kryztoval
newbie
Topic Author
Posts: 27
Joined: Tue Sep 07, 2021 10:46 pm

Dnat rules not taking effect

Mon Oct 02, 2023 8:43 pm

I am not seeing any hits on the dst-nat rules. I thought dnat was the last part of the pre-routing filter and that it did not need any input filter (apart from the forward dstnat rule).
I have a similar configuration in another router and it works, but on this one I can't seem to make it work.

The container can see the internet, it can see the router, the router can connect to the container.

If I set up an input rule that logs whenever I hit a port that is dest-nat'ed it will print and count a hit on the firewall filter input. But I think this should not happen as it should have been trapped by the dnat in pre-routing.

What am I missing?

# 2023-10-02 17:29:58 by RouterOS 7.12beta9
# software id = 
#
/interface bridge
add fast-forward=no name=containers protocol-mode=none
/interface veth
add address=172.17.17.2/24 gateway=172.17.17.1 gateway6="" name=veth1
/container mounts
add dst=/mediamtx.yml name=mediamtx_yml src=/containers/mediamtx/mediamtx.yml
/disk
set sata1 type=hardware
/container
add interface=veth1 logging=yes mounts=mediamtx_yml root-dir=/containers/mediamtx/filesystem start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io/ tmpdir=/containers/tmp
/interface bridge port
add bridge=containers ingress-filtering=no interface=veth1 trusted=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/ip address
add address=public.ip/24 interface=ether1
add address=172.17.17.1/24 interface=containers network=172.17.17.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward comment="accept stablished, related, untracked" connection-state=established,related,untracked hw-offload=yes
add action=accept chain=forward comment="Allow dnat'd packets" connection-nat-state=dstnat
add action=accept chain=forward connection-state=established,related,untracked in-interface=ether1 log=yes out-interface=containers
add action=accept chain=forward in-interface=containers out-interface=ether1
add action=drop chain=forward comment="drop evreything else" in-interface=ether1
add action=accept chain=input comment="accept stablished, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop blocked ips" src-address-list=blacklist
add action=fasttrack-connection chain=input connection-state=established,related,untracked hw-offload=no
add action=accept chain=input in-interface=containers
add action=accept chain=input comment="allow ping" protocol=icmp
add action=drop chain=input comment="drop everything else"
add action=accept chain=output comment="Accept is default for any output"
/ip firewall nat
add action=masquerade chain=srcnat comment="Containers -> Internet" dst-address-type=!local out-interface=ether1 src-address=172.17.17.0/24
add action=dst-nat chain=dnat dst-port=1935 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8000 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8001 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8554 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8888 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8889 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8890 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=1935 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8000 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8001 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8554 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8888 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8889 protocol=udp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8890 protocol=udp to-addresses=172.17.17.2
/ip route
add dst-address=0.0.0.0/0 gateway=public.ip.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system package update
set channel=testing
 
kryztoval
newbie
Topic Author
Posts: 27
Joined: Tue Sep 07, 2021 10:46 pm

Re: Dnat rules not taking effect

Tue Oct 03, 2023 1:25 am

I see my problem now... the chain is not supposed to be "dnat", it is supposed to be "dstnat".
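As an added diagnostic (not from the thread, the poster, or MikroTik), a small Python lint over a RouterOS export that reports NAT rules placed in a chain the router never traverses: in /ip firewall nat only srcnat and dstnat are built in, so a rule in a chain named dnat sits unreachable with zero hits unless some other rule jumps to it. The sample export is a constructed, trimmed copy of the one above, with one valid jump-target chain added for contrast.

```python
import re
from typing import Dict, List

# Chains RouterOS traverses on its own in /ip firewall nat; any other chain is
# only reached through an explicit action=jump (assumption: no further built-ins).
BUILTIN_NAT_CHAINS = {"srcnat", "dstnat"}

# Constructed sample: trimmed from the thread's export, keeping the misnamed
# "dnat" chain the poster later spotted, plus a user chain that IS jumped to.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.17.17.0/24
add action=dst-nat chain=dnat dst-port=1935 protocol=tcp to-addresses=172.17.17.2
add action=dst-nat chain=dnat dst-port=8554 protocol=tcp to-addresses=172.17.17.2
add action=jump chain=dstnat jump-target=rtsp-ports protocol=tcp
add action=dst-nat chain=rtsp-ports dst-port=8888 protocol=tcp to-addresses=172.17.17.2
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1
"""

# key=value pairs; values may be quoted strings containing spaces (e.g. comment="...")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_nat_rules(export: str) -> List[Dict[str, str]]:
    """Return the key=value pairs of every 'add' line under /ip firewall nat."""
    rules, in_nat = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def find_orphan_chains(export: str) -> Dict[str, int]:
    """Map each NAT chain that is neither built-in nor a jump target to its rule
    count. Rules in such a chain are never evaluated, so their counters stay at 0."""
    rules = parse_nat_rules(export)
    targets = {r["jump-target"] for r in rules if r.get("action") == "jump" and "jump-target" in r}
    orphans: Dict[str, int] = {}
    for r in rules:
        chain = r.get("chain", "")
        if chain not in BUILTIN_NAT_CHAINS and chain not in targets:
            orphans[chain] = orphans.get(chain, 0) + 1
    return orphans


if __name__ == "__main__":
    for chain, n in find_orphan_chains(SAMPLE_EXPORT).items():
        print(f"chain={chain}: {n} rule(s) unreachable; use srcnat/dstnat or add a jump")
```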
