I am using a RB760iGS running 7.16.2 packages and firmware.
I have a LAN bridge configured on ether2, ether3 and the SFP port, subnet 172.16.23.0/24.
I have a DMZ configured on ether4 subnet 172.16.24.0/28
I have a Raspberry Pi running Network UPS Tools on 172.16.23.4:3493 and I am trying (without any success) to allow a NUT client on my Ubuntu server (172.16.24.

I used to run OpnSense firewall and this was known as a pinhole between networks and was easy to setup through the web interface as it would write the firewall rules for you.
The firewall rules from the config are below. I am sure it's something simple that I am missing because of my lack of knowledge, or that I don't know the right phrase to search for. Any help would be greatly appreciated. If there are any good references for learning the RouterOS firewall that would be great, as I am using a lot of the hEX routers for work and seem to be muddling through.
# Filter rules are evaluated top to bottom; the first matching rule decides.
# The forward chain below has NO final catch-all drop, so anything not matched
# by an explicit rule is accepted by default.
/ip firewall filter
# Drop packets the connection tracker classifies as invalid (router itself).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Accept ALL forwarded traffic arriving on any interface in the "DMZ"
# interface list, with no address, port or connection-state restriction.
# NOTE(review): this sits above the "DMZ Port" -> LAN_bridge drop further down;
# if ether4 / "DMZ Port" is a member of the DMZ list (membership is not shown
# here), that drop is never reached and DMZ hosts already have unrestricted
# reach into the LAN - in which case the NUT problem is not in this firewall
# (check the NUT server's LISTEN setting and any host firewall on the Pi).
# Conversely, if it is meant as a segmentation boundary, narrow this rule or
# move it below the DMZ -> LAN drop - confirm the intended membership first.
add action=accept chain=forward in-interface-list=DMZ
# Allow ICMP to the router from bridge ports in the LAN port list.
add action=accept chain=input comment="defconf: accept ICMP" \
in-bridge-port-list=LAN protocol=icmp
# Allow return traffic for connections the router itself initiated/tracked.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Allow traffic addressed to the router's loopback (CAPsMAN default rule).
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Accept forwarded traffic covered by an IPsec policy (both directions).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# OpenVPN to the router on TCP/1194. No in-interface restriction, so it is
# reachable from every interface, including WAN - intended for a VPN endpoint.
add action=accept chain=input comment="OVPN Pass" dst-port=1194 protocol=tcp
# Established/related connections are fasttracked (and hardware offloaded);
# later packets of such connections skip the remaining filter rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
# Replies for already-allowed connections are accepted here, so the drop
# rules below only ever see new (or untracked/other) connections.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Block NEW connections from the DMZ port into the LAN bridge.
# This is the rule that blocks the NUT client (DMZ -> 172.16.23.4:3493)
# unless the broad DMZ accept above already matched. A pinhole must be
# placed ABOVE this rule, e.g. (suggested, not active):
#   add action=accept chain=forward comment="NUT client DMZ -> UPS server" \
#   dst-address=172.16.23.4 dst-port=3493 protocol=tcp \
#   src-address=172.16.24.0/28 in-interface="DMZ Port" out-interface=LAN_bridge
# Keeping src-address limited to the DMZ subnet (or the single client host)
# keeps the rest of the DMZ -> LAN boundary intact. Replies are covered by
# the established/related accept above.
add action=drop chain=forward connection-state=new in-interface="DMZ Port" \
out-interface=LAN_bridge
# Isolate ether5 and the two VLANs from the LAN bridge. No connection-state
# match is needed here because established/related was accepted above.
add action=drop chain=forward in-interface=ether5 out-interface=LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WORKSHOP out-interface=\
LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WAN2 out-interface=\
LAN_bridge
# Everything else to the router itself is dropped unless it arrives on an
# interface in the LAN list (the OVPN accept above is intentionally earlier).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Drop invalid forwarded packets.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from the WAN list are dropped unless they were dst-nat'ed.
# dst-nat'ed connections are therefore allowed by the absence of a later drop,
# not by an explicit accept; there is no further restriction on what the
# published host may be reached on once NAT has matched.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): these two DNS drops for ether1 come AFTER "drop all not coming
# from LAN". If ether1 is not in the LAN list (it appears to be the WAN uplink,
# see the masquerade on ether1 below), they can never match and are redundant.
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
# Source NAT for traffic leaving via any WAN-list interface (except IPsec).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Port forwards from the public address 212.159.16.166 to the DMZ host
# 172.16.24.8 (mail + web). Ports 25, 110, 143, 80 and 8081 are published in
# the clear; whether the server enforces STARTTLS / redirects to HTTPS is not
# visible here - worth confirming, as 172.16.24.8 is the internet-facing host.
add action=dst-nat chain=dstnat comment="NAT Incoming Mail " dst-address=\
212.159.16.166 dst-port=587 protocol=tcp to-addresses=172.16.24.8 \
to-ports=587
add action=dst-nat chain=dstnat comment="NAT SMTPS Incoming Mail " \
dst-address=212.159.16.166 dst-port=465 protocol=tcp to-addresses=\
172.16.24.8 to-ports=465
add action=dst-nat chain=dstnat comment="NAT SMTP Incoming Mail " \
dst-address=212.159.16.166 dst-port=25 protocol=tcp to-addresses=\
172.16.24.8 to-ports=25
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server" \
dst-address=212.159.16.166 dst-port=80 protocol=tcp to-addresses=\
172.16.24.8 to-ports=80
add action=dst-nat chain=dstnat comment=\
"NAT HTTP to the web server for webmail" dst-address=212.159.16.166 \
dst-port=8081 protocol=tcp to-addresses=172.16.24.8 to-ports=8081
# POP3 (110) and IMAP (143), uncommented in the original export.
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=110 \
protocol=tcp to-addresses=172.16.24.8 to-ports=110
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=143 \
protocol=tcp to-addresses=172.16.24.8 to-ports=143
add action=dst-nat chain=dstnat comment="NAT IMAP to mail Server " \
dst-address=212.159.16.166 dst-port=993 protocol=tcp to-addresses=\
172.16.24.8 to-ports=993
add action=dst-nat chain=dstnat comment="NAT HTTPS to Web Server " \
dst-address=212.159.16.166 dst-port=443 protocol=tcp to-addresses=\
172.16.24.8 to-ports=443
# Second masquerade bound directly to ether1. If ether1 is already in the WAN
# list this duplicates the rule above and can be removed; if it is not, it is
# the only srcnat for that uplink - confirm before touching either rule.
add action=masquerade chain=srcnat out-interface=ether1