I'm new to Mikrotik, and have been trying to set up my router to do the following:
My ISP gave me 4 usable IP addresses, that I want to map to NAT addresses as follows:
72.xxx.xxx.120
72.xxx.xxx.121 - 192.168.1.5 (Web Server)
72.xxx.xxx.122 - 192.168.1.4 (Mail Server)
72.xxx.xxx.123 - 192.168.1.3 (Web Server)
I want traffic to go inbound from the public IP addresses to these NAT servers, and I want outgoing traffic from the servers to go to the mapped public IP.
All other traffic should go out on 72.xxx.xxx.120.
I have an old Netgear router doing this now.
Using examples I found on this forum, I came up with the following config, which seems to do what I wanted.
But then I intermittently lose the connection to one or more of the IP addresses, and can't even ping them or access the web server.
Then I'm able to again for a while until it drops again.
Sometimes I lose the connection and can't ping one IP address, but can ping another.
Does anyone see any obvious errors in my config that could cause this?
Thanks
# LAN layout: ether2-5 and ether6-10 are two master-port groups, and both
# masters are added to "bridge" further down under /interface bridge port.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is renamed WAN; every firewall and NAT rule in this export matches on that name.
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
# Neighbor discovery is switched off on WAN, so the router is not announced on the ISP segment.
set WAN discover=no
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w1d name=\
defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
/ip address
# NOTE(review): the LAN address sits on ether2-master, which is a member port of
# "bridge", while the DHCP server above is bound to the bridge itself. An address
# on a bridge member port is a common cause of erratic behaviour; it normally
# belongs on interface=bridge - confirm and move it.
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
192.168.1.0
# Four static public addresses on WAN.
# NOTE(review): all four use /24, and the default route in /ip route points at
# 72.xxx.xxx.119. The post says the ISP handed out four usable addresses, so
# confirm the real prefix length with the ISP.
add address=72.xxx.xxx.120/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.121/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.122/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.123/24 interface=WAN network=72.xxx.xxx.0
/ip dhcp-client
# NOTE(review): a DHCP client is also active on WAN next to the static addresses
# and the static default route. If the ISP answers it, the lease may add another
# address and default route - presumably unwanted here; confirm and disable it
# if the static assignment is the intended one.
add comment=defconf dhcp-options=hostname,clientid interface=WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router itself answer DNS queries.
