I just got a RB750Gr3 to replace my ISP router. I have looked through the tutorials on Youtube, the Mikrotik wiki, and this forum to see how to set it up like I wanted. Things are pretty smooth until it comes to port forwarding. I am trying to open port 80 and 443 so that I can access my Raspberry Pi webserver from outside my network.
It is very weird that I can access the webserver through the URL without any problems, both inside the network and outside the network (using mobile data). But when I try to verify using certbot, there is always a connection problem. I also used a port checker service like canyouseeme.org, and it shows port 80 as open only about 50% of the time (first click open, second click timed out, etc.).
Could anyone give my config a quick look to see if I made any mistakes? Thank you for your time.
Note: I have manually removed some sensitive information from the config
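# RouterOS v7 export as posted (sensitive values redacted by the author).
# Lines starting with "CHANGED" mark edits to the posted config; "NOTE(review)"
# lines are reviewer observations that leave the rule as it was.
/interface bridge
add add-dhcp-option82=yes admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no \
dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe
set [ find default-name=ether2 ] name=ether2-switch
set [ find default-name=ether3 ] name=ether3-eap
set [ find default-name=ether4 ] name=ether4-camera
set [ find default-name=ether5 ] name=ether5-spare
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-pppoe name=pppoe-c1 \
use-peer-dns=yes user=abcxyz
/interface wireguard
# NOTE(review): nothing in the input chain accepts udp/13231, so inbound
# WireGuard handshakes hit "Input: Drop All Else". That is consistent with
# this router acting only as a client (10.5.0.2, default route via wg-vpn
# in table to-vpn); if a remote peer must initiate, an explicit accept for
# the listen port is needed.
add listen-port=13231 mtu=1420 name=wg-vpn
/interface vlan
# VLANs are created on the bridge interface itself; the bridge has no
# vlan-filtering, so the untagged bridge network (10.0.0.0/24) is reachable
# from any device plugged into ether2-ether5 without a VLAN tag.
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-vpn vlan-id=11
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30
/interface ethernet switch
set 0 name=switch
/interface list
add name=WAN
add name=LAN
add name=MGNT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-bridge ranges=10.0.0.2-10.0.0.254
add name=pool-vlan10 ranges=10.0.10.2-10.0.10.254
add name=pool-vlan11 ranges=10.0.11.2-10.0.11.254
add name=pool-vlan20 ranges=10.0.20.2-10.0.20.254
add name=pool-vlan30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=pool-vlan10 interface=vlan10-private lease-time=2h name=\
dhcp-vlan10
add address-pool=pool-vlan11 interface=vlan11-vpn lease-time=2h name=\
dhcp-vlan11
add address-pool=pool-vlan20 interface=vlan20-iot lease-time=2h name=\
dhcp-vlan20
add address-pool=pool-vlan30 interface=vlan30-guest lease-time=2h name=\
dhcp-vlan30
# NOTE(review): pool-bridge starts at 10.0.0.2, which is also the static
# address the dst-nat rules forward to; make sure the Pi holds a lease or
# static mapping for 10.0.0.2 so the pool cannot hand it to another host.
add address-pool=pool-bridge interface=bridge lease-time=2h name=dhcp-bridge
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to-vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-switch
add bridge=bridge comment=defconf interface=ether3-eap
add bridge=bridge comment=defconf interface=ether4-camera
add bridge=bridge comment=defconf interface=ether5-spare
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=pppoe-c1 list=WAN
add interface=vlan10-private list=LAN
add interface=vlan11-vpn list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan10-private list=MGNT
# The untagged bridge network (where the published web server 10.0.0.2 lives)
# is a management network: its hosts may reach the router's services.
add interface=bridge list=MGNT
add interface=bridge list=LAN
add interface=vlan11-vpn list=MGNT
/interface wireguard peers
# A valid wireguard peer here
/ip address
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.11.1/24 interface=vlan11-vpn network=10.0.11.0
add address=10.0.20.1/24 interface=vlan20-iot network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-guest network=10.0.30.0
add address=10.5.0.2/24 interface=wg-vpn network=10.5.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=10.0.0.2,1.1.1.1,1.0.0.1 gateway=\
10.0.10.1
add address=10.0.11.0/24 dns-server=10.0.0.2,1.1.1.1,1.0.0.1 gateway=\
10.0.11.1
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.30.1
/ip dns
# Recursive DNS is enabled on every interface, but the input chain below only
# accepts MGNT-listed interfaces, so it is not reachable from WAN, IoT or guest.
set allow-remote-requests=yes cache-size=64KiB servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.0.0.2 list=DNS
add address=10.0.0.0/16 list=LAN_IP
# NOTE(review): a DNS-name entry becomes a dynamic address that is re-resolved
# when its TTL expires, and it is only as current as the 5-minute /ip cloud
# update after a PPPoE re-dial. Any gap leaves a dst-nat rule keyed on this
# list without a match, which is one candidate for the "open half the time"
# symptom; the external forwards in /ip firewall nat no longer depend on it.
add address=abcxyz.sn.mynetname.net list=WAN_IP
# add VN_IPs here
# NOTE(review): until VN_IPs is populated, "dst-address-list=!VN_IPs" in the
# mangle chain matches every destination, so all non-LAN VLAN 11 traffic is
# marked for the VPN.
/ip firewall filter
add action=drop chain=input comment="Input: Drop non-SYN TCP" \
connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=input comment="Input: Accept established, related" \
connection-state=established,related
add action=drop chain=input comment="Input: Drop invalid" connection-state=\
invalid
# NOTE(review): ICMP is accepted from every interface, including WAN, with no
# rate limit; a "limit=" matcher on this rule is a cheap way to bound it.
add action=accept chain=input comment="Input: Accept ICMP" protocol=icmp
add action=accept chain=input comment="Input: Accept MGNT to Router" \
in-interface-list=MGNT
add action=drop chain=input comment="Input: Drop All Else"
add action=drop chain=forward comment="Forward: Drop non-SYN TCP" \
connection-state=new protocol=tcp tcp-flags=!syn
add action=fasttrack-connection chain=forward comment=\
"Forward: Fasttrack established, related" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward: Accept established, related" connection-state=\
established,related
add action=drop chain=forward comment="Foward: Drop invalid" \
connection-state=invalid
# NOTE(review): the untagged bridge network hosts the internet-exposed web
# server and may forward to every VLAN (cameras, IoT, private). If that host
# is compromised through the published ports it has full lateral reach; a
# narrower rule set for 10.0.0.2 would contain that.
add action=accept chain=forward comment="Forward: Allow bridge to everywhere" \
in-interface=bridge
add action=accept chain=forward comment="Forward: Allow vlan10 to everywhere" \
in-interface=vlan10-private
add action=accept chain=forward comment="Forward: Allow vlan11 to everywhere" \
in-interface=vlan11-vpn
add action=accept chain=forward comment="Forward: Allow vlan20 to WAN" \
in-interface=vlan20-iot out-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop vlan20 to anywhere else" \
in-interface=vlan20-iot out-interface-list=!WAN
add action=accept chain=forward comment="Forward: Allow vlan30 to WAN" \
in-interface=vlan30-guest out-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop vlan30 to anywhere else" \
in-interface=vlan30-guest out-interface-list=!WAN
# Only connections that a dstnat rule already rewrote are admitted from WAN, so
# the set of reachable internal services is exactly the dst-nat rules below.
add action=accept chain=forward comment="Forward: Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Forward: Drop all else"
/ip firewall mangle
add action=jump chain=prerouting comment=\
"Route traffic from VLAN 11 to VPN (except local IPs)" dst-address-list=\
!LAN_IP in-interface=vlan11-vpn jump-target=vpn-chain
add action=mark-routing chain=vpn-chain comment=\
"Route traffic from VLAN 11 to VPN (except VN IPs)" dst-address-list=\
!VN_IPs in-interface=vlan11-vpn new-routing-mark=to-vpn passthrough=no
/ip firewall nat
# CHANGED: the hairpin masquerade matched any LAN_IP -> LAN_IP flow, so every
# routed inter-VLAN packet also had its source rewritten to the router's own
# address, hiding real client addresses from the Pi's logs and from hosts on
# other VLANs. Hairpin only needs the published server and ports.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=10.0.0.2 \
dst-port=80,443 protocol=tcp src-address-list=LAN_IP
add action=masquerade chain=srcnat comment="VNPT Internet connection" \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="Wireguard VPN connection" \
out-interface=wg-vpn
# CHANGED: external forwards match on the WAN interface and the router's own
# address instead of the DNS-resolved WAN_IP list, so they keep working while
# the DDNS name is being re-resolved or is stale after a PPPoE re-dial.
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 80 | To: 80 | TCP | from WAN" \
dst-address-type=local dst-port=80 in-interface-list=WAN protocol=tcp \
to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 443 | To: 443 | TCP | from WAN" \
dst-address-type=local dst-port=443 in-interface-list=WAN protocol=tcp \
to-addresses=10.0.0.2 to-ports=443
# The original list-based rules are kept for hairpin: LAN clients that use the
# public name arrive on a LAN interface, so they need the WAN_IP match.
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 80 | To: 80 | TCP" dst-address-list=\
WAN_IP dst-port=80 protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"PF: Web | IP: 10.0.0.2 | From: 443 | To: 443 | TCP" dst-address-list=\
WAN_IP dst-port=443 protocol=tcp to-addresses=10.0.0.2 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg-vpn routing-table=to-vpn \
suppress-hw-offload=no
# CHANGED: kill switch. When wg-vpn is down the route above becomes inactive
# and, as far as can be told from this export, marked VLAN 11 traffic would
# fall back to the main table and leave via the ISP unencrypted. A blackhole
# with a higher distance keeps that traffic inside table to-vpn and drops it.
add blackhole distance=2 dst-address=0.0.0.0/0 routing-table=to-vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): plain-HTTP management stays enabled (moved to 8080) and is
# reachable only from MGNT interfaces via the input chain; winbox is not
# shown here and keeps its default state.
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN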