Wed Dec 07, 2022 3:40 pm
(1) Adjusted
/ip firewall filter
{Input chain}
[default rules]
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
[user rules]
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
{Forward chain}
[default rules]
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
[user rules]
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"
(2) Why do you have port 8291 forwarded??? Your other port forwarding rule is incomplete. ( dont need to ports if same as dst-ports )
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.2.2 \
dst-port=8291 protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port= ....\
protocol=tcp to-addresses=192.168.1.10 to-ports=
(3) If you only have one subnet and they will need to reach servers as well using the WANIP (and not LANIP direct) then you will need another source nat rule but you have provided no details on the router LAN structure......................... Also no visibility into interface list or members. In other words, complete config required (less router serial #)