I'm a brand new MikroTik user, so please be gentle.

I have a network that is presently working perfectly, with a firewall made from a PC running Linux (Ubuntu 20.04) with IPTables. I am trying to duplicate it with a MikroTik CRS305-1G-4S+, starting with a very simple subset of the configuration.

I have entered the rules via the WebFig interface, so it is totally possible that I did it wrong there. I would appreciate knowing how to correct this problem using the WebFig interface, if possible. I would also appreciate an explanation of what I did wrong, since I am trying to learn to use WebFig.

The ISP has provided us with a /29 (x.y.z.128/29) with 5 usable static IPs: x.y.z.130 to x.y.z.134, and the gateway to their network is x.y.z.129.

Our internal network is the private network 172.31.0.0/16 with NO DHCP. Everything is assigned a private static IP. The CRS305 internal interface is assigned 172.31.1.4.

We wish to have all non-server internal PCs have their traffic masqueraded by the CRS305, and this feature appears to be working OK.

Our problem is with incoming connections to the servers. I will simplify this by describing only our first test case:

We want certain external users to SSH to the server, using the public IP x.y.z.132, and have that NATed to the internal IP 172.31.220.4. That works, but with one problem: the address the server sees the connection coming from is the MikroTik box at 172.31.1.4 instead of the external user's IP.

This royally screws up the server's intrusion detection software, which counts the number of failed login attempts in the last hour from each IP and locks it out after a certain number of failures. This works fine if it sees the external user's (hacker's) IP, but by seeing everyone coming from 172.31.1.4, EVERYONE gets locked out.

What should I do so that the server sees the connection coming from the external user's IP?
Here is the current configuration shown by Export:
# jan/02/1970 02:22:57 by RouterOS 6.48.3
# software id = ES33-601A
#
# model = CRS305-1G-4S+
# serial number = B9EA0EEFE310
/interface bridge
add admin-mac=2C:C8:1B:58:25:75 auto-mac=no comment=defconf name=bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.31.1.4/16 comment="Inside network" interface=sfp-sfpplus1 network=172.31.0.0
add address=x.y.z.130/29 comment="Connection to ISP: Route" interface=ether1 network=x.y.z.128
add address=x.y.z.132/29 comment="Connection to ISP: Slug" interface=ether1 network=x.y.z.128
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=dst-nat chain=dstnat dst-address=x.y.z.132 dst-port=22 protocol=tcp to-addresses=172.31.220.4 to-ports=22
/ip route
add distance=1 gateway=x.y.z.129
/system routerboard settings
set boot-os=router-os
Thank you very much for any education you can give me.
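Added example, not part of the post above: a small Python model of how the exported NAT rules are walked (dstnat before routing, srcnat after it), showing why the forwarded SSH connection reaches the server with the router's own address, and what changes when the masquerade rule is scoped to the LAN source range. It assumes every port is a bridge member (as in the export), uses 192.0.2.128/29 as a constructed stand-in for the ISP's x.y.z.128/29, and simplifies routing and masquerade address selection.

```python
# Added example (not from the post): model of RouterOS NAT chain order applied to the
# exported rules. Constructed stand-ins: 192.0.2.128/29 plays x.y.z.128/29, 203.0.113.45
# is an external SSH user, 172.31.50.7 is a LAN workstation. Simplified semantics.
from ipaddress import ip_address, ip_network

LAN = ip_network("172.31.0.0/16")

def route(dst):
    """All ports in the export are bridge members, so traffic leaves via 'bridge'.
    Assumption: masquerade picks the router's address on the matching subnet."""
    if ip_address(dst) in LAN:
        return "bridge", "172.31.1.4"
    return "bridge", "192.0.2.130"          # stand-in for x.y.z.130

def matches(rule, pkt, out_if):
    """Return True when every matcher present on the rule fits the packet."""
    if rule.get("out-interface") not in (None, out_if):
        return False
    if "src-address" in rule and ip_address(pkt["src"]) not in ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and pkt["dst"] != rule["dst-address"]:
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst-port" in rule and pkt["dport"] != rule["dst-port"]:
        return False
    return True

def nat(pkt, rules):
    """Apply dstnat (pre-routing), route, then srcnat; masquerade rewrites the source."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt, None):
            pkt["dst"], pkt["dport"] = r["to-addresses"], r["to-ports"]
            break
    out_if, pref_src = route(pkt["dst"])
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt, out_if):
            pkt["src"] = pref_src          # masquerade: server now sees the router
            break
    return pkt

DSTNAT = {"chain": "dstnat", "dst-address": "192.0.2.132", "dst-port": 22,
          "protocol": "tcp", "to-addresses": "172.31.220.4", "to-ports": 22}
# As exported: masquerade matches everything leaving the bridge, forwarded SSH included.
POSTED = [{"chain": "srcnat", "out-interface": "bridge"}, DSTNAT]
# Scoped variant: only packets whose source is inside the LAN range get masqueraded.
SCOPED = [{"chain": "srcnat", "out-interface": "bridge", "src-address": "172.31.0.0/16"}, DSTNAT]

EXT_SSH = {"src": "203.0.113.45", "dst": "192.0.2.132", "proto": "tcp", "dport": 22}
LAN_WEB = {"src": "172.31.50.7", "dst": "203.0.113.80", "proto": "tcp", "dport": 443}
```

With the exported rules the model returns 172.31.1.4 as the source the server sees for the external SSH user, which is exactly what defeats a per-IP failed-login counter; with the scoped rule the external address survives while LAN clients are still masqueraded.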