90.100
add action=accept chain=prerouting comment="test route" disabled=yes
dst-address=172.16.20.0/24 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="MGMT to SOC" disabled=yes
dst-address=192.168.90.0/24 dst-address-type="" fragment=no hotspot=""
log=yes src-address=172.16.20.0/24 src-address-type=""
add action=accept chain=prerouting comment="SOC to MGMT" disabled=yes
dst-address=172.16.20.0/24 log=yes src-address=192.168.90.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.90.0/24
src-address=172.16.10.0/24
add action=accept chain=prerouting disabled=yes dst-address=172.16.10.0/24
src-address=192.168.90.0/24
add action=accept chain=prerouting comment=30tophone disabled=yes
dst-address=196.169.10.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=40tophone disabled=yes
dst-address=196.169.10.0/24 src-address=172.16.40.0/24
add action=accept chain=prerouting comment="Lan to 20network" disabled=yes
dst-address=172.16.20.0/24 src-address=172.16.20.0/24
add action=accept chain=prerouting comment=10to10 disabled=yes dst-address=
196.169.10.0/24 src-address=196.169.10.0/24
add action=accept chain=prerouting comment=50to10 disabled=yes dst-address=
172.16.10.0/24 src-address=172.16.50.0/24
add action=accept chain=prerouting comment=50to10 disabled=yes dst-address=
172.16.50.0/24 src-address=172.16.10.0/24
add action=accept chain=prerouting comment="20 to Phone" disabled=yes
dst-address=196.169.10.0/24 src-address=172.16.20.0/24
add action=accept chain=prerouting comment="50 to Phone" disabled=yes
dst-address=196.169.10.0/24 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="50 to Phone" disabled=yes
dst-address=172.16.50.0/24 src-address=196.169.10.0/24
add action=accept chain=prerouting comment="SOC to MPT Cable" disabled=yes
dst-address=192.168.30.0/24 src-address=192.168.90.0/24
add action=accept chain=prerouting comment="MPT Cable to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment="SOC to Engineering" disabled=yes
dst-address=172.16.60.0/24 src-address=192.168.90.0/24
add action=accept chain=prerouting comment="Engineering to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=172.16.60.0/24
add action=accept chain=prerouting comment="SOC to Procon" disabled=yes
dst-address=172.16.50.0/24 src-address=192.168.90.0/24
add action=accept chain=prerouting comment="Procon to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="SOC to Staff" disabled=yes
dst-address=172.16.40.0/24 src-address=192.168.90.0/24
add action=accept chain=prerouting comment="Staff to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=172.16.40.0/24
add action=accept chain=prerouting comment="SOC to Operation" disabled=yes
dst-address=172.16.30.0/24 src-address=192.168.90.0/24
add action=accept chain=prerouting comment="Operation to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=172.16.30.0/24
add action=accept chain=prerouting comment="SOC to Phone" disabled=yes
dst-address=196.169.10.0/24 log=yes src-address=192.168.90.0/24
add action=accept chain=prerouting comment="Phone to SOC" disabled=yes
dst-address=192.168.90.0/24 src-address=196.169.10.0/24
add action=accept chain=prerouting comment="20 to phone" disabled=yes
dst-address=172.16.20.0/24 src-address=196.169.10.0/24
add action=accept chain=prerouting comment=50to10 disabled=yes dst-address=
172.16.50.0/24 src-address=172.16.10.0/24
add action=accept chain=prerouting comment=30to30 disabled=yes dst-address=
172.16.20.0/24 src-address=172.16.20.38
add action=accept chain=prerouting comment=30to50 disabled=yes dst-address=
172.16.50.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=40to30 disabled=yes dst-address=
192.168.30.0/24 src-address=172.16.40.0/24
add action=accept chain=prerouting comment=20to30 disabled=yes dst-address=
192.168.30.0/24 src-address=172.16.20.0/24
add action=accept chain=prerouting comment=20to30 disabled=yes dst-address=
172.16.20.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=30to30 disabled=yes dst-address=
172.16.30.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=30to10 disabled=yes dst-address=
172.16.10.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=30to40 disabled=yes dst-address=
172.16.40.0/24 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=50to30 disabled=yes dst-address=
192.168.30.0/24 src-address=172.16.50.0/24
add action=accept chain=prerouting comment=LanTo10network disabled=yes
dst-address=196.169.10.10 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="LanTo10 Zabbix network" disabled=
yes dst-address=196.169.10.253 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="wifiprocon to unifi-server"
disabled=yes dst-address=172.16.20.152 src-address=172.16.50.0/24
add action=accept chain=prerouting comment="wifimgmt to unifi-server"
disabled=yes dst-address=172.16.20.152 src-address=172.16.20.0/24
add action=accept chain=prerouting comment=LanTo10netwrok disabled=yes
dst-address=196.169.10.10 src-address=192.168.30.0/24
add action=accept chain=prerouting comment=Printer disabled=yes dst-address=
192.168.30.9 src-address=172.16.50.0/24
add action=accept chain=prerouting comment=LanTo10network disabled=yes
dst-address=196.169.10.10 src-address=172.16.20.0/24
add action=mark-connection chain=prerouting comment=to_ISP connection-mark=
no-mark disabled=yes dst-address-type=local in-interface=ether6
new-connection-mark=to_MPT passthrough=yes
add action=mark-connection chain=forward connection-mark=mpt_pfw disabled=yes
in-interface="ether1(MPTWAN)" new-connection-mark=mpt_pfw passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=
"ether1(MPTWAN)" new-connection-mark=to_MPTFW passthrough=yes
add action=mark-routing chain=output connection-mark=to_MPTFW disabled=yes
new-routing-mark=to_MPTtraffic passthrough=no
add action=mark-connection chain=input comment=
"Mark Connection - IN wan1,OUT wan1 Syed.Jahanzaib" disabled=yes
in-interface="ether1(MPTWAN)" new-connection-mark=MPT_out1_conn
passthrough=yes
add action=mark-routing chain=output comment=
"Mark Routing - IN wan1,OUT wan1" connection-mark=MPT_out1_conn disabled=
yes new-routing-mark=MPT_out1_traffic passthrough=no
add action=mark-routing chain=output comment=
"Mark Routing - IN wan1,OUT wan1" connection-mark=MPT_out1_conn disabled=
yes new-routing-mark=MPT_out1_traffic passthrough=no
add action=mark-connection chain=forward comment=
"Mark Connection for new conn - Packet Forward wan1, out wan1"
connection-state=new disabled=yes in-interface="ether1(MPTWAN)"
new-connection-mark=MPT_out1_pfw passthrough=no
add action=mark-routing chain=prerouting comment=
"Mark Packets forward wan1, out wan1" connection-mark=MPT_out1_pfw
disabled=yes in-interface=ether6 new-routing-mark=MPT_out1_traffic
passthrough=no
add action=mark-routing chain=prerouting comment=
"Mark Packets forward wan1, out wan1" connection-mark=MPT_out1_pfw
disabled=yes in-interface="ether5(MPTCablea&Engineering)"
new-routing-mark=MPT_out1_traffic passthrough=no
add action=log chain=prerouting dst-address=203.81.75.50 dst-port=82
log-prefix=1 protocol=tcp
add action=log chain=postrouting dst-address=192.168.90.100 dst-port=80
log-prefix=4 protocol=tcp
add action=log chain=prerouting log-prefix=5 protocol=tcp src-address=
192.168.90.100 src-port=80
add action=log chain=postrouting log-prefix=7 protocol=tcp src-address=
192.168.90.100 src-port=80
/ip firewall nat
add action=masquerade chain=srcnat connection-mark=HairPin_NAT disabled=yes
log=yes
add action=masquerade chain=srcnat
add action=add-src-to-address-list address-list=192.168.90.100
address-list-timeout=none-dynamic chain=srcnat disabled=yes log=yes
add action=dst-nat chain=dstnat comment="FW traffic via 1.2.3.1" disabled=yes
dst-port=80 out-interface="ether1(MPTWAN)" protocol=tcp to-addresses=
192.168.90.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address-list=Wan dst-port=82
in-interface-list=MPT log=yes protocol=tcp src-address-list=LAN
to-addresses=192.168.90.100 to-ports=80
add action=dst-nat chain=dstnat dst-address=203.81.75.50 dst-port=82 log=yes
log-prefix=2 protocol=tcp to-addresses=192.168.90.100 to-ports=80
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature dh-group=modp2048 disabled=
yes enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=
port-strict mode-config=cfg1 my-id=fqdn:vpn.server passive=yes
send-initial-contact=no
/ip route
add check-gateway=ping comment="can disable" distance=1 gateway=203.81.75.49
routing-mark=MPT
add check-gateway=ping distance=2 gateway=69.160.5.181 routing-mark=MPT
scope=5
add check-gateway=ping comment="Can Disable" distance=1 gateway=69.160.5.181
routing-mark=Oredoo
add check-gateway=ping distance=2 gateway=203.81.75.49 routing-mark=Oredoo
scope=5
add disabled=yes distance=1 gateway="ether1(MPTWAN)" routing-mark=
MPT_out1_traffic
/ip route rule
add comment="20 to phone 10" dst-address=196.169.10.0/24 src-address=
172.16.20.0/24 table=main
add comment="phone 10 to 20" dst-address=172.16.20.0/24 src-address=
