I want to make a simple port forward on the router, I pretty sure the similar configure worked on my other Mikrotik router (other location). But I have no idea why this setting doesn't work.
It got this message from the log:
Code: Select all
firewall,info dstnat: in:wan1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), xxx.xxx.xxx.xxx:58184->yyy.yyy.yyy.yyy:443, len 52
Below is the /export compact result
Code: Select all
# oct/17/2020 00:18:14 by RouterOS 6.47.4
# software id = 7K81-9IBF
#
# model = RB4011iGS+
# serial number = xxxxxxxxxxxxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=wan1
/interface l2tp-client
add allow-fast-path=yes connect-to=xxxxxxxxxxx disabled=no ipsec-secret=xxxxxxx name=xxxxxx password=xxxxxxxx use-ipsec=yes user=xxxxxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.14.11-192.168.14.230
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add name=xxxxxxx
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wan1 list=WAN
/ip address
add address=192.168.14.1/24 comment=defconf interface=bridge network=192.168.14.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add comment=defconf disabled=no interface=wan1
/ip dhcp-server lease
add address=192.168.14.xx mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.14.xx mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.14.xx mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.14.xx mac-address=XX:XX:XX:XX:XX:XX server=defconf
/ip dhcp-server network
add address=192.168.14.0/24 comment=defconf dns-server=192.168.14.1,1.1.1.1,8.8.8.8 gateway=192.168.14.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.14.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="cust: accept 80,443 from WAN" dst-port=80,443 in-interface=wan1 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=192.168.14.209 dst-port=443 log=yes protocol=tcp
add action=accept chain=postrouting disabled=yes dst-address=192.168.14.209 dst-port=443 log=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="cust: dstnat 443 from WAN" dst-address=YY.YY.YY.YY dst-port=443 log=yes protocol=tcp to-addresses=192.168.14.209
add action=masquerade chain=srcnat comment="LAN to Server" disabled=yes dst-address=192.168.19.0/24 src-address=192.168.19.0/24
add action=masquerade chain=srcnat out-interface=xxxx-l2tp
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=eee.eee.eee.eee/ee gateway=xxxx-l2tp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Asia/Hong_Kong
/system identity
set name=RB4011
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
