KRipe
Topic Author

Port forwarding behind the bridge

Sun Jan 15, 2023 6:01 pm

Good afternoon.
I need to take the device on ether3 out of the bridge.
There is port forwarding to the device connected to ether3.
After removing ether3 from the bridge, the forwarding stops working.
Ping does not work either.
I have tried many ways; none of them worked.
Is there an easy way to do this?

I would like to:
1) Remove ether3 from the bridge on the main MikroTik.
2) Have access to the device behind ether3 on port 999.
3) Have access from the ether3 port to port 888 of the main MikroTik.
# jan/15/2023 19:09:18 by RouterOS 7.7rc3
# software id = GPKG-AKUI
#
# model = RBD53iG-5HacD2HnD
# serial number = HCW086ZEHRQ
# Layer-2 layout: a single bridge carries the LAN; ether1 is the WAN uplink.
# auto-mac=no with a fixed admin-mac keeps the bridge MAC stable when member
# ports are added or removed.
/interface bridge
add admin-mac=18:FD:74:64:C2:4E auto-mac=no comment=defconf name=bridge
# Port roles as labelled by the author. ether3 is commented "WAN - A1" but is
# still a bridge member (see /interface bridge port); it is the port the
# author wants to take out of the bridge. Nothing in /ip address below is
# bound to ether3 itself, so once it leaves the bridge it has no L3 presence
# (compare ether5, which carries its own 192.168.3.1/24).
/interface ethernet
set [ find default-name=ether1 ] comment="WAN - KOSMOS 1000" mac-address=\
    00:15:5D:01:25:33
set [ find default-name=ether2 ] comment=LAN-MAIN
set [ find default-name=ether3 ] comment="WAN - A1"
set [ find default-name=ether4 ] comment="LAN - NEW SRV"
set [ find default-name=ether5 ] comment="LAN - FESHN" poe-out=off
# 5 GHz AP "1221.BY". No security-profile= is given, so it uses the "default"
# profile, for which this export only shows supplicant-identity.
# NOTE(review): if this is a non-verbose export (only non-default values are
# printed), the default profile is still mode=none and this SSID is an open
# network — confirm with /interface wireless security-profiles print.
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=1221.BY wireless-protocol=802.11
# WireGuard endpoint; the matching WAN input accept for udp/13231 is in
# /ip firewall filter. Keys are not shown in this export.
/interface wireguard
add listen-port=13231 mtu=1300 name=wg1
# Interface lists used by the firewall. Membership is set further down: only
# ether1 is in WAN and only the bridge is in LAN, so ether5 and wg1 belong to
# neither list.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# profile1 (used by wlan1) accepts wpa-psk alongside wpa2-psk, i.e. WPA1
# clients are still allowed; the pre-shared keys are not shown in the export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity=""
# 2.4 GHz AP. The SSID value "U+1F60E" looks like a mangled emoji code point
# rather than an intended name — verify on the device.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=profile1 ssid=U+1F60E wireless-protocol=802.11
# Address pools. The 10.100.100.x pool feeds the (currently disabled) DHCP
# server on the bridge; the 192.168.0.x pool is not referenced by any DHCP
# server in this export.
/ip pool
add name=10.100.100-POOL ranges=10.100.100.10-10.100.100.75
add name=192.168.0-POOL ranges=192.168.0.10-192.168.0.70
# DHCP on the bridge is disabled=yes, so LAN hosts are addressed statically
# or by something else (the dhcp-server network below names 10.100.100.254
# as a DNS server, which may be that host).
/ip dhcp-server
add address-pool=10.100.100-POOL disabled=yes interface=bridge lease-time=\
    1h10m name=defconf
# Earlier attempts to isolate ether3 at the bridge level. All four rules are
# disabled=yes, so they currently have no effect.
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=ether3 out-interface=\
    ether3
add action=accept chain=forward disabled=yes in-interface=ether3 \
    out-interface=ether5
add action=drop chain=forward disabled=yes out-interface=ether3
add action=drop chain=forward disabled=yes in-interface=ether3
# Bridge membership. ether3 is still a member (hence the "slave" remarks in
# the /ip firewall filter section). ether5 is disabled as a bridge port and
# runs its own 192.168.3.0/24 subnet instead — the same pattern ether3 would
# need (an /ip address on ether3 plus forward/NAT rules) to keep working
# after it is removed from the bridge.
/interface bridge port
add bridge=bridge comment=LAN-MAIN interface=ether2
add bridge=bridge comment=WAN-A1 interface=ether3
add bridge=bridge comment="LAN-NEW SRV" interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is switched off globally, so the /ipv6 firewall sections further down
# are present but not in effect.
/ipv6 settings
set disable-ipv6=yes
# WAN = ether1 only, LAN = bridge only. wg1 and ether5 are in neither list,
# which matters for every in-interface-list=!LAN drop rule in the filters.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Peer list is empty in the export (peers may have been stripped before
# posting).
/interface wireguard peers

# Router addresses. The bridge carries two subnets (192.168.0.0/24 and
# 10.100.100.0/24), ether5 has 192.168.3.0/24, and wg1 carries seven /24s.
# Nothing here is bound to ether3. comment= values written with \XX escapes
# are CP1251-encoded Russian labels (roughly: "old lan", "for FESHN server",
# "for WG clients", "new lan"); they are config data and left untouched.
/ip address
add address=192.168.0.1/24 comment="\D1\F2\E0\F0\FB\E9 lan" interface=bridge \
    network=192.168.0.0
add address=192.168.3.1/24 comment=\
    "\C4\CB\DF \D1\C5\D0\C2\C5\D0\C0 \D4\C5\D8\CD" interface=ether5 network=\
    192.168.3.0
add address=10.0.200.100/24 comment="\C4\CB\DF WG \CA\CB\C8\C5\CD\D2\CE\C2" \
    interface=wg1 network=10.0.200.0
add address=10.0.83.200/24 interface=wg1 network=10.0.83.0
add address=10.0.0.1/24 comment="\C4\CB\DF WG \CA\CB\C8\C5\CD\D2\CE\C2" \
    interface=wg1 network=10.0.0.0
add address=10.0.20.200/24 interface=wg1 network=10.0.20.0
add address=10.0.85.200/24 interface=wg1 network=10.0.85.0
add address=10.100.100.1/24 comment="\CD\EE\E2\FB\E9 lan" interface=bridge \
    network=10.100.100.0
add address=10.99.99.100/24 interface=wg1 network=10.99.99.0
add address=10.0.56.200/24 interface=wg1 network=10.0.56.0
# WAN address is obtained from the upstream via DHCP.
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.100.100.0/24 comment=defconf dns-server=10.100.100.254,1.1.1.1 \
    gateway=10.100.100.1 netmask=24
# The router answers DNS for anything that reaches its input chain; the
# "drop all not coming from LAN" input rule restricts that to the bridge.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
# Stale defconf entry: 192.168.88.1 is not one of this router's addresses.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Only the BLOCK list has static entries. Belarus_IP and WHIITELIST are
# referenced by NAT/filter rules but do not appear here — they are either
# dynamic (not exported) or empty, in which case those rules never match.
/ip firewall address-list
add address=178.124.211.86 list=BLOCK
# Filter rules. Order is significant: rules are evaluated top to bottom and
# the first match wins. The "accept established" rules sit after several
# specific rules here (they are usually placed first for performance, but the
# outcome is the same). There is no final catch-all drop in the forward
# chain, so anything not explicitly dropped below is forwarded.
/ip firewall filter
# Blacklist ("black list") drop is input-only: traffic from BLOCK can still
# reach dst-nat'ed services through the forward chain. A matching forward
# (or raw prerouting) drop would be needed for a real blacklist.
add action=drop chain=input comment="\D7\C5\D0\CD\DB\C9 \D1\CF\C8\D1\CE\CA" \
    in-interface=ether1 src-address-list=BLOCK
# WinBox over the WireGuard tunnel, to any address on the router.
add action=accept chain=input comment="ALLOW 10.100.100.1 FROM WG" dst-port=\
    8291 in-interface=wg1 protocol=tcp
add action=accept chain=forward comment=003-MAP-USB dst-port=33000 \
    in-interface=ether5 out-interface=ether1 protocol=tcp
# The author's note below is right: while ether3 is a bridge slave,
# in-interface=ether3 / out-interface=ether3 never match in /ip firewall
# (packets arrive on "bridge"), so the two TEST rules do nothing today. Once
# ether3 is a standalone routed port they would start matching.
# in/out-interface matcher not possible when interface (ether3) is slave - use master instead (bridge)
add action=accept chain=forward comment="!!!!!!!!!!TEST 0.3" dst-port=\
    80,443,2267,2580,2579,5060,5061,8002,8111,8080 in-interface=ether3 \
    out-interface=bridge protocol=tcp
# in/out-interface matcher not possible when interface (ether3) is slave - use master instead (bridge)
# Reverse-direction rule keyed on src-port. Return traffic is already covered
# by the established/related accept further down, so this appears redundant.
add action=accept chain=forward comment="!!!!!!!!!!TEST 0.3" in-interface=\
    bridge out-interface=ether3 protocol=tcp src-port=\
    80,443,2267,2580,2579,5060,5061,8002,8111,8080
# Isolation between the bridge subnets and ether5 (192.168.3.0/24): only
# TCP/3389 passes. protocol=tcp means UDP and ICMP are not restricted here.
add action=drop chain=forward dst-port=!3389 in-interface=bridge \
