dnikms

Open hosted website on LAN to Internet

Fri Jun 25, 2021 5:23 pm

Hello,

I own a static IP and I want to host a website on an RPi.
I have set up everything and put an A record for my SNI pointing to my public IP on Cloudflare.
But I think the Internet can't access my website.

What should I allow on the firewall, and how?
 
anav

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 8:42 pm

post your current config.

/export hide-sensitive file=anynameyouwish
 
rextended

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 8:44 pm

Hi, welcome,

I don't know what kind of connection you have or whether you do this at home or at work,
but expect that, once visible on the internet, your line will be continuously attacked and scanned.

Good luck.
 
dnikms

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 8:50 pm

post your current config.

/export hide-sensitive file=anynameyouwish
# jun/25/2021 19:47:08 by RouterOS 6.47.8
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
# NOTE(review): this is a hide-sensitive export, so PSKs and passwords are
# omitted, and RouterOS also omits settings that are still at their defaults.
# Lines starting with "# review:" are annotations; the commands are unchanged.
/interface bridge
add admin-mac=48:8F:5A:CC:E7:E4 auto-mac=no comment=defconf name=bridge
/interface wireless
# review: both radios are AP-bridge members of 'bridge' (see /interface bridge
# port); their PSKs live in the security profile and are hidden by the export.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=slovenia disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=Pfizer2G station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=slovenia disabled=no frequency=auto mode=\
ap-bridge ssid=AstraZeneca5G station-roaming=enabled wireless-protocol=\
802.11
/interface vlan
# review: vlan10/vlan20 are tagged sub-interfaces of ether5, while ether5 is
# also added as an untagged port of 'bridge' further down -- confirm that is
# intended; a VLAN trunk is normally not also a plain bridge member.
add interface=ether5 name=vlan10 vlan-id=10
add interface=ether5 name=vlan20 vlan-id=20
/interface list
# review: only the default WAN and LAN lists exist; membership is set under
# /interface list member below and does NOT include vlan10 or vlan20.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# review: wpa2-eap is listed as an allowed authentication type but eap-methods
# is empty, so the EAP option is presumably inert and only wpa2-psk is usable.
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap eap-methods=\
"" mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# review: of the 14 pools only 'dhcp', 'dhcp_pool11', 'dhcp_pool12' (DHCP
# servers below) and 'vpn' (/ppp profile) are referenced; the rest are unused
# leftovers that overlap each other. 'vpn' ends at .255, which is the
# broadcast address of the 192.168.89.0/24 used by the srcnat rule below.
add name=dhcp ranges=10.0.1.10-10.0.1.254
add name=dhcp_pool1 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool2 ranges=192.168.13.2-192.168.13.200
add name=dhcp_pool3 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool4 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool5 ranges=192.168.10.1,192.168.10.3-192.168.10.254
add name=dhcp_pool6 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool7 ranges=192.168.13.2-192.168.13.254
add name=dhcp_pool8 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool9 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool10 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool11 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool12 ranges=10.0.10.2-10.0.10.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool11 disabled=no interface=vlan20 name=dhcp1
add address-pool=dhcp_pool12 disabled=no interface=vlan10 name=dhcp2
/ppp profile
# review: *FFFFFFFE is an internal id (presumably the built-in 'default'
# profile); the SSTP server below explicitly uses 'default-encryption', so
# check which profile the L2TP and PPTP servers actually hand out.
set *FFFFFFFE dns-server=10.0.1.1 local-address=192.168.89.1 remote-address=\
vpn
/user group
# review: the 'full' group carries every policy, including sensitive, api,
# romon, dude and tikapp.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# review: the ether3 entry has no bridge= attribute, so it is an incomplete
# (dangling) port entry; ether5 is bridged untagged while also carrying
# vlan10/vlan20 (see /interface vlan).
add bridge=bridge comment=defconf interface=ether2
add comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface bridge settings
# review: use-ip-firewall=yes makes bridged (port-to-port) traffic traverse
# /ip firewall as well, so the forward chain below also governs traffic
# between bridge ports, not only routed traffic.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# review: '!LAN' means discovery runs on every interface that is NOT in the
# LAN list -- which includes ether1, the WAN member below -- so the router
# advertises itself toward the ISP side while staying silent on the LAN.
# '=LAN' is the usual intent.
set discover-interface-list=!LAN
/ip settings
set tcp-syncookies=yes
/interface l2tp-server server
# review: L2TP requires IPsec here; the matching input accepts (udp 500/4500/
# 1701) are open to any source address below.
set enabled=yes use-ipsec=yes
/interface list member
# review: vlan10 and vlan20 are not in LAN, so the input rule "drop all not
# coming from LAN" also drops VLAN hosts' traffic to the router unless an
# earlier input rule accepts it (DHCP/DNS from the VLANs included).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# review: PPTP is enabled (tcp/1723 accepted from any source below). PPTP's
# authentication is widely regarded as broken; keep it only if a client
# genuinely cannot use L2TP/IPsec or SSTP.
set enabled=yes
