Good day everyone.
I would like help configuring my RB941-2nD.
I have just set up load balancing for 2 links: one is ADSL (not bridged) and the other is a dedicated link.
All my service ports are on the dedicated link and all normal internet access is on the ADSL.
For my servers, all incoming and outgoing traffic uses the dedicated link, but if it fails it is moved over to the ADSL; the same applies to the desktops on the ADSL.
But for some reason I can’t redirect my FTP port (21) using NAT: if I test whether the port is open it says “open”, but I can’t transfer… the same happens with the DVR port.
I can’t understand why RDP and the other service on port 6500 work fine and the others don’t.
I have pasted my configuration below; I would be glad of any help.
Model RB941-nD (hAP lite)
Version v6.39.2
In the password fields I have changed the value to ###### and the external IPs to EXTERNALIP, EXTERNALGATE, etc.
jul/20/2017 12:05:11 by RouterOS 6.39.2
software id = VWMR-U2LT
# RouterOS 6.39.2 export as pasted into the forum. The forum rendering has
# turned straight quotes into typographic quotes and appears to have dropped
# the trailing "\" line-continuation markers, so this text must be repaired
# before it can be fed to /import.
/interface bridge
add admin-mac=6C:3B:6B:41:04:D6 auto-mac=no comment=defconf fast-forward=no
name=Wi-Fi
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce
country=brazil disabled=no distance=indoors frequency=auto mode=ap-bridge
ssid=medexpress wireless-protocol=802.11
/interface ethernet
# WAN01 = ADSL side (DHCP client below), WAN02 = dedicated link (static /29).
set [ find default-name=ether3 ] name=LAN01
set [ find default-name=ether4 ] name=LAN02
set [ find default-name=ether1 ] name=WAN01
set [ find default-name=ether2 ] name=WAN02
/ip neighbor discovery
# Discovery is switched off for WAN01 only; WAN02 still announces the router
# to the dedicated-link segment.
set WAN01 discover=no
/interface wireless security-profiles
# The default profile still allows wpa-psk (WPA1/TKIP) next to wpa2-psk; the
# second profile is a guest network whose PSK ("visitante") is in clear here.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=
“#######” wpa2-pre-shared-key=“#######”
add name=profile wpa-pre-shared-key=visitante wpa2-pre-shared-key=visitante
/ip pool
#add name=dhcp ranges=192.168.88.10-192.168.88.254
#add name=MEDwDHCP ranges=10.1.1.80-10.1.1.99
# Only the VPN pool is live; the LAN DHCP pool and server are commented out.
add name=lanVPN ranges=10.1.2.2-10.1.2.10
/ip dhcp-server
#add address-pool=MEDwDHCP authoritative=after-2sec-delay interface=Wi-Fi
name=defconf
/ppp profile
# VPN clients get 10.1.2.x, the internal DNS first, and one session per secret.
add dns-server=10.1.1.101,8.8.8.8 idle-timeout=5m local-address=10.1.2.1
name=vpn only-one=yes remote-address=lanVPN
/system logging action
set 0 memory-lines=100 memory-stop-on-full=yes
set 1 disk-lines-per-file=100
/interface bridge port
# LAN01 is not in the bridge; it only carries the disabled defconf address.
add bridge=Wi-Fi comment=defconf interface=LAN02
add bridge=Wi-Fi comment=defconf interface=wlan1
/interface pptp-server server
# PPTP with pap/chap/mschap1 allowed: PAP sends the password in clear and the
# MS-CHAP/MPPE combination is considered broken. As exported, the input chain
# accepts nothing new from WAN01/WAN02, so TCP/1723 + GRE are only reachable
# from the LAN side anyway; if an accept rule is ever added for it, restrict
# authentication to mschap2 at minimum or move to a different VPN type.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
#add address=192.168.88.1/24 comment=defconf disabled=yes interface=LAN01
network=192.168.88.0
add address=“EXTERNALIP”/29 interface=WAN02 network=“EXTERNALNETWORK”
add address=10.1.1.1/24 comment=“Ponte com med” interface=LAN02 network=
10.1.1.0
/ip dhcp-client
# ADSL side: the gateway is 192.168.15.1 (see routes/netwatch), a private
# address, so WAN01 sits behind the modem's own NAT. Presumably the default
# route this client learns is the only active route in the main table.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=
WAN01
/ip dhcp-server network
#add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router resolves for clients. It is not an open resolver only because
# the input chain below drops all new traffic from WAN01 and WAN02.
set allow-remote-requests=yes
/ip dns static
add address=10.1.1.253 disabled=yes name=router
add address=“EXTERNALGATE” name=RouterDedi
add address=192.168.15.1 name=RouterAdsl
/ip firewall address-list
#add address=10.1.1.103-10.1.1.110 comment=“Lista de Servidores do 103 ao 110”
