New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

jerseyknoll · Sat Aug 10, 2019 4:28 am

I just switched to a Mikrotik RB3011 from an Asus router. I have an unraid server and desktop behind a Mikrotik CRS305 which is bridged to the RB3011 which has a dsl modem in bridged mode connected to eth1. When I was still using the Asus router I had ports 80 and 443 forwarded to ports 180 and 1443 on the Unraid server ip 192.168.1.245 for the purpose of access to the outside world for services like Sonarr via letsencrypt and nginx. This was all working fine with the Asus router but I haven't been able to get it working with my Mikrotik router. One of the subdomains I am trying to reach is sonarr.jerseyknoll.com. If I try to use https I receive the following error. This site can’t provide a secure connection sonarr.jerseyknoll.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH. If I try to use HTTP I get the WebFig login page for my router. Please let me know what I can post to help troubleshoot. Thanks in advance.

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=ether2 
     actual-interface=bridge 

 1 D address=72.161.250.66/32 network=72.161.250.1 interface=pppoe-out1 
     actual-interface=pppoe-out1 

 /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=72.161.250.1/32 pref-src=72.161.250.66 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge 
        gateway-status=bridge reachable distance=0 scope=10
 /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:23 
       last-link-up-time=aug/09/2019 16:58:37 link-downs=0 

 1  RS name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:24 
       last-link-up-time=aug/09/2019 16:58:37 link-downs=0 

 2   S name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:25 link-downs=0 

 3   S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:26 link-downs=0 

 4   S name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:27 link-downs=0 

 5   S name="ether6" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:29 link-downs=0 

 6  RS name="ether7" default-name="ether7" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=8156 mac-address=74:4D:28:30:C7:2A
/ip firewall export
# aug/09/2019 20:19:13 by RouterOS 6.45.3
# software id = W44L-WQN2
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A0F8170
/ip firewall filter
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=\
    pppoe-out1 protocol=tcp
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=\
    pppoe-out1 protocol=udp
add action=accept chain=forward dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp
add action=accept chain=forward dst-port=443 in-interface=pppoe-out1 protocol=\
    tcp
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.245 to-ports=1443
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN

sebastia · Sat Aug 10, 2019 1:51 pm

Hey

# You don't need these
add action=accept chain=forward dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-port=443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat

# as these are covered by
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# implicit accept everything else not already matched

How did you test? from inside the network?
* https: ssl error -> that's dependent on browser & server
* http: webfig ws not accessible from outside (=pppoe) as it's dst-nat-ted to your internal server, from internal network you can access webfig as dst-nat doesn't apply then: in-interface != pppoe. to solve that add entry in the dns cache for the dns name -> internal server ip

jerseyknoll · Sat Aug 10, 2019 1:59 pm

Yes I was testing from within the network.

jerseyknoll · Sat Aug 10, 2019 2:44 pm

https://1drv.ms/u/s!Ap0pEULGO__sjCtcSOL ... l?e=br8Fs0
With subdomain entries added to static DNS I am now able to access nextcloud.jerseyknoll.com but all of my subdomains I listed in static DNS resolve to nextcloud subdomain.

2frogs · Sat Aug 10, 2019 3:21 pm

Instead of the DNS trick, try correcting your dst-nat rules.

If you have a static IP:

/ip firewall nat

add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=1443

If you don't have a static IP:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.245 to-ports=1443

And then a hairpin nat in both cases:

/ip firewall nat
add action=masquerade chain=srcnat comment=Letsencrypt/Local Access dst-port=180,1443 dst-address=192.168.88.254 protocol=tcp

jerseyknoll · Sat Aug 10, 2019 4:38 pm

Thanks 2frogs this worked great for getting access outside my network. When I try to reach any of my subdomains from within my network they still all redirect to the nextcloud.jerseyknoll.com subdomain when using https, when using http they try to redirect to the webfig login.
Thanks for all your help.

EDIT: Now when using HTTP with any of my subdomains from inside my network it redirects to my Unraid server GUI.

sebastia · Sat Aug 10, 2019 5:23 pm

@2frogs

Split DNS configuration is standard practice in networks with internal and external addressing.

It is a proper solution if internal resources need to accessed. The alternative "hairpin" is abusing natting, as two NAT's are needed, first redirect to internal destination (dst-nat) then a source natting to ensure proper response routing.

