supernewbie... help with ip filter table and NAT

Hi all.

I'm a newbie with MikroTik configuration and need some help:

I have configured my WAN on ether1 and my LAN on ether2. I have to enter my Vigor rules in the firewall, like this:
Source IP: 83.36.59.198
Subnet Mask: 255.255.255.255
Port: >1
Destination IP: any
Subnet Mask: 255.255.255.0
Port: >1
Protocol: any protocol
Direction: WAN to LAN
Block: Pass immediately

For this rule, I have used in filter rules:
chain: forward
src address: 83.36.59.198
in.interface: ether1
out interface: ether2
action: accept

Is this the correct way?

Thanks a lot for the help

Sorry do not understand your requirement to be of assistance.

Do you have a server that external users are trying to reach?
Are you trying to block traffic?
In other words describe the use case without referring to the configuration or equipment.

Also please post complete config
/export hide-sensitive file=anynameyouwish

Thank you very much Anav for your interest and sorry, I wrote my question quickly and it is not very complete.

As I have commented in my post, I am trying to replace a Vigor3300 router with a MikroTik router. I have a local network and a PBX in my office, and I need to configure port forwarding and a series of rules to allow access from other offices to my office.

I have found in several tutorials how to do port forwarding, but I need to translate various rules from my Vigor to MikroTik and I'm not sure how to do it.

For example, as you can see in the image, I need to allow access to my LAN from some external IPs, that is, traffic from WAN to my LAN. In this example, I need to allow access from IP 83.36.59.198/32, any port > 1 and any protocol to any IP of my LAN, with subnet mask /24 and to any port.

I’ve been watching some tutorials and I think, but I’m not sure, that this should be done in the menu ip-> firewall-> filter rules, and add a new filter rule with the following parameters:

chain: forward
src address: 83.36.59.198
in.interface: ether1
out.interface: ether2
action: accept

If I am not mistaken, this means that the incoming traffic from IP 83.36.59.198 passing through the router from ether1 (my WAN) to ether2 (my LAN) is accepted.

I don't know if with a rule like that I am doing a "correct" translation of what I need and what I have configured in my Vigor, since, in this case, the problem is that I don't know how to specify the subnet mask.

Today I have been doing some tests in my office and it has not gone too badly, although I have problems with my Elastix PBX and I am trying to solve them with some tips from the forum.

My main question is the correct way to configure my Mikrotik according to the capture that I have attached.

Sorry if I can't post the complete config, but I'm currently working from home and I don't have access to the router I'm setting up again until Thursday, when I work in the office.

Thank you very much for spending your time trying to help me.

Actually, this is my complete config:

I think some things are not correct and the rules under "filter section" could go in "nat section", but I'm not sure. I hope you can help me. Thank you very much.

Hi there, the setup looks good until we hit the fw filter rules. So let's clean those up.
Will be posting here once I start looking at it closely.

Okay, unplug your router from the internet immediately as I see no protection from the internet…
I would put back in place all the default firewall rules FIRST.
None of the forward rules you have are any good (they serve no purpose), and they should be removed and replaced with the default fw rules.

Once done we can tackle port forward using the proper area, the dst-nat rules.

The format for the rules will be basically
add chain=dstnat action=dst-nat protocol=(tcp or udp) dst-port=xxxxx in-interface-list=WAN src-address-list=aceptar to-addresses=LANIPofServer to-ports=(only required if port translating)

If a web server is open to more than one external WAN IP, use a source address list such as aceptar; if you have only a single external WAN IP requiring access, you can simply state it as 'src-address= '

Use 'in-interface-list=WAN' vice ether1
You can also use instead, dst-address-list=External_WAN
where External_WAN is defined by the address of the IP Cloud of the MT
(enable IP Cloud and copy the DNS name into the address part of the address list entry)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You will have to add 'src-address-list=aceptar' (OR ANY address list with two or more external users) to whichever rules need it, or 'src-address= ' for any rule with a single external user only.

add action=dst-nat chain=dstnat comment="web claranet" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.26.0.200

add action=dst-nat chain=dstnat comment="SIP Telsone" dst-port=5060-6000 in-interface-list=WAN protocol=udp to-addresses=172.26.0.200

add action=dst-nat chain=dstnat comment=RTP-Telsome dst-port=10000-50000 in-interface-list=WAN protocol=udp to-addresses=172.26.0.200

add action=dst-nat chain=dstnat comment="SSH PBX" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=172.26.0.200

add action=dst-nat chain=dstnat comment=Camaras dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=172.26.0.251 to-ports=80

add action=dst-nat chain=dstnat comment="Camaras 2 tcp" dst-port=8000-8003 in-interface-list=WAN protocol=tcp to-addresses=172.26.0.251

add action=dst-nat chain=dstnat comment="Camaras 2 udp" dst-port=8000-8003 in-interface-list=WAN protocol=udp to-addresses=172.26.0.251

add action=dst-nat chain=dstnat comment=ftp_nas dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=172.26.0.253

This rule is concerning as there is no protocol or dst port, and I have not seen such an open door to a server???

add action=dst-nat chain=dstnat comment="DMZ HOST" in-interface=ether1 to-addresses=172.26.0.200
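The pattern anav describes above, written out as an added example (not configuration from the thread or from MikroTik): the permitted remote sites go in an address list, every dst-nat rule matches only that list, and the forward chain accepts only DST-NATed connections from the list before the default WAN drop. It assumes the interface list "WAN" already contains ether1; the LAN addresses and list members are the ones quoted in the thread.

```routeros
# Added example, not from the thread. Assumes interface list "WAN" exists
# (containing ether1); 172.26.0.200 (PBX) and 172.26.0.253 (NAS) and the
# remote addresses are the values the thread quotes.

/ip firewall address-list
add list=aceptar address=83.36.59.198 comment="Regla Vigor 1"
add list=aceptar address=80.38.116.134 comment="security control center"
add list=aceptar address=80.38.115.212 comment="security control center"

/ip firewall nat
# Each forward matches only sources on the list; other sources never match
# a dst-nat rule, so no connection from them ever gets a dstnat state.
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 \
    in-interface-list=WAN src-address-list=aceptar \
    to-addresses=172.26.0.200 comment="web claranet"
add chain=dstnat action=dst-nat protocol=udp dst-port=5060-6000 \
    in-interface-list=WAN src-address-list=aceptar \
    to-addresses=172.26.0.200 comment="SIP PBX"
# to-ports is omitted because the destination port is not being changed.
add chain=dstnat action=dst-nat protocol=tcp dst-port=21 \
    in-interface-list=WAN src-address-list=aceptar \
    to-addresses=172.26.0.253 comment="ftp_nas"

/ip firewall filter
# Forward chain in the order of the default rule set: existing connections
# first, invalid dropped, then only new DST-NATed connections from the list,
# and finally everything else arriving from WAN is dropped.
add chain=forward action=accept \
    connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    src-address-list=aceptar comment="forwards from trusted sites only"
add chain=forward action=drop connection-state=new \
    in-interface-list=WAN comment="drop all other new traffic from WAN"
```

Adding a new remote office is then one address-list entry rather than a new copy of every NAT rule, and a listed site still only reaches the ports that have a dst-nat rule, not the whole subnet.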

Thank you very much anav for your help.

Don’t worry about the internet protection, the router is currently not connected.

At the beginning, I included a series of recommended protection rules in addition to my rules, but since I had problems, I removed the other rules and left only mine to test.

The router is connected only when I want to test, but it will definitely not be connected until it is configured correctly. Thank you very much for your advice.

This rule is included because in my Vigor I have configured something similar and I read a tutorial about the dmz topic.

I’m not sure this is a correct rule. I think it can be removed as you indicate.

Now I am going to try to understand the rules that you have posted and prepare a script to incorporate them into my router.

I think that Monday I can try again and see how everything works. The problem is that I cannot test much because I am working from home and in the office I cannot stop working the old router too long.

Thank you very much for your time and your suggestions.

Best regards.

No worries and remember the default firewall filter rules are great to start out with and can be tweaked once up and running.

Hi Anav.

I have been trying to follow your instructions and I have created, in addition to the port forwarding rules that I already had, the following rules to translate the rules of the image that I attach.

I would like to know your opinion.

Thanks for your time. Have a nice day.

Okay, so it's clear that you wish to give a bunch of external users access to ALL ports on a specific LAN subnet, not just a single IP address (server).
Is that accurate??

Well then that's a different use case which I will have to think about!!

Okay after some thought what you are trying to do is impossible.
The router needs to know some identifying information to know where to send the packets when they arrive at the Router.
Without a specific port set to a specific server LAN IP, it's impossible.

What you need to do is set up a VPN tunnel for those 8 users such that they have access to the subnet.

Hi anav!

You are right, I want to give a bunch of external users access to all ports and hosts on my LAN subnet.

For example, rules "Regla Vigor 1" and "Regla Vigor 2" are two offices in a different location than my office. The idea is that any traffic from any port or protocol in those offices can access my office's LAN (any IP, port or protocol).

Best regards.

IMHO the whole scheme might work …

I have some doubts, for example, if it is necessary to use src-port and dst-port when they are really the same. I also have doubts in action field, that I don’t know if it is dst-nat or accept, since, I understand, the dst-address does not need translation and should be accept. I have doubts.

src-port and dst-port are (almost) never the same. src-port is the originating port on the packet-originating side (and if the originating side is a client of a service, it almost certainly is >1024) and dst-port is the port number on the target side (and if the target side runs a service, it is often <1024). For example: a browser connecting to an HTTPS service run in your LAN … src-port will be a random number larger than 1024 and dst-port will be 443 (the standard port for HTTPS).

What you don’t have to set in NAT definition rule is to-ports (if it’s the same as dst-port).

Action field should be dst-nat; without it the router won't rewrite dst-address with the LAN IP and the packet won't reach the LAN server … unless you're running public IPs in the LAN, but in that case you wouldn't be bothering with dst-nat in the first place.

Mkx, your explanation (not very detailed) of IMHO it just may work, is the worst post I have seen you write since being here.

(1) It is incoherent and does not explain how the router will know where to send a query on port 53222 and specifically to which LAN IP on an entire subnet???

(2) It does not make it plain that such an effort may have serious security implications (at least for the servers and then back to those sites once the servers are infiltrated).

Am I totally off base, or is someone impersonating your avatar, or are you wildly inebriated, or did you commit some crime and have lost all sense of moral purpose. :wink:)

Thank you, anav my friend. I totally overlooked that OP obviously mis-used dst-address as well (should be to-addresses actually). I’m still holding on to idea that DST-NAT is actually required.

And I've largely given up the idea of giving holistic advice here … that is given in numerous on-line courses (and posts by @sindy) so I basically assume posters at least partly understand what they want to do and that their problem is in implementation. Hence my posts seem to lack some basic configuration (such as security) because I want to believe that posters will think of that themselves. And come back to ask for further assistance if needed.

I just read your answer and it has worried me a lot.

I thought that in my Mikrotik router there would be an easy way to transfer the configuration of my Vigor. A friend recommended in my office to buy the Mikrotik router for its flexibility and simplicity.

Can you tell me where I can find information on how to create that vpn tunnel? I am seeing some websites with information and I have access only to my router and to that of my offices, which are not all mikrotik.

Is it possible to do what you say if I do not have access to the router of the source IPs? (for example, 80.38.116.134 and 80.38.115.212 are the IPs of the security control center and they have to access my LAN IP 172.26.0.251 and others, if I'm not wrong).

Thanks for your time and patience, but I don’t have much experience with configuring a router and my boss assigned me to do it.

Thanks a lot mkx for your help!

I am trying to study all the information that anav and you are giving me to see the easiest way to do what I want.

All possible contributions are welcome.

Best regards!

Hi Mkx, okay, fair enough.
What I don't understand is how any given client will actually reach the server they need though.
Can you explain how that is possible with DST-NAT??
What I have read in the past might point one toward EoIP and/or GRE tunnels without encryption and with encryption (with IPsec - as long as all units are MT)???.


https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP
https://wiki.mikrotik.com/wiki/Manual:Interface/Gre

Well, I'm assuming the usual SOHO scenario, where there's a single public IP on the WAN interface of a router, let's say it's 20.30.40.50 … So when a peer with address 83.36.59.198 from any random port tries to connect to 20.30.40.50 on (say) TCP port YY, the dst-nat rule should forward it to LAN IP address 172.26.0.1 and should leave the destination port intact. And do the same for a number of WAN addresses. At the same time the LAN server should be inaccessible to the rest of the internet.

Basically what netmap does, but only for certain src addresses and a single dst-address mapped to a single LAN address.

One single thing which would highly optimize the dst-nat rule would be to use an address list containing the allowed remote addresses …

… and firewall properly set up.

There is no server at 176.26.0.1, that's simply the LAN IP of the subnet.
dst-address=172.26.0.1/24

now tell me how is the incoming request on a random port going to reach a server???

The network address of the indicated subnet (mask /24) is 172.26.0.0 … address …1 is an ordinary IP address within that subnet (the first one). While it's customary to assign it to the router it doesn't have to be … and I'm assuming here that OP's got the addressing right.

Yeah, I know, I'm assuming awfully lots of things, but one has to be optimistic about the rest of the human race …