list=Servidores2
#add address=10.1.1.101 comment=“Lista de Servidores do 101” list=Servidores1
/ip firewall filter
# Input chain: established/related, then drop everything from either WAN.
# Nothing new from outside reaches the router itself (no ICMP, no VPN, no
# DNS); LAN-side input is accepted by the implicit default.
# Forward chain: "accept ICMP" sits here rather than in input. The
# "Redirecionar: RDP" rule matches protocol=rdp, which in RouterOS is IP
# protocol 27 (Reliable Data Protocol), not Remote Desktop over TCP/3389, so
# it matches nothing useful; dst-natted traffic is still forwarded because
# the chain has no final drop and the last two rules only drop !dstnat.
add action=accept chain=forward comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept establieshed,related”
connection-state=established,related
add action=accept chain=forward comment=“Redirecionar: RDP”
connection-nat-state=dstnat protocol=rdp
add action=drop chain=input comment=“defconf: drop all from WAN”
in-interface=WAN01
add action=drop chain=input comment=“defconf: drop all from WAN”
in-interface=WAN02
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related”
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=WAN01
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=WAN02
/ip firewall mangle
# Uplink selection by source address: 10.1.1.2-99 -> MED_PCs (ADSL),
# 10.1.1.100-108 -> SERVIDORES (dedicated). Anything outside both ranges (the
# DVR at 10.1.1.130 in the dst-nat rules below, the VPN pool, the router
# itself) follows the main table. No connection-mark is set for connections
# that arrive on WAN02, so replies from an unmarked host to a connection
# dst-natted in on WAN02 are routed by the main table and most likely leave
# via the other link, which is the classic reason a forward "half works".
# Marking connections by in-interface and route-marking their replies is the
# usual fix. The first rule's comment reads "Grupo: Estacoes de Trabalho"
# with escaped accents.
add action=mark-routing chain=prerouting comment=
“Grupo: Esta\E7\F5es de Trabalho” new-routing-mark=MED_PCs passthrough=no
src-address=10.1.1.2-10.1.1.99
add action=mark-routing chain=prerouting comment=“Grupo: Servidores”
new-routing-mark=SERVIDORES passthrough=yes src-address=
10.1.1.100-10.1.1.108
/ip firewall nat
# Masquerade on both uplinks. The dst-nat rules that follow are interleaved
# in the original post with the author's "working"/"not working" notes.
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface=WAN01
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface=WAN02
working
# Works: 10.1.1.106 is inside the SERVIDORES mangle range, so its replies are
# route-marked back out the dedicated link the connection arrived on.
add action=dst-nat chain=dstnat comment=“Redirecionar: Porta ArtNews”
dst-port=6500 in-interface=WAN02 protocol=tcp to-addresses=10.1.1.106
to-ports=6500
not working
# Not working per the author. 10.1.1.130 lies outside both mangle source
# ranges (10.1.1.2-99 and 10.1.1.100-108), so the DVR's replies are not
# pinned to WAN02 and follow the main table instead - the one difference from
# the forwards that do work. Extend the SERVIDORES range (or add a
# connection-mark for WAN02 arrivals) before suspecting the rule itself.
# DVRs commonly use more than one port; only TCP/8000 is forwarded here.
add action=dst-nat chain=dstnat comment=“Redirecionar: Porta DVR” dst-port=
8000 in-interface=WAN02 protocol=tcp to-addresses=10.1.1.130 to-ports=
8000
not working (it was disabled when the file was exported)
# Disabled in this export. Even when enabled it only forwards the control
# channel (external 1021 -> internal 21). FTP data transfers are separate TCP
# connections that the firewall only treats as "related" - and whose private
# address in the PASV reply only gets rewritten - when the FTP connection-
# tracking helper is on, and /ip firewall service-port below has it disabled.
# Without it a passive data connection arrives on WAN02 as a new, non-dstnat
# connection and is dropped by the forward chain: the port test sees the
# control channel as open while transfers hang. Re-enable the helper (and add
# 1021 to its ports list if the external port stays 1021), or forward an
# explicit passive port range. 10.1.1.108 is inside the SERVIDORES range.
add action=dst-nat chain=dstnat comment=“Redirecionar: FTP ARQ02” disabled=
yes dst-port=1021 in-interface=WAN02 protocol=tcp to-addresses=10.1.1.108
to-ports=21
working
# Works. Unlike the three rules above there is no in-interface (or
# dst-address) match, so any packet entering the router with TCP dst-port
# 10000 - a LAN client talking to some external host on that port, or traffic
# arriving on WAN01 - is redirected to 10.1.1.102. Add in-interface=WAN02 or
# dst-address=EXTERNALIP to keep the scope tight. ("Wemin" presumably Webmin.)
add action=dst-nat chain=dstnat comment=“Redirecionar: Wemin FileServer”
dst-port=10000 protocol=tcp to-addresses=10.1.1.102 to-ports=10000
working
# Works. Same missing in-interface/dst-address match as the rule above: any
# TCP/10001 packet entering on any interface is sent to 10.1.1.108:10000.
add action=dst-nat chain=dstnat comment=“Redirecionar: Wemin FileServer2”
dst-port=10001 protocol=tcp to-addresses=10.1.1.108 to-ports=10000
working
# Works. SSH on 10.1.1.108 is reachable from any source via port 10002; the
# rule again matches dst-port on every interface, not just WAN02. Consider
# a src-address-list or reaching SSH over the VPN instead.
add action=dst-nat chain=dstnat comment=“Redirecionar: Wemin FileServer2 SSH”
dst-port=10002 protocol=tcp to-addresses=10.1.1.108 to-ports=22
working
# Works. Remote Desktop on 10.1.1.105 is reachable from the whole internet
# via port 10105; the non-standard port hides nothing from a scan. Prefer
# reaching RDP over the VPN, or at least limit the rule with a
# src-address-list. As above, no in-interface/dst-address match.
add action=dst-nat chain=dstnat comment=“Redirecionar: RDP” dst-port=10105
protocol=tcp to-addresses=10.1.1.105 to-ports=3389
working
# Works. Same exposure as the previous rule (RDP on 10.1.1.107 open to any
# source via port 9999) and the same missing in-interface/dst-address match.
add action=dst-nat chain=dstnat comment=“Redirecionar: RDP 107” dst-port=9999
protocol=tcp to-addresses=10.1.1.107 to-ports=3389
/ip firewall raw
add action=passthrough chain=prerouting comment=
“special dummy rule to show fasttrack counters” disabled=yes
/ip firewall service-port
# This is the FTP connection-tracking helper (ALG), not the router's own FTP
# service. Disabling it means FTP data connections through the NAT are not
# tracked as related and the PASV reply is not rewritten; it is the most
# likely reason the FTP forward above can connect but not transfer.
set ftp disabled=yes
/ip route
# One default route per routing mark; the unmarked default to the dedicated
# gateway is disabled, so the main table presumably relies on the default
# route learned by the WAN01 DHCP client (ADSL). The scripts below rewrite
# the gateway of the two marked routes on failover.
add comment=LinkADSL distance=1 gateway=192.168.15.1 routing-mark=MED_PCs
scope=255
add comment=LinkDEDI distance=1 gateway=“DEDICATEDGATE” routing-mark=SERVIDORES
scope=255
add disabled=yes distance=1 gateway=“DEDICATEDGATE”
/ip service
# The router's own FTP management service (unrelated to the helper above).
# The other management services are not in this export, so presumably at
# their defaults; they are shielded only by the input-chain WAN drops.
set ftp disabled=yes
/ppp secret
add name=daniel password=###### profile=vpn service=pptp
/system clock
set time-zone-name=America/Recife
/system identity
set name=RouterMed
/system package update
# Production router tracking the release-candidate channel.
set channel=release-candidate
/system script
# Failover scripts: each one only rewrites one route's gateway but is granted
# every policy (ftp, reboot, password, sniff, sensitive, ...). read,write
# should be enough for "/ip route set" - NOTE(review): verify on this version.
# The nested quotes around DEDICATEDGATE inside the quoted source are
# presumably a redaction artifact (an export would print a bare address).
add name=Link_ADSL-on owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=
“/ip route {set [find comment=LinkADSL] gateway=192.168.15.1}”
add name=Link_ADSL-off owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=
“/ip route {set [find comment=LinkADSL] gateway=“DEDICATEDGATE”}”
add name=Link_DEDI-on owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=
“/ip route {set [find comment=LinkDEDI] gateway=“DEDICATEDGATE”}”
add name=Link_DEDI-off owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=
“/ip route {set [find comment=LinkDEDI] gateway=192.168.15.1}”
/tool mac-server
# MAC-telnet (and MAC-Winbox below) are enabled on WAN02, i.e. layer-2
# management is reachable from the dedicated-link segment, bypassing the IP
# firewall. Restrict both to the LAN interfaces only.
set [ find default=yes ] disabled=yes
add interface=WAN02
add interface=LAN01
add interface=LAN02
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=WAN02
add interface=LAN01
add interface=LAN02
add interface=wlan1
/tool netwatch
# Failover triggers. Both entries carry the comment Verifica_LinkADSL although
# the second one watches the dedicated gateway (copy-paste). The ADSL probe
# pings 192.168.15.1, presumably the modem's LAN address, which keeps
# answering when the DSL line itself is down, so that failover only fires
# when the modem becomes unreachable.
add comment=Verifica_LinkADSL down-script=Link_ADSL-off host=192.168.15.1
up-script=Link_ADSL-on
add comment=Verifica_LinkADSL down-script=Link_DEDI-off host=“DEDICATEDGATE”
up-script=Link_DEDI-on