barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Port forwarding troubles

Thu Jul 07, 2022 7:56 pm

I have a MikroTik with port forwarding to a VNC server on the LAN-side working using NAT dstnat. However, port forwarding is not working to a LAN-side device running an SSH server and Web server. Here's the MikroTik NAT config:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="VNC Server" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    in-interface=PC_LAN protocol=tcp to-addresses=10.1.5.101 to-ports=5101
FWIW, there are several VLANs configured (Servers, PCs, Printers & VOIP Phones). 10.1.10.11 is a PC with a DHCP address provided by the MikroTik. 10.1.5.101 is a server and its IP is set statically on the device. The MikroTik WAN IP address is 10.199.6.39. It is also the gateway for each of the VLANs. If I try to ping 10.1.5.101 from the MikroTik, there is no response.

How can I resolve this problem? Thank you.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Thu Jul 07, 2022 8:19 pm

(1) This half rule needs to be removed; it serves no purpose.

add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="VNC Server" dst-address=\
10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
5900


(2) This does not look correct. Why did you add in-interface?
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
in-interface=PC_LAN protocol=tcp to-addresses=10.1.5.101 to-ports=5101

What do your firewall rules look like for port forwarding?
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Thu Jul 07, 2022 10:08 pm

Thanks for the reply. In the course of researching how to configure and troubleshoot the MT firewall, additions 1 & 2 were suggested. I've just removed them. Re: "What do your firewall rules look like for port forwarding?"
Here are the firewall filter rules:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward connection-state=established,related,new \
    in-interface=PC_LAN out-interface=Server_LAN
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Thu Jul 07, 2022 10:22 pm

In the forward chain you have these two rules now.
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat

add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN



Get rid of the second rule; it's redundant and provides a bit of security.
Much better is the following (in order):

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN {assuming you want internet access}
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Thu Jul 07, 2022 10:30 pm

Furthermore, I suggest these be reviewed.
add action=accept chain=forward connection-state=established,related,new \
in-interface=PC_LAN out-interface=Server_LAN
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
10.1.10.0/24
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
10.1.10.0/24


(1) What is the purpose of this rule?
add action=accept chain=forward connection-state=established,related,new \
in-interface=PC_LAN out-interface=Server_LAN

If you want a LAN to have access to another LAN, it would go here (format and order):

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward [ from interface A ] to [ interface B ]
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


where it could be by interface name or subnet, etc.:

add action=accept chain=forward in-interface=interfacenameX out-interface=interfacenameY
or
add action=accept chain=forward src-address=192.168.xx.0/24 dst-address=192.168.yy.0/24

(2) This rule seems okay; just place it also before the drop rule.
add action=accept chain=forward dst-address=192.168.88.241/32 src-address=\
10.1.10.0/24

(3) I don't understand the purpose of this rule.
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
10.1.10.0/24
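The two posts above come down to first-match ordering in the forward chain. The following Python model is an added example, not code from the thread or from RouterOS: it walks a simplified forward chain the way RouterOS does (top to bottom, first terminating match wins, fasttrack-connection non-terminating, implicit accept at the end) using the order anav recommends, and checks that the "drop all from WAN not DSTNATed" rule changes nothing once "drop all else" closes the chain. Interface-list membership and the sample packets are constructed assumptions; ipsec-policy matchers are left out.

```python
"""First-match walk of a simplified RouterOS forward chain.

Added example, not code from the thread or from RouterOS: models top-to-bottom
evaluation that stops at the first terminating match, using the order anav
recommends (default rules, LAN to WAN, inter-VLAN, dstnat accept, drop all
else). Interface-list membership is a constructed assumption; ipsec omitted.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed interface lists (assumption) mirroring the thread's topology.
IFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"PC_LAN", "Server_LAN", "VOIP_LAN", "Print_LAN", "88_LAN"},
}

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str       # new | established | related | invalid | untracked
    nat_state: str = ""   # "dstnat" once a dstnat rule rewrote the connection

@dataclass
class Rule:
    action: str           # accept | drop | fasttrack-connection
    comment: str = ""
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    conn_states: Optional[frozenset] = None
    nat_state: Optional[str] = None   # "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        if self.in_list and p.in_iface not in IFACE_LISTS[self.in_list]:
            return False
        if self.out_list and p.out_iface not in IFACE_LISTS[self.out_list]:
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface and p.out_iface != self.out_iface:
            return False
        if self.conn_states and p.conn_state not in self.conn_states:
            return False
        if self.nat_state:
            negated = self.nat_state.startswith("!")
            hit = p.nat_state == self.nat_state.lstrip("!")
            if hit == negated:   # plain matcher needs a hit, "!" needs a miss
                return False
        return True

def evaluate(chain, p):
    """Return (verdict, deciding rule's comment). fasttrack-connection is
    non-terminating in RouterOS, so it is stepped over; no match = accept."""
    for rule in chain:
        if rule.matches(p) and rule.action != "fasttrack-connection":
            return rule.action, rule.comment
    return "accept", "implicit accept at end of chain"

ES = frozenset({"established", "related"})
RECOMMENDED = [
    Rule("fasttrack-connection", "defconf: fasttrack", conn_states=ES),
    Rule("accept", "defconf: accept established,related,untracked",
         conn_states=ES | {"untracked"}),
    Rule("drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "LAN to WAN", in_list="LAN", out_list="WAN"),
    Rule("accept", "PC_LAN to Server_LAN", in_iface="PC_LAN", out_iface="Server_LAN"),
    Rule("accept", "Allow port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]

# The defconf rule anav calls redundant once "drop all else" closes the chain.
WAN_NOT_DSTNAT = Rule("drop", "defconf: drop all from WAN not DSTNATed",
                      in_list="WAN", conn_states=frozenset({"new"}),
                      nat_state="!dstnat")

SAMPLES = [  # constructed packets, one per path through the chain
    Packet("ether1", "Server_LAN", "new"),            # unsolicited from WAN
    Packet("ether1", "Server_LAN", "new", "dstnat"),  # port-forwarded SSH
    Packet("PC_LAN", "ether1", "new"),                # LAN to internet
    Packet("PC_LAN", "Server_LAN", "new"),            # allowed inter-VLAN
    Packet("Server_LAN", "PC_LAN", "new"),            # reverse direction
    Packet("Server_LAN", "PC_LAN", "established"),    # reply traffic
    Packet("VOIP_LAN", "PC_LAN", "invalid"),
]

def verdicts(chain):
    return [evaluate(chain, p)[0] for p in SAMPLES]

def wan_drop_rule_is_redundant():
    # True when inserting the WAN-not-dstnat drop ahead of "drop all else"
    # changes no verdict for the sample packets.
    with_rule = RECOMMENDED[:-1] + [WAN_NOT_DSTNAT, RECOMMENDED[-1]]
    return verdicts(with_rule) == verdicts(RECOMMENDED)
```

Swapping the inter-VLAN rule to after "drop all else" in RECOMMENDED makes the PC_LAN to Server_LAN sample drop, which is the ordering point anav makes.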
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Thu Jul 07, 2022 11:58 pm

add action=accept chain=forward connection-state=established,related,new \
in-interface=PC_LAN out-interface=Server_LAN

This rule is intended to let a PC on the VLAN called "PC_LAN" access a server on the VLAN called "Server_LAN". Does this look better, getting rid of the connection-state?
add action=accept chain=forward in-interface=PC_LAN out-interface=Server_LAN

add action=accept chain=forward dst-address=192.168.88.241 src-address=\
10.1.10.0/24

I just disabled this. 192.168.88.241 is the DHCP address of a smart switch connected to the MikroTik.

add action=accept chain=input dst-port=80 protocol=tcp src-address=\
10.1.10.0/24

This allows me to access the MikroTik in a browser from any PC in the LAN. I'll disable this when everything is working.

It seems odd that port forwarding dst-nat for VNC to a machine on PC_LAN is working but port forwarding to a machine on Server_LAN for SSH and HTTP is not working. I cannot even ping the machine on the Server_LAN from the MikroTik device, even after adding a rule like this:
add action=accept chain=forward src-address=192.168.88.0/24 dst-address=10.1.5.0/24
Is it because the IP addresses are not DHCP addresses assigned by the MikroTik?
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Fri Jul 08, 2022 2:02 am

As stated, I would like to see a network diagram to see the relationship of devices.
I need a FULL export of the config (just ensure any public IPs are hidden).
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Fri Jul 08, 2022 10:17 pm

Here's a link to a network diagram: https://drive.google.com/file/d/1KlfzfK ... sp=sharing

I'll get you the full config file. I've lost remote access for now, so I have to go in and fix that. Tomorrow.

Thanks.
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Mon Jul 11, 2022 9:12 pm

Thanks for your patience. Here's the current rsc file:
# jul/11/2022 13:59:49 by RouterOS 6.49.6
# software id = BFI3-972K
#
# model = RB750Gr3
# serial number = D5030F24F9A6
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=LAN_Port
/interface vlan
add interface=LAN_Port name=PC_LAN vlan-id=10
add interface=LAN_Port name=Print_LAN vlan-id=30
add interface=LAN_Port name=Server_LAN vlan-id=5
add interface=LAN_Port name=VOIP_LAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Printer_LAN_Pool ranges=172.16.30.50-172.16.30.99
add name=VOIP_LAN_Pool ranges=192.168.20.50-192.168.20.99
add name=PC_LAN_Pool ranges=10.1.10.50-10.1.10.99
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
    Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=LAN_Port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
    switch=switch1 vlan-id=0
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.20.99 client-id=1:10:bd:18:ae:55:6e mac-address=\
    10:BD:18:AE:55:6E server=VOIP_DHCP
add address=172.16.30.50 client-id=1:9c:ae:d3:ea:85:56 mac-address=\
    9C:AE:D3:EA:85:56 server=Print_DHCP
add address=192.168.88.241 client-id=1:78:45:58:fd:d1:52 comment="Switch1" \
    mac-address=78:45:58:FD:D1:52 server=defconf
add address=172.16.30.52 client-id=1:48:ba:4e:3a:4:38 mac-address=\
    48:BA:4E:3A:04:38 server=Print_DHCP
add address=192.168.20.98 client-id=1:a4:93:4c:fe:ef:b mac-address=\
    A4:93:4C:FE:EF:0B server=VOIP_DHCP
add address=192.168.20.97 client-id=1:a4:93:4c:fe:ee:f8 mac-address=\
    A4:93:4C:FE:EE:F8 server=VOIP_DHCP
add address=192.168.20.96 client-id=1:e8:ed:f3:6b:6:9c mac-address=\
    E8:ED:F3:6B:06:9C server=VOIP_DHCP
add address=192.168.20.95 client-id=1:e0:2f:6d:60:4c:6b mac-address=\
    E0:2F:6D:60:4C:6B server=VOIP_DHCP
add address=192.168.20.94 client-id=1:e0:2f:6d:60:4c:10 mac-address=\
    E0:2F:6D:60:4C:10 server=VOIP_DHCP
add address=192.168.20.93 client-id=1:e0:2f:6d:60:4b:e7 mac-address=\
    E0:2F:6D:60:4B:E7 server=VOIP_DHCP
add address=192.168.20.92 client-id=1:a4:93:4c:fe:f3:55 mac-address=\
    A4:93:4C:FE:F3:55 server=VOIP_DHCP
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=solv.local gateway=\
    10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=solv.local gateway=\
    172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    out-interface=Server_LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=tcp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=udp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 out-interface-list=LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=9100 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3289 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=515 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3702 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=2968 \
    protocol=tcp src-address=172.16.30.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=2968 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=445 \
    protocol=tcp src-address=172.16.30.0/24
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VNC to PC" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP to WS" dst-address=10.199.6.39 \
    dst-port=81 protocol=tcp to-addresses=10.1.5.100 to-ports=81
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=82 protocol=\
    tcp to-addresses=10.1.5.99 to-ports=81
add action=dst-nat chain=dstnat comment="RDP to Hyper-V Host " dst-address=\
    10.199.6.39 dst-port=3389 protocol=tcp to-addresses=10.1.5.91 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    in-interface=PC_LAN protocol=tcp to-addresses=10.1.5.101 to-ports=5101
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Mon Jul 11, 2022 10:38 pm

Comments:
(1) Missing entry, once all is complete.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge vlan-filtering=yes

(2) Assign VLANs to the bridge:
/interface vlan
add interface=bridge name=PC_LAN vlan-id=10
add interface=bridge name=Print_LAN vlan-id=30
add interface=bridge name=Server_LAN vlan-id=5
add interface=bridge name=VOIP_LAN vlan-id=20

(3) Why does the Server VLAN "5" not have any other definitions?

(4) Get rid of the apples and oranges: if you want a subnet, use a VLAN.
Thus the bridge subnet should be changed to a VLAN:
/interface vlan
add interface=bridge name=88_LAN vlan-id=88

(5) Where are the IP pool, DHCP server and DHCP server network for Server_LAN?

(6) Clean up the bridge port settings; now having ether2 (or LAN_Port) on the bridge makes more sense:
/interface bridge port
add bridge=bridge comment=defconf interface=LAN_Port ingress-filtering=yes frame-type=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=ether3 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether4 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether5 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged

(7) This should be set to the management INTERFACE LIST, or in other words, the one time a single SUBNET is identified as an interface list entry, which all your managed devices get their IP address from!
/ip neighbor discovery-settings
set discover-interface-list=Manage

Where
/interface list
add name=Manage
/interface list member
add interface=88_LAN list=Manage

OVERALL this needs to change to this:
/interface list member
add interface=Server_LAN list=LAN
add interface=PC_LAN list=LAN
add interface=VOIP_LAN list=LAN
add interface=Print_LAN list=LAN
add interface=88_LAN list=LAN
add interface=88_LAN list=Manage
add comment=defconf interface=ether1 list=WAN

(8) This is MISSING knowledge: your network diagram failed to show me what IP address the switch has!
I will assume it's the former bridge LAN IP structure, so now our VLAN 88.

Thus things get a tad complicated, only because of Unifi products.
Case A - the Unifi switch is like any other, and thus its management VLAN comes in tagged as per a proper TRUNK port. No change to bridge port settings required.
Case B - the Unifi switch expects the management VLAN as untagged; if so, the bridge ports above have to be modified to recognize that ether2 would have to be a HYBRID port.

/interface bridge port
add bridge=bridge comment=defconf interface=LAN_Port pvid=88
add bridge=bridge comment=defconf interface=ether3 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether4 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether5 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged

(9) MISSING: bridge VLAN settings to match.

Case A (ether2 is trunk)
/interface bridge vlan
add bridge=bridge tagged=bridge,LAN_Port untagged=ether3,ether4,ether5 vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=10
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=20
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=30

Of course this could be shortened to
/interface bridge vlan
add bridge=bridge tagged=bridge,LAN_Port untagged=ether3,ether4,ether5 vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30

CASE B (ether2 is hybrid)
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=LAN_Port,ether3,ether4,ether5 vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30

(10) I don't know what you are doing here, but it's not standard on a hEX; I suggest not using it.
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
switch=switch1 vlan-id=0


(11) Modify the IP address to match the above; the definition of VLAN 5 is also missing here!
/ip address
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
192.168.88.0

(12) In terms of firewall rules, the input chain is SAFE but not optimal. It depends if you want access to the router to be minimized to just the admin or not.
That's up to you to decide.

(13) For the forward chain:
a. The order is out of whack; below it is fixed!
b. Also, any mention of new, etc. is redundant and not required, so it is removed.

This rule is now redundant and should have been removed:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related,new
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

++++++++++++++++++++++++++++++++++++++++++++++ above are basic default rules that should start the chain
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN { good! = to allow internet access by all LAN members}
+++++++++++++++++++++++++++++++++++++++++++++

The rest are partially okay, but I see issues; one by one:

This is a better example of format, but let's look at your logic:
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
192.168.88.0/24
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
192.168.88.0/24

First of all, the last rule already includes the first rule!
The second rule is weird; you are allowing access to your own router, which is an input chain rule.
I will have to think about the validity of this second rule.

Something is seriously wrong with these, including OVERLAP: anything with the 10.199.6.6.
THE FORWARD CHAIN is NOT for PORT FORWARDING.
You have external IPs that are attempting access to the MT device.
The best solution is, on the MAIN ROUTER, to create routes that point to the subnets and associate them with the WAN IP of the MT device.
Then these rules should make sense, as it's more of a LAN-to-LAN type allowance.
Right now there is no way for the main router to reach the MT device; if people are looking for 192.168.88.0, it's traffic the main router will just drop.
Example of this type of rule:
add action=accept chain=forward dst-address=192.168.88.0/24 out-interface-list=LAN \
src-address=10.199.6.6

I will have to think about this as well. :-(


Overall, I would try to simplify your rulesets and make sense of them; they are all over the place.
Try to find common themes by grouping use cases together.
It may be useful to use firewall address lists and interfaces to reduce the number of rules.
There certainly is duplication that can be avoided, and that stems from poor requirements planning.


(14) DESTINATION NAT
I didn't find too much off here. I don't know why you have RDP in the mix; that's usually a security nightmare that attracts unwanted attention. Is there any way to avoid that, like using a WireGuard VPN instead? LOL

This rule: get rid of the in-interface, it's not helpful.
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
in-interface=PC_LAN protocol=tcp to-addresses=10.1.5.101 to-ports=5101

(15) If you have users using the WAN IP to access servers (versus the direct LAN IP) and the server is within the same subnet as the user, you will run into hairpin NAT issues, but I don't know if that is the case.

(16) Set to none; it's not a secure access method.
/tool mac-server
set allowed-interface-list=NONE

(17) Set to the management interface:
/tool mac-server mac-winbox
set allowed-interface-list=Manage
Last edited by anav on Mon Jul 11, 2022 11:45 pm, edited 1 time in total.
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Mon Jul 11, 2022 11:15 pm

All the servers are configured with static IPs. Should I configure the servers with DHCP and make them static on the MikroTik?
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Mon Jul 11, 2022 11:21 pm

The IP of the Unifi switch is 192.168.88.241 (DHCP). It's connected to the LAN port of the MikroTik from a trunk port on the Unifi.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Mon Jul 11, 2022 11:46 pm

Okay so it sounds like Case A and a trunk port is good!
I typically either let the MT select it and then make it static or enter the IP of a device manually to the MT leases with mac address.
Either way, do what's easiest.
Servers should be on their respective subnet, I am talking about the managed device itself and it seems the switch is on the correct management subnet already.
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 12:00 am

Your command, add bridge=bridge comment=defconf interface=ether3 pvid=88 ingress-filtering=yes frame-type=admit-priority-and-untagged and the like should(?) be add bridge=bridge comment=defconf interface=ether3 pvid=88 ingress-filtering=yes frame-types=admit-only-untagged and priority. However, the result is "failure: device already added as bridge port"

Same goes for all the other "add bridge=bridge..." commands.
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 12:24 am

ANAV - Thanks for all your help. I'm done for today. I'll report back tomorrow.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Tue Jul 12, 2022 3:25 am

As they say, one bridge at a time! :-)
You will get there, will take some patience and perseverance.
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 6:23 pm

I lost remote access to my 88_LAN machine, so I had to go on-site. I have total(?) access to the Internet from PC_LAN and VOIP_LAN. I have limited access to the internet from 88_LAN. For example, when I go to https://community.ui.com/ from my machine on 88_LAN, it hangs loading fonts from google and ends with a "Fetch" error. No such issue getting ui.com from PC_LAN.

I still have no access to a machine on the Server_LAN. I can only ping 10.1.5.1 and not 10.1.5.101 for example. I must have a problem with the switch config.

AFAIK, this line is baked in. I cannot find where/how to delete it:
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
switch=switch1 vlan-id=0


Here's the current config file.
# jul/12/2022 11:16:50 by RouterOS 6.49.6
# software id = BFI3-972K
#
# model = RB750Gr3
# serial number = D5030F24F9A6
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=LAN_Port
/interface vlan
add interface=bridge name=88_LAN vlan-id=88
add interface=bridge name=PC_LAN vlan-id=10
add interface=bridge name=Print_LAN vlan-id=30
add interface=bridge name=Server_LAN vlan-id=5
add interface=bridge name=VOIP_LAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Printer_LAN_Pool ranges=172.16.30.50-172.16.30.99
add name=VOIP_LAN_Pool ranges=192.168.20.50-192.168.20.99
add name=PC_LAN_Pool ranges=10.1.10.50-10.1.10.99
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
    Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=LAN_Port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=Manage
/interface bridge vlan
add bridge=bridge tagged=bridge,LAN_Port untagged=ether3,ether4,ether5 \
    vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
    switch=switch1 vlan-id=0
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=88_LAN list=Manage
add interface=Server_LAN list=LAN
add interface=PC_LAN list=LAN
add interface=VOIP_LAN list=LAN
add interface=Print_LAN list=LAN
add interface=88_LAN list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.20.99 client-id=1:10:bd:18:ae:55:6e mac-address=\
    10:BD:18:AE:55:6E server=VOIP_DHCP
add address=172.16.30.50 client-id=1:9c:ae:d3:ea:85:56 mac-address=\
    9C:AE:D3:EA:85:56 server=Print_DHCP
add address=192.168.88.241 client-id=1:78:45:58:fd:d1:52 comment=" Uni1" \
    mac-address=78:45:58:FD:D1:52 server=defconf
add address=172.16.30.52 client-id=1:48:ba:4e:3a:4:38 mac-address=\
    48:BA:4E:3A:04:38 server=Print_DHCP
add address=192.168.20.98 client-id=1:a4:93:4c:fe:ef:b mac-address=\
    A4:93:4C:FE:EF:0B server=VOIP_DHCP
add address=192.168.20.97 client-id=1:a4:93:4c:fe:ee:f8 mac-address=\
    A4:93:4C:FE:EE:F8 server=VOIP_DHCP
add address=192.168.20.96 client-id=1:e8:ed:f3:6b:6:9c mac-address=\
    E8:ED:F3:6B:06:9C server=VOIP_DHCP
add address=192.168.20.95 client-id=1:e0:2f:6d:60:4c:6b mac-address=\
    E0:2F:6D:60:4C:6B server=VOIP_DHCP
add address=192.168.20.94 client-id=1:e0:2f:6d:60:4c:10 mac-address=\
    E0:2F:6D:60:4C:10 server=VOIP_DHCP
add address=192.168.20.93 client-id=1:e0:2f:6d:60:4b:e7 mac-address=\
    E0:2F:6D:60:4B:E7 server=VOIP_DHCP
add address=192.168.20.92 client-id=1:a4:93:4c:fe:f3:55 mac-address=\
    A4:93:4C:FE:F3:55 server=VOIP_DHCP
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    10.1.10.0/24
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    out-interface=Server_LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=tcp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=udp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 out-interface-list=LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=9100 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3289 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=515 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3702 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=2968 \
    protocol=tcp src-address=172.16.30.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=2968 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=445 \
    protocol=tcp src-address=172.16.30.0/24
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VNC to GIS PC" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP to WTS" dst-address=10.199.6.39 \
    dst-port=81 protocol=tcp to-addresses=10.1.5.100 to-ports=81
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=82 protocol=\
    tcp to-addresses=10.1.5.99 to-ports=81
add action=dst-nat chain=dstnat comment="RDP to Hyper-V Host " dst-address=\
    10.199.6.39 dst-port=3389 protocol=tcp to-addresses=10.1.5.91 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    protocol=tcp to-addresses=10.1.5.101 to-ports=5101
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Tue Jul 12, 2022 6:46 pm

(1a) First thing, you need to REMOVE THE DUPLICATE IP ADDRESS!!!!!!
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
192.168.88.0
{ the correct one }

(1b) Second thing is you are missing the all important vlan-filtering=yes on the /interface bridge. This might clear up most issues!!

(2) You still have not solved the mystery of vlan5, does it exist? No IP address, NO DHCP server etc...........

(3) Remove the bridge entry, the VLANs are the required interfaces to identify!
/interface list member
add comment=defconf interface=bridge list=LAN

(4) What is the purpose of this rule?
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
10.1.10.0/24
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 8:05 pm

  • I fixed #1a & 1b and #3 per your suggestions.
  • Re #2, I added IP Address, DHCP server, and Pool for Server_LAN.
  • Re #4, the rule allows me to access the GUI of the MikroTik from the machine I'm VNC'd to at the moment.
Still not able to ping 10.1.5.101 from PC_LAN. Still not able to connect remotely to a machine on 88_LAN (instead I am VNC'd to the machine on PC_LAN). Here's the current config file.
# jul/12/2022 12:50:07 by RouterOS 6.49.6
# software id = BFI3-972K
#
# model = RB750Gr3
# serial number = D5030F24F9A6
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=LAN_Port
/interface vlan
add interface=bridge name=88_LAN vlan-id=88
add interface=bridge name=PC_LAN vlan-id=10
add interface=bridge name=Print_LAN vlan-id=30
add interface=bridge name=Server_LAN vlan-id=5
add interface=bridge name=VOIP_LAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Printer_LAN_Pool ranges=172.16.30.50-172.16.30.99
add name=VOIP_LAN_Pool ranges=192.168.20.50-192.168.20.99
add name=PC_LAN_Pool ranges=10.1.10.50-10.1.10.99
add name=Server_LAN_Pool ranges=10.1.5.50-10.1.5.59
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
    Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
add address-pool=Server_LAN_Pool disabled=no interface=Server_LAN name=\
    Server_DHCP
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=LAN_Port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=Manage
/interface bridge vlan
add bridge=bridge tagged=bridge,LAN_Port untagged=ether3,ether4,ether5 \
    vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
    switch=switch1 vlan-id=0
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=88_LAN list=Manage
add interface=Server_LAN list=LAN
add interface=PC_LAN list=LAN
add interface=VOIP_LAN list=LAN
add interface=Print_LAN list=LAN
add interface=88_LAN list=LAN
/ip address
add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.20.99 client-id=1:10:bd:18:ae:55:6e mac-address=\
    10:BD:18:AE:55:6E server=VOIP_DHCP
add address=172.16.30.50 client-id=1:9c:ae:d3:ea:85:56 mac-address=\
    9C:AE:D3:EA:85:56 server=Print_DHCP
add address=192.168.88.241 client-id=1:78:45:58:fd:d1:52 comment="ABC Uni1" \
    mac-address=78:45:58:FD:D1:52 server=defconf
add address=172.16.30.52 client-id=1:48:ba:4e:3a:4:38 mac-address=\
    48:BA:4E:3A:04:38 server=Print_DHCP
add address=192.168.20.98 client-id=1:a4:93:4c:fe:ef:b mac-address=\
    A4:93:4C:FE:EF:0B server=VOIP_DHCP
add address=192.168.20.97 client-id=1:a4:93:4c:fe:ee:f8 mac-address=\
    A4:93:4C:FE:EE:F8 server=VOIP_DHCP
add address=192.168.20.96 client-id=1:e8:ed:f3:6b:6:9c mac-address=\
    E8:ED:F3:6B:06:9C server=VOIP_DHCP
add address=192.168.20.95 client-id=1:e0:2f:6d:60:4c:6b mac-address=\
    E0:2F:6D:60:4C:6B server=VOIP_DHCP
add address=192.168.20.94 client-id=1:e0:2f:6d:60:4c:10 mac-address=\
    E0:2F:6D:60:4C:10 server=VOIP_DHCP
add address=192.168.20.93 client-id=1:e0:2f:6d:60:4b:e7 mac-address=\
    E0:2F:6D:60:4B:E7 server=VOIP_DHCP
add address=192.168.20.92 client-id=1:a4:93:4c:fe:f3:55 mac-address=\
    A4:93:4C:FE:F3:55 server=VOIP_DHCP
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    10.1.10.0/24
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    out-interface=Server_LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=tcp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=udp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 out-interface-list=LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=9100 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3289 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=515 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3702 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=2968 \
    protocol=tcp src-address=172.16.30.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=2968 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=445 \
    protocol=tcp src-address=172.16.30.0/24
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VNC to GIS PC" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP to WTS" dst-address=10.199.6.39 \
    dst-port=81 protocol=tcp to-addresses=10.1.5.100 to-ports=81
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=82 protocol=\
    tcp to-addresses=10.1.5.99 to-ports=81
add action=dst-nat chain=dstnat comment="RDP to WTS-VMs Host " dst-address=\
    10.199.6.39 dst-port=3389 protocol=tcp to-addresses=10.1.5.91 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    protocol=tcp to-addresses=10.1.5.101 to-ports=5101
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Tue Jul 12, 2022 8:34 pm

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Eventually we want that to be Manage, but let's wait until we solve the issues at hand.

Where are you trying to access the MT device from?
One of the MT subnets?
A device behind the MAIN router but not behind the MT?
other??

You should be able to use winbox and not have to use any webgui etc.........
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 9:18 pm

When I am onsite, I can access the MT from a PC that has the IP address 192.168.88.254 and another PC that has the IP 10.1.10.11. Both of these are connected to the Unifi switch. The first is connected to a Trunk port on the switch and the other to a PC_LAN port on the switch.

Currently I am offsite. I can only VPN to the MAIN router then VNC to the 10.1.10.11 machine behind the MT.

I don't currently have Winbox installed.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Tue Jul 12, 2022 9:44 pm

Ahh okay, got it.
I would set up a wireguard connection from your pc at home directly to the MT device and then via winbox access the router config.
Basically bypassing the main router altogether (well you would have to forward the listening port to 10.199.6.39 at the main router).
(I do the same from my iphone using wireguard vpn and IOS MT app).
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Tue Jul 12, 2022 11:55 pm

For the time being, I can do what I need to by remoting to 10.1.10.11. Not ideal, but easier than setting up wireguard to the MT.

At this point the issues appear to be:
  • 88_LAN is broken. It is not connecting to the Internet. I can ping 192.168.88.1 but not the switch nor the PC I was remoting to.
  • Server_LAN is broken. I cannot ping 10.1.5.1. I added this missing line to the config (still not fixed):
add address=10.1.5.0/24 dns-server=10.199.6.6 domain=solv.local gateway=\
10.1.5.1 wins-server=10.199.6.6
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 12:33 am

Two things pop out

(1) This is still incorrect!!

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf

Should be
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=88_LAN name=defconf

(2) Still missing........
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
WHERE IS VLAN 5 ???
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 12:37 am

Why are you using 10.199.6.6 as some sort of DNS server??
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Wed Jul 13, 2022 6:25 pm

There's a Windows Active Directory domain controller at 10.199.6.6.

I've made the changes you suggested. See current config below.

I can ping 10.1.5.1 from 10.1.10.11 now. I cannot get to the 88_LAN from the 10.1.10.11.

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
add address-pool=Server_LAN_Pool disabled=no interface=Server_LAN name=\
Server_DHCP
add address-pool=default-dhcp disabled=no interface=88_LAN name=defcon


/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
10.1.5.1 wins-server=10.199.6.6
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 7:32 pm

Can the 88 subnet get to the internet?
The only difference I am seeing on .88 thus far is the DNS server setting on the dhcp network settings..........

What is the purpose of the windows active directory domain controller at 10.199.6.6 ?? ( have no clue why such things are used )
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 7:37 pm

One of these days I am going to chop your firewall rules down or make sense of them LOL......
But here is a perfect example of the mess.....

As you can see, in the second rule you give the entire 10.1.5.0/24 subnet access to the 88 LAN.
Therefore it makes the first rule redundant (not required).
Thus either the first rule is correct and the second rule should not be there, or the first rule needs to be removed.

add action=accept chain=forward dst-address=10.1.5.101 src-address=\
192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
out-interface=Server_LAN src-address=10.199.6.6

add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
192.168.88.0/24
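As an added example (not code from this thread or from MikroTik), a small Python checker that applies the points anav raises above to a RouterOS export: the duplicate /ip address entry (1a), a DHCP server bound to the bridge instead of its VLAN interface, and a forward accept rule made redundant by a broader rule with the same action. The export excerpt is constructed from the rules quoted in the thread; `shlex` and `ipaddress` are standard library.

```python
"""Added example: sanity checks over a RouterOS export (not code from the
thread).  Finds duplicate /ip address entries, DHCP servers bound to a
bridge rather than a VLAN interface, and forward rules whose src/dst are
already covered by a broader rule with the same action."""
import ipaddress
import shlex

# Constructed excerpt modelled on the export posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
    192.168.88.0
/ip firewall filter
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=drop chain=forward comment="Drop all else"
"""


def parse_export(text):
    """Return {section: [entry, ...]}; each entry is the key=value dict of one
    'add' command.  Backslash-continued lines are joined with the next line's
    indent dropped, and quoted values are kept whole by shlex."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current and tokens and tokens[0] == "add":
            entry = {}
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def duplicate_addresses(sections):
    """Point (1a): the same address/prefix assigned to more than one interface."""
    by_addr = {}
    for entry in sections.get("/ip address", []):
        by_addr.setdefault(entry["address"], []).append(entry.get("interface"))
    return {addr: ifaces for addr, ifaces in by_addr.items() if len(ifaces) > 1}


def dhcp_servers_on_bridge(sections):
    """DHCP servers bound to a bridge itself rather than to one of its VLAN
    interfaces (the thread's point (1): the 88 network belongs on 88_LAN)."""
    bridges = {b["name"] for b in sections.get("/interface bridge", [])}
    return [s["name"] for s in sections.get("/ip dhcp-server", [])
            if s.get("interface") in bridges]


# Matchers this checker does not model; a rule using them never counts as
# the broader (covering) rule, which avoids false positives.
UNMODELLED = {"protocol", "src-port", "dst-port", "in-interface", "out-interface",
              "in-interface-list", "out-interface-list", "connection-state",
              "connection-nat-state", "ipsec-policy"}


def _net(value):
    """An absent src/dst matcher means any address."""
    return ipaddress.ip_network(value or "0.0.0.0/0", strict=False)


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`
    with the same action: same chain, only address matchers on `broad`, and
    broad's src/dst networks contain narrow's."""
    if broad.get("chain") != narrow.get("chain") or broad.get("action") != narrow.get("action"):
        return False
    if UNMODELLED.intersection(broad):
        return False
    return (_net(narrow.get("src-address")).subnet_of(_net(broad.get("src-address")))
            and _net(narrow.get("dst-address")).subnet_of(_net(broad.get("dst-address"))))


def redundant_rules(sections, chain="forward"):
    """(redundant_index, covering_index) pairs over the enabled rules of
    `chain`, numbered in export order, which is the order RouterOS evaluates."""
    rules = [r for r in sections.get("/ip firewall filter", [])
             if r.get("chain") == chain and r.get("disabled") != "yes"]
    hits = []
    for i, narrow in enumerate(rules):
        for j, broad in enumerate(rules):
            if i == j or (broad == narrow and j > i):
                continue
            if covers(broad, narrow):
                hits.append((i, j))
    return hits


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("duplicate addresses:", duplicate_addresses(cfg))
    print("dhcp servers on a bridge:", dhcp_servers_on_bridge(cfg))
    print("redundant forward rules (rule, covered by):", redundant_rules(cfg))
```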
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 7:48 pm

Okay that makes sense you have no rule allowing 10.1.5.X to access the 88 LAN.
So in fact the config is correct, in that the behaviour is as expected. :-)

Further, the only rule you do have that is close:
add action=accept chain=forward dst-address=192.168.88.241 src-address=10.1.10.0/24

This only gives access to one IP address on the 88 LAN.
So you should be able to ping at least 192.168.88.241
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Wed Jul 13, 2022 8:36 pm

I have a PC connected to a "trunk" port on the switch. Neither the PC nor the switch is getting DHCP 192.168.88.xxx from the MT anymore. I cannot connect the PC to the MT or the internet, nor can I access the GUI of the switch. If I give the PC a static IP of 192.168.88.200, it cannot ping the MT at 192.168.88.1.

There are no Neighbors listed on the MT Webfig interface. 88_LAN is broken.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 8:47 pm

Can you send a copy of the latest config please!
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Wed Jul 13, 2022 9:01 pm

Here it is. Thanks!
# jul/13/2022 13:57:51 by RouterOS 6.49.6
# software id = BFI3-972K
#
# model = RB750Gr3
# serial number = D5030F24F9A6
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=LAN_Port
/interface vlan
add interface=bridge name=88_LAN vlan-id=88
add interface=bridge name=PC_LAN vlan-id=10
add interface=bridge name=Print_LAN vlan-id=30
add interface=bridge name=Server_LAN vlan-id=5
add interface=bridge name=VOIP_LAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Printer_LAN_Pool ranges=172.16.30.50-172.16.30.99
add name=VOIP_LAN_Pool ranges=192.168.20.50-192.168.20.99
add name=PC_LAN_Pool ranges=10.1.10.50-10.1.10.99
add name=Server_LAN_Pool ranges=10.1.5.50-10.1.5.59
/ip dhcp-server
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
    Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
add address-pool=Server_LAN_Pool disabled=no interface=Server_LAN name=\
    Server_DHCP
add address-pool=default-dhcp disabled=no interface=88_LAN name=defcon
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=LAN_Port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=Manage
/interface bridge vlan
add bridge=bridge tagged=bridge,LAN_Port untagged=ether3,ether4,ether5 \
    vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
    switch=switch1 vlan-id=0
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=88_LAN list=Manage
add interface=Server_LAN list=LAN
add interface=PC_LAN list=LAN
add interface=VOIP_LAN list=LAN
add interface=Print_LAN list=LAN
add interface=88_LAN list=LAN
/ip address
add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=88_LAN network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.20.99 client-id=1:10:bd:18:ae:55:6e mac-address=\
    10:BD:18:AE:55:6E server=VOIP_DHCP
add address=172.16.30.50 client-id=1:9c:ae:d3:ea:85:56 mac-address=\
    9C:AE:D3:EA:85:56 server=Print_DHCP
add address=192.168.88.241 client-id=1:78:45:58:fd:d1:52 comment="ABC Uni1" \
    mac-address=78:45:58:FD:D1:52
add address=172.16.30.52 client-id=1:48:ba:4e:3a:4:38 mac-address=\
    48:BA:4E:3A:04:38 server=Print_DHCP
add address=192.168.20.98 client-id=1:a4:93:4c:fe:ef:b mac-address=\
    A4:93:4C:FE:EF:0B server=VOIP_DHCP
add address=192.168.20.97 client-id=1:a4:93:4c:fe:ee:f8 mac-address=\
    A4:93:4C:FE:EE:F8 server=VOIP_DHCP
add address=192.168.20.96 client-id=1:e8:ed:f3:6b:6:9c mac-address=\
    E8:ED:F3:6B:06:9C server=VOIP_DHCP
add address=192.168.20.95 client-id=1:e0:2f:6d:60:4c:6b mac-address=\
    E0:2F:6D:60:4C:6B server=VOIP_DHCP
add address=192.168.20.94 client-id=1:e0:2f:6d:60:4c:10 mac-address=\
    E0:2F:6D:60:4C:10 server=VOIP_DHCP
add address=192.168.20.93 client-id=1:e0:2f:6d:60:4b:e7 mac-address=\
    E0:2F:6D:60:4B:E7 server=VOIP_DHCP
add address=192.168.20.92 client-id=1:a4:93:4c:fe:f3:55 mac-address=\
    A4:93:4C:FE:F3:55 server=VOIP_DHCP
/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.5.1 wins-server=10.199.6.6
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    10.1.10.0/24
add action=accept chain=forward dst-address=10.1.5.101 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    out-interface=Server_LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=tcp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=udp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 out-interface-list=LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=9100 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3289 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=515 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3702 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=2968 \
    protocol=tcp src-address=172.16.30.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=2968 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=445 \
    protocol=tcp src-address=172.16.30.0/24
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VNC to PC" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP to WTS" dst-address=10.199.6.39 \
    dst-port=81 protocol=tcp to-addresses=10.1.5.100 to-ports=81
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=82 protocol=\
    tcp to-addresses=10.1.5.99 to-ports=81
add action=dst-nat chain=dstnat comment="RDP to Hyper-v Host" dst-address=\
    10.199.6.39 dst-port=3389 protocol=tcp to-addresses=10.1.5.91 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    protocol=tcp to-addresses=10.1.5.101 to-ports=5101
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 10:06 pm

As I stated previously, the only difference I can discern in the config (no visible errors) is your choice of DNS server:

/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
10.1.5.1 wins-server=10.199.6.6
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1

Suggesting, just for giggles: change that to 8.8.8.8 as well and see what happens?
Change it to 10.199.6.6 and see what happens?
Also curious: do PCs get an IP address and internet access when attached to ether3, 4 or 5?
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 10:09 pm

Why is this still in your config? It should have been removed!!!
Oh, my bad, I see it's disabled, so no ill effects anyway.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 10:12 pm

Okay, I have to ask: what brand/model is the main router?
Do you have routes created on that router so that the Active Directory server initiating traffic to the subnets behind the MT has routes (knows how to get there)?

Something like: if you want to reach 192.168.88.0/24, you need to go by way of 10.199.6.39?
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding troubles

Wed Jul 13, 2022 10:17 pm

I still think this is a problem, but you have to figure out how you added it, because it didn't get there by itself!!
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
switch=switch1 vlan-id=0

Going through the Switch menu (left-hand side selection in WinBox), I see multiple tabs: Switch, Port, Port Isolation, Host, Vlan and Rule.
Switch is just the name of the switch and its type.
Port looks like the default settings, ether1 through X, VLAN mode disabled.
Port Isolation looks like the default setting, ether1-X, nothing showing in the forward entry.
Host looks like MAC addresses assigned to each interface, probably PCs that are connected on that particular interface.
Vlan is completely blank.
Rule is completely blank.

So nothing that corresponds directly to what you are seeing.
I wonder: is that MAC address the MAC of ether2, or of the switch it's connected to via the trunk port?
 
barkingdoggy
just joined
Topic Author
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Port forwarding troubles

Wed Jul 13, 2022 11:53 pm

I got rid of 88_LAN et al. and things are working(?). Bridge DHCP is working again.
I updated the trunk settings on the switch to add Server_LAN. Server_LAN is working as it should.
Tomorrow I'll work on edits and improvements to the firewall. I don't know what the value-add of 88_LAN is. Is it worth trying to get it working?

Thanks for your help.

Here's the current config:
# jul/13/2022 16:41:56 by RouterOS 6.49.6
# software id = BFI3-972K
#
# model = RB750Gr3
# serial number = D5030F24F9A6
/interface bridge
add admin-mac=DC:2C:6E:B7:2F:E7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=LAN_Port
/interface vlan
add disabled=yes interface=bridge name=88_LAN vlan-id=88
add interface=LAN_Port name=PC_LAN vlan-id=10
add interface=LAN_Port name=Print_LAN vlan-id=30
add interface=LAN_Port name=Server_LAN vlan-id=5
add interface=LAN_Port name=VOIP_LAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Printer_LAN_Pool ranges=172.16.30.50-172.16.30.99
add name=VOIP_LAN_Pool ranges=192.168.20.50-192.168.20.99
add name=PC_LAN_Pool ranges=10.1.10.50-10.1.10.99
add name=Server_LAN_Pool ranges=10.1.5.50-10.1.5.59
/ip dhcp-server
add address-pool=Printer_LAN_Pool disabled=no interface=Print_LAN name=\
    Print_DHCP
add address-pool=VOIP_LAN_Pool disabled=no interface=VOIP_LAN name=VOIP_DHCP
add address-pool=PC_LAN_Pool disabled=no interface=PC_LAN name=PC_DHCP
add address-pool=Server_LAN_Pool disabled=no interface=Server_LAN name=\
    Server_DHCP
add address-pool=default-dhcp disabled=no interface=88_LAN name=defcon
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=LAN_Port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge disabled=yes tagged=bridge,LAN_Port untagged=\
    ether3,ether4,ether5 vlan-ids=88
add bridge=bridge tagged=bridge,LAN_Port vlan-ids=5,10,20,30
/interface ethernet switch host
add mac-address=B8:CA:3A:91:3A:85 ports=LAN_Port share-vlan-learned=no \
    switch=switch1 vlan-id=0
/interface list member
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=88_LAN list=Manage
add interface=Server_LAN list=LAN
add interface=PC_LAN list=LAN
add interface=VOIP_LAN list=LAN
add interface=Print_LAN list=LAN
add disabled=yes interface=88_LAN list=LAN
/ip address
add address=10.1.10.1/24 interface=PC_LAN network=10.1.10.0
add address=192.168.20.1/24 interface=VOIP_LAN network=192.168.20.0
add address=172.16.30.1/24 interface=Print_LAN network=172.16.30.0
add address=10.1.5.1/24 interface=Server_LAN network=10.1.5.0
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.20.99 client-id=1:10:bd:18:ae:55:6e mac-address=\
    10:BD:18:AE:55:6E server=VOIP_DHCP
add address=172.16.30.50 client-id=1:9c:ae:d3:ea:85:56 mac-address=\
    9C:AE:D3:EA:85:56 server=Print_DHCP
add address=192.168.88.241 client-id=1:78:45:58:fd:d1:52 comment="ABC Uni1" \
    mac-address=78:45:58:FD:D1:52
add address=172.16.30.52 client-id=1:48:ba:4e:3a:4:38 mac-address=\
    48:BA:4E:3A:04:38 server=Print_DHCP
add address=192.168.20.98 client-id=1:a4:93:4c:fe:ef:b mac-address=\
    A4:93:4C:FE:EF:0B server=VOIP_DHCP
add address=192.168.20.97 client-id=1:a4:93:4c:fe:ee:f8 mac-address=\
    A4:93:4C:FE:EE:F8 server=VOIP_DHCP
add address=192.168.20.96 client-id=1:e8:ed:f3:6b:6:9c mac-address=\
    E8:ED:F3:6B:06:9C server=VOIP_DHCP
add address=192.168.20.95 client-id=1:e0:2f:6d:60:4c:6b mac-address=\
    E0:2F:6D:60:4C:6B server=VOIP_DHCP
add address=192.168.20.94 client-id=1:e0:2f:6d:60:4c:10 mac-address=\
    E0:2F:6D:60:4C:10 server=VOIP_DHCP
add address=192.168.20.93 client-id=1:e0:2f:6d:60:4b:e7 mac-address=\
    E0:2F:6D:60:4B:E7 server=VOIP_DHCP
add address=192.168.20.92 client-id=1:a4:93:4c:fe:f3:55 mac-address=\
    A4:93:4C:FE:F3:55 server=VOIP_DHCP
add address=10.1.5.50 client-id=1:0:11:32:7:8c:64 mac-address=\
    00:11:32:07:8C:64 server=Server_DHCP
/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.5.1 wins-server=10.199.6.6
add address=10.1.10.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    10.1.10.1 wins-server=10.199.6.6
add address=172.16.30.0/24 dns-server=10.199.6.6 domain=ABC.local gateway=\
    172.16.30.1 wins-server=10.199.6.6
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    192.168.88.0/24
add action=accept chain=input dst-port=80 protocol=tcp src-address=\
    10.1.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    10.1.10.0/24
add action=accept chain=forward dst-address=10.1.5.50 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=10.199.6.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    out-interface=PC_LAN src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    out-interface=Server_LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=10.1.5.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=tcp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 dst-port=20-65535 out-interface-list=LAN \
    protocol=udp src-address=10.199.6.6
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=10.199.6.6 dst-port=20-65535 in-interface-list=LAN \
    out-interface-list=LAN protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related,new \
    dst-address=192.168.88.0/24 out-interface-list=LAN src-address=10.199.6.6
add action=accept chain=forward dst-address=192.168.88.241 src-address=\
    10.1.10.0/24
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=9100 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=161 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3289 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=515 \
    protocol=tcp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=3702 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=2968 \
    protocol=tcp src-address=172.16.30.0/24
add action=accept chain=forward dst-address=172.16.30.0/24 dst-port=2968 \
    protocol=udp src-address=10.1.10.0/24
add action=accept chain=forward dst-address=10.1.10.0/24 dst-port=445 \
    protocol=tcp src-address=172.16.30.0/24
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VNC to GIS PC" dst-address=\
    10.199.6.39 dst-port=5900 protocol=tcp to-addresses=10.1.10.11 to-ports=\
    5900
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5800 \
    protocol=tcp to-addresses=10.1.10.11 to-ports=5800
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP to WTS" dst-address=10.199.6.39 \
    dst-port=81 protocol=tcp to-addresses=10.1.5.100 to-ports=81
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=82 protocol=\
    tcp to-addresses=10.1.5.99 to-ports=81
add action=dst-nat chain=dstnat comment="RDP to Hyper-V Host" dst-address=\
    10.199.6.39 dst-port=3389 protocol=tcp to-addresses=10.1.5.91 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=10.199.6.39 dst-port=5101 \
    protocol=tcp to-addresses=10.1.5.50 to-ports=5101
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
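The firewall in the export above is worth reading rule by rule rather than as a whole. The forward-chain rule commented "defconf: accept established,related, untracked" carries `connection-state=established,related,new,untracked` and no other matcher, so it is a terminating accept for every tracked packet; the only state it leaves for later rules is `invalid`, which the next rule drops. Everything after that, the inter-VLAN accepts, the printer-port rules and the closing "Drop all else", can never match, and the disabled "Allow port forwarding" rule is irrelevant because dst-nat'd connections are already admitted as `new` by the catch-all. The script below is an added example written for this thread (not code from the posts or from MikroTik): it parses RouterOS export syntax, walks the forward chain tracking which connection states can still reach each rule, reports the shadowed rules, and names the first rule that admits new dst-nat'd connections. The sample export is a constructed, trimmed copy of the forward chain and one dst-nat rule from the config above; the "corrected" variant is my assumption of the intended fix (drop `new` from the catch-all, enable the dstnat accept). The analysis is a heuristic: it treats `fasttrack-connection` as non-terminating, ignores `jump`/`return`, address lists and interface matchers beyond noting that a rule has them, and only models the `connection-state` and `connection-nat-state` matchers.

```python
"""Audit a RouterOS firewall export for rules that can never match and for the
rule that actually admits dst-nat'd connections in the forward chain.
Example code written for this thread; not from the original posts or from MikroTik."""
import re
import shlex

ALL_STATES = frozenset({"new", "established", "related", "untracked", "invalid"})
TERMINATING = {"accept", "drop", "reject"}          # actions that end rule evaluation
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                "to-addresses", "to-ports"}          # keys that do not select packets

# Constructed sample: trimmed copy of the forward chain and one dst-nat rule from
# the export above, in RouterOS export syntax (trailing backslash = continuation).
SAMPLE_AS_POSTED = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat comment="Rsync backup" dst-address=\
    10.199.6.39 dst-port=222 protocol=tcp to-addresses=10.1.5.101 to-ports=22
"""

# Assumed fix: remove `new` from the catch-all accept and enable the dstnat accept.
SAMPLE_CORRECTED = (SAMPLE_AS_POSTED
    .replace("established,related,new,untracked", "established,related,untracked")
    .replace("connection-nat-state=dstnat disabled=yes", "connection-nat-state=dstnat"))


def parse_export(text):
    """Return [(section, {key: value}), ...] for every `add` line in an export.

    Export lines wrapped with a trailing backslash are re-joined first, so a
    quoted comment or a state list split across lines comes back as one token.
    """
    joined = re.sub(r"\\\n\s*", "", text)
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append((section, kv))
    return rules


def audit(text):
    """Walk the forward chain; report unreachable rules and the dst-nat admitter."""
    rules = parse_export(text)
    forward = [(i, kv) for i, (sec, kv) in enumerate(rules)
               if sec == "/ip firewall filter" and kv.get("chain") == "forward"]
    remaining = set(ALL_STATES)        # connection states that can still reach the next rule
    shadowed, admitter = [], None
    for i, kv in forward:
        if kv.get("disabled") == "yes":
            continue
        states = set(kv["connection-state"].split(",")) if "connection-state" in kv else set(ALL_STATES)
        reachable = states & remaining
        if not reachable:              # nothing this rule matches survives the rules above it
            shadowed.append((i, kv.get("comment", "")))
            continue
        other = set(kv) - NON_MATCHERS - {"connection-state", "connection-nat-state"}
        nat_ok = kv.get("connection-nat-state") in (None, "dstnat")
        if admitter is None and kv["action"] == "accept" and not other and nat_ok and "new" in reachable:
            admitter = (i, kv.get("comment", ""))
        if kv["action"] in TERMINATING and not other and "connection-nat-state" not in kv:
            remaining -= states        # a state-only terminating rule consumes those states
    dstnat = [(i, kv.get("comment", ""), kv.get("to-addresses"), kv.get("to-ports"))
              for i, (sec, kv) in enumerate(rules)
              if sec == "/ip firewall nat" and kv.get("action") == "dst-nat"
              and kv.get("disabled") != "yes"]
    return {"shadowed": shadowed, "dstnat_admitted_by": admitter, "dstnat_rules": dstnat}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_AS_POSTED), ("corrected", SAMPLE_CORRECTED)):
        result = audit(text)
        print(f"[{label}] shadowed rules: {result['shadowed']}")
        print(f"[{label}] first forward rule admitting new dst-nat connections: "
              f"{result['dstnat_admitted_by']}")
        print(f"[{label}] active dst-nat targets: {result['dstnat_rules']}")
```

Run against the export as posted, the LAN-to-WAN accept and "Drop all else" come back as shadowed and the catch-all accept is what admits the dst-nat'd SSH connection to 10.1.5.101:22. With `new` removed from that rule and the dstnat accept enabled, nothing is shadowed, the final drop becomes reachable, and "Allow port forwarding" is the rule that admits forwarded connections, which is the place to narrow later (for example by adding `in-interface-list=WAN` and the intended destination addresses) once the VLAN trunk issue the thread resolved is out of the way. The same walk applied to the full export would list every inter-VLAN and printer rule as shadowed, since all of them sit below the catch-all.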
