I would like to set up three port forwarding on the router, unfortunately it does not work.
What am I doing wrong?
Here once my config:
Code: Select all
# jan/16/2023 12:30:51 by RouterOS 7.7
# software id = 8RC1-JJFZ
#
# model = CRS125-24G-1S
# serial number = 5A8C0513D7D9
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=aXXXXXX.sn.mynetname.net exchange-mode=ike2 name=Aschendorf
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip kid-control
add fri="" mon=5h-5h1m name="Gerate ohne Internet " rate-limit=1K sat="" sun=\
"" thu="" tue="" wed=""
/ip pool
add name=dhcp ranges=192.168.30.10-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=3d name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE use-mpls=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
profile=default-encryption user=XXXXXXXXXXXXXXXX@t-online.de
/queue type
add kind=fq-codel name=FQ-Codel
/queue simple
add max-limit=70M/30M name=queue1 packet-marks=no-mark queue=\
FQ-Codel/FQ-Codel target=pppoe-out1 total-queue=FQ-Codel
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=192.168.30.0/24 endpoint-address=192.168.31.2 \
endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s \
public-key="XXXXXXXXXXXXXX"
/ip address
add address=192.168.30.1/24 interface=bridge1 network=192.168.30.0
add address=192.168.31.1 disabled=yes interface=wireguard1 network=\
192.168.31.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.30.200 client-id=1:7c:10:c9:83:4a:47 comment=Dirk-PC \
mac-address=7C:10:C9:83:4A:47 server=dhcp1
add address=192.168.30.199 client-id=1:0:11:32:88:99:e6 comment=\
"Synology NAS" mac-address=00:11:32:88:99:E6 server=dhcp1
add address=192.168.30.197 client-id=1:50:e6:36:76:d8:d comment=\
"fritzbox 7590ax" mac-address=50:E6:36:76:D8:0D server=dhcp1
add address=192.168.30.195 client-id=1:3c:2a:f4:9e:5f:b7 comment=\
"Brother Drucker" mac-address=3C:2A:F4:9E:5F:B7 server=dhcp1
add address=192.168.30.183 mac-address=00:17:88:6B:0C:0F server=dhcp1
/ip dhcp-server network
add address=192.168.30.0/24 caps-manager=192.168.30.1 dns-server=\
192.168.30.1,8.8.8.8 gateway=192.168.30.1 netmask=24 ntp-server=\
192.168.30.1 wins-server=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.30.197 name=fritz.local
add address=192.168.30.181 name=ps3.lars
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=192.168.30.2-192.168.30.254 list=allowed_to_routerto_router
add address=192.168.30.0/24 list=lan_ip
add address=192.168.20.0/24 list=lan_ip
add address=192.168.10.0/24 list=lan_ip
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=input comment=Default connection-state=\
established,related
add action=accept chain=input src-address-list=allowed_to_routerto_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=jump chain=forward comment="Zu ICMP Rules" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not Public Addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming that are not NATted" \
connection-nat-state=dstnat connection-state=new in-interface=all-ppp \
log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" disabled=yes \
in-interface=ether1 log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=drop chain=forward comment="Drop from LAN that do not have LAN IP" \
in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address-list=!lan_ip
add action=accept chain=icmp comment="ICMP List" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp icmp-options=3:0 protocol=icmp
add action=accept chain=icmp icmp-options=3:1 protocol=icmp
add action=accept chain=icmp icmp-options=3:4 protocol=icmp
add action=accept chain=icmp icmp-options=8:0 protocol=icmp
add action=accept chain=icmp icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp protocol=icmp
/ip firewall nat
add action=dst-nat chain=dstnat comment="Zu Fritzbox" dst-port=44695 \
in-interface=ether1 protocol=tcp to-addresses=192.168.30.197 to-ports=\
44695
add action=dst-nat chain=dstnat comment="Zu Proxy" dst-port=443 in-interface=\
ether1 protocol=tcp to-addresses=192.168.30.171 to-ports=4434
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
to-addresses=192.168.30.171 to-ports=8080
add action=accept chain=srcnat comment=VPN dst-address=192.168.20.0/24 \
src-address=192.168.30.0/24
add action=dst-nat chain=dstnat comment="Vault Backup" dst-port=6281 \
protocol=tcp to-addresses=192.168.30.199 to-ports=6281
add action=masquerade chain=srcnat comment=Main out-interface-list=WAN
/ip ipsec identity
add peer=Aschendorf
/ip ipsec mode-config
add address-pool=*2 name=vpndhcp
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=Aschendorf src-address=192.168.30.0/24 \
tunnel=yes
/ip kid-control device
add mac-address=00:1F:A7:7C:CF:CD name=PlayStation3 user=\
"Gerate ohne Internet "
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.30.174 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.20.0/24 gateway=192.168.30.174 \
routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.30.0/24 disabled=yes
set ssh disabled=yes
set www-ssl certificate=SSL-Webseite
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge1 type=internal
/lcd interface pages
set 0 interfaces=\
ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/ppp secret
add name=vpn profile=default-encryption
add name=vpn2 profile=default-encryption
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes