For some reason I can't get port forwarding to work past the router. I can open any port on the router itself, and that works when I test with an "is my port open" website. However, when I forward port 5060 to my VOIP server, the router does not forward the port to the server. Does anyone see anything wrong with my config? I'm running the latest stable branch of RouterOS 6.
# aug/16/2022 11:04:12 by RouterOS 6.48.6
# model = RB2011iL
# Interface definitions, IPsec phase-1/phase-2 parameters, address pools and DHCP servers.
/interface bridge
# NOTE(review): this entry has no leading "add"; presumably it was lost when the post was trimmed (for
# example while removing the bridge MAC address) - confirm against the router's own export.
auto-mac=no comment=defconf name=bridge
/interface gre
# GRE provides no encryption by itself and no ipsec-secret is shown on this tunnel. The IPsec peer below
# is addressed at 172.16.0.29, i.e. inside the tunnel's /30, so IKE runs across this tunnel.
add local-address=209.111.111.111 name=gre-tunnel1 remote-address=72.111.111.111
/interface vlan
# VLAN 10 is built directly on ether5; ether5 is also listed as a bridge port under /interface bridge port.
add interface=ether5 name="VLAN" vlan-id=10
/interface list
# WAN and LAN are the lists the firewall rules match on; membership is set under /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Phase-1 (IKE) parameters: AES-256, SHA-256, DH group modp4096, NAT traversal disabled.
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=CSGO nat-traversal=no
/ip ipsec peer
add address=172.16.0.29/32 local-address=172.16.0.30 name="County" profile=CSGO
/ip ipsec proposal
# Phase-2 proposals. The only policy in this export uses LEADS; Flex is not referenced by it.
# NOTE(review): Flex shows no pfs-group, so whatever the RouterOS default is applies (presumably a much
# smaller group than modp4096 - verify on the router).
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Flex
# NOTE(review): LEADS still offers sha1 next to sha256; if the remote side supports sha256, dropping sha1
# removes the weaker option from negotiation.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=LEADS pfs-group=modp4096
/ip pool
# dhcp serves the bridge, dhcp_pool2 serves the VLAN interface, vpn is handed to PPP clients.
add name=dhcp ranges=10.100.1.2-10.100.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=10.100.10.2-10.100.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface="VLAN" name=dhcp1
/ppp profile
# *FFFFFFFE is an internal item ID, presumably the built-in default-encryption profile (the SSTP server
# below names default-encryption as its profile) - confirm. VPN clients get addresses from the vpn pool.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# Bridge membership, interface-list membership and the three VPN servers enabled on this router.
/interface bridge port
# ether2-ether10 are bridged; ether1 is left out and is the WAN port (see /interface list member).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
# NOTE(review): ether5 is a bridge port here and is also the parent of the "VLAN" interface defined under
# /interface vlan; a VLAN on a bridged port is a commonly reported cause of VLAN traffic not behaving as
# expected - confirm this is intended.
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not announced on ether1.
set discover-interface-list=LAN
/interface bridge vlan
# NOTE(review): no vlan-filtering setting is shown on the bridge, so this table is presumably not being
# enforced - verify.
add bridge=bridge tagged="VLAN" vlan-ids=10
/interface l2tp-server server
# L2TP requires IPsec here; no ipsec-secret is shown, presumably omitted from the export or the post.
set enabled=yes use-ipsec=yes
/interface list member
# Only bridge is in LAN and only ether1 is in WAN. The "VLAN" interface and gre-tunnel1 are in neither
# list, so rules matching !LAN treat them as non-LAN and rules matching WAN do not apply to them.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# NOTE(review): PPTP is enabled and reachable through the TCP 1723 input rule. Its MS-CHAPv2/MPPE
# protection is widely regarded as weak; since L2TP/IPsec and SSTP are also enabled, disabling PPTP and
# removing that input rule would reduce exposure.
set enabled=yes
/interface sstp-server server
# NOTE(review): no certificate= is shown for the SSTP server; without one, clients presumably cannot
# authenticate the server - confirm on the router.
set default-profile=default-encryption enabled=yes
# Router addresses, WAN DHCP client, static leases, DNS and the address list used for the remote site.
/ip address
add address=10.100.1.1/24 comment=defconf interface=bridge network=10.100.1.0
add address=10.100.10.1/24 interface="VLAN" network=10.100.10.0
# Inner address of the GRE tunnel; 172.16.0.29 on the same /30 is the IPsec peer.
add address=172.16.0.30/30 interface=gre-tunnel1 network=172.16.0.28
/ip cloud
# Publishes the router's public address under a MikroTik cloud DNS name.
set ddns-enabled=yes
/ip dhcp-client
# The WAN address on ether1 is obtained by DHCP.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.100.1.20 client-id=1:34:5a:6:d2:3e:9c mac-address=34:5A:06:D2:3E:9C server=defconf
