Thu May 28, 2020 2:34 am
Might need a /export of the relevant sections
It really depends on how you've set your firewall filter rules up, but if you have a typical set of requirements (a public IP that the LAN shares, additional public IPs for other devices) you shouldn't need anything at all in 'firewall filter'. You just need 1 rule in 'firewall nat', which is to prevent NAT'ing of public IP addresses, and/or specify which internal IP addresses would get NAT'd as which IP.
You shouldn't need 'firewall filter' for this, unless you want to block incoming access (since devices will have a public IP address and not be inherently protected behind NAT).
I.e. if you normally have
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
Then all traffic going out the WAN interface will be masquerade/NAT'd with the IP address on the WAN interface.
Either add this rule above it
/ip firewall nat add chain=srcnat out-interface=WAN src-address=y.y.y.y/28 action=accept
Which will match first and then effectively just do nothing.
Or adjust the other rule to something like
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.88.0/24 action=masquerade comment="Masquerade 192.168.88.0/24 addresses going out WAN"
Then it would only match that range. It just depends on your requirements: the first example is a broad scope covering all possible LAN ranges you might add in the future; the last example is being very specific but can be more useful when it's something like:
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.88.0/24 action=src-nat to-addresses=1.1.1.1 comment="Masquerade 192.168.88.0/24 addresses going out WAN as 1.1.1.1"
/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.1.0/24 action=src-nat to-addresses=2.2.2.2 comment="Masquerade 192.168.1.0/24 addresses going out WAN as 2.2.2.2"
/ip firewall nat add chain=srcnat out-interface=WAN action=src-nat to-addresses=3.3.3.3 comment="Masquerade anything else going out WAN as 3.3.3.3"
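Added example, not part of the original post and not RouterOS code: a small Python model of first-match source NAT evaluation, showing why the accept rule for the public block has to sit above the catch-all masquerade. It models only chain, out-interface, src-address and action; 203.0.113.16/28 stands in for the post's y.y.y.y/28, 198.51.100.2 is a constructed WAN address, and the function names are hypothetical.

```python
import ipaddress

# Constructed rule set in the order the post recommends: the accept rule for the
# routed public block comes first, the catch-all masquerade comes last.
# 203.0.113.16/28 stands in for y.y.y.y/28 (assumption, documentation range).
RULES = [
    "chain=srcnat out-interface=WAN src-address=203.0.113.16/28 action=accept",
    "chain=srcnat out-interface=WAN src-address=192.168.1.0/24 action=src-nat to-addresses=2.2.2.2",
    "chain=srcnat out-interface=WAN action=masquerade",
]
WAN_ADDRESS = "198.51.100.2"  # constructed address assumed to be on the WAN interface

def parse_rule(line):
    """Split the key=value tokens of a simplified NAT rule into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def translate(src, out_interface, rules=RULES, wan_address=WAN_ADDRESS):
    """Return the source address a packet leaves with; the first matching rule wins."""
    ip = ipaddress.ip_address(src)
    for rule in map(parse_rule, rules):
        if rule.get("chain") != "srcnat":
            continue  # only rules in the srcnat chain are modelled here
        if "out-interface" in rule and rule["out-interface"] != out_interface:
            continue
        if "src-address" in rule and ip not in ipaddress.ip_network(rule["src-address"]):
            continue
        if rule["action"] == "accept":
            return src  # matched, left untranslated, later rules are skipped
        if rule["action"] == "masquerade":
            return wan_address
        if rule["action"] == "src-nat":
            return rule["to-addresses"]
    return src  # no rule matched: packet leaves untranslated

if __name__ == "__main__":
    for host in ("203.0.113.20", "192.168.1.10", "192.168.88.5"):
        print(host, "->", translate(host, "WAN"))
    # Same rules with the masquerade first: the public host now gets NAT'd.
    print("misordered:", translate("203.0.113.20", "WAN", rules=list(reversed(RULES))))
```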