/interface sstp-server server
# review: SSTP listens on tcp/443, the same port 'allow sstp' opens to any
# source in the input chain; www-ssl (see /ip service) would also default to
# 443 -- confirm which service owns the port.
set default-profile=default-encryption enabled=yes
/ip address
# review: 10.0.1.1/24 is bound to ether2, which is a slave port of 'bridge';
# the address belongs on the bridge interface itself.
add address=10.0.1.1/24 comment=defconf interface=ether2 network=10.0.1.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
# review: a static public /16 on ether1 coexists with the ether1 dhcp-client
# configured below; one of the two is presumably redundant.
add address=89.x.x.x/16 interface=ether1 network=89.x.x.x
/ip cloud
# review: registers the WAN address with MikroTik's cloud DDNS service.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.1.2 client-id=1:8:55:31:30:d7:92 mac-address=\
08:55:31:30:D7:92 server=defconf
/ip dhcp-server network
# review: the bridge network hands out 10.0.10.5 (a vlan10 host) as primary
# DNS; the same host appears in the input 'Allow DNS to the router' and the
# forward 'Allow DNS' rules below.
add address=10.0.1.0/24 comment=defconf dns-server=10.0.10.5,1.1.1.1 gateway=\
10.0.1.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=1.1.1.1 gateway=10.0.20.1
/ip dns
# review: allow-remote-requests=yes turns the router into a resolver for any
# source that reaches port 53 on it. WAN is kept out only by the 'drop all
# not coming from LAN' input rule; nothing limits the LAN side.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.0.1.1 comment=defconf name=router.lan
/ip firewall address-list
# review: nearly all of 10.0.1.0/24 plus one vlan20 host; referenced only by
# the last input rule, which (see below) never has any effect.
add address=10.0.1.2-10.0.1.254 list=allowed_to_router
add address=10.0.20.2 list=allowed_to_router
/ip firewall filter
# review, input chain in the order it is evaluated here:
#   1. accept established/related/untracked
#   2. accept udp 4500, udp 500, udp 1701, tcp 1723, tcp 443 from ANY source
#   3. accept udp 53 from 10.0.10.5
#   4. drop invalid  (the default config places this right after rule 1)
#   5. accept ICMP, accept to 127.0.0.1
#   6. drop everything not arriving via the LAN list
# Anything from LAN that is not matched falls through to the chain's default
# accept, so reachability of router services from the bridge is governed only
# by the /ip service address filters.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow DNS to the router" dst-port=53 \
protocol=udp src-address=10.0.10.5
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# review, forward chain: no rule drops traffic between the internal subnets
# (10.0.1.0/24, 10.0.10.0/24, 10.0.20.0/24), so LAN-to-VLAN traffic is
# accepted by the chain's default policy; only new WAN connections without a
# dst-nat entry are dropped. Fasttrack precedes the accept rule, and
# 'Allow DNS' (10.0.1.12 -> 10.0.10.5) is redundant with the current order
# because nothing before the final WAN drop would reject that traffic.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Allow DNS" dst-address=10.0.10.5 \
src-address=10.0.1.12
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# review: these two input rules sit after 'drop all not coming from LAN', so
# only LAN-sourced packets ever reach them -- and those are already accepted
# (rule 1 covers established/related, the default policy covers the rest).
# Both are effectively dead rules.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# review: to-addresses=45.76.83.36 is not in any subnet configured above
# (10.0.1.0/24, 10.0.10.0/24, 10.0.20.0/24) -- confirm it is the intended
# target. Neither rule has an in-interface-list=WAN or dst-address match, so
# they rewrite any packet to tcp/10050-10051 whichever side it arrives from,
# and nothing restricts which source addresses may use them.
add action=dst-nat chain=dstnat dst-port=10050 protocol=tcp to-addresses=\
45.76.83.36 to-ports=10050
add action=dst-nat chain=dstnat dst-port=10051 protocol=tcp to-addresses=\
45.76.83.36 to-ports=10051
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
# review: '89.x.x.xf' -- the trailing 'f' is presumably a redaction/paste
# artifact; the real gateway has to be a plain IPv4 address.
add distance=1 gateway=89.x.x.xf
/ip service
# review: telnet/ftp/api/api-ssl are disabled. Plain-HTTP www is limited to
# 10.0.10.0/24 (vlan10's subnet); ssh and winbox to 10.0.1.0/24 (winbox also
# 10.0.10.5). www-ssl is pinned to TLS 1.2 but address=0.0.0.0/0 places no
# address restriction on it, so only the input chain limits who reaches it;
# whether www-ssl is enabled at all is not visible (export omits defaults).
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.10.0/24
set ssh address=10.0.1.0/24
set www-ssl address=0.0.0.0/0 tls-version=only-1.2
set api disabled=yes
set winbox address=10.0.1.0/24,10.0.10.5/32
set api-ssl disabled=yes
/ip ssh
# review: restricts SSH to the stronger cipher/MAC set.
set strong-crypto=yes
/ip traffic-flow
# review: traffic-flow (NetFlow-style) export of flow records to 10.0.1.10.
set enabled=yes
/ip traffic-flow target
add dst-address=10.0.1.10
/ppp secret
# review: PPP user 'vpn' -- its password is hidden by hide-sensitive.
add name=vpn
/system clock
set time-zone-name=Europe/Ljubljana
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
# review: MAC-telnet is disabled (none); MAC-WinBox is allowed only via the
# LAN list, which excludes the VLANs.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
dnikms

