Post your configuration, following the anonymisation hint in my automatic signature below, and a description or drawing of the setup - which port of the Mikrotik the uplink, the server, and the client PC (from which you try to access the server) are connected to. To me, "direct to internet" means that you've used the Mikrotik to bridge the uplink with the interface of a single server, but you've mentioned a single public address and multiple servers.
Hi Sindy, below is the output produced by issuing the `export hide-sensitive` command.
P.S. Please ignore my mistake in the drawing: it should be ether6 instead of ether5 for the fixed IP. Thanks!
# jun/11/2019 20:08:30 by RouterOS 6.43.10
# software id = PSI7-EAMH
#
# model = RB4011iGS+
# serial number = AAB00A13E45C
# NOTE(review): this is `export hide-sensitive` output -- PPPoE user names and
# passwords, the PPP secret password and the IPsec pre-shared key are stripped
# (the `user=` values below are empty), so it cannot be re-imported as-is.
# The serial number above, the public /30 58.71.188.76 and the LAN MAC
# addresses were not anonymised.
/interface bridge
# bridge1 has a single member port, ether3-DMZ (see /interface bridge port).
add name=bridge1
/interface ethernet
# Naming only. ether2-LAN2, ether4-HPiLo and ether8 (4G) receive no address,
# bridge membership or firewall reference anywhere else in this export.
set [ find default-name=ether6 ] name=Ether6-FixedMaxis100
set [ find default-name=ether8 ] name=Ether8-WAN3-Maxis4G
set [ find default-name=ether9 ] name=Ether9-WAN2-Maxis
set [ find default-name=ether10 ] name=Ether10-WAN1-UniFi
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-LAN2
set [ find default-name=ether3 ] name=ether3-DMZ
set [ find default-name=ether4 ] name=ether4-HPiLo
/interface vlan
# WAN1 = UniFi (vlan500 on ether10), WAN2 = Maxis (vlan621 on ether9),
# fixed-IP Maxis = vlan621-2 on ether6. vlan800 has no parent interface and
# is not referenced again in this export.
add interface=Ether10-WAN1-UniFi name=vlan500 vlan-id=500
add interface=Ether9-WAN2-Maxis name=vlan621 vlan-id=621
add interface=Ether6-FixedMaxis100 name=vlan621-2 vlan-id=621
add name=vlan800 vlan-id=800
/interface pppoe-client
# Credentials stripped by hide-sensitive. Only Maxis-Fixed installs a default
# route (add-default-route=yes); UniFi and Maxis are reachable only through
# the routing-mark routes under /ip route. The first `add` line ends in `\`
# after the emptied user=, so as pasted the following `add` is swallowed into
# it -- an artefact of the stripped value, not necessarily a fault on the
# router.
add disabled=no interface=vlan621 name=Maxis service-name=Maxis user=\
add add-default-route=yes disabled=no interface=vlan621-2 name=Maxis-Fixed \
use-peer-dns=yes user=
add disabled=no interface=vlan500 name=UniFi service-name=UniFi use-peer-dns=\
yes user=
/ip pool
# dhcp_pool4 serves ether1-LAN; ipsec_vpn_pool is presumably handed out by the
# ipsec_vpn PPP profile, which is referenced by /ppp secret but not part of
# this export.
add name=dhcp_pool4 ranges=192.168.1.100-192.168.1.230
add name=ipsec_vpn_pool ranges=192.168.102.2-192.168.102.100
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=ether1-LAN name=dhcp1
/interface bridge port
# ether3-DMZ is made a slave of bridge1 here, yet the public /30 under
# /ip address is placed on ether3-DMZ itself rather than on bridge1.
# NOTE(review): as far as I know RouterOS does not use L3 configuration on a
# bridge slave port; confirm whether the address belongs on bridge1 -- this
# looks like the first thing to check for the "cannot reach 58.71.188.78"
# symptom described in the post.
add bridge=bridge1 interface=ether3-DMZ
/ip address
# 58.71.188.76/30: .77 is the router, .78 the server the WHM rules reference.
add address=192.168.1.1/24 interface=ether1-LAN network=192.168.1.0
add address=58.71.188.77/30 interface=ether3-DMZ network=58.71.188.76
/ip arp