2frogs · Sun Aug 11, 2019 5:44 am

@sebastia

I believe you missed that the server is on ports 180 & 1443. Static DNS entries will not work in this case as it points to ports 80 & 443.

Sob · Sun Aug 11, 2019 7:06 pm

The alternative "hairpin" is abusing natting, ...

I prefer "clever hack". It would be better if we didn't need it, but it's transparent (hostnames, numeric addresses, it doesn't care, everything works, even if device uses different resolver) and maintenance-free (add the universal rule once and you don't need to touch it again, no matter how many hostnames you add or remove in future). And if it ever happens that end devices will validate DNSSEC, it will still work, while split DNS will be doomed (that's probably the reason why this won't happen, because it would break too much). Don't fight it, it's ugly, but also in a way beautiful!

sebastia · Tue Aug 13, 2019 9:57 am

Agreed with port number change, nat is needed.

@Sob: not sure what would brake with DNSSEC, as the internal dns server, as an authoritative server, would present internal records with own signatures.

Sob · Tue Aug 13, 2019 2:48 pm

You're thinking about proper config with your own authoritative server doing split DNS, i.e. about some bigger network. But half of people who need this (I'd guess even more) don't have that. They buy a domain name, authoritative DNS server is run by registrar (on external network, with no split DNS support), and they only add local override in router's "/ip dns static". Any device that would really validate DNSSEC (i.e. going all the way from root zone) would detect this as unauthorized tampering.

But even without this (currently it's more hypothetical scenario), there's a problem if you don't have complete control over devices. If they don't use your resolver, they will get public address. You can redirect their regular port 53 queries to your server, but if they use some external DNS over HTTPS server, you can't do that.

jerseyknoll · Tue Aug 13, 2019 11:39 pm

Is there anything I can do to get my subdomains to resolve properly from within my network. They currently resolve fine outside my network but won't from within.

Sob · Wed Aug 14, 2019 6:07 am

Do you still have static DNS records pointing to 192.168.88.245? Because those would not work well when combined with different internal and external ports.

If you do not have them and hostnames resolve to same public address from both inside and outside, NAT rules from 2frogs must work exactly same for both inside and outside connections, i.e. connections to <hostname>:<80/443> (so to <public addres>:<80/443>) will be dstnatted to 192.168.88.245:<180/1443>.

But if you do have static records pointing to internal address, connections to <hostname>:<80/443> will go to 192.168.88.245:<80/443>.

jerseyknoll · Wed Aug 14, 2019 5:33 pm

These are the only static DNS enties I have left in place.

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=52.85.184.245 name="upgrade.mikrotik.com "

2frogs · Wed Aug 14, 2019 6:03 pm

And you have flushed dns on your device?
What is doing or not doing?
Can you provide:

/ip firewall nat export

Sob · Wed Aug 14, 2019 6:11 pm

Also, can you try to describe in more detail what and how exactly redirects or doesn't redirect as you want? I'm not sure if I understood that right. With the given rules, everything must work the same from inside and outside, target server can't see any difference.

One small problem I noticed, this rule is actually slightly wrong:

/ip firewall nat
add action=masquerade chain=srcnat comment=Letsencrypt/Local Access dst-port=180,1443 dst-address=192.168.88.254 protocol=tcp

It must work, but since it's missing src-address=192.168.88.0/24, it would hide original addresses even for connections from outside.
Personally I prefer simple and universal:

/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" src-address=192.168.88.0/24 dst-address=192.168.88.0/24

jerseyknoll · Wed Aug 14, 2019 6:19 pm

DNS cache has been flushed.

# aug/14/2019 10:18:12 by RouterOS 6.45.3
# software id = W44L-WQN2
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A0F8170
/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.245 to-ports=\
    1443
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=udp \
    to-addresses=192.168.88.245 to-ports=32400
add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN

jerseyknoll · Wed Aug 14, 2019 6:43 pm

When testing from outside my network HTTPS://sonarr.jerseyknoll.com resolves fine. From within my network the connection times out and I have to connect via IP address. This creates a problem on mobile devices while at home using services like nextcloud and bitwarden. I'm going to repost my current info from both routers and CAP because a made a few changes while trying to get the CAP setup correctly (which I'm still having trouble with also. Mobile devices are working fine but wireless Windows clients can connect to the CAP but don't get internet access). Thanks for the help. I really want to understand how this all works so that I can fix issues on my own and maybe be able to help others later too.

From the RB3011

[admin@Mikrotik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=bridge actual-interface=bridge 

 1 D address=207.119.172.190/32 network=207.119.172.1 interface=pppoe-out1 
     actual-interface=pppoe-out1 
[admin@Mikrotik] >

Export RB3011

[admin@Mikrotik] > /export hide-sensitive  
# aug/14/2019 10:34:14 by RouterOS 6.45.3
# software id = W44L-WQN2
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A0F8170
/interface bridge
add admin-mac=74:4D:28:30:C7:24 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=\
    centurylink user=CTL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=ether10
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip accounting
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 mac-address=00:18:61:07:E4:5B server=defconf
add address=192.168.88.250 client-id=1:0:2:c9:52:74:ba mac-address=00:02:C9:52:74:BA server=\
    defconf
add address=192.168.88.246 client-id=1:b8:27:eb:72:1b:c9 mac-address=B8:27:EB:72:1B:C9 \
    server=defconf
add address=192.168.1.245 client-id=1:0:2:c9:52:6d:6e mac-address=00:02:C9:52:6D:6E server=\
    defconf
add address=192.168.88.243 client-id=1:5c:41:5a:20:27:8f mac-address=5C:41:5A:20:27:8F \
    server=defconf
add address=192.168.88.242 client-id=1:cc:f7:35:ad:b6:35 mac-address=CC:F7:35:AD:B6:35 \
    server=defconf
add address=192.168.88.240 client-id=1:74:4d:28:c5:ad:eb mac-address=74:4D:28:C5:AD:EB \
    server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.246,192.168.88.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=52.85.184.245 name="upgrade.mikrotik.com "
/ip firewall filter
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
    tcp
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
    udp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log
    log-prefix=FI_D_port-test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" 
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-st
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked"
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.245 to-ports
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.245 to-port
    1443
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=udp \
    to-addresses=192.168.88.245 to-ports=32400
add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Mikrotik
/system logging
add prefix=MikroTik topics=dhcp
add prefix=MikroTik topics=!debug
add prefix=MikroTik topics=!debug
/system scheduler
add disabled=yes interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog 
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
    aug/11/2019 start-time=16:01:38
/tool graphing interface
add allow-address=192.168.88.250/32
/tool graphing queue
add allow-address=192.168.88.250/32
/tool graphing resource
add allow-address=192.168.88.250/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

From the CRS305

[admin@MikroTik10G] > /export hide-sensitive    
# jan/05/1970 21:34:18 by RouterOS 6.45.3
# software id = KUUU-7KNA
#
# model = CRS305-1G-4S+
# serial number = AB5C0AB4352D
/interface bridge
add admin-mac=74:4D:28:85:B4:16 auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=sfp-sfpplus1 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dns static
add address=52.85.184.245 disabled=yes name="upgrade.mikrotik.com "
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik10G
/system routerboard settings
set boot-os=router-os
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "

From the CAP AC

[admin@MikroTik] > /export hide-sensitive
# aug/14/2019 10:41:42 by RouterOS 6.44.1
# software id = 4EN7-XA7R
#
# model = RBcAPGi-5acD2nD
# serial number = B9380AAA7B33
/interface bridge
add admin-mac=74:4D:28:C5:AD:EB auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-C5ADED wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-C5ADEE wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge \
    use-peer-dns=no
/ip dns static
add address=52.85.184.245 disabled=yes name=upgrade.mikrotik.com
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system leds
add interface=ether1 leds=user-led type=interface-activity
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "

Sob · Thu Aug 15, 2019 3:48 am

And how is everything connected? For start, I see address 192.168.88.1/24 on RB3011, but you also have the same 192.168.88.1/24 on CRS305 (where it's additionally on wrong interface, should be on bridge), so if those two devices are connected, it's clearly wrong. You DNS config on RB3011 is also suspicious, are you sure you have DNS servers on 192.168.88.246 and 192.168.88.2? If not, that could possibly explain your problem with Windows clients (mobile devices may use some hardcoded server).

jerseyknoll · Thu Aug 15, 2019 2:21 pm

192.168.88.2 was second Pi-Hole instance running in a docker container on my Unraid server. I removed it yesterday because it was causing my server to freeze up. I have also changed my dns settings on the RB3011 since yesterday because after looking at them I didn't think they were correct.I now have the pppoe-out1 set to use peer DNS and DHCP network 192.168.88.0/24 set to use the Pi-Hole 192.168.88.246 for DNS.

[admin@Mikrotik] > /export hide-sensitive 
# aug/15/2019 06:17:01 by RouterOS 6.45.3
# software id = W44L-WQN2
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A0F8170
/interface bridge
add admin-mac=74:4D:28:30:C7:24 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=\
    centurylink use-peer-dns=yes user=CTL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=ether10
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip accounting
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 mac-address=00:18:61:07:E4:5B server=defconf
add address=192.168.88.250 client-id=1:0:2:c9:52:74:ba mac-address=00:02:C9:52:74:BA server=\
    defconf
add address=192.168.88.246 client-id=1:b8:27:eb:72:1b:c9 mac-address=B8:27:EB:72:1B:C9 \
    server=defconf
add address=192.168.1.245 client-id=1:0:2:c9:52:6d:6e mac-address=00:02:C9:52:6D:6E server=\
    defconf
add address=192.168.88.243 client-id=1:5c:41:5a:20:27:8f mac-address=5C:41:5A:20:27:8F \
    server=defconf
add address=192.168.88.242 client-id=1:cc:f7:35:ad:b6:35 mac-address=CC:F7:35:AD:B6:35 \
    server=defconf
add address=192.168.88.240 client-id=1:74:4d:28:c5:ad:eb mac-address=74:4D:28:C5:AD:EB \
    server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.246 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=52.85.184.245 name="upgrade.mikrotik.com "
/ip firewall filter
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
    tcp
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
    udp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes \
    log-prefix=FI_D_port-test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
    dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.245 to-ports=\
    1443
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=udp \
    to-addresses=192.168.88.245 to-ports=32400
add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip service
set www-ssl disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Mikrotik
/system logging
add prefix=MikroTik topics=dhcp
add prefix=MikroTik topics=!debug
add prefix=MikroTik topics=!debug
/system scheduler
add disabled=yes interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
    aug/11/2019 start-time=16:01:38
/tool graphing interface
add allow-address=192.168.88.250/32
/tool graphing queue
add allow-address=192.168.88.250/32
/tool graphing resource
add allow-address=192.168.88.250/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Mikrotik] > /export help               
expected end of command (line 1 column 9)
[admin@Mikrotik] >

2frogs · Thu Aug 15, 2019 3:08 pm

Change:

add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp

to

add action=masquerade chain=srcnat comment=Hairpin NAT dst-address=192.168.88.0/24 src-address=192.168.88.0/24

as SOB suggested as it is universal.

Do you have any static entries or cache on your pi-hole for your domains? I do not see any other reason why it should not work from local unless ports other than 180 & 1443 are involved.

By the way [?] provides help in cli. The [TAB] is very use full as well.

jerseyknoll · Thu Aug 15, 2019 4:29 pm

I just noticed a typo in the following.

add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp

It should have been

add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.245 \
    dst-port=180,1443 protocol=tcp

It works as expected with the IP change but I went ahead and used the hairpin nat rule instead and that also works. Thanks for the help.

jerseyknoll · Thu Aug 15, 2019 5:20 pm

Is there still something I need to change with my CRS305 setup to make it correct? Also I'm going to start digging into CAPSman and QOS any recommendations for info or tutorials for a beginner?

Sob · Thu Aug 15, 2019 7:01 pm

Give it own unique address, instead of 192.168.88.1 already used by RB, and move it to bridge.

2frogs · Thu Aug 15, 2019 7:08 pm

Since you have a dhcp-client on bridge, just remove the 192.168.88.1/24 address

jerseyknoll · Thu Aug 15, 2019 7:53 pm

Here's what I see in the WInbox on both routers for IP addresses for the CRS305. I'm a little confused about what I need to change and where.

2019-08-15.png

2019-08-15 (2).png

2frogs · Thu Aug 15, 2019 9:41 pm

On CRS, navigate to IP>Addresses. Or

/ip address remove [find address="192.168.88.1/24"]

The address is most likely a left-over from the default config.

New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Who is online