I am having issues with port forwarding. I know this config export has a LOT of unnecessary entries; I've been messing around trying to get port forwarding to work.
My NAT rule's packet counter goes up every time I send a ping check against it, but there is never a response back.
# RouterOS export of a single-bridge home/small-office router: LAN is the bridge
# "local" (192.168.88.0/24), WAN is combo1 (DHCP client). Review comments below
# are keyed to the rule they precede; rule order within each firewall chain is the
# order in this export, which is what the router evaluates.
#
# NOTE(review): "publicip" and "oldpublicip" look like redacted placeholders for the
# WAN address. Because combo1 gets its address from DHCP, a fixed dst-address match
# on the WAN IP silently stops matching when that address changes; matching on
# in-interface=combo1 instead (as the dst-port=443/udp NAT rule already does) does
# not depend on the current lease.
/interface bridge
add name=local
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Unused as far as this export shows: no wireless interface is configured here.
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 \
supplicant-identity=""
/ip pool
add name=dhcp_pool0 ranges=192.168.88.12-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
# Disabled; bridge-level NAT has no effect on the IP-level port forward below.
/interface bridge nat
add action=accept chain=srcnat disabled=yes
# All ethernet/SFP ports except combo1 are bridged into the LAN.
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether1
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether3
add bridge=local interface=sfp-sfpplus1
# Neighbor discovery limited to the LAN list; combo1 is not a member, so the
# router does not advertise itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
# WAN address comes from the upstream DHCP server on combo1.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=combo1
# DHCP clients are pointed at a LAN host (192.168.88.3) for DNS, not at the router.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.3 gateway=192.168.88.1
/ip firewall address-list
# Sources allowed to reach the router itself (input chain); see the
# src-address-list=allowed_to_router rule below.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
# Bogon / non-routable prefixes, used by the "not public IP" forward drop below.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
# --- forward chain: the next four rules are disabled and currently do nothing. ---
add action=accept chain=forward connection-nat-state=dstnat disabled=yes \
dst-address=publicip dst-port=3245 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes \
dst-address=publicip dst-port=3245 protocol=udp
add action=accept chain=forward disabled=yes dst-port=3245 in-interface=\
combo1 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
# --- input chain, first active rule: established/related to the router itself. ---
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
# Disabled: would open 46698 on the router itself from any interface.
add action=accept chain=input disabled=yes dst-port=46698 protocol=tcp
add action=accept chain=input disabled=yes dst-port=46698 protocol=udp
# Fasttracked established/related forward traffic bypasses the rest of the chain.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
# Accepts new dstnat'ed connections arriving from the LAN (hairpin case). Inert as
# exported: every dst-nat rule below is disabled and the active ones match
# in-interface=combo1. connection-type="" is an empty matcher and can be dropped.
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
new connection-type="" in-interface-list=listBridge
# Key rule for the reported problem: every NEW connection from the WAN that was
# not dst-nat'ed is dropped here and logged with prefix "!NAT". With all dst-nat
# rules disabled, an inbound port check should show up in /log under that prefix.
# New connections that *were* dst-nat'ed do not match here and, since the forward
# chain has no final drop, fall through to the chain's default accept.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=combo1 log=yes log-prefix=!NAT
# Disabled experiments for forwarding 443 to 192.168.88.220; note these match
# in-interface-list=listBridge (LAN side), not combo1, so even enabled they would
# not accept WAN-originated traffic.
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
new disabled=yes dst-address=publicip dst-port=443 \
in-interface-list=listBridge protocol=udp src-address=192.168.88.0/24
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
new disabled=yes dst-address=publicip dst-port=443 \
in-interface-list=listBridge protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.88.220 \
