For reference, my network has 2 MikroTiks, an RB2011 and a hEx S. My devices are plugged into the hEx S which is acting as a switch as the main RB2011 is handling the routing/internet traffic. I have a NAS with the local IP of 192.168.1.36. My computer's local IP is 192.168.1.32. I had my DST-NAT rule log so that I could see where it is getting stuck. This is the output of the log when attempting to access the NAS over WAN IP:
Code: Select all
dstnat: in:local(ether5 JayTik) out:(unknown 0), src-mac 70:85:c2:f0:8a:b4, proto TCP (SYN), 192.168.1.32:61399->[WAN IP and PORT omitted], len 52
Firewall Filter Rules:
Code: Select all
/ip firewall filter
add action=accept chain=input comment=\
"Accept to established, related connections" connection-state=\
established,related
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface-list=\
WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
log-prefix=LAN_!LAN src-address-list=!allowed_users src-address-type=""
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=ICMP comment=\
"Echo request - Avoiding Ping Flood, adjust the limit as needed" \
icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
Firewall NAT Rules:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="Autogenerated Hairpin NAT" \
connection-mark=HAIRPIN ipsec-policy=out,none
add action=masquerade chain=srcnat out-interface=MTW src-address-list=\
allowed_users
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=VCN \
src-address-list=allowed_users
add action=dst-nat chain=dstnat comment="MTW VNC For Gaming Computer" \
dst-address=MTW dst-port=5900 protocol=tcp to-addresses=\
192.168.1.2 to-ports=5900
add action=dst-nat chain=dstnat comment="MTW VNC for Blue Iris Server" \
dst-address=MTW dst-port=5901 protocol=tcp to-addresses=\
192.168.1.5 to-ports=5901
add action=dst-nat chain=dstnat dst-address=MTW dst-port=554 \
protocol=tcp to-addresses=192.168.1.50 to-ports=554
add action=dst-nat chain=dstnat comment="VCN VNC For Gaming Computer" \
dst-address=VCN dst-port=5900 protocol=tcp to-addresses=\
192.168.1.2 to-ports=5900
add action=dst-nat chain=dstnat comment="VCN VNC For Blue Iris Server" \
dst-address=VCN dst-port=5901 protocol=tcp to-addresses=\
192.168.1.5 to-ports=5901
add action=accept chain=srcnat disabled=yes dst-address=192.168.1.0/24 \
src-address=192.168.3.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.3.0/24 \
src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Operator SECURE HW Provisioning" \
dst-address=VCN dst-port=465 protocol=tcp to-addresses=\
192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="Operator UDP SIP" dst-address=\
VCN dst-port=5060 protocol=udp to-addresses=192.168.1.3 \
to-ports=5060
add action=dst-nat chain=dstnat comment="Operator TCP SIP" dst-address=\
VCN dst-port=5060 protocol=tcp to-addresses=192.168.1.3 \
to-ports=5060
add action=dst-nat chain=dstnat comment="Operator UDP SIP" dst-address=\
VCN dst-port=5061 protocol=udp to-addresses=192.168.1.3 \
to-ports=5061
add action=dst-nat chain=dstnat comment="Blue Iris 5 HTTP Server" dst-port=\
65526 protocol=tcp to-addresses=192.168.1.2 to-ports=65526
add action=dst-nat chain=dstnat comment="Blue Iris 4 HTTP Server" dst-port=\
65527 protocol=tcp to-addresses=192.168.1.5 to-ports=65527
add action=dst-nat chain=dstnat comment="Operator TCP SIP" dst-address=\
VCN dst-port=5061 protocol=tcp to-addresses=192.168.1.3 \
to-ports=5061
add action=dst-nat chain=dstnat comment="Operator TCP HW Provisioning" \
dst-address=VCN dst-port=80 protocol=tcp to-addresses=\
192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="Operator Media UDP" dst-address=\
VCN dst-port=18000-19001 protocol=udp to-addresses=192.168.1.3 \
to-ports=18000-19001
add action=dst-nat chain=dstnat dst-address=VCN dst-address-type=\
"" dst-port=6069 log=yes protocol=tcp to-addresses=192.168.1.36 to-ports=\
6069
add action=dst-nat chain=dstnat dst-address=VCN dst-port=25 \
protocol=tcp to-addresses=192.168.1.36 to-ports=25
add action=dst-nat chain=dstnat dst-address=VCN dst-port=587 \
protocol=tcp to-addresses=192.168.1.36 to-ports=587
add action=dst-nat chain=dstnat dst-address=VCN dst-port=465 \
protocol=tcp to-addresses=192.168.1.36 to-ports=465
add action=dst-nat chain=dstnat dst-address=VCN dst-port=143 \
protocol=tcp to-addresses=192.168.1.36 to-ports=143
add action=dst-nat chain=dstnat dst-address=VCN dst-port=993 \
protocol=tcp to-addresses=192.168.1.36 to-ports=993
add action=dst-nat chain=dstnat dst-address=VCN dst-port=80 \
protocol=tcp to-addresses=192.168.1.36 to-ports=80
Code: Select all
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VCN Conn Mark" \
connection-mark=no-mark in-interface=VCN new-connection-mark=VCN_conn \
passthrough=yes
add action=mark-routing chain=prerouting comment="Synology -> VCN Route Mark" \
new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.36
add action=mark-routing chain=prerouting comment="JayPC -> VCN Route Mark" \
new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.32
add action=mark-routing chain=prerouting comment="TrevPC -> VCN Route Mark" \
new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.1.2
add action=mark-routing chain=prerouting comment="ServPC -> VCN Route Mark" \
new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.5
add action=mark-routing chain=prerouting comment="Wireless -> VCN Route Mark" \
in-interface=local_wireless new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="VCN Route Mark" \
connection-mark=VCN_conn new-routing-mark=to_VCN passthrough=yes
add action=mark-connection chain=forward comment="Autogenerated Hairpin NAT" \
connection-nat-state=dstnat connection-state=new dst-address=\
192.168.1.0/24 new-connection-mark=HAIRPIN passthrough=yes src-address=\
192.168.1.0/24
add action=mark-connection chain=forward comment="Autogenerated Hairpin NAT" \
connection-nat-state=dstnat connection-state=new dst-address=\
192.168.2.0/24 new-connection-mark=HAIRPIN src-address=192.168.2.0/24
Any help that can be provided would be greatly appreciated and thank you in advance for taking a look and helping me.