Hi people! Been using Mikrotik for a bit but still can't get the magic of port forwarding to work. I see the packet counter changing on the NAT page when I try to RDP on port 3389 or 13389, but I don't see anything on the computer 88.253. How does it manage to escape?
I have removed the inactive rules from the output below, so some rule numbers are missing.
[root@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
8 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
11 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
15 ;;; deny 8.8.4.4 via reserve internet channel
chain=output action=drop dst-address=8.8.4.4 out-interface=ether2 log=no log-prefix=""
16 chain=forward action=accept protocol=tcp dst-port=80,443 log=no log-prefix=""
[root@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; RDP
chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=3389 protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""
1 ;;; NAT ISP1
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none
2 ;;; NAT ISP2
chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix=""