    out-interface=ether5 protocol=tcp
add action=drop chain=forward in-interface=ether5 out-interface=bridge \
    protocol=tcp src-port=!3389
# Shadowed by the broader "ALLOW ... FROM WG" 8291 rule above, which has no
# dst-address restriction.
add action=accept chain=input dst-address=10.0.200.100 dst-port=8291 \
    in-interface=wg1 protocol=tcp
# NOTE(review): 8411 from WAN is dst-nat'ed to 192.168.0.211:3389 in
# /ip firewall nat, so those packets traverse forward, not input; this input
# rule likely never matches. (Comment decodes as "DIRECT RDP WHITELIST".)
add action=accept chain=input comment="\CF\D0\DF\CC\CE\C9 RDP WHITELIST" \
    dst-port=8411 in-interface-list=WAN protocol=tcp src-address-list=\
    WHIITELIST
# NOTE(review): 10.100.100.197 and 10.100.100.254 are LAN hosts, not router
# addresses, so these chain=input rules cannot match traffic to them;
# chain=forward was probably intended.
add action=accept chain=input comment=RDP-SERVER dst-address=10.100.100.197 \
    dst-port=3389 in-interface=wg1 protocol=tcp
add action=accept chain=input comment=RDP-SERVER dst-address=10.100.100.254 \
    dst-port=3389 in-interface=wg1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WireGuard handshake/data from the Internet.
add action=accept chain=input comment="ALLOW-WG PORT" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted on every interface, WAN included (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: everything not from the LAN list (i.e. not from the
# bridge) is dropped. That covers ether5, wg1 and — once it leaves the
# bridge — ether3, unless an explicit accept precedes this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Any WireGuard peer may forward anywhere (all LAN subnets and, via the WAN
# masquerade, the Internet): no destination or port restriction, and it is
# evaluated before "drop invalid".
add action=accept chain=forward comment=FORWARD-WG in-interface=wg1
# Comment says "ipsec policy" but the matcher is connection-state; this
# duplicates the established/related accept that follows it.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    connection-state=established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Default deny for WAN: only connections that hit a dst-nat rule get in.
# Because ether5 and wg1 are not in WAN, this rule does not restrict them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NAT. Three masquerade rules: ether1 (Internet), wg1 (traffic sent into the
# tunnel) and the bridge itself. MASQ-BRIDGE is presumably there so the
# hairpin (LAN-to-public-IP) dst-nat rules below return correctly, but it
# also rewrites the source of every connection routed into the bridge (from
# ether5, wg1 or dst-nat'ed WAN clients) to the router's own address, so LAN
# servers only ever see 192.168.0.1 / 10.100.100.1 in their logs and host
# firewalls. A srcnat rule limited to the hairpin case (LAN source to the
# forwarded host) would be tighter.
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ-WAN ipsec-policy=out,none \
    out-interface=ether1
add action=masquerade chain=srcnat comment=MASQ-WG out-interface=wg1
add action=masquerade chain=srcnat comment=MASQ-BRIDGE ipsec-policy=out,none \
    out-interface=bridge
# Inbound port maps. Rules with src-address-list=Belarus_IP / WHIITELIST only
# match if those lists are populated (neither has static entries in this
# export). Rules without a source list are reachable from the whole Internet.
add action=dst-nat chain=dstnat comment=MAP-NOIP-VIEWER disabled=yes \
    dst-port=5681 in-interface-list=WAN protocol=tcp src-address-list=\
    Belarus_IP to-addresses=192.168.0.226
add action=dst-nat chain=dstnat comment=MAP-NALOG-SRV dst-port=1230,1330 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.56
# No in-interface(-list) here: matches on any ingress, limited by source IP.
add action=dst-nat chain=dstnat comment=003-MAP-USB dst-port=33000 protocol=\
    tcp src-address=91.149.134.190 to-addresses=10.100.100.197 to-ports=33000
add action=dst-nat chain=dstnat comment=003-MAP-USB disabled=yes dst-port=80 \
    protocol=tcp src-address=192.168.0.3 to-addresses=192.168.0.226
add action=accept chain=dstnat comment="OPEN-WG PORT" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=dst-nat chain=dstnat comment=MAP-PROX dst-port=28015,28016 \
    in-interface-list=WAN port="" protocol=udp to-addresses=192.168.0.14
add action=dst-nat chain=dstnat comment=MAP-PROX dst-port=\
    28015,28016,5555,6666,44405,44410,55901,55919 in-interface-list=WAN port=\
    "" protocol=tcp to-addresses=192.168.0.14
add action=dst-nat chain=dstnat comment=MAP-WEBDAV-NAS dst-port=5000 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.230
add action=dst-nat chain=dstnat comment=MAP-RD1-WHITELIST dst-port=8411 \
    in-interface-list=WAN protocol=tcp src-address-list=WHIITELIST \
    to-addresses=192.168.0.211 to-ports=3389
add action=dst-nat chain=dstnat comment=MAP-SITE-NAS dst-port=80,443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.226
add action=dst-nat chain=dstnat comment=MAP-TORRENT-WG dst-port=9090 \
    in-interface=wg1 protocol=tcp to-addresses=10.100.100.197
# SIP signalling (5060/5061 plus vendor ports) exposed to any WAN source;
# Internet-wide registration/scan attempts are the usual consequence. A
# source list, as used for the RDP maps, would limit the exposure.
add action=dst-nat chain=dstnat comment=MAP-SIP-CLEARYIP dst-port=\
    2267,2580,2579,5060,5061,8002 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.0.41
add action=dst-nat chain=dstnat comment=MAP-SERVICE.1221.BY dst-port=8989 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.61 to-ports=80
add action=dst-nat chain=dstnat comment=MAP-YOUTRACK dst-port=8888 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.217 to-ports=\
    8080
add action=dst-nat chain=dstnat comment=MAP-NOIP dst-port=5651 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.226
add action=dst-nat chain=dstnat comment=MAP-PROX dst-port=9000 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.100 to-ports=80
# NOTE(review): comment says JIRA but the target port is 3389 (RDP), and
# unlike the other RDP maps this one has no src-address-list — it is RDP
# reachable from the whole Internet. Either the target port or the missing
# source restriction looks wrong.
add action=dst-nat chain=dstnat comment=MAP-JIRA dst-port=5580 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.215 to-ports=\
    3389
add action=dst-nat chain=dstnat comment=MAP-PRTG dst-port=23560 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.226
add action=dst-nat chain=dstnat comment=MAP-WIN-REARM dst-port=9988 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.223 to-ports=1688
# Hairpin NAT: LAN clients addressing the public IP 178.172.237.147 are
# redirected internally. The targets differ: this internal FTP map goes to
# 192.168.0.226 while the WAN MAP-FTP below goes to 10.100.100.197 — one of
# the two is probably stale. Port 69 (TFTP) is UDP, so listing it under
# protocol=tcp has no effect.
add action=dst-nat chain=dstnat comment=MAP-FTP/WWW-INTERNAL dst-address=\
    178.172.237.147 dst-port=21,20,69,990,80 in-interface-list=LAN protocol=\
    tcp to-addresses=192.168.0.226
add action=dst-nat chain=dstnat comment=MAP-FTP dst-port=21,20,69,990 \
    in-interface-list=WAN protocol=tcp to-addresses=10.100.100.197
add action=dst-nat chain=dstnat comment="MAP-NOD 4/5" dst-port=2221,221,79 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.223
# Hairpin RDP into the ether5 subnet. After dst-nat the destination port is
# 3389, so the bridge->ether5 "only 3389" filter rule lets it through.
add action=dst-nat chain=dstnat comment=MAP-RDP-FESHN-INTERNAL dst-address=\
    178.172.237.147 dst-port=8211 in-interface-list=LAN protocol=tcp \
    to-addresses=192.168.3.211 to-ports=3389
add action=dst-nat chain=dstnat comment=MAP-RDP-FESHN dst-port=8211 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.3.211 to-ports=3389
add action=dst-nat chain=dstnat comment=MAP-RDP-CL0 dst-port=8220 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.222 to-ports=3389
add action=dst-nat chain=dstnat comment=MAP-RDP-CL1 dst-port=8221 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.221 to-ports=3389
add action=dst-nat chain=dstnat comment=MAP-NOD-SERVER-MANAGER dst-port=2228 \
    in-interface-list=WAN protocol=tcp src-address-list=Belarus_IP \
    to-addresses=192.168.0.226 to-ports=2222
# Relays for WireGuard peers: connections arriving on wg1 to these ports are
# dst-nat'ed mostly to third-party public hosts (000-MAP-FTP-ADMIN stays
# internal) and leave through the ether1 masquerade, so the remote side sees
# this router's WAN address. Each such map is a dependency on a host outside
# this network.
add action=dst-nat chain=dstnat comment=039-MAP-REVIT dst-port=8208 \
    in-interface=wg1 protocol=tcp to-addresses=194.158.213.50 to-ports=8208
add action=dst-nat chain=dstnat comment=000-MAP-FTP-ADMIN dst-port=5466 \
    in-interface=wg1 protocol=tcp to-addresses=10.100.100.197 to-ports=5466
add action=dst-nat chain=dstnat comment=039-MAP-REVIT-VS dst-port=8209 \
    in-interface=wg1 protocol=tcp to-addresses=194.158.213.50 to-ports=8197
# to-addresses equals the matched dst-address and no to-ports is given, so
# this rule changes nothing about the packet apart from marking the
# connection as dst-nat'ed; likely a leftover.
add action=dst-nat chain=dstnat comment=039-MAP-REVIT dst-address=\
    192.168.0.41 dst-port=80 in-interface=wg1 protocol=tcp to-addresses=\
    192.168.0.41
# 8392 and 8198 both land on 194.158.213.50:8198 (two entry ports, one
# target).
add action=dst-nat chain=dstnat comment=039-MAP-1C dst-port=8392 \
    in-interface=wg1 protocol=tcp to-addresses=194.158.213.50 to-ports=8198
add action=dst-nat chain=dstnat comment=039-MAP-1C dst-port=8198 \
    in-interface=wg1 protocol=tcp to-addresses=194.158.213.50 to-ports=8198
add action=dst-nat chain=dstnat comment=012-MAP-RD1 dst-port=9121 \
    in-interface=wg1 protocol=tcp to-addresses=178.124.144.127 to-ports=8211
add action=dst-nat chain=dstnat comment=013-MAP-RD1 dst-port=9131 \
    in-interface=wg1 protocol=tcp to-addresses=213.184.251.87 to-ports=8211
add action=dst-nat chain=dstnat comment=013-MAP-RD4 dst-port=9134 \
    in-interface=wg1 protocol=tcp to-addresses=213.184.251.87 to-ports=8214
add action=dst-nat chain=dstnat comment=064-MAP-1C dst-port=8264 \
    in-interface=wg1 protocol=tcp to-addresses=93.85.82.73 to-ports=8197
add action=dst-nat chain=dstnat comment=024-MAP-1C dst-port=8242 \
    in-interface=wg1 protocol=tcp to-addresses=178.124.193.147 to-ports=8211
add action=dst-nat chain=dstnat comment=020-MAP-1C dst-port=8311 \
    in-interface=wg1 protocol=tcp to-addresses=86.57.154.220 to-ports=8211
add action=dst-nat chain=dstnat comment=020-MAP-IMNS dst-port=8312 \
    in-interface=wg1 protocol=tcp to-addresses=86.57.154.220 to-ports=8212
# Disabled static route (no effect while disabled=yes). If enabled it would
# send the ether5 subnet 192.168.3.0/24 toward the WAN port instead of the
# directly connected interface.
/ip route
add disabled=yes distance=1 dst-address=192.168.3.0/24 gateway=ether1 \
    pref-src=0.0.0.0 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
# Stock defconf IPv6 firewall. With /ipv6 settings disable-ipv6=yes these
# lists and rules are not in effect; they are left intact so they apply
# as-is if IPv6 is ever enabled.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Same structure as the IPv4 defconf: accept established/related, drop
# invalid, allow ICMPv6/IPsec/IKE, then drop everything not from LAN.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# System settings.
/system clock
set time-zone-name=Europe/Poland
/system identity
set name=1221-HAP-3
# Package channel "testing" matches the 7.7rc3 build named in the export
# header; a production router carrying this many inbound maps is usually
# better kept on the stable channel.
/system package update
set channel=testing
/tool graphing interface
add store-on-disk=no
/tool graphing resource
add store-on-disk=no
# MAC-telnet and MAC-WinBox answer only on LAN-list interfaces (the bridge).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks!
 
anav

Re: Port forwarding behind the bridge

Sun Jan 15, 2023 10:02 pm

Not going to touch this POS.
If you want multiple subnets for different groups of LAN users, then use VLANs...

The port forwarding is the least of your problems; this config is a freaking mess.



1. Identify the users/groups of users and devices.
2. Identify what traffic they are supposed to have and not have.
3. Identify any other components involved: switches, access points, etc.
4. Identify the WAN information: type of connection, how many, etc. Your ether3 comment gives the impression that there is another WAN.
