add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addresses=192.168.29.174 to-ports=80
add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addresses=192.168.29.174
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." \
in-interface=ether1 log=yes log-prefix=FI_D_port-test
+My nat
add action=masquerade chain=srcnat
After upgrading to 7.1.1 it also did not work, even if I turn off the whole firewall. After downgrading to 6.49.2 everything works.
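Following your suggestion and modified by this:
As noted by sob,
add action=masquerade chain=srcnat is NOT correct!
It is unconditional: with no out-interface matcher it rewrites the source address of traffic leaving through every interface, not only the WAN.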
You need either
add action=masquerade chain=srcnat out-interface=ether1
or the same rule with out-interface-list=WAN instead of out-interface=ether1 (for dynamic WAN IP)
# feb/13/2022 23:16:41 by RouterOS 7.1.2
# model = RB5009UG+S+
# NAT rules. Within a chain the rules are evaluated top to bottom and the
# first matching rule is applied, so the order below matters.
/ip firewall nat
# Source-NAT only traffic leaving through interfaces in the WAN list, so the
# rule is scoped to the uplink instead of being unconditional.
# NOTE(review): the membership of the WAN list is not part of this excerpt - confirm.
add action=masquerade chain=srcnat out-interface-list=WAN
# Port forward: TCP/80 to 192.168.144.22:80. It matches any address local to
# the router (dst-address-type=local) except the LAN address 192.168.144.1,
# so it does not depend on a fixed public IP and it leaves port 80 on
# 192.168.144.1 itself to the router. This publishes the internal web server
# to every network that can reach the router's other addresses.
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
# Hairpin NAT: masquerade LAN-sourced traffic that is not addressed to
# 192.168.144.1, so replies from the forwarded server return via the router.
# NOTE(review): the match is wider than the hairpin case - it is not limited
# to 192.168.144.22 or to a LAN out-interface; confirm that no other routed
# path needs the original client address. For hairpinned connections the
# server sees the router's address as the client, which affects its access logs.
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24
# Filter rules: explicit accepts followed by a final drop in the forward and
# input chains (default deny).
# NOTE(review): /ip firewall covers IPv4 only; no /ipv6 firewall section is
# visible in this excerpt - confirm IPv6 is filtered or disabled.
/ip firewall filter
# Forward chain: return traffic of connections that were already accepted.
add action=accept chain=forward comment="Allow forward traffic for connection already established/related" connection-state=established,related
# LAN to WAN, restricted to the LAN subnet as source and to packets that
# connection tracking does not mark invalid.
add action=accept chain=forward comment="Allow forward traffic for connection from LAN" connection-state=!invalid in-interface-list=LAN out-interface-list=WAN src-address=192.168.144.0/24
# Accepts every connection that matched a dst-nat rule. Any dst-nat rule added
# later is therefore allowed through the filter automatically, so the NAT
# table is the place to review what is exposed.
add action=accept chain=forward comment="Allow forward traffic for port redirections and DMZ" connection-nat-state=dstnat
# Default deny for forwarded traffic. No log= option is set on this rule, so
# dropped packets are not logged by it.
add action=drop chain=forward comment="Deny rest of forward traffic"
# Traffic originated by the router itself is not restricted.
add action=accept chain=output comment="Allow output traffic"
# Input chain (traffic addressed to the router): return traffic first.
add action=accept chain=input comment="Allow input traffic for connection already established/related" connection-state=established,related
# ICMP echo request (type 8, code 0). There is no in-interface matcher, so the
# router answers ping from the WAN side as well.
add action=accept chain=input comment="Allow ICMP ping requests" icmp-options=8:0 protocol=icmp
# ICMP type 3 code 4 (fragmentation needed), required for path MTU discovery.
add action=accept chain=input comment="Allow ICMP messages about too big packet size (fragmentation required)" icmp-options=3:4 protocol=icmp
# Management access from the LAN only (LAN interface list and LAN subnet).
# The comment names Winbox, but the rule opens TCP 8291, 22 and 80 -
# presumably Winbox, SSH and the web interface on their default ports;
# verify against /ip service and drop the ports that are not needed.
add action=accept chain=input comment="Allow init connection to winbox service on LAN" connection-state=new dst-address=192.168.144.1 dst-port=8291,22,80 in-interface-list=LAN protocol=tcp src-address=192.168.144.0/24
# DNS over UDP from the LAN only, which keeps the resolver closed to the WAN.
# NOTE(review): no rule here accepts TCP/53, so DNS queries over TCP from the
# LAN fall through to the final drop - confirm this is intended.
add action=accept chain=input comment="Allow requests to DNS service from LAN" connection-state=new dst-address=192.168.144.1 dst-port=53 in-interface-list=LAN protocol=udp src-address=192.168.144.0/24
# Default deny for traffic addressed to the router. As in the forward chain,
# no log= option is set here.
add action=drop chain=input comment="Deny rest of input traffic"