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 8:52 pm

Hi, welcome,

I don't know what kind of connection you have or if you do it at home or at work,
but expect that, once visible on the internet, your line will be continuously attacked and scanned.

Good luck.
Hi and thank you!
Let's say I don't want it exposed to the internet.
I want to use it on the LAN only; I want to host things and play around. What do you suggest?
The reason is that I can't open the nginx site served on the private IP of the Raspberry Pi that is hosting nginx...
Please check the posted config in case it's any help.
 
rextended

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 9:04 pm

In /ip firewall filter, the last 2 input rules must be moved up to sit at the end of the other input rules.

Is ether3 part of the bridge or not?
The config is broken; check bridge/ports.

What is the internal IP of the RPi?

Some suggestions; just paste them into the terminal, without omitting the { and }.
{
/interface bridge
# spanning tree off on the bridge
set bridge protocol-mode=none
/interface wireless
# drop the 802.11b rates on 2.4 GHz; turn station-roaming off on every wlan
set [ find default-name=wlan1 ] band=2ghz-g/n
set [ find ] station-roaming=disabled
/interface wireless security-profiles
# PSK only (removes the wpa2-eap type that had no EAP method configured)
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=passthrough
/user group
# same policy set as the export, with 'dude' negated ('!dude')
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp"
/interface bridge port
# removes the incomplete ether3 entry (it has no bridge= set in the export)
remove [find where interface=ether3]
/ip neighbor discovery-settings
# discovery on the LAN list only, instead of on everything outside LAN (WAN included)
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=no
}
 
dnikms

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 9:17 pm

ether3 had a blank role; I removed and re-added it and now it has the disabled port role.
The RPi is connected to vlan10 as 10.0.10.6; the Pi is plugged into port 2 on my switch.
rextended

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 9:52 pm

Please remove the quotes in your previous post;
add them only if really needed.

You want 10.0.10.6 reachable from all of your LAN only, right?

If you ping 10.0.10.6 from the router, does it reply?
If you ping 10.0.10.6 from one of the devices where the RPi must be reachable, does it reply?

Inside the Raspberry, is replying to ping enabled?

If 10.0.10.6 replies to ping, the problem is inside the configuration of the Raspberry.
anav

Re: Open hosted website on LAN to Internet

Fri Jun 25, 2021 9:52 pm

Issues to discuss
(1) The IP pool, IP address, DHCP server and DHCP server network should all line up.
Clearly your IP pool is not correct (too many entries); I suggest it should be shortened to ..........

/ip pool
add name=dhcp ranges=10.0.1.10-10.0.1.254
add name=dhcp_pool11 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool12 ranges=10.0.10.2-10.0.10.254
add name=vpn ranges=192.168.89.2-192.168.89.255

(2) Your IP address is incorrect
/ip address
add address=10.0.1.1/24 comment=defconf interface=ether2 network=10.0.1.0
should be
add address=10.0.1.1/24 comment=defconf interface=bridge network=10.0.1.0


(3) Remove ether5 from the bridge, as it seems to be used for VLANs 10 and 20.

(4) Remove this setting unless you are an extremely experienced user. The regular IP firewall rules suffice for 99% of cases.
/interface bridge settings
set use-ip-firewall=yes

(5) why?
/ip neighbor discovery-settings
set discover-interface-list=!LAN

=LAN is actually useful.

(6) Incomplete; add
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=vlan10 list=LAN


(7) WHY??
/ip firewall address-list
add address=10.0.1.2-10.0.1.254 list=allowed_to_router
add address=10.0.20.2 list=allowed_to_router

This is not best security practice, as I hardly think ALL LAN users need access to the router.
ONLY THE ADMIN needs access to the router.
What is true is that usually all LAN users need access to certain services, such as DNS for example.

