i transfered my working configuration from an RB751g to a RB3011 but i cannot make port forward working anymore.
I have already looked in forum in topics as viewtopic.php?t=187596 but this seemed as another case.
Let me describe the issue i am facing.
In front of mikrotik RB3011 there is a provider's speedport router with lan on 192.168.1.1 while Mikrotik's WAN port is 192.168.1.251 and lan ethernet bridge 192.168.10.1.
In first router (speedport) there is a port forward rule to mikrotik WAN ip 192.168.1.251 and in Mikrotik firewall there is the following configuration :
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!bridgeLAN
.....
add action=dst-nat chain=dstnat dst-port=1433 log=yes protocol=tcp \ to-addresses=192.168.10.10 to-ports=1433
Code: Select all
14:22:39 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.1.251:1433, len 60
14:22:39 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.10.10:1433, NAT 198.199.98.246:39689->(192.168.1.251:1433->192.168.10.10:1433), len 60
14:22:40 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.1.251:1433, len 60
14:22:40 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39689->192.168.10.10:1433, NAT 198.199.98.246:39689->(192.168.1.251:1433->192.168.10.10:1433), len 60
14:22:40 firewall,info dstnat: in:bridgeWAN out:(unknown 0), connection-state:new src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39693->192.168.1.251:1433, len 60
14:22:40 firewall,info IN FROM WAN forward: in:bridgeWAN out:bridgeLAN, connection-state:new,dnat src-mac 0c:73:29:b5:fe:80, proto TCP (SYN), 198.199.98.246:39693->192.168.10.10:1433, NAT 198.199.98.246:39693->(192.168.1.251:1433->192.168.10.10:1433), len 60
Could somebody help on this ?
edit:added full configuration
Code: Select all
# may/15/2023 14:08:15 by RouterOS 7.9
# software id = ----
#
# model = RB3011UiAS
# serial number = ----------
/interface bridge
add arp=proxy-arp name=bridgeLAN
add name=bridgeWAN
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:0C:42:E6:98:A3
set [ find default-name=ether2 ] mac-address=00:0C:42:E6:98:A4
set [ find default-name=ether3 ] mac-address=00:0C:42:E6:98:A5
set [ find default-name=ether4 ] mac-address=00:0C:42:E6:98:A6
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full loop-protect=on mac-address=\
00:0C:42:E6:98:A7 rx-flow-control=auto tx-flow-control=auto
/disk
set disk1 slot=disk1 type=hardware
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolDHCP ranges=192.168.10.200-192.168.10.229
add name=ovpnPool ranges=192.168.10.230-192.168.10.239
/ip dhcp-server
add address-pool=poolDHCP authoritative=after-2sec-delay interface=bridgeLAN \
lease-time=10m name=server1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.10.1 name=ovpnProfile only-one=no remote-address=\
ovpnPool use-ipv6=no
add local-address=192.168.10.1 name=ovpnTOM only-one=yes remote-address=\
192.168.10.227
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridgeWAN ingress-filtering=no interface=ether1
add bridge=bridgeLAN ingress-filtering=no interface=ether2
add bridge=bridgeLAN ingress-filtering=no interface=ether3
add bridge=bridgeLAN ingress-filtering=no interface=ether4
add bridge=bridgeLAN ingress-filtering=no interface=ether5
add bridge=bridgeLAN interface=ether6
add bridge=bridgeLAN interface=ether7
add bridge=bridgeLAN interface=ether8
add bridge=bridgeLAN interface=ether9
add bridge=bridgeLAN interface=ether10
add bridge=bridgeLAN interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512,null certificate=server-certificate cipher=\
blowfish128,aes128-cbc,aes192-cbc,aes256-cbc,aes128-gcm enabled=yes \
protocol=udp
/ip address
add address=192.168.10.1/24 interface=bridgeLAN network=192.168.10.0
add address=192.168.1.251/24 interface=bridgeWAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
208.67.222.222,208.67.220.220,192.168.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add chain=forward comment="Accept established and related packets" \
connection-state=established,related
add action=accept chain=input comment="ACCEPT OpenVPN TCP" dst-port=1194 \
in-interface=bridgeWAN log=yes log-prefix=I-A-VPN protocol=tcp
add action=accept chain=input comment="ACCEPT OpenVPN TCP" dst-port=1194 \
in-interface=bridgeWAN log=yes log-prefix=I-A-VPN protocol=udp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid log=yes log-prefix=I-D-INVALID
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid log=yes log-prefix=F-D-INVALID
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
dst-address-type=multicast log=yes log-prefix=I-D-IGMP
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local log=yes log-prefix="I-D-NOT LOCAL"
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=bridgeWAN \
log=yes log-prefix=F-D-!DST-NAT
add action=drop chain=forward comment="Drom Forwards From Internal LAN 155" \
connection-state=new in-interface=bridgeLAN log=yes log-prefix=\
"DROP FWD 155:" src-address=10.155.155.0/24
add action=accept chain=input comment=\
"Accept all connections from local network" connection-state=new \
in-interface=bridgeLAN log-prefix=I-A-LOC src-address=192.168.10.0/24
add action=accept chain=forward comment="Accept Forwards From Internal LAN" \
connection-state=new in-interface=bridgeLAN log-prefix=F-A-LOC \
src-address=192.168.10.0/24
add action=drop chain=forward comment=ALL in-interface=bridgeWAN log=yes \
log-prefix="IN FROM WAN"
add action=drop chain=input comment="Default WLAN Drop" in-interface=\
bridgeWAN log=yes log-prefix="WLAN IN DROP" protocol=tcp
add action=drop chain=input comment="Default WLAN Drop" in-interface=\
bridgeWAN log=yes log-prefix="WLAN IN DROP" protocol=udp
add action=accept chain=input comment=ALL log=yes log-prefix=I-A-LAST
add action=accept chain=forward comment=ALL log=yes log-prefix=F-A-LAST
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!bridgeLAN
add action=dst-nat chain=dstnat disabled=yes dst-port=59010 log=yes protocol=\
tcp to-addresses=192.168.10.10 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59020 protocol=tcp \
to-addresses=192.168.10.20 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59030 protocol=tcp \
to-addresses=192.168.10.30 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59107 protocol=tcp \
to-addresses=192.168.10.107 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59108 protocol=tcp \
to-addresses=192.168.10.108 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=59118 protocol=tcp \
to-addresses=192.168.10.118 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-port=33010 protocol=tcp \
to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=33020 protocol=tcp \
to-addresses=192.168.10.20 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=33030 protocol=tcp \
to-addresses=192.168.10.30 to-ports=3389
add action=dst-nat chain=dstnat dst-port=1433 log=yes protocol=tcp \
to-addresses=192.168.10.10 to-ports=1433
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp address=192.168.10.0/24
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24 port=4022
set winbox address=192.168.10.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set default-screen=interfaces read-only-mode=yes time-interval=hour
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
add interface=bridgeLAN
add interface=bridgeWAN
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=bridgeLAN,bridgeWAN
/ppp secret
add name=ovpnUser profile=ovpnProfile service=ovpn
add name=ovpnTom profile=ovpnTOM service=ovpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=____VPN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.gr.pool.ntp.org
add address=3.gr.pool.ntp.org
add address=2.gr.pool.ntp.org
add address=1.gr.pool.ntp.org
add address=pool.ntp.org
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool graphing interface
add interface=bridgeLAN
add interface=bridgeWAN