This is my first post on this Forum.
I've been hanging my head on this one.
I have 5 public IPs from my ISP. The first IP is used for NAT overloading so my LAN can access the Internet (this works).
I also added a dst-nat using the second public IP from my ISP, a To-Address and TCP port 80, and another on port 8080, because I have one web server on my LAN and RouterOS needs to provide access to it on either port (this works).
Now, I need to have the ability to create a Firewall Rule that blocks one of the ports (let's say 80) incoming on the second ISP IP that I assigned in the dst-nat. (This sounds confusing: why would I want to block a port that I just created a NAT for?)
Well, no real reason, but I would imagine that NAT controls the translation and Filter controls what flows (translated or not), so I would expect to control the 'door' in the Filter, and not in the NAT.
Every time I tried creating rules in different places I ended up blocking nothing or blocking the wrong thing, so I need advice.
I understand from the packet flow that dst-nat gets processed before the Firewall Rules, so I tried creating rules that block the internal IP/port after it gets translated, etc. I also tried to use a 'prerouting' mangle rule to mark the traffic, but if I block it in the firewall rules I also block other things that I don't want.
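As an added example (not the poster's configuration), this is how the filter chain can be scoped to only the dst-natted connections. Because the forward chain sees the already-translated destination, a rule that matches only the server's LAN address and port 80 also catches LAN clients, so the rule below adds the WAN interface and the dstnat connection state as matchers. The public IP 203.0.113.2, the server address 192.168.10.20 and the interface name ether1-wan are placeholders.

```routeros
# Added example, not the original poster's config. Assumed placeholders:
#   203.0.113.2   = second public IP used in the dst-nat rules
#   192.168.10.20 = the web server on the LAN (the To-Address)
#   ether1-wan    = the ISP-facing interface
/ip firewall nat
add chain=dstnat in-interface=ether1-wan dst-address=203.0.113.2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.20 comment="public 80 -> web server"
add chain=dstnat in-interface=ether1-wan dst-address=203.0.113.2 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.10.20 comment="public 8080 -> web server"

# Too broad: after dst-nat the forward chain only sees 192.168.10.20:80, so this
# also drops LAN clients talking to the server on port 80.
# /ip firewall filter add chain=forward dst-address=192.168.10.20 protocol=tcp dst-port=80 action=drop

# Scoped: drop only connections that came in on the WAN interface and were dst-natted.
# Place it above any general "accept established,related" or LAN->server accept rules.
/ip firewall filter
add chain=forward in-interface=ether1-wan connection-nat-state=dstnat \
    dst-address=192.168.10.20 protocol=tcp dst-port=80 action=drop \
    comment="close public port 80 to web server (NAT rule left in place)"
add chain=forward in-interface=ether1-wan connection-nat-state=dstnat \
    dst-address=192.168.10.20 protocol=tcp dst-port=8080 action=accept \
    comment="allow public port 8080 to web server"
```

The counters on the drop rule (`/ip firewall filter print stats`) confirm that only WAN-originated connections to port 80 are hitting it, while LAN access to the same port continues to work.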