Based on the documentation on: help.mikrotik
Brief firewall filter rule explanation:
- drop incoming packets that are not NAT'ed, ether1 is public interface, log attempts with "!NAT" prefix;
Code:
# r1 | ether1 - 172.16.5.231/28 (isp) | bridge1 - 172.16.10.1/24 (lan)
/ip firewall filter
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="DNAT con state ISP -> LAN" connection-nat-state=!dstnat in-interface=ether1 out-interface=bridge1
add action=drop chain=forward comment="Drop all not allowed"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 to-addresses=172.16.10.254
# pc1 | 172.16.10.254/24 GW 172.16.10.1
# r2 | ether1 - 172.16.5.232/28 (isp) | bridge1 - 172.16.11.1/24 (lan)
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# pc2 | 172.16.11.254/24 GW 172.16.11.1
Code:
add action=accept chain=forward comment="DNAT con state ISP -> LAN" connection-nat-state=dstnat in-interface=ether1 out-interface=bridge1
Code:
add action=drop chain=forward comment="DNAT con state ISP -> LAN" connection-nat-state=!dstnat in-interface=ether1 out-interface=bridge1
These two rules should allow the same traffic.
Code:
/ip firewall filter
add action=accept chain=forward dst-address=!172.16.10.253 in-interface=ether1 out-interface=bridge1   # works
/ip firewall filter
add action=drop chain=forward dst-address=!172.16.10.254 in-interface=ether1 out-interface=bridge1   # does not work
Is this how it should be, or is it a mistake?
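To see how the two pairs of rules from the post behave under RouterOS-style first-match evaluation, here is an added Python simulation (not MikroTik code and not part of the original post). It walks a constructed forward chain over two constructed packets: one that r1 has just dst-nat'ed to pc1 (172.16.10.254), and one that arrives on ether1 already addressed to a LAN host (constructed address 172.16.10.200) with no NAT applied. The semantics assumed are the documented ones: rules are evaluated top to bottom, accept and drop are terminating, and a chain with no matching rule accepts. The Packet and Rule classes, the chain names and every address other than those in the post are assumptions made for the example.

```python
"""Constructed first-match simulation of a RouterOS-style forward chain (example only)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_interface: str
    out_interface: str
    connection_state: str      # "new", "established", "related", ...
    connection_nat_state: str  # "dstnat", "srcnat" or "" when no NAT was applied
    dst_address: str


@dataclass
class Rule:
    action: str                # "accept" or "drop" (both terminating)
    comment: str = ""
    matchers: dict = field(default_factory=dict)


def match_value(expected: str, actual: str) -> bool:
    """One matcher: a leading '!' negates, 'a,b' is a list where any member matches."""
    negate = expected.startswith("!")
    if negate:
        expected = expected[1:]
    hit = actual in expected.split(",")
    return hit != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    # A rule with no matchers (the catch-all "drop all") matches every packet.
    return all(match_value(v, getattr(pkt, k)) for k, v in rule.matchers.items())


def evaluate(rules: list, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If no rule matches, the chain's default policy is accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"


ISP_TO_LAN = {"in_interface": "ether1", "out_interface": "bridge1"}

# Rules taken from the post, expressed as matcher dicts.
ESTABLISHED = Rule("accept", "Established, Related",
                   {"connection_state": "established,related"})
DROP_NOT_DSTNAT = Rule("drop", "!dstnat ISP -> LAN",
                       {"connection_nat_state": "!dstnat", **ISP_TO_LAN})
ACCEPT_DSTNAT = Rule("accept", "dstnat ISP -> LAN",
                     {"connection_nat_state": "dstnat", **ISP_TO_LAN})
ACCEPT_NOT_253 = Rule("accept", "dst != .253",
                      {"dst_address": "!172.16.10.253", **ISP_TO_LAN})
DROP_NOT_254 = Rule("drop", "dst != .254",
                    {"dst_address": "!172.16.10.254", **ISP_TO_LAN})
DROP_ALL = Rule("drop", "Drop all not allowed")

# Constructed packets: a new connection from the ISP side that r1's dst-nat rule
# has rewritten to pc1, and one addressed straight to a LAN host with no NAT.
DNATED = Packet("ether1", "bridge1", "new", "dstnat", "172.16.10.254")
DIRECT = Packet("ether1", "bridge1", "new", "", "172.16.10.200")  # constructed host

CHAINS = {
    "drop_not_dstnat_alone": [ESTABLISHED, DROP_NOT_DSTNAT],
    "drop_not_dstnat_plus_drop_all": [ESTABLISHED, DROP_NOT_DSTNAT, DROP_ALL],  # r1 as posted
    "accept_dstnat_plus_drop_all": [ESTABLISHED, ACCEPT_DSTNAT, DROP_ALL],
    "accept_not_253_plus_drop_all": [ESTABLISHED, ACCEPT_NOT_253, DROP_ALL],
    "drop_not_254_plus_drop_all": [ESTABLISHED, DROP_NOT_254, DROP_ALL],
}


def results() -> dict:
    """Verdict for the DNAT'ed and the un-NAT'ed packet under each chain variant."""
    return {name: {"dnat": evaluate(chain, DNATED), "direct": evaluate(chain, DIRECT)}
            for name, chain in CHAINS.items()}


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:32s} dnat={verdict['dnat']:6s} direct={verdict['direct']}")
```

The simulation shows why the two forms are not interchangeable once a final "drop all" rule follows them: a negated drop rule (`!dstnat` or `!172.16.10.254`) leaves the DNAT'ed packet unmatched, so the catch-all drops it, whereas it is allowed only when the chain ends with the default accept, which is the situation the help page describes. It also shows a side effect of the `dst-address=!172.16.10.253` accept rule: besides the DNAT'ed packet, it accepts any un-NAT'ed packet to any other LAN address, so the "works" result there comes at the cost of the protection the documented `!dstnat` rule was meant to give.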