Trouble configuring a router from behind a DMZ

I set up a DMZ on a Hex S to allow tinkering on a RB5009 without affecting the entire network. I created a dedicated bridge for the DMZ with a separate subnet and assigned eth3 (going to the RB5009) to it. I used dst-nat to forward all traffic to the RB5009 and set up some rules to drop traffic between the DMZ bridge and the existing ones. Isolated and independent configuration is working properly. However, I’d like to be able to configure the Hex S from behind the RB5009 occasionally. I forget everything I’ve tried and the RB5009 seems to have configured all the necessary routes, but no amount of changes I’ve made allows the connection through, though I can ping the Hex S all day. What am I missing? And is this DMZ set up correctly in the first place? Thank you for your help!

Filter and NAT rules on the Hex S. (The RB5009 has the default config)

 /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; Rule to create 'DMZ' for Secondary Network
      chain=dstnat action=dst-nat to-addresses=192.168.90.2 
      in-interface=ether1 log=no log-prefix="" 

 2    ;;; TCP: Deluge
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=53400 
      protocol=tcp in-interface-list=WAN dst-port=53400 log=no log-prefix="" 

 3 X  ;;; TCP: qBittorrent
      chain=dstnat action=dst-nat to-addresses=192.168.88.9 to-ports=53398 
      protocol=tcp in-interface-list=WAN dst-port=53398 log=no log-prefix="" 

 4 X  ;;; TCP: Transmission
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=53399 
      protocol=tcp in-interface-list=WAN dst-port=53399 log=no log-prefix="" 

 5    ;;; UDP: Deluge
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=53400 
      protocol=udp in-interface-list=WAN dst-port=53400 log=no log-prefix="" 

 6 X  ;;; UDP: qBittorrent
      chain=dstnat action=dst-nat to-addresses=192.168.88.9 to-ports=53398 
      protocol=udp in-interface-list=WAN dst-port=53398 log=no log-prefix="" 

 7 X  ;;; UDP: Transmission
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=53399 
      protocol=udp in-interface-list=WAN dst-port=53399 log=no log-prefix="" 

 8 X  ;;; Allow return traffic for Management from Secondary Network
      chain=srcnat action=accept src-address=192.168.90.0/24 
      dst-address=8.8.8.0/24 log=no log-prefix="" 

 9 X  chain=srcnat action=accept protocol=tcp src-address=192.168.90.2 
      dst-address=192.168.90.1 out-interface=Secondary src-port=8728 
      dst-port=8728 log=no log-prefix="" 

ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1 X  ;;; Allow management from Secondary Network
      chain=input action=accept protocol=tcp src-address=8.8.8.0/24 
      dst-address=192.168.90.1 dst-port=8291 log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!BOTH log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

13 X  chain=input action=accept connection-nat-state=dstnat protocol=tcp 
      in-interface-list=WAN dst-port=53398 log=no log-prefix="" 

14    ;;; Block wireless from accessing lan
      chain=forward action=drop connection-state=new in-interface-list=WLAN 
      out-interface-list=LAN log=no log-prefix="" 

15    ;;; Block LAN from accessing wireless
      chain=forward action=drop connection-state=new in-interface-list=LAN 
      out-interface-list=WLAN log=no log-prefix="" 

16    ;;; Block DMZ from accessing LAN and WLAN
      chain=forward action=drop connection-state=new in-interface-list=DMZ 
      out-interface-list=BOTH log=no log-prefix="" 

17    ;;; Block LAN and WLAN from accessing DMZ
      chain=forward action=drop connection-state=new in-interface-list=BOTH 
      out-interface-list=DMZ log=no log-prefix=""

On the last firewall rule add an exception for dst-port=8291

I’m not sure how to add the exception in the rule itself because the GUI doesn’t allow me to only add the port as an exception. So I tried the method below with no success.

 ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1 X  ;;; Allow management from Osyris Network
      chain=input action=accept protocol=tcp src-address=8.8.8.0/24 
      dst-address=192.168.90.1 dst-port=8291 log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!BOTH log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

13 X  chain=input action=accept connection-nat-state=dstnat protocol=tcp 
      in-interface-list=WAN dst-port=53398 log=no log-prefix="" 

14    ;;; Block wireless from accessing lan
      chain=forward action=drop connection-state=new in-interface-list=WLAN 
      out-interface-list=LAN log=no log-prefix="" 

15    ;;; Block LAN from accessing wireless
      chain=forward action=drop connection-state=new in-interface-list=LAN 
      out-interface-list=WLAN log=no log-prefix="" 

16    ;;; 8291 Exception
      chain=forward action=accept connection-state=new protocol=tcp 
      in-interface-list=DMZ out-interface-list=BOTH dst-port=8291 log=no 
      log-prefix="" 

17    ;;; Block DMZ from accessing LAN and WLAN
      chain=forward action=drop connection-state=new in-interface-list=DMZ 
      out-interface-list=BOTH log=no log-prefix="" 

18    ;;; 8291 Exception
      chain=forward action=accept connection-state=new protocol=tcp 
      in-interface-list=BOTH out-interface-list=DMZ dst-port=8291 log=no 
      log-prefix="" 

19    ;;; Block LAN and WLAN from accessing DMZ
      chain=forward action=drop connection-state=new in-interface-list=BOTH 
      out-interface-list=DMZ log=no log-prefix=""

Have you changed the default Winbox port? If so, edit the rules accordingly, because in theory they should work the way you’ve created and placed them.

I have not. Were these rules supposed to be made on the second or first router? I only tried that change on the first but I feel like both need to be configured to enable this. I’ll have to try when I get home today.

There is a small detail from the default firewall I forgot about - the rule “Drop all input not coming from LAN”. If you edit it, for example, to also allow your main network as src-address, then you should start accessing the RB5009 from behind the hEX S
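One way to act on that last reply, as an added example that is not the thread's own configuration: Winbox traffic from behind the RB5009 is addressed to the hEX S itself (192.168.90.1), so it is evaluated in the input chain, not the forward chain, and the two forward "8291 Exception" rules never see it. It is the defconf "drop all not coming from LAN" input rule (in-interface-list=!BOTH) that discards it, because the DMZ bridge is not in the BOTH list. The script below adds a narrow input accept rule ahead of that drop rule. It assumes the interface list named DMZ already contains the DMZ bridge (the existing forward rules reference it), that the RB5009 is still 192.168.90.2, that Winbox is on its default port 8291, and that the defconf comment text matches the print output above.

```routeros
# Added example (not from the thread): allow Winbox to the hEX S itself from the
# RB5009 only. Assumptions: DMZ list contains the DMZ bridge, RB5009 = 192.168.90.2,
# hEX S = 192.168.90.1, Winbox on the default TCP port 8291.

# Accept Winbox on the input chain, limited to the RB5009's address on the DMZ
# interface list. place-before puts it above the defconf drop rule; the input chain
# is first-match, so position is what makes the rule effective.
/ip firewall filter add chain=input action=accept protocol=tcp \
    src-address=192.168.90.2 dst-address=192.168.90.1 dst-port=8291 \
    in-interface-list=DMZ comment="Allow Winbox to hEX S from RB5009 only" \
    place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]

# Check: the new rule must be listed above the defconf drop rule, and its packet
# counter should increase when a Winbox session is opened from behind the RB5009.
# Return traffic is already covered by the defconf "accept established,related,untracked"
# input rule, so no srcnat accept rule (like the disabled rule 9 above) is needed.
/ip firewall filter print stats where chain=input
```

Keeping src-address to the single RB5009 address rather than the whole 192.168.90.0/24 preserves the point of the DMZ: any other host that ends up on that bridge still cannot reach the hEX S management port. If the Winbox port has been changed from 8291, as the earlier reply asks, the dst-port in this rule changes with it.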