I have two public IPs using PPPOe and I'm having a difficult time forwarding traffic from the second IP to my internal services. When I configured the connection I set a higher route distance for the second PPPOE connection since I don't want it to load balance or anything. This is just for email to come in and for the web server.
Port forwarding is working great if I do it for the first IP (public IP).
From what I have read on the internet, I kind of have the feeling I need to use Mangle rules, just don't know how. I have configure D-NAT rules setting the destination as the second public IP, but it is not working. I can't even PING the second public IP even tough it is allowed in the firewall.
Most of the firewall rules are the default ones since this Mikrotik router just replaced yesterday a different router from another vendor.
Bellow is my firewall config, maybe someone can clear things out for me. Thanks in advance.
Code: Select all
# 2024-01-23 12:23:16 by RouterOS 7.13.2
# software id = 7WQ9-KEY5
#
# model = RB5009UG+S+
# serial number = HEP0926CA13
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Hairpin NAT Sophos Proxy" \
dst-address-list=!192.168.10.254 dst-address-type=local dst-port=80,443 \
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment="Sophos UTM9 Proxy" connection-mark=\
"" dst-address=PUBLIC_IP_01 dst-port=443,80,8080,8443 in-interface=\
RDS_PPOE_01 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment="qBittorrent on ROCLJVKRHV02" \
connection-mark="" dst-address=PUBLIC_IP_01 dst-port=50100 in-interface=\
RDS_PPOE_01 protocol=tcp to-addresses=192.168.10.4 to-ports=50100
add action=dst-nat chain=dstnat comment=OPNSense connection-mark="" \
dst-address=PUBLIC_IP_01 dst-port=8400,8600,8511 in-interface=RDS_PPOE_01 \
protocol=tcp to-addresses=192.168.10.61
add action=dst-nat chain=dstnat comment="SMTP on ROCLJVKRSMTP" \
connection-mark="" dst-address=PUBLIC_IP_02 dst-port=25,465,587 \
in-interface=RDS_PPOE_02 protocol=tcp to-addresses=192.168.10.55
add action=dst-nat chain=dstnat comment="VPS Blog" connection-mark="" \
dst-address=PUBLIC_IP_02 dst-port=80,443 in-interface=RDS_PPOE_02 log=yes \
protocol=tcp to-addresses=192.168.10.7
add action=src-nat chain=srcnat connection-mark="" dst-port=80,443 \
out-interface=RDS_PPOE_02 protocol=tcp src-address=192.168.10.7 \
to-addresses=PUBLIC_IP_02
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none