I tried for a few hours to sort this out, but just cannot...
In theory, an easy thing - I want to access a Web server in my LAN via the WAN interface.
But it's not working (even though on my other RB - an RB912 - it's working [between LTE and LAN]).
Here's my RB450 with 2x WAN (Eth4 & Eth5) + a LAN bridge where my Web server is (192.168.88.71).
WAN2 (Eth4) I set up just for testing purposes. WAN1 (Eth5) is connected to the ISP device.
# jun/17/2021 12:22:17 by RouterOS 6.48.3
# software id = 2QS3-Q818
#
# model = 450G
# serial number = 23260186B69C
#
# Review notes (added as comments only; the exported commands are unchanged):
# - ether4-wan2 ("WAN2") sits in the LAN interface list, not WAN, so the
#   WAN-specific forward drop and the srcnat masquerade never see it; the
#   dst-nat test therefore does not exercise the path ether5-pronet will use.
# - Replies from 192.168.88.71 to the 10.1.1.x client must come back through
#   this router (192.168.88.250). Another gateway, 192.168.88.1, exists on the
#   same LAN segment (see /ip route) - confirm which one the web server uses.
/interface bridge
# NOTE(review): arp=proxy-arp makes the router answer ARP on the bridge for
# destinations it can route; presumably kept for the 192.168.88.1-side
# routes - verify it is still wanted.
add admin-mac=00:0C:42:5B:EE:2C arp=proxy-arp auto-mac=no comment=defconf \
name=bridge_eth1-3
/interface ethernet
set [ find default-name=ether1 ] name=ether1-mgmt speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] name=ether4-wan2 speed=100Mbps
set [ find default-name=ether5 ] name=ether5-pronet speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.200
add name=WAN2-DHCP ranges=10.1.1.10-10.1.1.100
/ip dhcp-server
add address-pool=default-dhcp bootp-support=none disabled=no interface=\
bridge_eth1-3 lease-time=8h name=dhcp1
# Test clients plugged into ether4-wan2 get a 10.1.1.x lease from this server.
add address-pool=WAN2-DHCP disabled=no interface=ether4-wan2 name=WAN2-DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_eth1-3 comment=defconf interface=ether1-mgmt
add bridge=bridge_eth1-3 interface=ether2
add bridge=bridge_eth1-3 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge_eth1-3 list=LAN
