
Port forwarding problem - Need help for the configuration

Tue May 02, 2023 1:04 pm

Hello,

I am new to MikroTik and find all the possibilities it offers exciting. Unfortunately, I am having difficulties with port forwarding despite having followed several tutorials, including this one: https://help.mikrotik.com/docs/display/ ... forwarding

As soon as I enable the rule, I lose Internet access.

Let me explain my situation.

I have a domain name, xyz.roukmoute.fr, whose DNS record is configured at Gandi like this:
xyz 10800 IN A 80.XX.YYY.ZZ
I am using an Unraid server running a Caddy v2 Docker container with the following port mapping:
172.18.0.5:443/TCP↔192.168.10.252:2443
172.18.0.5:80/TCP↔192.168.10.252:2080
Caddy's configuration for this domain name is as follows:
xyz.roukmoute.fr:443 {
# Caddy serves the hostname on its container port 443; the Docker port map above
# exposes that as host port 2443, which is the to-ports target of the router's
# dst-nat rule in the exports below.
encode gzip

    reverse_proxy DOCKER_CONTAINER_NAME:80 {
        # Only the router's dst-nat sits in front of Caddy (no other proxy in
        # the page), so {remote_host} is the original client address as long as
        # the ISP box ahead of the router forwards without rewriting the source
        # - confirm on the ISP box. The backend receives it as X-Real-IP.
        header_up X-Real-IP {remote_host}
    }
}
My Docker applications use a dedicated network:
docker network ls
NETWORK ID NAME DRIVER SCOPE
b6cacf563d40 caddy bridge local
Here is also the configuration of my Mikrotik:
> export hide-sensitive 
# apr/30/2023 12:03:34 by RouterOS 7.7
# software id = 20XC-EDQ4
#
# model = CCR2004-1G-12S+2XS
# serial number = HDD086JPEZA
# NOTE(review): "export hide-sensitive" is meant to mask secrets (passwords, keys);
# the software id and serial number above are still printed and identify the unit.
/interface bridge
# Single LAN bridge; its member ports are listed under /interface bridge port below.
add name=LAN
/interface ethernet
# The two ISP-facing SFP+ ports are renamed after the ISP box they connect to
# (ORANGE, FREE). sfp-sfpplus10-ORBI presumably goes to the WiFi system - confirm.
set [ find default-name=sfp-sfpplus10 ] name=sfp-sfpplus10-ORBI
set [ find default-name=sfp-sfpplus11 ] name=sfp-sfpplus11-ORANGE
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-FREE
/interface wireless security-profiles
# Default wireless profile; no wireless interface appears anywhere in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Defined but not referenced by any filter, mangle or nat rule in this export.
add name=facebook regexp="^.+(facebook.com).*\$"
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
# One routing table per ISP; traffic is steered into them by the mangle
# mark-routing rules below.
add disabled=no fib name=TO_FREEBOX
add disabled=no fib name=TO_ORANGE
/interface bridge port
add bridge=LAN interface=sfp-sfpplus1
add bridge=LAN interface=sfp-sfpplus10-ORBI
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
# The router is .1 on the LAN and a .2 client on each ISP box's private subnet
# (192.168.11.0/24, 192.168.12.0/24), i.e. double NAT. The public address in the
# DNS record belongs to one of those boxes; that box must itself forward tcp/443
# to 192.168.11.2 or 192.168.12.2 before the dst-nat rule below can see anything.
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.11.2/24 interface=sfp-sfpplus11-ORANGE network=192.168.11.0
