add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=\
"Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=53
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=\
"Orange Optic" protocol=udp to-addresses=10.0.10.241 to-ports=53
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=\
"Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=5678
add action=dst-nat chain=dstnat comment="HTTP - Synology WEB Access" \
dst-port=5678 in-interface="Orange Optic" protocol=tcp to-addresses=\
10.0.10.241 to-ports=5678
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
"Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=5679
add action=dst-nat chain=dstnat comment="HTTPS - Synology Web Access" \
dst-port=5679 in-interface="Orange Optic" protocol=tcp to-addresses=\
10.0.10.241 to-ports=5679
add action=dst-nat chain=dstnat comment="Synology Cloud" dst-port=5000-5001 \
in-interface="Orange Optic" protocol=tcp to-addresses=10.0.10.241 \
to-ports=5000-5001
add action=dst-nat chain=dstnat comment="Synology Cloud" dst-port=6690 \
in-interface="Orange Optic" protocol=tcp to-addresses=10.0.10.241 \
to-ports=6690
You can choose either the interface "Orange Optic" or the interface list WAN (assuming the interface is added to the list as WAN).

Ok, and what should I choose in the Out. Interface (list)? - LAN, WAN, all, dynamic, none and static
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=WAN
Can you please post your configuration here:

I have changed it to the WAN, but no change. It's the same.
Can you change:

add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.11.0/24

to:

add chain=srcnat action=masquerade out-interface-list=WAN

OK, have done it.
But in your config, interface "Orange Optic" is ethernet. PPPoE is named "PPPoE-Orange". So you need in-interface=PPPoE-Orange in dstnat rules.

OK, have done it.

Hi Sob,

Will the disabled masquerade be a problem? Does it need to be deleted, or can it stay disabled?

Disabled is disabled... so it won't interfere.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=srcnat action=masquerade out-interface=PPPoE-Orange
add chain=srcnat action=masquerade src-address=10.0.10.0/24
add chain=srcnat action=masquerade src-address=10.0.10.0/24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=WAN
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked comment="allow established, related and untracked"
add action=drop chain=forward connection-state=invalid comment="drop invalid"
# things to allow:
add action=accept chain=forward in-interface-list=LAN comment="allow everything from LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports"
...
# end of things to allow
add action=log chain=forward comment="log what will be blocked; use before enabling the last reject rule"
add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited comment="block everything else"
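The NAT and filter rules in this thread keep raising the same handful of questions: is masquerade bound to the WAN egress (or does it also rewrite traffic towards VPN clients), does a dst-nat rule match the service port on the WAN side, is the final drop or reject still disabled, and are there duplicate rules. The following script is an added example, not code from the thread or from MikroTik; it lints a plain-text `/ip firewall export` for exactly those conditions. It assumes the export format seen in the posts above (section headers such as `/ip firewall nat`, one `add` rule per logical line made of `key=value` pairs, "quoted values" and trailing `\` line continuations). The sample export embedded in it is constructed, modelled on the rules posted here.

```python
"""Lint a plain-text RouterOS `/ip firewall export` for the NAT and filter
mistakes discussed in this thread.  Added example, not code from the thread
or from MikroTik.  Assumes the export format seen in the posts: section
headers such as `/ip firewall nat`, one `add` rule per logical line made of
`key=value` pairs, "quoted values" and trailing backslash continuations."""
import shlex
from collections import Counter


def join_continuations(text):
    """Fold trailing-backslash continuation lines into logical lines.
    Returns a list of (line number of the first physical line, logical line)."""
    logical, buf, start = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()            # the export indents continuations; drop it
        if buf is None:
            buf, start = line, no
        else:
            buf += line
        if buf.endswith("\\"):        # more of this rule on the next line
            buf = buf[:-1]
            continue
        logical.append((start, buf))
        buf = None
    if buf is not None:
        logical.append((start, buf))
    return logical


def parse_rules(text):
    """Return one dict per `add` line: its key=value pairs plus the section
    header it sits under (_section) and its first line number (_line)."""
    section, rules = None, []
    for no, line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)    # turns in-interface="Orange Optic" into one token
        if not tokens or tokens[0] != "add":
            continue
        rule = {"_section": section, "_line": no}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint(text):
    """Return (line_number, message) findings, in rule order."""
    findings, seen = [], Counter()
    for r in parse_rules(text):
        chain, action, line = r.get("chain"), r.get("action"), r["_line"]
        ident = tuple(sorted((k, v) for k, v in r.items() if k[0] != "_"))
        seen[ident] += 1
        if seen[ident] > 1:
            findings.append((line, "duplicate of an earlier identical rule"))
        if chain == "srcnat" and action == "masquerade" and not (
                r.get("out-interface") or r.get("out-interface-list")):
            findings.append((line, "masquerade has no out-interface(-list): it "
                "also rewrites traffic to VPN and other non-WAN destinations"))
        if chain == "dstnat" and action == "dst-nat":
            if "dst-port" not in r:
                msg = "dst-nat has no dst-port, so it forwards every port"
                if "src-port" in r:
                    msg += "; src-port is the client's port, dst-port was meant"
                findings.append((line, msg))
            if not any(k in r for k in ("in-interface", "in-interface-list", "dst-address")):
                findings.append((line, "dst-nat not limited to the WAN interface "
                    "or public address: it also catches LAN traffic to the router"))
        if action in ("drop", "reject") and r.get("disabled") == "yes":
            findings.append((line, f"{action} rule in chain {chain} is disabled: "
                "traffic it should block falls through to the default accept"))
    return findings


# Constructed sample export, modelled on the rules posted in this thread.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=masquerade chain=srcnat src-address=10.0.10.0/24
add chain=srcnat action=masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTP - Synology WEB Access" \
    in-interface="Orange Optic" protocol=tcp src-port=5678 to-addresses=\
    10.0.10.241 to-ports=5678
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=\
    "Orange Optic" protocol=udp to-addresses=10.0.10.241 to-ports=53
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input disabled=yes in-interface-list=WAN
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE_EXPORT):
        print(f"line {no}: {msg}")
```

Run it against the output of `/ip firewall export file=fw` copied off the router; the line numbers refer to that file. The "disabled drop" finding is deliberate for the staged rule sets posted above (log first, enable the catch-all later), but it is the one you want to see disappear before the router is left on the internet.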
Hi Sob,

VPN is already not exactly as if you'd be directly connected. And if you use a different subnet (which is otherwise fine), it will be even further from that. What I meant is to find interface Bridge1 and change its ARP option from the default "enabled" to "proxy-arp". Then you can keep the same subnet and it will work.
/ip firewall filter
add chain=forward in-interface=all-ppp out-interface-list=LAN action=accept
/ip firewall filter
add action=accept chain=input comment="allow established, related and untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow everything from LAN" in-interface-list=LAN
add action=accept chain=input comment="allow IPSec (IKE)" protocol=udp dst-port=500,4500
add action=accept chain=input comment="allow IPSec (ESP)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP" ipsec-policy=in,ipsec protocol=udp dst-port=1701
# ... add other allowed things here
add action=log chain=input comment="log what will be blocked; use before enabling the last reject rule"
add action=drop chain=input disabled=yes comment="block everything else"
add action=accept chain=input comment="allow IPSec (IKE)" protocol=udp dst-port=500,4500
add action=accept chain=input comment="allow IPSec (ESP)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP" ipsec-policy=in,ipsec protocol=udp dst-port=1701
Request timeout for icmp_seq 42
92 bytes from 10.0.10.101: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 bb06 0 0000 3f 01 973a 10.0.10.120 10.0.10.241
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E5 \
name="Local 1" speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E6 \
name="Local 2" speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E7 \
name="Local 3" speed=100Mbps
set [ find default-name=ether5 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E8 \
name="Local 4" speed=100Mbps
set [ find default-name=ether1 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E4 \
name="Orange Optic" speed=100Mbps
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto \
auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
B8:69:F4:20:A5:49 mtu=1500 name=ether1 orig-mac-address=B8:69:F4:20:A5:49 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
Is it possible to tell me which changes you suggest for the network with the new configuration?