# Static ARP pins for four LAN hosts. ether1-LAN is not exported with
# arp=reply-only, so these entries do not stop other MACs from claiming the
# same addresses. 192.168.1.254 is both the dst-nat target below (FreePBX
# comment) and the next hop for 192.168.0.0/24 under /ip route.
add address=192.168.1.230 interface=ether1-LAN mac-address=00:0C:29:6A:C7:C6
add address=192.168.1.253 interface=ether1-LAN mac-address=00:0C:29:FA:8F:4C
add address=192.168.1.254 interface=ether1-LAN mac-address=00:01:2E:6C:B8:6B
add address=192.168.1.227 interface=ether1-LAN mac-address=00:0C:29:CD:95:10
/ip dhcp-server lease
add address=192.168.1.230 client-id=1:0:c:29:6a:c7:c6 mac-address=\
00:0C:29:6A:C7:C6 server=dhcp1
/ip dhcp-server network
# LAN clients are pointed at public resolvers directly, not at the router.
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 \
gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver. See the
# "Accept DNS" input rules in the filter, which admit port 53 from every
# interface -- together these expose an open resolver on the PPPoE addresses.
set allow-remote-requests=yes servers="58.71.132.10,58.71.136.10,1.1.1.1,1.0.0\
.1,208.188.18.188,1.9.1.9,8.8.8.8,8.8.4.4"
/ip firewall address-list
# Only these two lists are defined here, and neither is referenced by any
# filter rule. The lists the filter does reference -- blacklist,
# not_in_internet, bogons, support -- are absent from this export, so unless
# they are filled by a script or dynamically, those rules match nothing.
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=1.1.1.1 list=Allow_DNS
add address=1.0.0.1 list=Allow_DNS
add address=8.8.8.8 list=Allow_DNS
add address=8.8.4.4 list=Allow_DNS
/ip firewall filter
# Rules are evaluated top-down per chain in the order exported. The
# established/related accepts sit far down the list, behind many per-packet
# matchers, and "Drop invalid" comes after the WHM accepts.
# WHM rules: no in-interface, so new connections to 58.71.188.78 on these
# ports are accepted from every interface (WAN, LAN, VPN). The two
# src-address rules accept *all* TCP/UDP originating at 58.71.188.78 toward
# any destination, including 192.168.1.0/24 -- a compromised WHM host would
# have unrestricted forward access to the LAN. Consider limiting them with
# out-interface or dst-address=!192.168.1.0/24.
add action=accept chain=forward comment="WHM ---- START" dst-address=\
58.71.188.78 dst-port=20,25,53,80,110,143,443,465,587,993,995,2087 \
protocol=tcp
add action=accept chain=forward dst-address=58.71.188.78 dst-port=53 \
protocol=udp
add action=accept chain=forward protocol=tcp src-address=58.71.188.78
add action=accept chain=forward comment="WHM ----- STOP" protocol=udp \
src-address=58.71.188.78
# L2TP/IPsec (IKE 500, L2TP 1701, NAT-T 4500) accepted only on the fixed WAN.
add action=accept chain=input dst-port=500,1701,4500 in-interface=Maxis-Fixed \
protocol=udp
# Echo request is dropped here, before the "Jump for icmp input flow" rule
# further down, so the rate-limited echo accept in chain ICMP is never
# reached for input; the forward rule right after it does the same for the
# forward-chain jump.
add action=drop chain=input comment="dropping ping" icmp-options=8:0 \
protocol=icmp
add action=drop chain=forward comment=dropping-ping-through icmp-options=8:0 \
protocol=icmp
# FreePBX forward accepts, mirroring the dst-nat rules to 192.168.1.254 on
# Maxis-Fixed. No matching forward accept exists for the RDP-2 (44199 via
# UniFi) or the 7777-7790 dst-nat rules.
add action=accept chain=forward comment="SIP Connection" dst-address=\
192.168.1.254 dst-port=5060 in-interface=Maxis-Fixed protocol=udp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=\
10000-40000 in-interface=Maxis-Fixed protocol=udp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=5060-5061 \
in-interface=Maxis-Fixed protocol=tcp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=9999 \
in-interface=Maxis-Fixed protocol=tcp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=5000-5001 \
in-interface=Maxis-Fixed protocol=tcp
# Connection-rate heuristic: a src/dst pair opening more than 32 new
# connections per 10 s (except the two exempted LAN hosts) puts both
# addresses on lists for 10 min; the drop after the chain fires only when
# src AND dst are both listed.
add action=jump chain=forward comment=block-ddos connection-state=new \
jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.1.254
add action=return chain=detect-ddos src-address=192.168.1.253
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
src-address-list=ddoser
# Drops forwarded UDP/443 -- presumably to push HTTP/3 (QUIC) back to TCP.
add action=drop chain=forward comment="forward -> through the router" \
dst-port=443 protocol=udp
# blacklist is not defined in this export (see address-list section).
add action=drop chain=input comment=\
"Drop new connections from blacklisted IP's to this router" \
connection-state=new src-address-list=blacklist
add action=drop chain=forward comment=\
"Drop new connections from blacklisted IP's through router" \
connection-state=new src-address-list=blacklist
# SYN-Protect: new SYNs accepted at up to 400/s (burst 5), dropped above that.
add action=jump chain=forward comment="SYN Flood protect - through" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect - input" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Stateful accepts. Because they sit this far down, every established packet
# is still matched against all the rules above first; placing these two (and
# "Drop invalid") at the top of their chains is the usual layout.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
# Per-host WAN egress policy: only .254 -> UniFi, .253 -> Maxis and the VPN
# pool -> Maxis-Fixed are allowed out. Nothing accepts 192.168.0.0/24 (the
# subnet routed via 192.168.1.254 under /ip route), so traffic from those
# hosts that does not hit the WHM accepts at the top falls through to the
# final "Drop everything else" rule.
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
out-interface=UniFi src-address=192.168.1.254
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
out-interface=Maxis src-address=192.168.1.253
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
out-interface=Maxis-Fixed src-address=192.168.102.0/24
# Drop new inbound connections on each WAN that were not dst-nat'ed.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=Maxis-Fixed log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=Maxis log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=UniFi log-prefix=!NAT
# not_in_internet is not defined in this export.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
Maxis-Fixed log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=UniFi \
log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=Maxis \
log-prefix=!public src-address-list=not_in_internet
# The comment says "from LAN", but in-interface is each WAN PPPoE interface
# and src-address=!192.168.1.0/24, so as written these drop every forwarded
# packet arriving from the Internet that no earlier rule accepted -- which
# includes the dst-nat'ed RDP-2 (44199) and 7777-7790 connections, since no
# forward accept above covers them. Looks like a copied template; confirm
# the intent.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=Maxis-Fixed \
log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=UniFi \
log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=Maxis \
log-prefix=LAN_!LAN src-address=!192.168.1.0/24
# No rule in this export jumps to chain=udp, so these six rules are never
# evaluated.
add action=drop chain=udp comment="deny TFTP - ALL UDP PORTS" dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
udp
# Any source holding more than 30 concurrent TCP connections to the router
# itself is listed for 30 min and then dropped. This sits after the
# established accept, so it only sees new SYNs, but a LAN host with many open
# management sessions could trip it.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list NEW" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
# Port-scan detection with a one-week block; it precedes the DNS accepts, so
# a listed host also loses DNS service from the router.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
# bogons is not defined in this export.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# Outbound SMTP (25/587) rate limiting per source, 3 h block.
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
# Open-resolver exposure: these two accepts carry no in-interface or source
# restriction, so with allow-remote-requests=yes the router answers DNS for
# the whole Internet on its PPPoE addresses (DNS amplification abuse risk).
# Also, `port=53` matches source OR destination port, so any packet sent from
# source port 53 to any router port is accepted too. Suggest `dst-port=53`
# plus a source restriction, e.g. `src-address-list=allowed_to_router` after
# adding 192.168.102.0/24 to that list, or `in-interface=ether1-LAN`.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
# Redundant with the "default configuration" accept above.
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
# support is not defined in this export, so this accept currently matches
# nothing.
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
# Shared ICMP chain (input, forward and output jump here): echo request
# rate-limited, echo reply / TTL exceeded / unreachable / PMTUD allowed,
# everything else dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# Final drops. log-prefix is set here and on the !NAT / !public / LAN_!LAN