add address=192.168.12.2/24 interface=sfp-sfpplus12-FREE network=192.168.12.0
/ip arp
# Static ARP entry pinning the Unraid host (the dst-nat target) to its MAC.
add address=192.168.10.252 interface=LAN mac-address=A0:D3:C1:1A:C3:F2
/ip dhcp-server network
# LAN clients are handed 1.1.1.1 as their resolver, not the router.
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
/ip firewall address-list
# WAN_SUBNET = both ISP-box subnets; used by mangle to keep that traffic unmarked.
# The Unraid list is defined but not used by any rule in this export.
add address=192.168.10.252 list=Unraid
add address=192.168.10.0/24 list=LAN_USERS
add address=192.168.11.0/24 list=WAN_SUBNET
add address=192.168.12.0/24 list=WAN_SUBNET
/ip firewall filter
# Only two input-chain drops (tcp/22, tcp/23) and no forward-chain rules appear
# here: anything else reaching the router's own addresses, and all forwarded
# traffic, falls through to the implicit accept. Exposure is limited mainly by
# the private WAN subnets above, not by this firewall.
add action=drop chain=input dst-port=22 protocol=tcp
# src-port="" is an empty matcher; presumably equivalent to no src-port condition - confirm.
add action=drop chain=input dst-port=23 protocol=tcp src-port=""
/ip firewall mangle
# Traffic to the ISP boxes themselves is accepted first so it is never route-marked.
# The rest of LAN_USERS is split into two PCC buckets (2/0, 2/1), one per ISP;
# src-address-type=!local excludes router-originated packets.
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_FREEBOX passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_ORANGE passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address-list=LAN_USERS src-address-type=!local
/ip firewall nat
# Outbound masquerade for LAN_USERS on whichever WAN the route mark selected
# (no out-interface restriction).
add action=masquerade chain=srcnat src-address-list=LAN_USERS
# Currently disabled. As written the rule has no dst-address / dst-address-list,
# so once enabled it matches every tcp/443 packet entering dstnat - including LAN
# clients' outbound HTTPS - and redirects it to the Unraid host. That matches the
# "no Internet access" symptom; the later post scopes it with
# dst-address-list=WAN_SUBNET. log=yes records each new matching connection
# under the "unraid.caddy" prefix, which is useful for monitoring once enabled.
add action=dst-nat chain=dstnat disabled=yes dst-port=443 log=yes log-prefix=unraid.caddy protocol=tcp \
    to-addresses=192.168.10.252 to-ports=2443
/ip route
# Each ISP table holds a distance=1 default with check-gateway=ping for failover;
# the main table carries one distance=2 default per ISP for unmarked traffic.
# Three disabled entries (two main/distance=1, one TO_ORANGE duplicate) look like
# leftovers from earlier attempts and could be pruned for readability.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=TO_ORANGE scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=TO_ORANGE scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" \
    routing-table=TO_FREEBOX scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet, ftp and ssh are switched off. Any other management service is not
# listed, i.e. left at its default, and is reachable subject only to the two
# input-chain rules above.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Paris
I would like to point out that this used to work with my old NETGEAR Nighthawk Pro Gaming (XR700) WiFi router. I would be glad to receive your advice on how to solve this problem.