# 10.100.1.23 is the target of the three VOIP dst-nat rules under /ip firewall nat.
add address=10.100.1.23 mac-address=00:25:90:63:93:65 server=defconf
add address=10.100.10.6 client-id=1:a8:93:4a:66:f1:cb mac-address=A8:93:4A:66:F1:CB server=dhcp1
/ip dhcp-server network
add address=10.100.1.0/24 comment=defconf gateway=10.100.1.1 netmask=24
add address=10.100.10.0/24 gateway=10.100.10.1
/ip dns
# The router answers DNS queries itself. Whether that resolver is reachable from the Internet depends on
# the input chain: no rule in this export accepts port 53 from WAN and the final input rule drops
# non-LAN traffic, so keep that drop in place while this setting is on.
set allow-remote-requests=yes
/ip dns static
add address=10.100.1.1 comment=defconf name=router.lan
/ip firewall address-list
# NOTE(review): the CCSO list is defined here but no filter or NAT rule in this export references it.
add address=72.111.111.111 list=CCSO
add address=10.34.40.134 list=CCSO
add address=10.34.40.136 list=CCSO
# Packet filter: the input chain covers traffic addressed to the router, the forward chain covers
# traffic passing through it. Rules are evaluated in the order listed.
/ip firewall filter
# NOTE(review): 500 and 4500 are IKE and NAT-T and 1701 is L2TP, but ESP is IP protocol 50
# (protocol=ipsec-esp), not UDP port 50, so the "50" entry in this UDP rule does not admit ESP.
add action=accept chain=input dst-port=50,500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
# NOTE(review): Winbox management (TCP 8291) is accepted from the entire WAN list with no source
# restriction. Adding a src-address-list match, or managing the router only over the VPN, would take the
# management port off the open Internet.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
# NOTE(review): TCP 80 is accepted from WAN although /ip service www is disabled, so this rule looks like
# a leftover that can presumably be removed.
add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp
# The next two rules carry no in-interface match, so they accept from every interface.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# The invalid-state drop sits below the accepts above, so it never sees packets those rules matched.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Final input rule: anything not accepted above that arrives on an interface outside the LAN list is
# dropped. Only bridge is in that list, so this also applies to the "VLAN" and gre-tunnel1 interfaces.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
# Accepts every forwarded connection that matched a dst-nat rule, from any interface, ahead of the
# invalid drop below; the dst-nat rules therefore decide what is exposed to the Internet.
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN that were not dst-nat'ed are dropped; there is no other forward drop, so
# forwarding between the internal interfaces is not restricted by this rule set.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
# Source NAT for outbound and VPN traffic, followed by the three port forwards to the VOIP server.
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# Source and destination are both 10.100.1.0/24: a hairpin-style masquerade for LAN-to-LAN traffic that
# passes through the router. The dst-nat rules below match in-interface=ether1 only, so connections made
# from the LAN to the public address are not translated by them.
add action=masquerade chain=srcnat dst-address=10.100.1.0/24 src-address=10.100.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
# Port forwards to 10.100.1.23 (static lease under /ip dhcp-server lease): SIP on UDP and TCP 5060 and a
# UDP range 10000-20000, presumably RTP media. None has a src-address or src-address-list match, so any
# Internet source is forwarded to the server.
# NOTE(review): SIP services reachable from any source are routinely scanned for weak credentials;
# limiting these rules to the SIP provider's addresses with src-address-list is the usual hardening -
# confirm the provider's ranges before applying it.
# NOTE(review): when testing, web port checkers generally probe TCP only, so the UDP forwards cannot be
# confirmed that way. The packet counters on these rules and a capture on the server show whether traffic
# is being translated; the TCP rule appears open only if the server listens on TCP 5060 and replies via
# this router - verify both.
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface=ether1 protocol=udp \
to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP2 dst-port=5060 in-interface=ether1 protocol=tcp \
to-addresses=10.100.1.23 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP3 dst-port=10000-20000 in-interface=ether1 protocol=udp \
to-addresses=10.100.1.23 to-ports=10000-20000
# NAT helper, IPsec identity/policy, management services, PPP user and MAC-level access settings.
/ip firewall service-port
# The SIP NAT helper is turned off, so the router does not rewrite addresses inside SIP messages; the
# VOIP server presumably has to be told its public address itself - verify in the server's NAT settings.
set sip disabled=yes sip-direct-media=no
/ip ipsec identity
# No secret or certificate is shown for this identity, presumably omitted from the export or the post.
add peer="County"
/ip ipsec policy
# Only traffic between the two tunnel addresses (172.16.0.30/32 and 172.16.0.29/32) matches this policy.
add dst-address=172.16.0.29/32 peer="County" proposal=LEADS src-address=172.16.0.30/32
/ip service
# Only www is changed here; the other management services are not listed, so they are presumably in
# their default state. NOTE(review): disabling unused services and setting address= on the remaining ones
# limits them independently of the firewall.
set www disabled=yes
/ppp secret
# NOTE(review): no password, service or profile is shown for this user. If the password was merely
# omitted from the export that is expected; if it is actually empty, the account is usable on the PPTP,
# L2TP and SSTP servers enabled above - verify and set a strong one.
add name=vpn
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC Telnet and MAC Winbox are limited to the LAN list, so they are not offered on ether1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN