Unfortunately, my brain just gave up on me, and I seek fresh braincells to figure this one out. I've gone through several iterations of forum posts trying this one, but with no luck.
Simple setup: Win10 running PRTG - Switch - MK - ISP1
- ISP2 (Disabled currently due to degradation)
All I want is to make the web server reachable remotely, so I can stop using a remote desktop utility to the Win10 machine for basic monitoring; I should be able to do that once I get the NAT part sorted out, and reach it from home.
thanks!!
# nov/24/2022 09:30:07 by RouterOS 6.49.7
# software id = B2RC-819H
#
# model = RB2011UiAS
# serial number = x
/caps-man configuration
# Two CAPsMAN configurations, one per band, both broadcasting SSID "Barentz"
# with WPA/WPA2-PSK and AES-CCM. No passphrase appears in this export
# (presumably withheld as sensitive); client-to-client forwarding is off, so
# wireless clients are isolated from each other at the CAP.
# 2.4 GHz profile (b/g/n, 20 MHz). Note the name is spelled "configuracion_"
# while the 5 GHz one is "configuration_"; both names are referenced by the
# /caps-man provisioning rules, so the spelling has to stay in sync there.
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=\
argentina datapath.client-to-client-forwarding=no \
datapath.local-forwarding=yes distance=indoors guard-interval=any \
keepalive-frames=enabled name=configuracion_barentz \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm security.group-key-update=1d ssid=Barentz
# 5 GHz profile (a/n/ac, 20 MHz), same datapath and security settings.
add channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz country=\
argentina datapath.client-to-client-forwarding=no \
datapath.local-forwarding=yes distance=indoors guard-interval=any \
keepalive-frames=enabled name=configuration_barentz5 \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm security.group-key-update=1d ssid=Barentz
/interface bridge
# Single LAN bridge with a pinned admin MAC (auto-mac=no), so the bridge MAC
# should not change as ports come and go.
add admin-mac=11:22:33:AA:BB:CC auto-mac=no name=bridge1
/interface ethernet
# Port roles are recorded only in these comments. ether3/ether4 are labelled
# as WAN (backup) ports here, yet they are bridged into bridge1 (the LAN) under
# /interface bridge port - confirm that is intended, because an ISP modem
# plugged into them would end up on the LAN segment.
set [ find default-name=ether1 ] comment="WAN1 - IPLAN" loop-protect=on \
loop-protect-disable-time=1m
set [ find default-name=ether2 ] comment="WAN2 - FIBERCORP" loop-protect=on
set [ find default-name=ether3 ] comment="WAN1 - IPLAN BKP"
set [ find default-name=ether4 ] comment="WAN2 - FIBERCORP"
set [ find default-name=ether5 ] comment="LAN - switch Trunk to TPLINK" \
loop-protect=on
/interface list
# Interface lists; membership is assigned under /interface list member.
# In this export only WAN1 is referenced by a rule (the src-nat entry in
# /ip firewall nat), LAN and WAN2 are declared but unused.
add name=WAN1
add name=LAN
add name=WAN2
/interface wireless security-profiles
# Default local wireless profile; only the supplicant identity is set. Wireless
# appears to be handled by CAPsMAN rather than by local wlan interfaces.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# DHCP pool: the whole LAN /24 except .1, which is the router (see /ip address).
add name=dhcp_pool1 ranges=192.168.101.2-192.168.101.254
/ip dhcp-server
# One DHCP server on the LAN bridge, 1-week leases. add-arp=yes creates ARP
# entries for leases; see the static /ip arp entry that overlaps a lease below.
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge1 \
lease-time=1w name=dhcp1
/queue type
# PCQ queue types used by the leaves in /queue tree: DOWN fans out per
# destination address (LAN client), UP per source address.
add kind=pcq name=DOWN pcq-classifier=dst-address
add kind=pcq name=UP pcq-classifier=src-address
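/queue tree
# Per-WAN parents. The *DOWN parents hang off "global" and are told apart only
# by the per-WAN packet marks on their leaves; the *UP parents are bound to the
# physical WAN port. No max-limit is set on any parent or leaf; RouterOS only
# enforces priority when the parent has a max-limit, so as exported these may
# be doing little more than accounting - confirm that is intended.
add name="WAN1 DOWN" parent=global queue=default
add name="WAN1 UP" parent=ether1 queue=default
# WAN1 leaves: one rx/tx pair per class marked in /ip firewall mangle
# (priority 1 = highest). rx uses the per-WAN mark, tx the plain mark.
add name="WAN1 - WEB - rx" packet-mark=web-wan1 parent="WAN1 DOWN" priority=3 \
queue=DOWN
add name="WAN1 - WEB- tx" packet-mark=web parent="WAN1 UP" priority=3 queue=\
UP
add name="WAN1 - DNS - rx" packet-mark=dns-wan1 parent="WAN1 DOWN" priority=2 \
queue=DOWN
add name="WAN1 - DNS - tx" packet-mark=dns parent="WAN1 UP" priority=2 queue=\
UP
add name="WAN1 - ICMP -rx" packet-mark=icmp-wan1 parent="WAN1 DOWN" priority=\
1 queue=DOWN
add name="WAN1 - ICMP - tx" packet-mark=icmp parent="WAN1 UP" priority=1 \
queue=UP
add name="WAN1 - QUIC - rx" packet-mark=quic-wan1 parent="WAN1 DOWN" \
priority=5 queue=DOWN
add name="WAN1 - QUIC -tx" packet-mark=quic parent="WAN1 UP" priority=5 \
queue=UP
# WAN2 parents and leaves, same layout.
add name="WAN2 DOWN" parent=global queue=default
add name="WAN2 UP" parent=ether2 queue=default
add name="WAN2- DNS - rx" packet-mark=dns-wan2 parent="WAN2 DOWN" priority=2 \
queue=DOWN
add name="WAN2 - DNS -tx" packet-mark=dns parent="WAN2 UP" priority=2 queue=\
UP
add name="WAN2 - ICMP - rx" packet-mark=icmp-wan2 parent="WAN2 DOWN" \
priority=1 queue=DOWN
add name="WAN2 - ICMP -tx" packet-mark=icmp parent="WAN2 UP" priority=1 \
queue=UP
add name="WAN2 - QUIC - rx" packet-mark=quic-wan2 parent="WAN2 DOWN" \
priority=5 queue=DOWN
# Was exported as "WAN1 - QUIC - tx" although it sits under "WAN2 UP"; renamed
# so the tree reads correctly. Nothing in this export references the old name,
# but check any external monitor (e.g. SNMP sensors) that polled it by name.
add name="WAN2 - QUIC - tx" packet-mark=quic parent="WAN2 UP" priority=5 \
queue=UP
add name="WAN2 - RESTO - rx" packet-mark=resto-wan2 parent="WAN2 DOWN" queue=\
DOWN
add name="WAN2 - RESTO - tx" packet-mark=resto parent="WAN2 UP" queue=UP
add name="WAN2 - WEB - rx" packet-mark=web-wan2 parent="WAN2 DOWN" priority=3 \
queue=DOWN
add name="WAN2 - WEB - tx" packet-mark=web parent="WAN2 UP" priority=3 queue=\
UP
# Catch-all class ("resto") for WAN1, default priority.
add name="WAN1 - Resto -rx" packet-mark=resto-wan1 parent="WAN1 DOWN" queue=\
DOWN
add name="WAN1 - Resto - tx" packet-mark=resto parent="WAN1 UP" queue=UP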
/caps-man access-list
# Single deny entry: the listed client MAC is rejected on every SSID
# (ssid-regexp="" matches all). allow-signal-out-of-range only has an effect
# together with a signal-range condition, which is not set here - verify.
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
C2:42:26:B0:48:0D ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
# CAPs may only register through bridge1; the default (all interfaces) entry
# is forbidden, so the WAN ports do not accept CAP registrations.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
# Dynamic CAP interfaces are created per radio by supported mode: gn radios
# get the 2.4 GHz config, ac radios the 5 GHz one (names must match the
# /caps-man configuration entries exactly).
add action=create-dynamic-enabled comment=2.4 hw-supported-modes=gn \
master-configuration=configuracion_barentz
add action=create-dynamic-enabled comment=5 hw-supported-modes=ac \
master-configuration=configuration_barentz5
/interface bridge port
# ether5-ether10 form the LAN (ether5 is the trunk to the TP-Link switch).
# ether3 and ether4 are bridged as well even though their /interface ethernet
# comments label them as WAN ports: anything plugged into them joins the LAN
# segment untagged. Confirm this is deliberate, or remove them from the bridge.
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
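/ip neighbor discovery-settings
# Restrict neighbor discovery (MNDP/CDP/LLDP announcements) to the LAN list so
# the router does not advertise its identity, RouterOS version and MAC on the
# ISP segments; the previous value "all" included ether1 and ether2. The LAN
# list is declared under /interface list and contains bridge1.
set discover-interface-list=LAN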
/interface detect-internet
# Runs on every interface, WANs included. The feature maintains its own dynamic
# interface lists, none of which are referenced by any rule in this export -
# verify it is actually needed before keeping it on "all".
set detect-interface-list=all wan-interface-list=all
/interface list member
# bridge1 is the LAN; each physical WAN port is its own list so NAT/route rules
# can address them separately.
add interface=bridge1 list=LAN
add interface=ether1 list=WAN1
add interface=ether2 list=WAN2
/ip address
# Router is .1 on the LAN; each WAN carries a static public /24 (first octets
# redacted in this export).
add address=192.168.101.1/24 comment="LAN SUBNET" interface=bridge1 network=\
192.168.101.0
add address=x.x.210.151/24 comment="IPLAN STATIC IP" interface=ether1 \
network=x.x.210.0
add address=x.x.190.35/24 comment="FIBERCORP STATIC IP" interface=ether2 \
network=x.x.190.0
/ip arp
# Static ARP pins .248 to 18:FD:74:7C:49:60, but the DHCP static lease for
# .248 below belongs to DC:2C:6E:64:9F:32. One of the two is stale; with
# add-arp=yes on the DHCP server the two entries can fight over that address.
add address=192.168.101.248 interface=bridge1 mac-address=18:FD:74:7C:49:60
/ip cloud
# MikroTik DDNS is enabled and refreshed every minute; this is the hostname
# one would use to reach the port-forward from outside.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
# Static leases. .253 (48:5B:39:A3:ED:A3) is the dst-nat target in
# /ip firewall nat, so if that is the PRTG host its lease must stay pinned.
add address=192.168.101.249 client-id=1:dc:2c:6e:64:a0:54 lease-time=58w6d12h \
mac-address=DC:2C:6E:64:A0:54 server=dhcp1
add address=192.168.101.247 client-id=1:14:eb:b6:ce:de:ff mac-address=\
14:EB:B6:CE:DE:FF server=dhcp1
add address=192.168.101.248 client-id=1:dc:2c:6e:64:9f:32 lease-time=58w6d12h \
mac-address=DC:2C:6E:64:9F:32 server=dhcp1
add address=192.168.101.253 client-id=1:48:5b:39:a3:ed:a3 mac-address=\
48:5B:39:A3:ED:A3 server=dhcp1
add address=192.168.101.246 lease-time=58w6d12h mac-address=DC:2C:6E:64:9E:27 \
server=dhcp1
add address=192.168.101.250 lease-time=58w6d12h mac-address=DC:2C:6E:64:9F:57 \
server=dhcp1
/ip dhcp-server network
# Clients are handed Google DNS directly rather than the router (.1), so the
# resolver settings under /ip dns do not apply to LAN clients.
add address=192.168.101.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.101.1
/ip dns
# The router answers DNS for others (allow-remote-requests=yes), forwarding to
# 1.1.1.1 and OpenDNS. It is not an open resolver toward the ISPs only because
# the input chain in /ip firewall filter drops everything that is not from
# LocalLan or established/related - keep that in mind when editing the filter.
set allow-remote-requests=yes max-concurrent-queries=500 \
max-concurrent-tcp-sessions=100 max-udp-packet-size=512 \
query-server-timeout=1s servers=1.1.1.1,208.67.222.222
/ip firewall address-list
# LocalLan is the only list used by the filter rules. SubnetWAN1 appears to
# match the ether1 network, but SubnetWAN2 (x.x.28.0/24) does not match the
# ether2 network (x.x.190.0/24) under /ip address - possibly stale, or an
# artefact of the redaction; verify. Cloud/Cloud2 are FQDN entries that the
# router resolves itself and are not referenced by any rule in this export.
add address=192.168.101.0/24 list=LocalLan
add address=x.x.210.0/24 list=SubnetWAN1
add address=x.x.28.0/24 list=SubnetWAN2
add address=cloud.mikrotik.com list=Cloud
add address=cloud2.mikrotik.com list=Cloud2
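/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Winbox (tcp/8291) is accepted from ANY source, ahead of the LAN rule, so it
# is reachable from both ISPs. Consider narrowing it with
# src-address-list=<management-address-list> or in-interface-list=LAN.
add action=accept chain=input comment="Clound MK" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Alow access Router from LAN" \
src-address-list=LocalLan
# --- forward chain: traffic passing through the router ---
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow conn from LAN" \
connection-state=new in-interface=bridge1
add action=accept chain=forward comment="allow established" connection-state=\
established
add action=accept chain=forward comment="allow related" connection-state=\
related
# New connections arriving on a WAN that were rewritten by a dst-nat rule
# (the tcp/8445 forward to 192.168.101.253 in /ip firewall nat) matched none
# of the accepts above and fell through to "drop all fwd" - which is why the
# port-forward never reached the LAN host. Accept exactly those; the dst-nat
# rules remain the single place that decides what is exposed.
add action=accept chain=forward comment="allow dst-natted conns" \
connection-nat-state=dstnat connection-state=new
add action=drop chain=forward comment="drop all fwd"
# --- input chain continued: replies to the router, then drop the rest ---
add action=accept chain=input comment="allow established to router" \
connection-state=established
add action=accept chain=input comment="allow related to router" \
connection-state=related
add action=drop chain=input comment="Dropp all to router"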
/ip firewall mangle
# Per-ISP policy routing, currently disabled. When enabled these would tag
# connections by ingress WAN and pin their replies to routing tables
# isp_1/isp_2 - neither table has any route in this export (see /ip route),
# so enabling them alone would not be enough.
add action=mark-connection chain=prerouting comment="Mark Routing - WAN1" \
disabled=yes in-interface=ether1 new-connection-mark=isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp1 disabled=yes \
new-routing-mark=isp_1 passthrough=no
add action=mark-connection chain=prerouting comment="Mark Routing - WAN2" \
disabled=yes in-interface=ether2 new-connection-mark=isp2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2 disabled=yes \
new-routing-mark=isp_2 passthrough=no
# Traffic classes feeding /queue tree. Pattern per class: mark the connection,
# then mark packets that entered on ether1/ether2 (download) with the per-WAN
# mark and every other packet of that connection (upload) with the plain mark.
# All mark-packet rules use passthrough=no, so a packet gets at most one class
# and stops here. None of the mark-connection rules carry a
# connection-mark=no-mark guard; the matchers (tcp 80/443, port 53, icmp,
# udp 443) are mutually exclusive, so that is harmless, but "Mark RESTO" at
# the bottom relies on the passthrough=no stops above to avoid re-marking
# classified connections - verify after any reordering.
add action=mark-connection chain=prerouting comment="Mark WEB" \
new-connection-mark=web port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=web in-interface=\
ether1 new-packet-mark=web-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=web in-interface=\
ether2 new-packet-mark=web-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=web new-packet-mark=\
web passthrough=no
add action=mark-connection chain=prerouting comment="Mark DNS" \
new-connection-mark=dns port=53 protocol=udp
add action=mark-connection chain=prerouting new-connection-mark=dns port=53 \
protocol=tcp
add action=mark-packet chain=prerouting connection-mark=dns in-interface=\
ether1 new-packet-mark=dns-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=dns in-interface=\
ether2 new-packet-mark=dns-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=\
dns passthrough=no
add action=mark-connection chain=prerouting comment="Mark ICMP" \
new-connection-mark=icmp protocol=icmp
# protocol=icmp / protocol=udp on the mark-packet rules below is redundant with
# the connection-mark match but harmless.
add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\
ether1 new-packet-mark=icmp-wan1 passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\
ether2 new-packet-mark=icmp-wan2 passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=\
icmp passthrough=no protocol=icmp
add action=mark-connection chain=prerouting comment="Mark QUIC" \
new-connection-mark=quic port=443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic in-interface=\
ether1 new-packet-mark=quic-wan1 passthrough=no protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic in-interface=\
ether2 new-packet-mark=quic-wan2 passthrough=no protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic new-packet-mark=\
quic passthrough=no protocol=udp
# Catch-all: no matcher at all, so everything that reached this point is
# "resto" (rest).
add action=mark-connection chain=prerouting comment="Mark RESTO" \
new-connection-mark=resto
add action=mark-packet chain=prerouting connection-mark=resto in-interface=\
ether1 new-packet-mark=resto-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=resto in-interface=\
ether2 new-packet-mark=resto-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=resto \
new-packet-mark=resto passthrough=no
/ip firewall nat
# Outbound: masquerade per WAN port. src-address-type="" on the first rule is
# an empty matcher and has no effect.
add action=masquerade chain=srcnat comment="Masquerade - WAN1" out-interface=\
ether1 src-address-type=""
add action=masquerade chain=srcnat comment="Masquerade - WAN2" out-interface=\
ether2
# Hairpin NAT so LAN clients can reach the forwarded host via its public IP.
# to-addresses is a src-nat parameter and is presumably ignored by masquerade,
# so the effective source is the router's LAN address; note it also points at
# the forwarded host (.253) rather than the router (.1). If a fixed source is
# wanted, use action=src-nat with to-addresses=192.168.101.1 instead - verify.
add action=masquerade chain=srcnat dst-address=192.168.101.0/24 src-address=\
192.168.101.0/24 to-addresses=192.168.101.253
# Unreachable for ether1 traffic: "Masquerade - WAN1" above already matches
# and NAT stops at the first matching rule. Remove it, or move it above the
# masquerade rule if a fixed public source address is the goal.
add action=src-nat chain=srcnat out-interface-list=WAN1 to-addresses=\
x.x.210.151
# Port-forward: x.x.210.151:8445/tcp -> 192.168.101.253:8445 (no to-ports, so
# the destination port is preserved). The forward chain in /ip firewall filter
# must also accept these new connections (e.g. connection-nat-state=dstnat)
# before "drop all fwd", otherwise they are discarded - the likely reason the
# remote access does not work. Confirm the PRTG web server on .253 actually
# listens on 8445; if it listens on another port, add to-ports=<port>.
add action=dst-nat chain=dstnat dst-address=x.x.210.151 dst-port=8445 \
protocol=tcp to-addresses=192.168.101.253
/ip route
# Default routes (no dst-address means 0.0.0.0/0) with recursive next-hops: the
# gateway is a public resolver IP that is only reachable through the matching
# scope=10 host route below, so check-gateway=ping tests reachability through
# the whole ISP path rather than just the local gateway. WAN2 (distance 2) and
# its monitor route are disabled, consistent with ISP2 being down.
add check-gateway=ping comment="RPD - IPLAN a OPENDNS" distance=1 gateway=\
208.67.222.222
add check-gateway=ping comment="RPD - FIBERCORP a SL" disabled=yes distance=2 \
gateway=1.1.1.1
# Host routes anchoring the recursive defaults; scope=10 lets the default
# routes (target-scope 10 by default) resolve through them.
add comment="Monitor - FCORP->SOFTLAYER" disabled=yes distance=1 dst-address=\
1.1.1.1/32 gateway=x.x.190.1 scope=10
add comment="Monitor - IPLAN->OPENDNS" distance=1 dst-address=\
208.67.222.222/32 gateway=x.x.210.1 scope=10
/lcd
set default-screen=informative-slideshow
/snmp
# SNMP is enabled with interface traps. Community strings and allowed source
# addresses are not in this export - confirm the default "public" community is
# not in use and that polling is limited to the PRTG host's address.
set enabled=yes trap-generators=interfaces
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
# Router identity; this name is what neighbor discovery announces.
set name=Barentz
/system logging