Thanks in advance.
 
Roukmoute
just joined
Topic Author
Posts: 2
Joined: Tue May 02, 2023 12:35 pm

Re: Port forwarding problem - Need help for the configuration  [SOLVED]

Wed May 03, 2023 10:57 am

OK, it finally works with this configuration; only one thing was missing, the "Dst. Address List":
> /export hide-sensitive 
# may/01/2023 09:54:49 by RouterOS 7.7
# software id = 20XC-EDQ4
#
# model = CCR2004-1G-12S+2XS
# serial number = HDD086JPEZA
# NOTE(review): "export hide-sensitive" is meant to mask secrets (passwords, keys);
# the software id and serial number above are still printed and identify the unit.
/interface bridge
# Single LAN bridge; its member ports are listed under /interface bridge port below.
add name=LAN
/interface ethernet
# The two ISP-facing SFP+ ports are renamed after the ISP box they connect to
# (ORANGE, FREE). sfp-sfpplus10-ORBI presumably goes to the WiFi system - confirm.
set [ find default-name=sfp-sfpplus10 ] name=sfp-sfpplus10-ORBI
set [ find default-name=sfp-sfpplus11 ] name=sfp-sfpplus11-ORANGE
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-FREE
/interface wireless security-profiles
# Default wireless profile; no wireless interface appears anywhere in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Defined but not referenced by any filter, mangle or nat rule in this export.
add name=facebook regexp="^.+(facebook.com).*\$"
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
# One routing table per ISP; traffic is steered into them by the mangle
# mark-routing rules below.
add disabled=no fib name=TO_FREEBOX
add disabled=no fib name=TO_ORANGE
/interface bridge port
add bridge=LAN interface=sfp-sfpplus1
add bridge=LAN interface=sfp-sfpplus10-ORBI
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
# The router is .1 on the LAN and a .2 client on each ISP box's private subnet
# (192.168.11.0/24, 192.168.12.0/24), i.e. double NAT. The public address in the
# DNS record belongs to one of those boxes; that box must itself forward tcp/443
# to 192.168.11.2 or 192.168.12.2 before the dst-nat rule below can see anything.
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.11.2/24 interface=sfp-sfpplus11-ORANGE network=192.168.11.0
add address=192.168.12.2/24 interface=sfp-sfpplus12-FREE network=192.168.12.0
/ip arp
# Static ARP entry pinning the Unraid host (the dst-nat target) to its MAC.
add address=192.168.10.252 interface=LAN mac-address=A0:D3:C1:1A:C3:F2
/ip dhcp-server network
# LAN clients are handed 1.1.1.1 as their resolver, not the router.
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
/ip firewall address-list
# WAN_SUBNET = both ISP-box subnets; used by mangle to keep that traffic unmarked
# and by the dst-nat rule to limit what it captures. The Unraid list is defined
# but not used by any rule in this export.
add address=192.168.10.252 list=Unraid
add address=192.168.10.0/24 list=LAN_USERS
add address=192.168.11.0/24 list=WAN_SUBNET
add address=192.168.12.0/24 list=WAN_SUBNET
/ip firewall filter
# Only two input-chain drops (tcp/22, tcp/23) and no forward-chain rules appear
# here: anything else reaching the router's own addresses, and all forwarded
# traffic (including the dst-nat'ed tcp/2443 flow), falls through to the implicit
# accept. Exposure is limited mainly by the private WAN subnets above.
add action=drop chain=input dst-port=22 protocol=tcp
# src-port="" is an empty matcher; presumably equivalent to no src-port condition - confirm.
add action=drop chain=input dst-port=23 protocol=tcp src-port=""
/ip firewall mangle
# Traffic to the ISP boxes themselves is accepted first so it is never route-marked.
# The rest of LAN_USERS is split into two PCC buckets (2/0, 2/1), one per ISP;
# src-address-type=!local excludes router-originated packets.
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_FREEBOX passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_ORANGE passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address-list=LAN_USERS src-address-type=!local
/ip firewall nat
# Outbound masquerade for LAN_USERS on whichever WAN the route mark selected
# (no out-interface restriction).
add action=masquerade chain=srcnat comment="Connection Internet" src-address-list=LAN_USERS
# The fix: dst-address-list=WAN_SUBNET restricts the redirect to tcp/443 packets
# addressed into the ISP-box subnets (which is how forwarded traffic from the ISP
# box arrives, addressed to 192.168.11.2 / 192.168.12.2), so LAN clients' outbound
# HTTPS is no longer captured. Note the lists cover the whole /24s, so a LAN
# client talking tcp/443 to an ISP box itself (192.168.11.1 / 192.168.12.1) is
# also redirected; matching the router's own WAN addresses instead of the /24s
# would avoid that. The comment attribute is RouterOS' escaped form of
# "Accès à Caddy Serveur du Unraid" (French: access to the Unraid host's Caddy
# server; \E9 = é, \E0 = à). log=yes records each new matching connection under
# the "unraid.caddy" prefix, which is useful for monitoring the exposed service.
add action=dst-nat chain=dstnat comment="Acc\E9s \E0 Caddy Serveur du Unraid" dst-address-list=WAN_SUBNET \
    dst-port=443 log=yes log-prefix=unraid.caddy protocol=tcp to-addresses=192.168.10.252 to-ports=2443
/ip route
# Each ISP table holds a distance=1 default with check-gateway=ping for failover;
# the main table carries one distance=2 default per ISP for unmarked traffic.
# Three disabled entries (two main/distance=1, one TO_ORANGE duplicate) look like
# leftovers from earlier attempts and could be pruned for readability.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=TO_ORANGE scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=TO_ORANGE scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" \
    routing-table=TO_FREEBOX scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.11.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet, ftp and ssh are switched off. Any other management service is not
# listed, i.e. left at its default, and is reachable subject only to the two
# input-chain rules above.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Paris
