xfactor
just joined
Topic Author
Posts: 1
Joined: Wed Jul 21, 2021 1:06 am

Port Forward assistance

Thu Jul 22, 2021 5:56 pm

New to RouterOS, so I figure there's something I'm missing. I'm trying to port forward to a server (Home Assistant) on a VLAN. Any help would be appreciated.

I have a dst-nat rule and a mangle prerouting rule set up. It looks like traffic is passing through the firewall, but it appears to be going straight to the WAN interface. Below is the log output with MAC and IP addresses omitted.
I ran Torch on the IOT_VLAN interface and didn't see the traffic being passed through. It looks like it's just coming into the WAN interface and getting lost.

prerouting: in:ether1 out:(unknown 0), src-mac (Src-mac), proto TCP (SYN), *SRCIP:PORT*->WAN:8123, len 60
fwd dstnat: in:ether1 out:(unknown 0), src-mac (Src-mac), proto TCP (SYN), *SRCIP:PORT*->WAN:8123, len 60

below is my config export

# jul/22/2021 09:44:41 by RouterOS 6.48.3
# software id = DK1D-JYM8
#
# model = RB750Gr3
#
# Overview: one VLAN-filtering bridge (BR1) carrying two VLANs, BASE (99) and
# IOT (50); a DHCP client on ether1 as WAN; a default-drop firewall; and a
# dst-nat rule that forwards tcp/8123 to 192.168.50.192.
/interface bridge
# admin-mac is blank in this export; the post states MAC addresses were omitted.
add admin-mac= auto-mac=no comment=defconf name=BR1 \
vlan-filtering=yes
/interface vlan
# Layer-3 VLAN interfaces on the bridge; these carry the gateway addresses below.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=IOT_VLAN vlan-id=50
/interface list
# LAN is defined and populated below, but no firewall rule in this export refers to it.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
add name=IOT_POOL ranges=192.168.50.10-192.168.50.250
/ip dhcp-server
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
/interface bridge port
# Access ports: ether2 is untagged in VLAN 99, ether3-ether5 are untagged in
# VLAN 50. Tagged frames are rejected on ingress. ether1 is not a bridge port.
add bridge=BR1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether2 pvid=99
add bridge=BR1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether3 pvid=50
add bridge=BR1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether4 pvid=50
add bridge=BR1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether5 pvid=50
/ip neighbor discovery-settings
# Neighbor discovery is limited to the BASE list (BASE_VLAN only).
set discover-interface-list=BASE
/interface bridge vlan
# The bridge itself is a tagged member of both VLANs so that the VLAN
# interfaces defined on BR1 receive their traffic.
add bridge=BR1 tagged=BR1 vlan-ids=99
add bridge=BR1 tagged=BR1 vlan-ids=50
/interface list member
add comment=defconf interface=BR1 list=LAN
add comment=defconf interface=ether1 list=WAN
# VLAN = both VLAN interfaces; BASE = the management VLAN only.
add interface=IOT_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 comment=defconf interface=BASE_VLAN network=\
192.168.0.0
add address=192.168.50.1/24 interface=IOT_VLAN network=192.168.50.0
/ip dhcp-client
# The WAN address is obtained by DHCP on ether1.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1 netmask=24
# IOT clients are handed the router's BASE_VLAN address as resolver; it is
# reachable from IOT_VLAN only because the input chain accepts the whole VLAN list.
add address=192.168.50.0/24 dns-server=192.168.0.1 gateway=192.168.50.1
/ip dns
# The router answers DNS queries from clients. Queries arriving on ether1 match
# no input accept rule for new connections and reach the input drop rule below.
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
# Within a chain, rules are checked in the order listed; a packet stops at the
# first accept or drop rule it matches.
#
# input chain: traffic addressed to the router itself.
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
established,related
# NOTE(review): the VLAN list includes IOT_VLAN, so IoT hosts are accepted on
# every router service, not only DNS. Consider limiting IOT_VLAN to the
# ports it actually needs.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Already covered by the rule above, because BASE_VLAN is a member of VLAN.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
# Default drop for input. log-prefix is set, but log=yes does not appear in the
# export, so presumably these drops are not logged - confirm.
add action=drop chain=input comment=Drop log-prefix=drp
# forward chain: traffic routed through the router.
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
# Only new connections from the VLAN list out to WAN are accepted.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): a dst-nat'd connection enters on ether1 (WAN) as a new
# connection, matches neither accept rule above, and is dropped here. This is
# the likely reason the forwarded traffic never appears on IOT_VLAN. An accept
# rule matching connection-nat-state=dstnat with in-interface-list=WAN, placed
# above this drop, is the usual way to admit forwarded ports.
add action=drop chain=forward comment=Drop log-prefix=drpf
# Disabled, and positioned after the drop, so it could not match even if
# enabled. It also carries no interface or destination-address restriction.
add action=accept chain=forward connection-state=new disabled=yes dst-port=8123 \
log=yes protocol=tcp
/ip firewall mangle
# Diagnostic only: passthrough with log=yes records tcp/8123 packets in
# prerouting and leaves them unchanged.
add action=passthrough chain=prerouting dst-port=8123 log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# NOTE(review): this rule has no in-interface-list or dst-address matcher, so it
# rewrites tcp/8123 arriving on any interface, including LAN clients connecting
# to port 8123 on outside hosts. Adding in-interface-list=WAN confines it to
# inbound Internet traffic.
# Once the forward chain admits it, this publishes the service on
# 192.168.50.192 to any Internet source; confirm that service enforces
# authentication and TLS, or restrict callers with src-address-list.
add action=dst-nat chain=dstnat dst-port=8123 log=yes log-prefix=fwd protocol=\
tcp to-addresses=192.168.50.192 to-ports=8123
# Empty section in the export: no routing rules are defined.
/ip route rule
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC-Telnet and MAC-WinBox are restricted to the BASE list (BASE_VLAN only).
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