Due to the structure of MT, it is best to add to the interface list for your above purpose anyway, as follows:
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=vlan20 list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=Manage
add interface=vlan10 list=Manage


Now this assumes that you as admin may potentially want to configure the router from either vlan10 or vlan20; if not, then remove the one that is not pertinent.
Finally, you could consider adding a source address firewall list like you had before, but much better tailored for the purpose.
add ipaddress-admindesktop list=admin_access
add ipaddress-adminlaptop list=admin_access
add ipaddress-adminsmartphone list=admin_access
add ipaddress-admintablet list=admin_access

Now, back to interface lists: the reason it's good to use an interface list is the
Tools -> MAC Server -> MAC WinBox setting, where one has to choose an interface list, and in this case it would be Manage.
/tool mac-server mac-winbox
set allowed-interface-list=Manage

(8) Amend firewall rules as per below. First, Note this rule
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

It is replaced because we want to block ALL traffic you don't permit, whether WAN to router or LAN to router,
so we add a drop-all rule at the end.
Before doing that we need to put the allow-admin-access rule higher up; otherwise you will be locked out of the router.
Also, because we stop all traffic to the router with this rule, we have to ensure all the traffic to the router or router services has been allowed.
Normally this is only DNS services......
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\ <------------------------------ better order location for this rule
invalid
add action=accept chain=input comment="Allow Admin Access" in-interface-list=Manage and optional src-address-list=admin_access
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow DNS to the router" dst-port=53 \
protocol=udp src-address=10.0.10.5 -----------------------------------------------------------> Assuming this is for your DNS server on RPI?? Not sure the purpose so this part of the config needs work!!
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 -----------------------------> remove if dont use capsman
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

add action=drop chain=input comment="drop all else"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow DNS" dst-address=10.0.10.5 \ -------------------------> What are you trying to accomplish here???
src-address=10.0.1.12
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

(9) These two input chain rules were found out of order, down at the bottom of the forward chain???????
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router

They should be removed!!!

(10) Not sure of the purpose of this; its NOT being disabled could be a security risk!
set www address=10.0.10.0/24

(11) FINALLY TO THE MAIN QUESTION.
Allowing access to your LAN from external in general is a very bad idea.
If you have to do so for business, you pay the money to an ISP for a business-class connection and use proper authentication methods for external users, meaning VPN connections or RADIUS servers etc......... Not trivial.
For simple home use, never do so unless the software being used has encryption (like encrypted FTP), normally with an approved user list; that's step 1.
Step 2 is to limit access to the router. Step 3 is to not use standard ports that are commonly scanned.

So in destination NAT rule you can do two things.
a. Use a non-standard port for dst-port and then use to-ports to translate the incoming port to the one the server is set up to use, especially if, as the admin, you cannot change that port.
This entails telling your customers to come to your server on the non-standard port, www.myserver.com:55578 for example.
add action=dst-nat chain=dstnat dst-port=55578 protocol=tcp to-addresses=\
45.76.83.36 to-ports=10050

b. The other thing to do is, as noted previously, create a firewall address list of your server users.
They need to provide you with either their fixed IP address (static WAN IP) or, if they have a dynamic WAN IP, tell them to get a DynDNS domain name; you can then put the name in the firewall address list (instead of an IP address) and the router will correctly resolve the WAN IP. There are many FREE DynDNS providers, so there is no excuse!!
/ip firewall address-list
add address=48.165.19.22 comment=George list=allowed_users
add address=myowndyn.name comment=Dave list=allowed_users
add address=envyorg.net comment=Terry list=allowed_users

Thus your rule would then look like
add action=dst-nat chain=dstnat dst-port=55578 protocol=tcp to-addresses=\
45.76.83.36 to-ports=10050 src-address-list=allowed_users

The unique thing about adding a source address list to a destination NAT (port forwarding) rule is that the port will not be visible on scans.
If you do not have a source listing, the port will be visible on scans but will appear closed.
 
dnikms

Re: Open hosted website on LAN to Internet

Sat Jun 26, 2021 1:43 pm

anav, thank you so much for this detailed reply!
I learned ton!

While adding interfaces vlan10 and vlan20 to the list Manage, I am getting "input does not match any value of list".
Any workaround? I tried adding Manage to the list but no luck.
 
anav

Re: Open hosted website on LAN to Internet

Sat Jun 26, 2021 3:46 pm

Yes, the trickiest part about lists is creating new ones, as the router provides only WAN and LAN by default.

You need to create the Manage list first, before you assign it in different sections!

(1) GO TO INTERFACE MENU SELECTION
(2) SELECT INTERFACE LIST MENU SELECTION
(3) Select the Lists Box and then use the PLUS + symbol to create a new name, fill in the name and hit "Apply" and then "OK".
....
lists1.jpg
lists2.JPG
lists3.JPG