add interface=ether5-pronet list=WAN
# NOTE(review): ether4-wan2 is in LAN, not WAN. Every rule below that keys on
# in-interface-list=WAN (the non-dstnat forward drop, the srcnat masquerade)
# ignores it, and it is admitted by the dedicated ether4-wan2 accept rules
# instead. To reproduce what ether5-pronet will see, put it in the WAN list
# (list=WAN) and remove the ether4-wan2-specific accept rules.
add interface=ether4-wan2 list=LAN
/ip address
add address=192.168.88.250/24 comment="LAN Bridge Eth1-Eth3" interface=\
bridge_eth1-3 network=192.168.88.0
add address=10.1.1.1/24 comment="TEST WAN" interface=ether4-wan2 network=\
10.1.1.0
/ip dhcp-client
# The active default route comes from this DHCP client on ether5-pronet; the
# static default routes under /ip route are both disabled.
add disabled=no interface=ether5-pronet
/ip dhcp-server network
add address=10.1.1.0/24 comment=WAN2-DHCP dns-none=yes gateway=10.1.1.1 \
netmask=24
# LAN clients are told to use 192.168.88.250 (this router) as gateway. The
# dst-nat below only completes if 192.168.88.71 really routes its replies to
# 10.1.1.x through this router; a server configured statically with
# 192.168.88.1 as gateway answers via the other device and the connection
# never establishes - TODO confirm the server's default gateway.
add address=192.168.88.0/24 comment="LAN" dns-server=\
8.8.8.8,8.8.4.4 gateway=192.168.88.250
/ip dns
# The router answers DNS for remote hosts; only sources admitted by the input
# chain below (192.168.88.0/24 on LAN, anything on ether4-wan2) reach it, the
# rest is dropped by "Drop Input ALL".
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Rule order matters: fasttrack/established first, then the per-interface
# accepts, then the dst-nat accept and the WAN drop. The forward chain has no
# final drop, so forward traffic matched by nothing below is accepted by the
# chain's default policy.
add action=fasttrack-connection chain=forward comment=\
"Allow Fasttrack Established Related " connection-state=\
established,related
# ICMP to the router is accepted on every interface, WAN included.
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=accept chain=input comment="Accept Established / Related" \
connection-state=established,related
add action=accept chain=forward connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"Accept Management input from LAN on ETH1-3" in-interface-list=LAN \
src-address=192.168.88.0/24
# Unrestricted: every router service is reachable from ether4-wan2 (test only).
add action=accept chain=input comment="Allow Management Input on WAN2 - Eth4" \
in-interface=ether4-wan2
# Accepts all forwarded traffic from ether4-wan2, dst-nat'ed or not - wider
# than the dst-nat-only rule that follows, and it already passes the test SYN
# before the "Allow Port Forwarding" rule is consulted.
add action=accept chain=forward in-interface=ether4-wan2
# log=yes: an entry for this rule in /log shows that a dst-nat'ed SYN reached
# the forward chain; with the rule above in place it is only hit for traffic
# arriving on an interface other than ether4-wan2.
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new log=yes
# Applies to in-interface-list=WAN only, i.e. ether5-pronet, not ether4-wan2.
add action=drop chain=forward comment="Drop All from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=drop chain=input comment="Drop Input ALL" in-interface-list=all \
log=yes
/ip firewall nat
# Masquerade only for out-interface-list=WAN; replies routed back to 10.1.1.x
# via ether4-wan2 are not source-NATed, which is fine as long as those clients
# use 10.1.1.1 as gateway (they do, via WAN2-DHCP).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Matches only TCP/80 arriving on ether4-wan2 for 10.1.1.1. There is no
# equivalent rule for ether5-pronet and no hairpin (srcnat) rule, so a test
# from a LAN host or from the router itself never hits this rule; test from a
# 10.1.1.x client and check /log for the entries log=yes produces here - the
# NAT log line is the first evidence that the SYN arrived at all.
add action=dst-nat chain=dstnat comment="Port forward to SuperZFS (80)" \
dst-address=10.1.1.1 dst-port=80 in-interface=ether4-wan2 log=yes \
protocol=tcp to-addresses=192.168.88.71 to-ports=80
/ip route
# Both static default routes (no dst-address) are disabled; the netwatch
# scripts further down toggle them by item number ("0", "1"), which is not a
# stable identifier - select by comment instead, e.g.
# /ip route disable [find comment="ISP Otvarta"]
add check-gateway=ping comment="ISP Otvarta" disabled=yes distance=10 \
gateway=192.168.88.1
add check-gateway=ping comment="ISP ProNet" disabled=yes distance=1 gateway=\
192.168.2.254
# 192.168.88.1 is another gateway on the LAN bridge segment (see the note at
# /ip dhcp-server network about the web server's default gateway).
add comment="Otvarta WAN" distance=1 dst-address=10.250.5.0/24 gateway=\
192.168.88.1
add distance=1 dst-address=172.16.0.0/24 gateway=192.168.88.1
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Plain www is off, so nothing on the router itself listens on TCP/80; this
# does not affect the dst-nat, which is applied before the input chain.
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Security: allow-none-crypto=yes permits SSH sessions that negotiate no
# encryption; unrelated to the dst-nat problem, but set it to no unless a
# client really needs it. forwarding-enabled=remote allows remote port
# forwarding through the router's SSH service.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik RB450"
/system note
set note="\
\n##### WARNING #####\
\nAuthorized administrators only.\
\nAccess to this device is monitored."
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool netwatch
# "/ip route disable 0" / "enable 1" address routes by item number; numbers
# are only meaningful after a print in the same console session and shift as
# routes are added or removed, so these scripts can toggle the wrong route or
# none at all. Use [find comment=...] to select the route instead.
add down-script="/ip route disable 0" host=155.133.0.7 interval=10s \
up-script="/ip route enable 0"
add down-script="/ip route disable 1" host=10.250.2.86 interval=10s \
up-script="/ip route enable 1"
PS. A few things might be wrong, as I just changed ISP, but for dst-nat this should not have an impact.