I am relatively new to Mikrotik products, but have some clues/L2-L3 knowledge in the network management area.
I tried searching the Mikrotik docs and browsed forum topics for some days, without finding a solution.
Maybe the concern is in my head but the know-how is not in my mind, so I am not enough for the solution of my problem and need some help to solve it.
So there is a chance that the solution is a very beginner one; in that case please be patient.
I have a router (RB4011iGS+5HacQ2HnD) with a Synology NAS attached to it (LACP), running web and SFTP services, which I want to publish on the internet.
LAN access works perfectly for them; regarding the hairpin NAT, if I try to access them from a phone attached to the WiFi, it works well.
The LAN endpoint (the router's WAN port) is DHCP, but the Synology services gave me a DDNS name (not QuickConnect), which I can use and resolve in/with the router with the firewall-address-list solution.
I try to show here the adequate configuration lines; if they are not enough I will bring the necessary lines.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=********100-********200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge interface=bonding1
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=**********254/24 comment=defconf interface=bridge network=************
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server lease
add address=********99 client-id=******* mac-address=*********** server=defconf use-src-mac=yes
/ip dhcp-server network
add address=**********/24 comment=defconf dns-server=*********** gateway=************ netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=************ comment=defconf name=router.lan
/ip firewall address-list
add address=**********/24 list=Local_LAN
add address=************.synology.me list=GW_IP
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow all from LAN to WAN && allow Conn NAT state dstnat" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=""
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRpin NAT" dst-address-list=Local_LAN out-interface-list=LAN src-address-list=Local_LAN
add action=dst-nat chain=dstnat comment="Public WWW access - DNAT to Synology" dst-address-list=GW_IP dst-port=XXXX protocol=tcp to-addresses=******** to-ports=XXXX
add action=dst-nat chain=dstnat comment="Public SFTP access - DNAT to Synology" dst-address-list=GW_IP dst-port=AAAA protocol=tcp to-addresses=******** to-ports=AAAA
add action=dst-nat chain=dstnat comment="access - DNAT to MacOS" dst-port=BBBB protocol=tcp to-addresses=******** to-ports=BBBB
add action=dst-nat chain=dstnat dst-port=BBBB protocol=udp to-addresses=******** to-ports=BBBB
Support is not on the top; no answer to the ticket for 3 days...
Please help, best regards,
Ferenc
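When reading a `/ip firewall filter` export like the one above, the two things worth checking before anything else are rule order within each chain (a rule placed after an unconditional `drop` in the same chain never fires) and whether the `forward` chain accepts `connection-nat-state=dstnat` traffic before its final drop, since that is what lets a WAN-side port forward reach the LAN host. The script below is an added example, not the poster's configuration or a MikroTik tool: it parses export lines in RouterOS `add key=value` syntax, groups them by chain and reports both points. The sample export is constructed with placeholder values modeled on the post; the set of terminating actions (`accept`, `drop`, `reject`, `tarpit`) and the treatment of `fasttrack-connection` as non-terminating are assumptions about RouterOS semantics, and an empty value such as `connection-state=""` is treated as "no constraint", as it is in the export.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample: RouterOS-style export modeled on the post, with placeholder
# values. The last rule is deliberately placed after the catch-all drop.
SAMPLE_EXPORT = """
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow all from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=""
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="never reached" dst-port=22 protocol=tcp
"""

# Keys that carry no traffic-matching meaning; every other key is a matcher.
NON_MATCHER_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "place-before"}
# Assumed set of actions after which later rules in the chain are not evaluated.
TERMINATING_ACTIONS = {"accept", "drop", "reject", "tarpit"}


@dataclass
class Rule:
    index: int
    action: str
    chain: str
    matchers: dict = field(default_factory=dict)
    comment: str = ""
    disabled: bool = False


def parse_rules(export_text):
    """Parse 'add key=value ...' lines (quoted values allowed) into Rule objects."""
    rules = []
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' header and blank lines
        props = {}
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            props[key] = value
        # Empty values (e.g. connection-state="") impose no constraint, so they are dropped.
        matchers = {k: v for k, v in props.items() if k not in NON_MATCHER_KEYS and v != ""}
        rules.append(Rule(index=len(rules), action=props.get("action", ""),
                          chain=props.get("chain", ""), matchers=matchers,
                          comment=props.get("comment", ""),
                          disabled=props.get("disabled") == "yes"))
    return rules


def is_catch_all(rule):
    """Enabled, unconditional and terminating: every packet reaching it stops here."""
    return not rule.disabled and not rule.matchers and rule.action in TERMINATING_ACTIONS


def shadowed_rules(rules):
    """Enabled rules that can never match because an earlier catch-all closed their chain."""
    closed_chains = set()
    shadowed = []
    for r in rules:
        if r.chain in closed_chains and not r.disabled:
            shadowed.append(r)
        elif is_catch_all(r):
            closed_chains.add(r.chain)
    return shadowed


def dstnat_accepted_before_drop(rules, chain="forward"):
    """True if dst-natted connections are accepted before an unconditional drop in the chain."""
    for r in rules:
        if r.chain != chain or r.disabled:
            continue
        if r.action == "accept" and r.matchers.get("connection-nat-state") == "dstnat":
            return True
        if is_catch_all(r) and r.action == "drop":
            return False
    return False


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_EXPORT)
    for r in shadowed_rules(parsed):
        print(f"rule {r.index} in chain {r.chain} ({r.comment or r.action}) is unreachable")
    print("dstnat accepted before final forward drop:", dstnat_accepted_before_drop(parsed))
```

Run against a real export, the script flags rules that were appended after a "drop all else" line, which is the usual reason a newly added forward or input rule appears to have no effect, and confirms whether port forwards have a path through the forward chain at all.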