Wed Feb 08, 2023 2:04 am
Thanks, here's the config - I must apologise as I really have been fumbling my way through, I'm a measurements engineer and the extent of my networking knowledge is trying to make sure the IP settings are correct in a device (i.e. IP, netmask, gateway and DNS......)
I also have a stupid situation where I'm using the DHCP client on the Mikrotik ether1 interface to get an IP from the Sat terminal, which also has DHCP on. I'd obviously rather just set the Mikrotik to use fixed IP settings on that interface (ether1) of 192.168.15.206, but I wasn't sure how to do that and couldn't seem to figure it out. If I can set that up, then I would be able to disable DHCP on the satellite terminal - I've been running into problems of sometimes getting the wrong IP address from the sat terminal, so then none of my port forwards work.
Firstly, the satellite terminal is configured as follows:
IP address: 192.168.15.1
DHCP range 192.168.15.206-192.168.15.206 :: I did this because the sat terminal is stupid and doesn't allow me to assign IP addresses to specific MAC addresses
No firewall (because it's stupid)
Port forwards:
8880 --> 192.168.15.206:8880
8822 --> 192.168.15.206:8822
8980 --> 192.168.15.206:80
8921 --> 192.168.15.206:21
That's pretty much it for the sat terminal, the rest is just BGAN configuration
Mikrotik config:
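# feb/08/2023 10:48:05 by RouterOS 6.47.9
# software id = NXSX-DLR7
#
# model = RB952Ui-5ac2nD
# serial number = XXXX
#
# Review notes are marked NOTE(review). Two changes from the posted export:
#   - the two defconf input-chain drop rules are re-enabled (they were
#     disabled=yes). The satellite terminal has no firewall and forwards
#     8980->192.168.15.206:80 and 8921->192.168.15.206:21, i.e. straight at
#     this router's own www and ftp services, and /ip dns has
#     allow-remote-requests=yes; with the input chain open these are all
#     reachable from the WAN side.
#   - a commented-out static-address block for ether1 is included under
#     /ip dhcp-client for when the terminal's DHCP server is switched off.
# Everything else is left exactly as posted.
/interface bridge
add admin-mac=X:X:X:X:X:X auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-8CB596 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-8CB595 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# NOTE(review): the default security profile shows no mode or WPA key here.
# If this export was not taken with hide-sensitive, that would mean both
# APs are open - confirm the profile's mode on the device.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): defconf normally binds this address to interface=bridge;
# ether2 is a bridge port (see /interface bridge port above), so binding it
# to ether2 looks unintentional. Left as posted because the LAN is reported
# as working - confirm before changing it.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
# NOTE(review): the DHCP client is kept active. To move ether1 to the fixed
# address the terminal currently leases (192.168.15.206), disable this
# entry and apply the commented block below; the gateway is the terminal
# itself (192.168.15.1). The DNS server is assumed to be the terminal too -
# check what the current lease hands out before switching.
add disabled=no interface=ether1
#/ip dhcp-client
#set [ find interface=ether1 ] disabled=yes
#/ip address
#add address=192.168.15.206/24 interface=ether1
#/ip route
#add distance=1 gateway=192.168.15.1
#/ip dns
#set servers=192.168.15.1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): remote requests are needed for LAN clients that use the
# router as resolver, but they are only safe while the input chain drops
# traffic that does not come from LAN (re-enabled below).
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/23 comment= list=Whitelist
add address=X.X.X.X/29 comment= list=Whitelist
add address=192.168.15.1 list=Whitelist
add address=X.X.X.X/24 list=Whitelist
add address=192.168.88.0/24 list=Whitelist
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): re-enabled (posted export had disabled=yes).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): re-enabled (posted export had disabled=yes). Without this
# rule every service the router itself runs (www on 80, ftp on 21, DNS,
# and anything else enabled under /ip service) answers on ether1, and the
# terminal's 8980->80 and 8921->21 forwards land exactly there. If remote
# management through the terminal is genuinely needed, add a narrow accept
# rule for that one port with src-address-list=Whitelist above this drop
# rather than disabling it again.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): this rule only matches when BOTH the source and the
# destination are outside Whitelist. Because 192.168.88.0/24 is in the
# list, forwarded traffic that has a LAN endpoint - which includes every
# port-forwarded connection to 192.168.88.254 - is never dropped here, so
# the rule appears to have no effect on what it is presumably meant to
# restrict. Left unchanged; if the intent is to admit only whitelisted
# sources to the forwards, something like
#   add action=drop chain=forward connection-nat-state=dstnat \
#   connection-state=new src-address-list=!Whitelist log=yes
# in its place expresses that directly.
add action=drop chain=forward dst-address-list=!Whitelist log=yes \
src-address-list=!Whitelist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): neither dst-nat rule is limited with in-interface-list=WAN,
# so a LAN client connecting to 192.168.88.1:8880 or :8822 is redirected to
# .254 as well. Harmless here, but adding in-interface-list=WAN makes the
# intent explicit. Left as posted.
add action=dst-nat chain=dstnat dst-port=8880 protocol=tcp to-addresses=\
192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-port=8822 protocol=tcp to-addresses=\
192.168.88.254 to-ports=22
/system clock
set time-zone-name=Australia/Sydney
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN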