So I've been sitting with RouterOS for about a day now, so I have a lot to learn.
I've set up the initial settings. Internet works and so on.
But... I cannot get the forwarding rules to work. I've watched videos and read the instructions, the manual and examples. As far as I can tell it should work, but it does not.
Oh and of course it worked fine on my old home router.
I have set up NAT rules and I've set up firewall rules. Then I use my cellphone (disconnected from the wifi) for testing the access.
My goal is to set up access to my Synology NAS on port 5001 for external access.
I also found something a bit strange, which I guess has more to do with how my ISP works. I get an address on my MikroTik WAN port in the range 100.x.y.z, but if I look at myip, for example, it reports a public address in the range 155.4.xx.yy. Is that something I need to set up to make it work?
I've set it up as follows:
# may/16/2021 15:23:30 by RouterOS 6.48.2
# software id = 3VDA-B7BE
#
# model = RB3011UiAS
# serial number = xxxxxxxxxx
#
# Reviewer notes (added for readability; the "xx"/"yy" and "xxxxxxxxxx" values
# are the poster's redactions, not literal config).
/interface bridge
add admin-mac=08:xxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN-port
/interface vlan
add interface=ether6 name=vlan2 vlan-id=30
/interface ethernet switch port
set 5 default-vlan-id=30 vlan-header=add-if-missing vlan-mode=check
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.xx.xx.1-10.xx.yy.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# NOTE(review): this server sits on ether6 and hands out the same pool as the
# bridge server, while the VLAN interface is vlan2 and the ether6 bridge port
# below is disabled — the vlan2 design looks unfinished; confirm intent.
add address-pool=dhcp disabled=no interface=ether6 name=VLAN2_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6 pvid=30
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf disabled=yes interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery only answers on LAN; keep it off WAN.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN-port list=WAN
# ether6 is treated as LAN, so the input-chain rules below trust it fully.
add comment="LAN VLAN2" interface=ether6 list=LAN
/ip address
add address=10.xx.yy.1/24 comment=defconf interface=bridge network=10.xx.yy.0
/ip dhcp-client
# WAN-port takes its address from the ISP via DHCP. The post reports this lands
# in 100.x.y.z while the address seen from outside is 155.4.xx.yy. If the
# 100.x address falls inside 100.64.0.0/10 (RFC 6598 shared address space),
# that is consistent with the ISP performing carrier-grade NAT upstream; in
# that case inbound connections to the public address never reach WAN-port and
# no dst-nat rule on this router can receive them — confirm with the ISP.
add comment=defconf disabled=no interface=WAN-port
/ip dhcp-server network
add address=10.xx.yy.0/24 comment=defconf gateway=10.xx.yy.1 netmask=24
# NOTE(review): a /32 network with no gateway for the vlan2 scope — verify.
add address=10.xx.yz.2/32 comment="vlan2 dhcp"
/ip dns
# Remote requests are allowed; the router is kept from being an open resolver
# only by the input-chain "drop all not coming from LAN" rule further down.
set allow-remote-requests=yes
/ip dns static
add address=10.xx.yy.1 comment=defconf name=router.lan
/ip firewall address-list
# Neither list is referenced by any filter or nat rule in this export: the
# dst-nat rules use the literal 10.xx.yy.120 instead of the NAS list, and
# EXTERNAL-IP is unused. Either reference them or drop them to avoid drift.
add address=10.xx.yy.120 list=NAS
add address=155.xx.yy.225 list=EXTERNAL-IP
/ip firewall filter
# Disabled; the "Accept all that is DST NATed" rule below already covers this.
add action=accept chain=forward disabled=yes log=yes port=5001 protocol=tcp
# log=yes here logs every established/related packet to the router itself —
# presumably left on for debugging; high volume, remove once done.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked log=yes
# Forward path for inbound forwards: anything that was dst-natted is accepted.
# The dst-nat rules in /ip firewall nat therefore define the entire inbound
# exposure of the network.
add action=accept chain=forward comment="Accept all that is DST NATed" \
connection-nat-state=dstnat connection-state=new log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Default-deny for traffic to the router itself: only LAN-list interfaces
# (bridge, ether6) reach management, DNS, etc. Keep this as the last input rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes
# Disabled and redundant with the dstnat accept above.
add action=accept chain=forward comment="NAS log in" disabled=yes dst-port=\
5000-5001 in-interface=WAN-port log=yes protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Default-deny for new inbound connections from WAN that were not dst-natted.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Inbound forwards to the NAS. The stated goal is TCP 5001 only; 5000 (DSM's
# default plain-HTTP port) and 80 below expose cleartext logins to the
# internet. Each extra forward is additional attack surface — keep only what
# is actually needed. Matching in-interface=WAN-port means LAN clients using
# the public address will not be forwarded (no hairpin); testing from the
# phone off wifi, as described, is unaffected by that.
add action=dst-nat chain=dstnat comment=NAS dst-port=5000-5001 in-interface=\
WAN-port protocol=tcp to-addresses=10.xx.yy.120 to-ports=5000-5001
# Uncommented UDP forward; DSM on 5000-5001 uses TCP, so this rule is likely
# unnecessary and only widens exposure — confirm and remove if unused.
add action=dst-nat chain=dstnat dst-port=5000-5001 in-interface=WAN-port log=\
yes protocol=udp to-addresses=10.xx.yy.120 to-ports=5000-5001
# HTTP/HTTPS forwards not mentioned in the stated goal; confirm they are wanted.
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN-port log=yes \
protocol=tcp to-addresses=10.xx.yy.120 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN-port protocol=\
tcp to-addresses=10.xx.yy.120 to-ports=443
/ip smb
set domain=HOME
/lcd interface
set sfp1 disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=MikroTik_Galaxy
/system routerboard settings
set auto-upgrade=yes
/system watchdog
# NOTE(review): watch-address reboots the router when this host stops answering
# pings, so router uptime is tied to the NAS being reachable — confirm intended.
set watch-address=10.xx.yy.120
/tool mac-server
# MAC-level access (telnet/winbox) restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=10.xx.yy.120