Hi there,
Can anyone help?
I have my WAN connection and also a LAN connection which uses NAT and works just fine.
But I also have a /28 network y.y.y, and despite knowing it worked previously (Juniper SRX went faulty), I cannot get it to work on the MikroTik.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
WAN add address=x.x.x.174/29 interface=ether1-WAN network=x.x.x.168
add address=192.168.1.1/24 interface=ether3-192.168.1.1/24 network=192.168.1.0
add address=y.y.y.97/28 interface=ether4-y.y.y..96/28 network=y.y.y..96
The public range y.y.y. will not need NAT.
I have added these firewall rules:
add action=accept chain=forward connection-state=established,new out-interface=ether1-WAN src-address=y.y.y..96/28
add action=accept chain=forward connection-state=established,new dst-address=y.y.y..96/28 in-interface=all-ethernet
But still unable to reach the y.y.y. from the internet/WAN.
Can someone please help?
Might need a /export of the relevant sections
It really depends how you’ve set your firewall filter rules up, but if you have a typical set of requirements (public IP that the LAN shares, additional public IPs for other devices) you shouldn’t need anything at all in ‘firewall filter’; you just need 1 rule in ‘firewall nat’, which is to prevent NAT’ing of public IP addresses, and/or specify which internal IP addresses would get NAT’d as which IP.
You shouldn’t need ‘firewall filter’ for this, unless you want to block incoming access (since devices will have a public IP address and not be inherently protected behind NAT).
i.e. if you normally have
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
Then all traffic going out the WAN interface will be masquerade/NAT’d with the IP address on the WAN interface
Either add this rule above it
/ip firewall nat add chain=srcnat out-interface=WAN src-address=y.y.y.y/28 action=accept
Which will match first and then effectively just do nothing
Or adjust the other rule to something like
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.88.0/24 action=masquerade comment="Masquerade 192.168.88.0/24 addresses going out WAN"
Then it would only match that range. It just depends on your requirements, the first example is a broad scope covering all possible LAN ranges you might add in the future, the last example is being very specific but can be more useful when it’s something like…
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.88.0/24 action=src-nat to-addresses=1.1.1.1 comment="Masquerade 192.168.88.0/24 addresses going out WAN as 1.1.1.1"
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.1.0/24 action=src-nat to-addresses=2.2.2.2 comment="Masquerade 192.168.1.0/24 addresses going out WAN as 2.2.2.2"
/ip firewall nat add chain=srcnat out-interface=WAN action=src-nat to-addresses=3.3.3.3 comment="Masquerade anything else going out WAN as 3.3.3.3"
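The first-match behaviour the reply above relies on, as an added example (not part of the original thread and not MikroTik's code): a small Python model of a source-NAT chain showing why the accept rule has to sit above the masquerade rule. The documentation-range addresses stand in for the redacted x.x.x and y.y.y values, and the rule model is a simplification.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the redacted thread addresses.
WAN_IP = "198.51.100.174"       # assumed stand-in for x.x.x.174
PUBLIC_28 = "203.0.113.96/28"   # assumed stand-in for y.y.y.96/28
LAN = "192.168.88.0/24"


def rule(action, src=None, out_if="WAN", to=None):
    """One simplified source-NAT rule; src=None matches any source address."""
    return {"action": action,
            "src": ipaddress.ip_network(src) if src else None,
            "out_if": out_if, "to": to}


def srcnat(rules, src_ip, out_if="WAN"):
    """Return the source address a packet leaves with; first matching rule wins."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["out_if"] != out_if:
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["action"] == "accept":      # matched: stop here, packet untouched
            return src_ip
        if r["action"] == "masquerade":  # rewrite to the out-interface address
            return WAN_IP
        if r["action"] == "src-nat":     # rewrite to the configured address
            return r["to"]
    return src_ip                        # nothing matched: not translated


# Catch-all masquerade only: the public /28 is hidden behind the WAN address.
CATCH_ALL = [rule("masquerade")]
# Option 1 from the reply: accept rule for the /28 placed above the masquerade.
EXEMPT_FIRST = [rule("accept", src=PUBLIC_28), rule("masquerade")]
# Same two rules in the wrong order: the accept rule is never reached.
EXEMPT_LAST = [rule("masquerade"), rule("accept", src=PUBLIC_28)]
# Option 2 from the reply: masquerade restricted to the private LAN range.
LAN_ONLY = [rule("masquerade", src=LAN)]

if __name__ == "__main__":
    for name, rs in [("catch-all", CATCH_ALL), ("exempt first", EXEMPT_FIRST),
                     ("exempt last", EXEMPT_LAST), ("LAN only", LAN_ONLY)]:
        print(f"{name:13} /28 host -> {srcnat(rs, '203.0.113.98')}, "
              f"LAN host -> {srcnat(rs, '192.168.88.10')}")
```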
I also have a problem. I have RBLHGR&R11e-LTE; I cannot do port forwarding for DVR the simcard.