I am running into a small issue and would ask for some precious help.
I have a /29 of IP addresses, so 5 dedicated IP addresses. By default the MikroTik is using masquerade for dynamic IP. With masquerade, I can ping my WAN. If I configure the NAT myself based on local IP, WAN is not reachable. Firewall rules seem fine and I don't see anything that could prevent pinging.
I will paste the firewall config here. Thanks in advance for your help.
#
Flags: X - disabled, I - invalid, D - dynamic
D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
;;; defconf: accept ICMP after RAW
chain=input action=accept protocol=icmp
;;; defconf: accept established,related,untracked
chain=input action=accept
connection-state=established,related,untracked
;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
X ;;; defconf: accept all that matches IPSec policy
chain=forward action=accept ipsec-policy=in,ipsec
;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
;;; defconf: accept established,related, untracked
chain=forward action=accept
connection-state=established,related,untracked
;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN
;;; defconf: drop bad forward IPs
chain=forward action=drop src-address-list=no_forward_ipv4
;;; defconf: drop bad forward IPs
chain=forward action=drop dst-address-list=no_forward_ipv4
RAW dump:
#
Flags: X - disabled, I - invalid, D - dynamic
D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
X ;;; defconf: enable for transparent firewall
chain=prerouting action=accept
;;; defconf: accept DHCP discover
chain=prerouting action=accept in-interface-list=LAN src-port=68
dst-port=67 protocol=udp src-address=0.0.0.0
dst-address=255.255.255.255
;;; defconf: drop bogon IP's
chain=prerouting action=drop src-address-list=bad_ipv4
;;; defconf: drop bogon IP's
chain=prerouting action=drop dst-address-list=bad_ipv4
;;; defconf: drop bogon IP's
chain=prerouting action=drop src-address-list=bad_src_ipv4
;;; defconf: drop bogon IP's
chain=prerouting action=drop dst-address-list=bad_dst_ipv4
;;; defconf: drop non global from WAN
chain=prerouting action=drop in-interface-list=WAN
src-address-list=not_global_ipv4
;;; defconf: drop forward to local lan from WAN
chain=prerouting action=drop in-interface-list=WAN
dst-address=192.168.88.0/24
;;; defconf: drop local if not from default IP range
chain=prerouting action=drop in-interface-list=LAN
src-address=!192.168.88.0/24
;;; defconf: drop bad UDP
chain=prerouting action=drop port=0 protocol=udp
;;; defconf: jump to ICMP chain
chain=prerouting action=jump jump-target=icmp4 protocol=icmp
;;; defconf: jump to TCP chain
chain=prerouting action=jump jump-target=bad_tcp protocol=tcp
;;; defconf: accept everything else from LAN
chain=prerouting action=accept in-interface-list=LAN
;;; defconf: accept everything else from WAN
chain=prerouting action=accept in-interface-list=WAN
;;; defconf: drop the rest
chain=prerouting action=drop
;;; defconf: TCP flag filter
chain=bad_tcp action=drop tcp-flags=!fin,!syn,!rst,!ack protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=fin,syn protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=fin,rst protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=fin,!ack protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=fin,urg protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=syn,rst protocol=tcp
;;; defconf
chain=bad_tcp action=drop tcp-flags=rst,urg protocol=tcp
;;; defconf: TCP port 0 drop
chain=bad_tcp action=drop port=0 protocol=tcp
X ;;; defconf: echo reply
chain=icmp4 action=accept icmp-options=0:0 limit=5,10:packet log=no
log-prefix="" protocol=icmp
X ;;; defconf: net unreachable
chain=icmp4 action=accept icmp-options=3:0 log=no log-prefix=""
protocol=icmp
X ;;; defconf: host unreachable
chain=icmp4 action=accept icmp-options=3:1 log=no log-prefix=""
protocol=icmp
X ;;; defconf: protocol unreachable
chain=icmp4 action=accept icmp-options=3:2 log=no log-prefix=""
protocol=icmp
X ;;; defconf: port unreachable
chain=icmp4 action=accept icmp-options=3:3 log=no log-prefix=""
protocol=icmp
X ;;; defconf: fragmentation needed
chain=icmp4 action=accept icmp-options=3:4 log=no log-prefix=""
protocol=icmp
X ;;; defconf: echo
chain=icmp4 action=accept icmp-options=8:0 limit=5,10:packet log=no
log-prefix="" protocol=icmp
X ;;; defconf: time exceeded
chain=icmp4 action=accept icmp-options=11:0-255 log=no log-prefix=""
protocol=icmp
X ;;; defconf: drop other icmp
chain=icmp4 action=drop log=no log-prefix="" protocol=icmp
NAT rules:
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; defconf: accept all that matches IPSec policy
chain=srcnat action=accept ipsec-policy=in,ipsec
1 chain=dstnat action=dst-nat to-addresses=192.168.88.0/24
dst-address=23.91.82.50 in-interface-list=WAN
2 chain=srcnat action=src-nat to-addresses=23.91.82.50
src-address=192.168.88.0/24 out-interface-list=WAN
3 X ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix=""
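A quick way to sanity-check a NAT listing like the one above is to walk it the way RouterOS does: top to bottom, skipping disabled rules, and let the first rule whose matchers all hit decide the action. The following script is an added example, not part of the post and not MikroTik code; it parses the pasted NAT listing (embedded here as constructed input) into rules and reports the decision for a few constructed packets. It only implements the address and interface-list matchers that appear in the listing; rule properties it does not understand (log, log-prefix) are ignored, and a rule that requires a property the packet lacks (such as ipsec-policy) is treated as not matching.

```python
"""Walk a RouterOS NAT rule listing the way the router evaluates it:
first enabled rule in the chain whose matchers all hit decides the action.
Added example; the listing below is the one from the post (constructed input)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: the NAT listing pasted in the post, verbatim.
NAT_DUMP = """
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; defconf: accept all that matches IPSec policy
chain=srcnat action=accept ipsec-policy=in,ipsec
1 chain=dstnat action=dst-nat to-addresses=192.168.88.0/24
dst-address=23.91.82.50 in-interface-list=WAN
2 chain=srcnat action=src-nat to-addresses=23.91.82.50
src-address=192.168.88.0/24 out-interface-list=WAN
3 X ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix=""
"""


@dataclass
class Rule:
    chain: str
    action: str
    disabled: bool
    comment: str
    props: dict = field(default_factory=dict)


# Optional rule index, then optional flag letters (X disabled, I invalid, D dynamic).
_PREFIX = re.compile(r"^(?:\d+\s+)?((?:[XID]\s+)*)(.*)$")


def _kv(text):
    """Split 'key=value key=value' tokens into a dict (values keep commas and quotes)."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_rules(dump):
    """Parse a `print` style listing: a ';;;' comment line (carrying the flags)
    may precede the 'chain=' line, and indented key=value lines continue it."""
    rules, comment, disabled = [], "", False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:") or line == "#":
            continue
        flags, rest = _PREFIX.match(line).groups()
        if rest.startswith(";;;"):
            comment, disabled = rest[3:].strip(), "X" in flags.split()
            continue
        if rest.startswith("chain="):
            props = _kv(rest)
            rules.append(Rule(props.pop("chain"), props.pop("action"),
                              disabled or "X" in flags.split(), comment, props))
            comment, disabled = "", False
            continue
        if rules:  # continuation line for the previous rule
            rules[-1].props.update(_kv(rest))
    return rules


def _ip_in(ip, spec):
    """True if ip lies in spec, which may be a host address or a CIDR network."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """Every matcher present on the rule must hit; a leading '!' negates it."""
    checks = {
        "src-address": lambda v: _ip_in(pkt["src"], v),
        "dst-address": lambda v: _ip_in(pkt["dst"], v),
        "in-interface-list": lambda v: pkt.get("in_list") == v,
        "out-interface-list": lambda v: pkt.get("out_list") == v,
        "ipsec-policy": lambda v: pkt.get("ipsec") == v,
    }
    for key, fn in checks.items():
        if key in rule.props:
            spec = rule.props[key]
            negated = spec.startswith("!")
            if fn(spec.lstrip("!")) == negated:
                return False
    return True


def first_match(rules, chain, pkt):
    """First enabled rule in `chain` that matches `pkt`, or None."""
    for rule in rules:
        if rule.chain == chain and not rule.disabled and matches(rule, pkt):
            return rule
    return None


def nat_decision(rules, chain, pkt):
    """(action, to-addresses) of the deciding rule, or ('no-nat', None)."""
    hit = first_match(rules, chain, pkt)
    return (hit.action, hit.props.get("to-addresses")) if hit else ("no-nat", None)


if __name__ == "__main__":
    rules = parse_rules(NAT_DUMP)
    for r in rules:
        print(("X " if r.disabled else "  ") + r.chain, r.action, r.props)
    # Constructed packets: LAN host going out via WAN, and WAN host reaching the public IP.
    print(nat_decision(rules, "srcnat", {"src": "192.168.88.10", "dst": "8.8.8.8", "out_list": "WAN"}))
    print(nat_decision(rules, "dstnat", {"src": "198.51.100.7", "dst": "23.91.82.50", "in_list": "WAN"}))
```

Running it shows the srcnat decision for a LAN host leaving via WAN is the src-nat rule to 23.91.82.50 (the masquerade rule is disabled, so it never applies), and inbound traffic to 23.91.82.50 from WAN hits the dst-nat rule whose to-addresses is the whole 192.168.88.0/24 network rather than a single host. Seeing both decisions side by side is the first thing to compare against what was intended before looking further at the filter and RAW chains.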