Since I feel like a beginner, I hope this counts as a beginner's question. Our setup had been created by my son, but he also has no idea why the following setup does not do what I'd like it to do.
We have several households that are served by a common internet connection using a Mikrotik Router to control everything. So each subnet is connecting to two WANs (LTE) and this works well. What also works well is that we have separated the subnets since we have no need to send data that way. This is all fine and working.
Now I have a nextcloud instance running in my subnet which is reachable via a public fixed IP (provided by one of the LTE connections). This works fine - inside my subnet and also when the user is “elsewhere”. A user from one of the isolated subnets can’t reach that server however. Sounds as if this has something to do with the isolation. So I tried to add rules to the firewall to allow packets directed to the IP of the nextcloud-host also from the other subnets. Seems not to work and I fear I have some basic misunderstanding here.
I have attached a dump of my config.
The rule added is
add action=accept chain=forward dst-address=192.168.80.100 dst-port=443 log=yes log-prefix=NEXTCLOUD protocol=tcp
Any connection from in-interface-list=LAN (except those to 192.168.1-4.0/24) will get connection mark WANx-connection and then routing mark to-WANx. The problem is that routing table to-WANx has only a single default route to the internet and no route to the local subnets. So a packet to 192.168.80.100 will end up going to the internet and won't reach your server.
If you'd want to allow direct connections to 192.168.80.100, you could add a similar rule like the one you already have for 192.168.1-4.0/24 at the beginning of "/ip firewall mangle". If you want it to work with the public address, you need a dstnat rule like this:
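Spelled out as a RouterOS config fragment, this is the ordering the answer describes for the private-address case: an accept rule in the mangle chain placed above the marking rules, so LAN traffic destined for the Nextcloud host is never given a routing mark and keeps using the main routing table. This is an added illustration, not config from the thread or from the poster's dump; the chain name prerouting, the rule positions and the shape of the existing exemption rule are assumptions about a typical per-WAN marking setup, while 192.168.80.100, the LAN interface list and the NEXTCLOUD log prefix come from the thread.

```routeros
# Added illustration (not from the thread). Assumes the existing mangle
# chain marks LAN connections in prerouting and that the existing
# exemption for the isolated subnets looks like the first rule below.

/ip firewall mangle
# Existing exemption (assumed form): LAN-to-LAN traffic stops here and is
# never marked, so it is routed by the main table, which knows the local subnets.
add chain=prerouting in-interface-list=LAN dst-address=192.168.1.0/24 \
    action=accept comment="no mark: local subnet"

# New rule: exempt the Nextcloud host the same way. place-before=0 puts it
# at the top of the chain, above the rules that set connection-mark and
# routing-mark; if it sits below them the packet is already marked and the
# to-WANx table sends it out of the LTE link.
add chain=prerouting in-interface-list=LAN dst-address=192.168.80.100 \
    action=accept place-before=0 comment="no mark: nextcloud host"

# The forward rule from the question (here narrowed to LAN sources) only
# matters once the packet is routed locally, and it has to sit above the
# drop rule that isolates the subnets. Adjust place-before to that rule's index.
/ip firewall filter
add chain=forward in-interface-list=LAN dst-address=192.168.80.100 \
    protocol=tcp dst-port=443 action=accept place-before=0 \
    log=yes log-prefix=NEXTCLOUD comment="allow other subnets to nextcloud"

# Checks: the accept rule must print above the marking rules, and once a
# client in another subnet connects, the forward rule's log line should appear.
/ip firewall mangle print
/log print where message~"NEXTCLOUD"
```

The logged forward rule doubles as the test: if `/log print` never shows a NEXTCLOUD entry for a client in another subnet, the packet is still being marked and leaving via the LTE route before it reaches the forward chain, so the mangle ordering is the place to look.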