I suspect that my initial RB5009 firewall rules or NAT is ignoring the requests since it's set up to ignore anything not coming from the LAN. I'm not really sure how to make the exception for 80 and 443 and have it sent to the Raspberry Pi where Traefik can pick it up. I've read through a lot of forum posts, the MikroTik docs on firewall and NAT, and a ton of Google results but it made me overwhelmed and confused. I'm an application developer, not much of a network or infrastructure guy. Any advice is greatly appreciated.
ip/firewall/filter:
[admin@MikroTik] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec
 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec
 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked
10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid
11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
ip/firewall/nat:
Flags: X - disabled, I - invalid; D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1 X  chain=dstnat action=dst-nat to-addresses=192.168.88.107 protocol=udp src-address=!192.168.88.107
      dst-address=!192.168.88.107 dst-port=53 log=no log-prefix=""
 2 X  chain=dstnat action=dst-nat to-addresses=192.168.88.107 protocol=tcp src-address=!192.168.88.107
      dst-address=!192.168.88.107 dst-port=53 log=no log-prefix=""
 3 X  chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.107
      dst-port=53 log=no log-prefix=""
 4 X  chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.107
      dst-port=53 log=no log-prefix=""
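
Added example, not part of the original post and not RouterOS code: a simplified first-match model in Python of the forward chain printed above, showing how rule 11 treats a new WAN connection to tcp/443 with and without an enabled dst-nat rule. The rule in `HYPOTHETICAL_DSTNAT` and the sample packets are constructed assumptions, and only the matchers the printed rules use are modelled.

```python
# Simplified model of the forward chain from the filter print (rules 6-11).
# Rule 0 is the fasttrack counter dummy and is skipped. Not RouterOS code.
FORWARD_RULES = [
    (6, "accept", {"ipsec-policy": "in,ipsec"}),
    (7, "accept", {"ipsec-policy": "out,ipsec"}),
    (8, "fasttrack-connection", {"connection-state": "established,related"}),
    (9, "accept", {"connection-state": "established,related,untracked"}),
    (10, "drop", {"connection-state": "invalid"}),
    (11, "drop", {"connection-state": "new", "connection-nat-state": "!dstnat",
                  "in-interface-list": "WAN"}),
]
# NAT print: rule 0 is srcnat, rules 1-2 (dstnat, port 53) are disabled (X).
ENABLED_DSTNAT = []
# Assumption: a hypothetical dst-nat rule for web traffic; it is not on the page.
HYPOTHETICAL_DSTNAT = [{"in-interface-list": "WAN", "protocol": "tcp",
                        "dst-port": "80,443"}]

def matches(matchers, pkt):
    """True when every matcher fits; a leading '!' negates the matcher."""
    for key, want in matchers.items():
        negate, want = want.startswith("!"), want.lstrip("!")
        allowed = [want] if key == "ipsec-policy" else want.split(",")
        if (str(pkt.get(key, "none")) in allowed) == negate:
            return False
    return True

def forward_verdict(pkt, dstnat_rules):
    """Return (action, rule number) for a packet routed through the router."""
    hit = any(matches(rule, pkt) for rule in dstnat_rules)
    pkt = {**pkt, "connection-nat-state": "dstnat" if hit else "none"}
    for number, action, matchers in FORWARD_RULES:
        if matches(matchers, pkt):
            if action == "fasttrack-connection":
                continue  # marks the connection; the packet goes on to the next rule
            return action, number
    return "accept", None  # no rule matched: the chain's default is accept

# Constructed sample packets.
NEW_HTTPS_FROM_WAN = {"connection-state": "new", "in-interface-list": "WAN",
                      "protocol": "tcp", "dst-port": 443}
ESTABLISHED_REPLY = {**NEW_HTTPS_FROM_WAN, "connection-state": "established"}

if __name__ == "__main__":
    print(forward_verdict(NEW_HTTPS_FROM_WAN, ENABLED_DSTNAT))       # dropped by rule 11
    print(forward_verdict(NEW_HTTPS_FROM_WAN, HYPOTHETICAL_DSTNAT))  # default accept
    print(forward_verdict(ESTABLISHED_REPLY, ENABLED_DSTNAT))        # accepted by rule 9
```

Traffic that is dst-natted to another host is evaluated in the forward chain, so input rule 5 is not in its path.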