# The input chain in /ip firewall filter accepts UDP 53 from WAN to
# 72.xxx.xxx.122 and 72.xxx.xxx.123, and no dst-nat rule in this export covers
# UDP 53, so those queries appear to be answered by this resolver. A resolver
# reachable from the internet can be abused for DNS amplification; limit port 53
# on the input chain to the LAN side unless public recursion is really intended.
set allow-remote-requests=yes servers=167.206.112.138,167.206.7.4
/ip dns static
add address=192.168.1.1 name=router
# chain=input filters traffic addressed to the router itself; chain=forward
# filters traffic routed through it. dst-nat is applied before either chain is
# chosen, so a connection to a port that /ip firewall nat forwards to a LAN
# server is judged in "forward", not by the input accepts below. Those accepts
# only take effect for ports that are NOT dst-natted, and there they open the
# router's own services on the public addresses.
/ip firewall filter
# Let the router answer ping on the three server addresses (72.xxx.xxx.120 is not listed).
add action=accept chain=input dst-address=72.xxx.xxx.121 in-interface=WAN \
protocol=icmp
add action=accept chain=input dst-address=72.xxx.xxx.122 in-interface=WAN \
protocol=icmp
add action=accept chain=input dst-address=72.xxx.xxx.123 in-interface=WAN \
protocol=icmp
# NOTE(review): the comment says RDP but the rule matches TCP 80,443. Both ports
# are dst-natted to 192.168.1.5, so this rule should normally never match; if
# that dst-nat is ever disabled it would expose whatever the router itself
# listens on at these ports (/ip service is not part of this export - verify).
add action=accept chain=input comment=RDP dst-address=72.xxx.xxx.121 \
dst-port=80,443 in-interface=WAN protocol=tcp
# TCP ports for server2; each of them has a matching dst-nat rule to 192.168.1.4.
add action=accept chain=input comment=server2 dst-address=72.xxx.xxx.122 \
dst-port=25,110,143,53,80,443 in-interface=WAN \
protocol=tcp
# NOTE(review): UDP 53 has no dst-nat rule in this export, so this accept and the
# next one let internet hosts query the router's own DNS service (enabled by
# allow-remote-requests=yes under /ip dns). Either forward UDP 53 to the intended
# server or remove these accepts.
add action=accept chain=input comment="server2 UDP" dst-address=\
72.xxx.xxx.122 dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=input dst-address=72.xxx.xxx.123 dst-port=53 \
in-interface=WAN protocol=udp
# TCP ports for server1; each of them has a matching dst-nat rule to 192.168.1.3.
add action=accept chain=input comment=server1 dst-address=\
72.xxx.xxx.123 dst-port=53,80,443 in-interface=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
# Everything else arriving on WAN for the router itself is dropped here.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WAN
# Placed after the WAN drop, so this can only match ICMP that did not arrive on WAN.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Forward chain: established/related connections are fasttracked and accepted,
# invalid packets are dropped, and new connections from WAN pass only when a
# dst-nat rule matched them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# This is the rule that actually limits inbound exposure of the LAN servers:
# the set of dst-nat rules defines what is reachable from the internet.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN
# NAT rules are evaluated top to bottom within each chain; the first match wins.
/ip firewall nat
# Disabled RDP forward to 192.168.1.254. It has no src-address restriction, so
# enabling it as written would publish RDP to every internet host; keep it
# disabled, or limit it with src-address / a source address list, or reach the
# host over a VPN instead.
add action=dst-nat chain=dstnat disabled=yes dst-address=72.xxx.xxx.121 \
dst-port=3389 protocol=tcp to-addresses=192.168.1.254 to-ports=3389
# Outbound mappings (srcnat): LAN host -> fixed public address.
# NOTE(review): this first rule has no out-interface, unlike the ones after it,
# so it matches traffic from 192.168.1.153 on any egress - add out-interface=WAN
# for consistency.
add action=src-nat chain=srcnat comment="Rotue traffic via 72.xxx.xxx.120" \
src-address=192.168.1.153 to-addresses=72.xxx.xxx.120
add action=src-nat chain=srcnat out-interface=WAN src-address=192.168.1.154 \
to-addresses=72.xxx.xxx.121
add action=src-nat chain=srcnat out-interface=WAN src-address=192.168.1.5 \
to-addresses=72.xxx.xxx.121
add action=src-nat chain=srcnat comment=server1 out-interface=WAN \
src-address=192.168.1.3 to-addresses=72.xxx.xxx.123
add action=src-nat chain=srcnat comment=server2 out-interface=WAN \
src-address=192.168.1.4 to-addresses=72.xxx.xxx.122
# Two disabled leftovers. NOTE(review): the comment on the first names
# 72.xxx.xxx.121 while the rule translates to 72.xxx.xxx.122; remove or correct
# them so they are not re-enabled by mistake.
add action=src-nat chain=srcnat comment="Rotue traffic via 72.xxx.xxx.121" \
disabled=yes src-address=192.168.1.154 to-addresses=72.xxx.xxx.122
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
192.168.1.254 to-addresses=72.xxx.xxx.121
# Inbound mappings (dstnat), TCP only and matched on in-interface=WAN, so LAN
# clients that connect to the public addresses are not translated by these rules.
# 72.xxx.xxx.122 -> 192.168.1.4 (mail server): 443, 80, 53, 143, 110, 25.
# NOTE(review): 110 and 143 are the POP3 and IMAP ports without implicit TLS;
# confirm the server enforces STARTTLS, or publish the TLS ports instead.
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=443
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=53 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=53
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=143 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=143
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=110 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=110
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=25 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=25
# 72.xxx.xxx.123 -> 192.168.1.3 (web server): 80, 443, 53.
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=443
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=53 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=53
# 72.xxx.xxx.121 -> 192.168.1.5 (web server): 80, 443.
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.121 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.121 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.5 to-ports=443
# Catch-all for every LAN host without an explicit src-nat rule above.
# NOTE(review): masquerade lets the router pick the source address on WAN; with
# four addresses on the interface it is presumably not guaranteed to be
# 72.xxx.xxx.120 as the post requires. An explicit
# action=src-nat to-addresses=72.xxx.xxx.120 would pin it - confirm.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WAN
# Static default route via the ISP gateway.
/ip route
add distance=1 gateway=72.xxx.xxx.119
# MAC-layer management: the default entry is disabled and a new one is added for
# "bridge" only, so MAC-Telnet is offered on the LAN bridge and not on WAN
# (presumably the default entry covered all interfaces - confirm on the device).
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
# Same restriction for MAC-Winbox. IP-level management services (/ip service)
# are not part of this export; review them separately.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge