Tue Mar 23, 2021 2:01 am
Upgrade your firmware its dated, use long term version 6.47.9
From
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=19132 in-interface=ether1 \
in-interface-list=WAN protocol=tcp src-port=19132 to-addresses=\
192.168.88.172 to-ports=19132
add action=dst-nat chain=dstnat disabled=yes dst-port=19132 in-interface=\
ether1 protocol=tcp to-addresses=192.168.88.172 to-ports=19132
TO
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=19132 \
in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.172
(Note: dont need to ports if same as dst-port)
Ensure this line in your winbox has DNS selected.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1
These input rules need work, the one in red looks more like a nat rule in the wrong place..........
/ip firewall filter
{forward chain seem seems OK}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
{input chain needs work}
add action=accept chain=input connection-state=\
established,related,untracked
add action=drop chain=input connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
This rule needs to be removed.
add action=accept chain=forward dst-address=192.168.88.172 dst-port=19132 \
protocol=tcp