Shlizer
just joined
Topic Author
Posts: 5
Joined: Mon Feb 06, 2023 7:08 pm

Basic Homeassistant setup behind Mikrotic

Mon Feb 06, 2023 9:07 pm

Hi.
I'm struggling with my firewall NAT config to achieve what I've got in my mind. I've got a little knowledge of networking, but I guess it's not enough.
I've got a homeassistant server running on my local network on static 192.168.13.246 and it's accessible over LAN (+hairpin is working well). So basically from local I can reach it with my public, local or aliased (homeassistant) address over port 8123. That's great.
The problem is when I try to get there from outside of my local network - I can't reach it at all and there isn't any packet going through.

My current firewall NAT is looking like this:
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 
 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.13.0/24 dst-address=192.168.13.246 out-interface=bridge dst-port=8123 log=no log-prefix="" 
 2    chain=dstnat action=dst-nat to-addresses=192.168.13.246 to-ports=8123 protocol=tcp dst-address=!192.168.13.1 in-interface=bridge dst-port=8123 log=no log-prefix="" 
but I've probably tried a few dozen tweaks and by now I'm not sure I understand what I am doing -.-
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Homeassistant setup behind Mikrotic

Tue Feb 07, 2023 4:13 pm

/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
Shlizer
just joined
Topic Author
Posts: 5
Joined: Mon Feb 06, 2023 7:08 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 1:45 am

That's what I've got. Strangely there wasn't a single mention of my public IP o0
# feb/08/2023 00:36:43 by RouterOS 7.7
# software id = Z6H2-0GD9
#
# model = RBD52G-5HacD2HnD
# serial number = ???
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=Musztarda wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Musztarda5G wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.13.10-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.13.1/24 comment=defconf interface=bridge network=\
    192.168.13.0
/ip arp
add address=192.168.13.246 interface=bridge mac-address=YY:YY:YY:YY:YY:YY
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.13.0/24 comment=defconf dns-server=192.168.13.1 gateway=\
    192.168.13.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.13.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.13.246 dst-port=8123 \
    out-interface=bridge protocol=tcp src-address=192.168.13.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.13.1 dst-port=8123 \
    in-interface=bridge protocol=tcp to-addresses=192.168.13.246 to-ports=\
    8123
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Homeassistant setup behind Mikrotic  [SOLVED]

Wed Feb 08, 2023 5:28 am

(1) Change this rule
From:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(2) Modify your source nat rules so they are like so..........
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.13.0/24 src-address=192.168.13.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN


(3) Finally, change your DST NAT address. Two options, since it's not clear:
A. if you have a fixed WANIP address (static), then:
add chain=dstnat action=dst-nat dst-address=WAN_fixed_IP dst-port=8123 protocol=tcp to-address=192.168.13.246

B. if you have a dynamic WANIP (it can and does change), then:
add chain=dstnat action=dst-nat dst-address-list=MYWANIP dst-port=8123 protocol=tcp to-address=192.168.13.246

where the firewall address list called MYWANIP is
add address=mynetnameIPCLOUD list=MYWANIP

C. Another option for dynamic you could use but most prefer B...........
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.13.1 dst-port=8123 protocol=tcp to-address=192.168.13.246

but that only works with a one-subnet structure; if you have multiple subnets you would have to put them on a firewall address list.......
 
Shlizer
just joined
Topic Author
Posts: 5
Joined: Mon Feb 06, 2023 7:08 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 12:24 pm

Still the same:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.13.0/24 src-address=\
    192.168.13.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=8123 log=\
    yes log-prefix=---dst-nat protocol=tcp to-addresses=192.168.13.246
It looks OK from my local network, but from outside the service can't be reached =/
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 1:37 pm

Is your Mikrotik device behind another router?
 
Shlizer
just joined
Topic Author
Posts: 5
Joined: Mon Feb 06, 2023 7:08 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 3:21 pm

Gosh, yea -.-
forgot about that trauma.. but AFAIK port forwarding is set up there, or even DMZ set to the Mikrotik IP.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 4:10 pm

You didn't change your firewall rules as suggested, so I don't expect it to work.
If you're not willing to try stuff to fix your problem, why are you here???

When and if you do, and if it still doesn't work, then the issue is not MT; ensure you have port forwarded correctly from the main router.
It should be port forwarded to the WANIP of the MT router (its LANIP on the main router subnet).

If that doesn't fix it, there are still a few things to consider, e.g. whether the ISP is blocking the traffic.

Perhaps also check the server; sometimes they have built-in firewalls that can block traffic, or even the PC firewall if the server is behind a PC.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 7:10 pm

Gosh, yea -.-
forgot about that trauma.. but AFAIK port forwarding is set up there, or even DMZ set to the Mikrotik IP.
"AFAIK"?? Well, you'd better double check it then, just to rule it out.
 
Shlizer
just joined
Topic Author
Posts: 5
Joined: Mon Feb 06, 2023 7:08 pm

Re: Basic Homeassistant setup behind Mikrotic

Wed Feb 08, 2023 10:48 pm

You didn't change your firewall rules as suggested, so I don't expect it to work.
I'm not sure what you mean.. I basically did what you suggested, I just checked with a diff checker:

(1) I disabled the mentioned rule instead of deleting it, yea - I didn't know it makes a difference; it still shouldn't apply, am I wrong? I also added the three rules you wrote.
(2) all source NAT rules are the same as you wrote
(3) since I've got a static IP from my provider I did option A and added one dst rule feeding it with my WAN IP (and added logging, but I can't see how it will affect anything).

I don't know what I've missed there. Sorry if it looked like I just ignored your suggestion, but I don't know what I did wrong there =/
"AFAIK"?? Well, you'd better double check it then, just to rule it out.
Sorry I didn't clear it up - I was at work and didn't have access to my network (I should've clarified that). The router that is accessing the Internet is from the ISP, so it has limited functionality I can change, but after double checking, I had my 8123 port forwarded and DMZ was set to my HA IP.

EDIT: I've figured it out. Thanks for that config and pointing out that there's another router in the middle. Turns out I just needed to point dst-address in dst-nat to my MT IP in the subnet created by my ISP router.
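Tracing the same symptom step by step, as an added example that is not from any poster in this thread: RouterOS terminal commands that show where port 8123 traffic stops in a double-NAT setup like the one above. It assumes the thread's names (ether1 as WAN, bridge as LAN, server 192.168.13.246) and the ---dst-nat log prefix from the OP's rule.

```routeros
# Step 1: which address does ether1 actually hold right now?
# Behind an ISP router this is a private address from that router's subnet,
# and it (not the public IP) is what dst-address= in the dstnat rule must
# match; comparing it with the rule is what solved the thread.
/ip address print where interface=ether1
/ip dhcp-client print detail where interface=ether1
/ip firewall nat print where chain=dstnat dst-port=8123

# Step 2: do packets for 8123 reach ether1 at all while a test connection
# is made from outside? If nothing shows up here, the ISP router's port
# forward/DMZ or the ISP itself is the problem, not this router.
/tool sniffer quick interface=ether1 port=8123

# Step 3: is the dstnat rule matching? Its packet counter should grow with
# each attempt, and with log=yes every match is written to the log.
/ip firewall nat print stats where chain=dstnat
/log print where message~"---dst-nat"

# Step 4: was the translated connection allowed through the forward chain?
# The tracked connection should show 192.168.13.246:8123 as destination,
# and the "port forwarding" accept rule's counters should increase; if the
# "drop all else" counter grows instead, the rule order is wrong.
/ip firewall connection print where dst-address~":8123"
/ip firewall filter print stats where chain=forward
```

Run the steps in order during a connection attempt from outside the LAN; the first step that shows nothing points at the hop where the traffic is being dropped.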
