Hi there…
I’m trying to set up an RB2011UiAS-RM (latest 6.32.2 fw, os lvl5).
This RB has 2 built-in separate switches eth1-5 1Gbps + eth6-10 100Mbit.
I’ve managed to set up WAN connection on ETH1, ETH2 is LAN port leading to multiple-port switch.
There are no bridges (yet).
So far a DHCP server is not required for the LAN (most devices use another router with DHCP enabled, in the same network). A couple of devices dedicated to using the RB2011 as gateway have static IP setups (for now).
Anyway, on a LAN PC with a static IP setup the internet works fine. I can also ping any external (WAN) or LAN IP/address from the router console itself as well.
Thing is I’m unable to get any port forwarding working. Obviously the WAN has a static external IP address. I’ve opened connection ports for web/winbox access to the RB from outside and it works. However port forwarding to local devices fails every time.
Initially I was reconfiguring basic configuration of RB. With issues on forwarding I’ve decided to reset the device with no initial configuration. I’ve configured the device from the beginning and still can’t solve simple port forwarding.
BTW. Recently I’ve added a VPN server on the RB. The connection works (I can log in to the VPN from outside, my client obtains a proper IP address in the same pool as the LAN network), however I can’t even ping or browse any of the LAN devices behind the RB gateway.
It seems something is wrong between WAN and LAN path…
Hope some printouts below will help:
IP addresses
> ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.0.111/24 192.168.0.0 eth02-master-local
1 91xxxxxxx186/30 91xxxxxxx184 eth01-WAN1
2 192.168.10.10/24 192.168.10.0 eth06-master-local
ROUTES:
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 91.xxxxxx.185 1
1 ADC 91xxxxxxx184/30 91xxxxxxx186 eth01-WAN1 0
2 ADC 192.168.0.0/24 192.168.0.111 eth02-master-local 0
3 DC 192.168.10.0/24 192.168.10.10 eth06-master-local 255
INTERFACES
> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ;;; WAN port
eth01-WAN1 ether 1500 1598 4074
1 R ;;; LAN (switch 1Gbps)
eth02-master-local ether 1500 1598 4074
2 eth03-WAN2 ether 1500 1598 4074
3 S eth04-slave-local ether 1500 1598 4074
4 S eth05-slave-local ether 1500 1598 4074
5 eth06-master-local ether 1500 1598 2028
6 S eth07-slave-local ether 1500 1598 2028
7 S eth08-slave-local ether 1500 1598 2028
8 S ;;; ETH port for HotSpot device
eth09-slave-local ether 1500 1598 2028
9 S ;;; PoE (off)
eth10-slave-local ether 1500 1598 2028
10 X sfp1 ether 1500 1598 4074
11 VPN server pptp-in
FIREWALL
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""
3 ;;; remote access Mikrotik WWW
chain=input action=accept protocol=tcp in-interface=eth01-WAN1 dst-port=xxxx log=no log-prefix=""
4 ;;; remote access Mikrotik WINBOX
chain=input action=accept protocol=tcp in-interface=eth01-WAN1 dst-port=xxxx log=no log-prefix=""
5 chain=input action=accept protocol=tcp dst-port=xxxx log=no log-prefix=""
6 chain=input action=accept protocol=gre log=no log-prefix=""
7 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no log-prefix=""
8 chain=forward action=accept protocol=tcp in-interface=eth01-WAN1 out-interface=eth02-master-local log=no
log-prefix=""
9 ;;; default configuration
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
10 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
11 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=eth01-WAN1 log=no
log-prefix=""
12 ;;; default configuration
chain=input action=drop in-interface=eth01-WAN1 log=no log-prefix=""
NAT
> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; MASQ. (default)
chain=srcnat action=masquerade out-interface=eth01-WAN1 log=no log-prefix=""
1 ;;; WWW
chain=dstnat action=dst-nat to-addresses=192.168.0.x to-ports=80 protocol=tcp dst-address=192.168.0.x
in-interface=eth01-WAN1 dst-port=80 log=yes log-prefix="motoekspert-sklep"
2 ;;; RDP 1
chain=dstnat action=dst-nat to-addresses=192.168.0.x to-ports=3388 protocol=tcp in-interface=eth01-WAN1
dst-port=3388 log=yes log-prefix=""
3 ;;; RDP 2
chain=dstnat action=dst-nat to-addresses=192.168.0.x to-ports=3390 protocol=tcp in-interface=eth01-WAN1
dst-port=3390 log=yes log-prefix=""
4 ;;; RDP 3
chain=dstnat action=dst-nat to-addresses=192.168.0.x to-ports=3389 protocol=tcp in-interface=eth01-WAN1
dst-port=3389 log=yes log-prefix=""
An RDP connection attempt is shown in the log as:
oct/09 19:17:21 firewall,info dstnat: in:eth01-WAN1 out:(none), src-mac xx:xx:xx:xx:xx:xx:, proto TCP (SYN), 95.xx.xx.7:
2225->91.xx.xx.186:3388, len 52
Sooo… help me out!
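As an added example that is not part of the post or of RouterOS itself, a small Python checker that parses an `ip firewall nat print` listing like the one above and flags dst-nat rules that cannot match the way they were intended, such as the WWW rule, which matches `dst-address` on a LAN IP while `in-interface` is the WAN port. It assumes the WAN port name and LAN subnet shown in the post, and replaces the masked host octets with constructed placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the "ip firewall nat print" output in the post;
# the masked "x" octets are replaced with placeholder host numbers (assumption).
NAT_PRINT = """\
0 ;;; MASQ. (default)
chain=srcnat action=masquerade out-interface=eth01-WAN1 log=no log-prefix=""
1 ;;; WWW
chain=dstnat action=dst-nat to-addresses=192.168.0.50 to-ports=80 protocol=tcp dst-address=192.168.0.50
in-interface=eth01-WAN1 dst-port=80 log=yes log-prefix="motoekspert-sklep"
2 ;;; RDP 1
chain=dstnat action=dst-nat to-addresses=192.168.0.51 to-ports=3388 protocol=tcp in-interface=eth01-WAN1
dst-port=3388 log=yes log-prefix=""
"""

WAN_IF = "eth01-WAN1"                                  # WAN port name from the post
LAN_NETS = [ipaddress.ip_network("192.168.0.0/24")]    # LAN subnet from "ip address print"
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')             # key=value, value may be quoted

def parse_rules(text):
    """Split a RouterOS print into rules; a rule's property list may wrap onto extra lines."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"^(\d+)\s+(?:[XID]\s+)*(.*)$", line)   # "<n> [flags] rest"
        if head:
            rules.append({"num": int(head.group(1)), "props": {}})
            line = head.group(2)
            if line.startswith(";;;"):                           # comment line
                rules[-1]["comment"] = line[3:].strip()
                continue
        if rules:
            rules[-1]["props"].update((k, v.strip('"')) for k, v in KV.findall(line))
    return rules

def in_lan(addr, lan_nets=LAN_NETS):
    """True if a host or prefix lies inside one of the LAN subnets."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(n) for n in lan_nets)

def check_dstnat(rules, wan_if=WAN_IF):
    """Return (rule number, problem) for dst-nat rules that cannot work as intended."""
    findings = []
    for r in rules:
        p = r["props"]
        if p.get("chain") != "dstnat" or p.get("action") != "dst-nat":
            continue
        # A packet entering on the WAN port is addressed to the public IP, so a
        # private dst-address can never match there: the rule is dead.
        if p.get("in-interface") == wan_if and in_lan(p.get("dst-address", "")):
            findings.append((r["num"], "dst-address is a LAN address; rule never matches on WAN"))
        if "to-addresses" in p and not in_lan(p["to-addresses"]):
            findings.append((r["num"], "to-addresses is not on a directly connected LAN"))
    return findings
```

Run `check_dstnat(parse_rules(NAT_PRINT))` to get the list of findings; on the sample only the WWW rule is reported.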