196.169.10.0/24 table=main
add comment=10tophone10 dst-address=196.169.10.0/24 src-address=
172.16.10.0/24 table=main
add comment=30tophone10 dst-address=196.169.10.0/24 src-address=
172.16.30.0/24 table=main
add comment=40tophone10 dst-address=196.169.10.0/24 src-address=
172.16.40.0/24 table=main
add comment=50tophone10 dst-address=196.169.10.0/24 src-address=
172.16.50.0/24 table=main
add comment=60tophone10 dst-address=196.169.10.0/24 src-address=
172.16.60.0/24 table=main
add comment=Lan30toPhone10 dst-address=196.169.10.0/24 src-address=
192.168.30.0/24 table=main
add comment=phone10to10 dst-address=172.16.10.0/24 src-address=
196.169.10.0/24 table=main
add comment=phone10to30 dst-address=172.16.30.0/24 src-address=
196.169.10.0/24 table=main
add comment=phone10to40 dst-address=172.16.40.0/24 src-address=
196.169.10.0/24 table=main
add comment=phone10to50 dst-address=172.16.50.0/24 src-address=
196.169.10.0/24 table=main
add comment=phone10to60 dst-address=172.16.60.0/24 src-address=
196.169.10.0/24 table=main
add comment=Phone10toLan30 dst-address=192.168.30.0/24 src-address=
196.169.10.0/24 table=main
add comment=SOC90to10 dst-address=172.16.10.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90to20 dst-address=172.16.20.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90to30 dst-address=172.16.30.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90to40 dst-address=172.16.40.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90to50 dst-address=172.16.50.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90to60 dst-address=172.16.60.0/24 src-address=192.168.90.0/24
table=main
add comment=SOC90toPhone10 dst-address=196.169.10.0/24 src-address=
192.168.90.0/24 table=main
add comment=SOC90toLan30 dst-address=192.168.30.0/24 src-address=
192.168.90.0/24 table=main
add comment=10toSOC90 dst-address=192.168.90.0/24 src-address=172.16.60.0/24
table=main
add comment="20 to SOC 90" dst-address=192.168.90.0/24 src-address=
172.16.20.0/24 table=main
add comment=30toSOC90 dst-address=192.168.90.0/24 src-address=172.16.30.0/24
table=main
add comment=40toSOC90 dst-address=192.168.90.0/24 src-address=172.16.40.0/24
table=main
add comment=50toSOC90 dst-address=192.168.90.0/24 src-address=172.16.50.0/24
table=main
add comment=60toSOC90 dst-address=192.168.90.0/24 src-address=172.16.60.0/24
table=main
add comment=Lan30toSOC90 dst-address=192.168.90.0/24 src-address=
192.168.30.0/24 table=main
add comment=Phone10toSOC90 dst-address=192.168.90.0/24 src-address=
192.168.1.0/24 table=main
add comment=50toLan30 dst-address=192.168.30.0/24 src-address=172.16.50.0/24
table=main
add comment=Lan30to50 dst-address=172.16.50.0/24 src-address=192.168.30.0/24
table=main
add comment=Lan30to20 dst-address=172.16.20.0/24 src-address=192.168.30.0/24
table=main
add comment=20toLan30 dst-address=192.168.30.0/24 src-address=172.16.20.0/24
table=main
add comment=10to20 dst-address=172.16.10.0/24 src-address=172.16.20.0/24
table=main
add comment=20to10 dst-address=172.16.20.0/24 src-address=172.16.10.0/24
table=main
add disabled=yes dst-address=192.168.90.100/32 src-address=172.16.20.0/24
table=main
add disabled=yes dst-address=172.16.20.0/24 src-address=192.168.90.100/32
table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1500
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=4M enabled=yes interfaces=
"ether2(OredooWAN)"
/ip traffic-flow target
add disabled=yes dst-address=192.168.30.254 port=9996 v9-template-refresh=5
v9-template-timeout=20s
add dst-address=172.16.20.38 src-address=192.168.90.1
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.90.1 name="L2tp Profile"
remote-address=*B
/ppp secret
add name=thet profile=OVPN service=ovpn
add local-address=192.168.30.1 name=ako profile=default-encryption
remote-address=192.168.30.26 service=l2tp
add local-address=192.168.90.1 name=testuser remote-address=192.168.90.200
service=l2tp
/snmp
set contact=it@owaytrip.com enabled=yes location=Oway
/special-login
add disabled=yes port=serial1 user=admin
add disabled=yes port=serial0 user=admin
/system clock
set time-zone-name=Asia/Yangon
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
/tool graphing interface
add
/tool graphing resource
add
Thanks for any help

anav · November 15, 2023, 3:55pm

Please put code blocks at start/end of config, the black square with white square brackets above, on the same line as bold and underline!!

Did you read → https://forum.mikrotik.com/viewtopic.php?t=179343