It was partially solved, there was an entry missing from one of the nat rules.


add action=masquerade chain=srcnat comment="Internet enable" out-interface=pppoe-out1 src-address=192.168.1.0/24

Solved I see my problem, but there is one more thing left. My router is banned on the server by fail2ban, because the source address is always the IP address of my router, not the real IP address from which the request comes. Although I have now put the router as an exception in the fail2ban filter,...

# 2025-01-15 16:21:04 by RouterOS 7.16.2 # software id = xxxxxxxxxx # # model = RBD52G-5HacD2HnD # serial number = xxxxxxxxxxxxx /interface bridge add name=bridge1 /interface wireless set [ find default-name=wlan1 ] name=wlan1_2,4G ssid=MikroTik set [ find default-name=wlan2 ] name=wlan2-5G ssid=Mi...

Hello! I still have a problem, but now I don't know what the cause of the error could be. I have reset the router several times and reconfigured it. Everything worked for two days, and now neither the web nor the mail server ports are accessible from the outside. The VPN is still accessible on the s...

The latest firmware is on the router. I haven't seen anything newer than that. There's only one admin on the router. Me. I think there might be some "junk" left in it. Can't I delete it here? By the way, the router was updated from the official repository. It seems like someone else has a ...

The hairpin rule also works. I see you have multiple VPN servers enabled, with what VPN server are you connected? To be able to access your local network, you should have an accept rule in the forward chain for this. Do you have access to the router itself (ping while VPN server is up)? There is onl...

The Mikrotik VPN connects, I can't find any errors in the log, but I can't access the LAN network devices, neither the Mikrotik nor the Samba share. (from Windows)
Port 25 hasn't worked since then.
I can check the hairpin rule later, and also whether the VPN works from Linux.

Ok, thank You! I modified the configuration file as you wrote. I also deleted the nat rules that were already deactivated. Could you take a look? # 2025-01-06 15:38:45 by RouterOS 7.16.2 # software id = xxxxxx # # model = RBD52G-5HacD2HnD # serial number = xxxxx /interface bridge add admin-mac=xxxxx...

So brand up wifi AP up top ( is it smart or dumb, brand/model ) Switch to far right ( managed??? brand/model ) -dumb, tp-link sg108 wifi bridge device bottom (brand/model) naostation loco 5ac wifi APs very bottome smart or dumb (brand/model) They are tp-link tl-wr 1043 routers, ap mode, dhcp off (d...

Sorry for the poor drawing, but that's all I had for now

Thanks for your replay! Here is my last config. Currently everything works except openvpn, it connects, but I can't reach the machines on the lan. ping doesn't work either. Port 25 is not available, so the mail server doesn't receive mail, I can only send it. I couldn't test the hairpin rule. # 2025...

I don't know what happened, but now everything is available again. I'll have to investigate further. However, there is still one problem. I can connect to the router remotely with the Mikrotik VPN, but I can't access the Samba share, the Mikrotik admin interface, and the admin interface of my other ...

I made some changes that you suggested, but it's still not working. I also get an error when disconnect from VPN in the log : disconnected <poll error> and cannot reach anything. The server's VPN is still working, and it seems that the samba share is also accessible on the server. # 2025-01-05 15:51...

Also your two hairpin nat rules are weird. Keep it simple..... If you have a subnet that has a server and there are users in the same subnet accessing the server by its DOMAIN name or dyndns URL then its should be add chain=dstnat action=masquerade comment="hairpin" src-address=serverSubn...

Not completely true. DST-NAT (part of prerouting) comes before classification into input/forward, so if some destination packets match DST-NAT rule (e.g. due to some specific matching critera, like src-address or in-interface or something), then it'll get forwarded to (internal) server, the rest wi...

Thanks for your replay! If you are using a DYNDNS name to describe your WANIP, why not use mynetname from IP cloud. I've been using these ddns addresses for a very long time and have never had any problems with them. In any case if using a DYNDNS name one does NOT also use in-interface-list=WAN ( on...

Okay, but then how can I find out what happened? Why isn't it working? (The ports still seemed open a few days ago.)

Ok, I disabled the first rule and removed the dst-address-list but nothing changed.

# 2025-01-04 22:10:12 by RouterOS 7.16.2 # software id = XXXXXXXX # # model = RBD52G-5HacD2HnD # serial number = XXXXXXXX /interface bridge add admin-mac=XXXXXXX:C7:45 auto-mac=no comment=defconf name=bridge \ port-cost-mode=short /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n ...

Thanks for your reply.
What details should I show, how can I download from the router? Sorry, but I am still very new to mikrotik. This is my first mikrotik router.

I have been using a tp-link router with openwrt for months without any problems.

My server's address is rpi3.ordogh.hu

Hello! I have a problem with a Mikrotik hap ac2, more precisely with the firewall. I have a small web server that I run with ddns. I get the ddns from afraid.org. It updates normally, so I don't think there's a problem with that, but I can't open any ports on the firewall. The ports I want to open a...