# rules, but no rule in this export has log=yes, so none of these prefixes
# ever appears in the log -- worth enabling while tracing the drop the post
# describes. connection-state="" is presumably the export form of "any
# state"; confirm.
add action=drop chain=forward comment="Drop everything else - Through Router" \
connection-state="" log-prefix=through_log
add action=drop chain=input comment="Drop everything else - To Router" \
log-prefix=inbound_log
/ip firewall mangle
# Policy routing: .254 -> TW01 (UniFi), .253 -> TW02 (Maxis). Anything else
# -- e.g. 192.168.0.0/24 arriving via .254, or the VPN pool -- is unmarked
# and follows the main-table default route, which only Maxis-Fixed installs.
add action=mark-routing chain=prerouting new-routing-mark=TW01 \
passthrough=yes src-address=192.168.1.254
add action=mark-routing chain=prerouting new-routing-mark=TW02 passthrough=\
yes src-address=192.168.1.253
/ip firewall nat
# srcnat covers exactly the three sources of the egress accepts; there is no
# masquerade for 192.168.0.0/24 or other LAN hosts, so their packets would
# leave with private source addresses.
add action=masquerade chain=srcnat out-interface=UniFi src-address=\
192.168.1.254
add action=masquerade chain=srcnat out-interface=Maxis-Fixed src-address=\
192.168.102.0/24
add action=masquerade chain=srcnat out-interface=Maxis src-address=\
192.168.1.253
# Port forwards to 192.168.1.254 (FreePBX) on Maxis-Fixed; UDP 10000-40000 is
# a wide RTP range. RDP-2 (44199) is the only forward on UniFi. The last two
# rules map dst-port 7777-7790 (14 ports) onto to-ports 7777-7780 (4 ports)
# -- confirm that is intended.
add action=dst-nat chain=dstnat comment="IP Phone Freepbx" dst-port=5000-5001 \
in-interface=Maxis-Fixed protocol=tcp to-addresses=192.168.1.254 \
to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=5060-5061 in-interface=Maxis-Fixed \
protocol=tcp to-addresses=192.168.1.254 to-ports=5060-5061
add action=dst-nat chain=dstnat dst-port=9999 in-interface=Maxis-Fixed \
protocol=tcp to-addresses=192.168.1.254 to-ports=9999
add action=dst-nat chain=dstnat dst-port=5060 in-interface=Maxis-Fixed \
protocol=udp to-addresses=192.168.1.254 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-40000 in-interface=Maxis-Fixed \
protocol=udp to-addresses=192.168.1.254 to-ports=10000-40000
add action=dst-nat chain=dstnat comment=RDP-2 dst-port=44199 in-interface=\
UniFi protocol=tcp to-addresses=192.168.1.254 to-ports=44199
add action=dst-nat chain=dstnat dst-port=7777-7790 in-interface=Maxis-Fixed \
protocol=udp to-addresses=192.168.1.254 to-ports=7777-7780
add action=dst-nat chain=dstnat dst-port=7777-7790 in-interface=Maxis-Fixed \
protocol=tcp to-addresses=192.168.1.254 to-ports=7777-7780
/ip firewall service-port
# SIP ALG disabled, consistent with the explicit SIP/RTP forwards above.
set sip disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec peer
# Responder-only L2TP/IPsec peer for any source address; the pre-shared key
# and authentication details are stripped by hide-sensitive.
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
passive=yes send-initial-contact=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
# Marked default routes for the two policy-routed hosts; the host route to
# the fixed-IP server via 192.168.1.254 is disabled; 192.168.0.0/24 (the
# pfSense side per the post) is reached via 192.168.1.254.
add distance=1 gateway=UniFi routing-mark=TW01
add check-gateway=ping distance=1 gateway=Maxis routing-mark=TW02
add disabled=yes distance=1 dst-address=58.71.188.78/32 gateway=192.168.1.254
add comment="To access to internal firewall only." distance=1 dst-address=\
192.168.0.0/24 gateway=192.168.1.254
/ip service
# Management hardening: telnet/ftp/api/api-ssl off, ssh moved to 2200, and
# www, www-ssl and winbox limited to the LAN and the VPN pool. Plain-HTTP www
# remains enabled alongside www-ssl.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.102.0/24
set ssh address=192.168.1.0/24,192.168.102.0/24 port=2200
set www-ssl address=192.168.1.0/24,192.168.102.0/24 certificate=Webfig
set api disabled=yes
set winbox address=192.168.1.0/24,192.168.102.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
# One L2TP user; password stripped. The ipsec_vpn profile is not part of this
# export.
add name=error0024 profile=ipsec_vpn service=l2tp
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system clock manual
set time-zone=+08:00
/system identity
set name=ros01.home
/system logging
# Default memory/echo logging rules disabled; critical/error/info/warning go
# to disk. Firewall log entries (topic firewall,info) would land here if
# log=yes were set on any filter rule.
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=info
add action=disk topics=warning
/system ntp client
set enabled=yes server-dns-names="0.asia.pool.ntp.org,1.asia.pool.ntp.org,2.as\
ia.pool.ntp.org,3.asia.pool.ntp.org"
/tool bandwidth-server
# Bandwidth-test server and all MAC-based access (mac-telnet, mac-winbox,
# mac-ping) disabled -- sensible for a router with public-facing ports.
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
So, as shown in my diagram, the local computers etc. are behind the pfSense firewall, on the 192.168.0.0/24 network. Whenever I try to access 58.71.188.78 from those computers, I can't get through; I monitored the firewall rules and it comes back to the first picture I attached in the post.
I hope there's something I can do, since the current ISP2 will be my main internet connection for all the computers behind pfSense, while ISP1 (Fixed) will be used solely for the servers.