dst-port=443 protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.88.220 \
dst-port=443 in-interface=combo1 protocol=udp
# --- input chain, WAN-facing section: evaluated in this order for combo1. ---
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=combo1 \
protocol=icmp
# Accepts Winbox (8291) from the WAN at the firewall level. The /ip service entry
# below restricts winbox to 192.168.88.0/24, so the service itself refuses these
# connections; if WAN Winbox is not intended, this rule is redundant and only
# leaves the port visible from outside.
add action=accept chain=input comment="allow Winbox" in-interface=combo1 \
port=8291 protocol=tcp
# Inconsistency: this accepts port 22 from the WAN, but /ip service sets ssh
# port=2200, so the rule matches nothing and SSH is not reachable from combo1
# (the catch-all drop right below takes it). If WAN SSH is not wanted, remove this
# rule rather than "fixing" its port.
add action=accept chain=input comment="allow SSH" in-interface=combo1 port=22 \
protocol=tcp
# Everything else from the WAN to the router is dropped here. Because this comes
# before the allowed_to_router accept, a spoofed LAN source on combo1 cannot use
# that list.
add action=drop chain=input comment="block everything else" in-interface=\
combo1
# Duplicate of the established/related accept at the top of the input chain.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
# Unconditional input drop; the three input rules at the end of this chain
# (Drop Invalid / Allow Established / Drop everything else) sit after it and are
# never reached.
add action=drop chain=input
# --- forward chain continues (established/related not already fasttracked). ---
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
# Bogon-source drop for WAN traffic. It sits after the "!NAT" drop, so for
# non-NATed new connections it is already too late; it still catches dst-nat'ed
# new connections from a bogon source.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=combo1 \
log=yes log-prefix=!public src-address-list=not_in_internet
# icmp chain: accepts the listed types; any other ICMP type returns to the
# forward chain (no drop at the end of this chain).
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
# Unreachable: the unconditional "drop chain=input" above matches first.
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid
add action=accept chain=input comment=\
"Allow Established/Related/Untracked connections" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop everything else"
# Disabled debugging rule (log-only passthrough on 3245/tcp).
/ip firewall mangle
add action=passthrough chain=prerouting disabled=yes dst-port=3245 log=yes \
protocol=tcp
/ip firewall nat
# Outbound source NAT for the LAN; the only active NAT rule in this export.
add action=masquerade chain=srcnat out-interface=combo1
# Every dst-nat rule below is disabled=yes, so no port forward is currently in
# effect. Rules keyed on dst-address=publicip / oldpublicip also depend on the
# WAN lease not changing (see header note); the 443/udp rule shows the
# in-interface=combo1 form that avoids that.
add action=dst-nat chain=dstnat disabled=yes dst-address=publicip \
dst-port=443 in-interface=combo1 protocol=tcp to-addresses=192.168.88.220 \
to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=combo1 \
protocol=udp to-addresses=192.168.88.220 to-ports=443
# No in-interface: if enabled, this would also rewrite LAN-originated packets to
# 60665/udp on any destination (including the router itself).
add action=dst-nat chain=dstnat disabled=yes dst-port=60665 protocol=udp \
to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-address=oldpublicip \
dst-port=27765 protocol=tcp src-port="" to-addresses=192.168.88.230 \
to-ports=27765
# Hairpin source NAT for LAN clients reaching .230 via the public address
# (disabled).
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.230 \
out-interface=local protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=oldpublicip \
dst-port=25565 in-interface=combo1 protocol=udp to-addresses=\
192.168.88.232 to-ports=25565
# Same no-in-interface caveat as the 60665/udp rule above (1224, 5060).
add action=dst-nat chain=dstnat disabled=yes dst-port=1224 protocol=tcp \
to-addresses=192.168.88.220
# Disabled; no out-interface or src-address, so if enabled it would masquerade
# all traffic to .220:46698 regardless of where it came from.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.220 \
dst-port=46698 protocol=tcp
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.220 \
dst-port=46698 protocol=udp
add action=dst-nat chain=dstnat disabled=yes dst-port=1224 protocol=udp \
to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=udp \
to-addresses=192.168.88.220
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=tcp \
to-addresses=192.168.88.220
# Management services: cleartext services off, SSH moved to 2200 (the filter
# rule "allow SSH" above still says 22), Winbox bound to the LAN subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
# UPnP entries exist but are all disabled, so nothing on the LAN can open
# ports on combo1 automatically.
/ip upnp interfaces
add disabled=yes interface=ether1 type=internal
add disabled=yes interface=local type=internal
add disabled=yes interface=combo1 type=external
/tool bandwidth-server
set enabled=no
# MAC-level access (MAC telnet / MAC Winbox) limited to the LAN list.
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge