I need some help with a simple port forward. Please see the diagram below:
The ISP modem is configured as a bridge. R1 (Mikrotik CCR2004-16G-2S+) has ether16 as the WAN interface and is receiving a public IP on that. I can ping the public IP.
In VLAN 12, there is a client (10.2.12.10) listening on port 5001. In the internal networks, the client is reachable on this port. I configured port forwarding as explained in the Mikrotik docs, and I also read through some topics with other folks having issues, looking for inspiration. As far as I can tell, my config is correct. I must be missing something.
Could someone please provide some assistance?
Code: Select all
[admin@R1] > /export
# dec/20/2022 09:28:48 by RouterOS 7.5
# software id = EVY1-NYQ3
#
# model = CCR2004-16G-2S+
# serial number = XXXXXXXXXXX
/interface/list/export
/interface list
add name=WAN
add name=PRIV
add name=CAM
add name=GUEST
add name=WIFIMGT
add name=UNTRUSTED
/interface list member
add interface=vlan10-int list=PRIV
add interface=ether16 list=WAN
add interface=vlan12-int list=CAM
add interface=vlan20-int list=GUEST
add interface=vlan13-int list=WIFIMGT
add interface=vlan12-int list=UNTRUSTED
add interface=vlan13-int list=UNTRUSTED
add interface=vlan20-int list=UNTRUSTED
/ip address/export
/ip address
add address=10.2.10.254/24 interface=vlan10-int network=10.2.10.0
add address=10.2.12.254/24 interface=vlan12-int network=10.2.12.0
add address=10.2.20.1/24 interface=vlan20-int network=10.2.20.0
add address=10.2.13.254/24 interface=vlan13-int network=10.2.13.0
/ip firewall/export
/ip firewall address-list
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
add address=0.0.0.0/0 list=any
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow any from vlan10-int to any" in-interface=vlan10-int
add action=accept chain=input comment="allow ICMP from vlan12-int to vlan12-gw" dst-address=10.2.12.254 in-interface=vlan12-int protocol=icmp
add action=accept chain=input comment="allow ICMP from vlan13-int to vlan13-gw" dst-address=10.2.13.254 in-interface=vlan13-int protocol=icmp
add action=accept chain=input comment="allow ICMP from vlan20-int to vlan20-gw" dst-address=10.2.20.1 in-interface=vlan20-int protocol=icmp
add action=accept chain=input comment="allow ICMP from WAN to WAN-interface" in-interface-list=WAN protocol=icmp
add action=accept chain=input in-interface=zerotier1
add action=drop chain=input comment="implicit deny"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface=zerotier1
add action=drop chain=forward comment="drop any from UNTRUSTED to rfc1918" dst-address-list=rfc1918 in-interface-list=UNTRUSTED
add action=accept chain=forward comment="accept any from UNTRUSTED to internet" dst-address-list=any in-interface-list=UNTRUSTED
add action=accept chain=forward comment="accept any from vlan10-int to any" dst-address-list=any in-interface=vlan10-int
add action=drop chain=forward comment="implicit deny"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=tcp to-addresses=10.2.12.10