Community discussions

oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:03 am

Hello!
I have a problem with a Mikrotik hap ac2, more precisely with the firewall. I have a small web server that I run with ddns. I get the ddns from afraid.org. It updates normally, so I don't think there's a problem with that, but I can't open any ports on the firewall. The ports I want to open are specified in the nat settings, but they look closed from the outside. Everything worked so far. It showed up today, even though my IP has changed a few times. What could be causing this problem, because I have no idea what to try? There was an OS update from v6 to v7 a few days ago.
Another interesting thing is that I can establish a VPN connection with the server (a VPN server is also running on it), so I can get into my network, but from the outside this port also looks closed.
 
BartoszP
Forum Guru
Posts: 3081
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:05 am

Why do you think that anyone could help you without any details about your configuration settings?
 
patrikg
Member
Posts: 367
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:20 am

Maybe your ISP is blocking your port?
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:27 am

Thanks for your reply.
What details should I show, and how can I download them from the router? Sorry, but I am still very new to MikroTik. This is my first MikroTik router.

I have been using a tp-link router with openwrt for months without any problems.

My server's address is rpi3.ordogh.hu
Last edited by oatis on Sun Jan 05, 2025 12:29 am, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:28 am

In terminal, execute:
/export file=anynameyoulike
This will produce a text file (rsc extension) containing most of the config.
Download it, edit it (remove serial and any other private info) and post here between code tags by using the </> button.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:44 am

# 2025-01-04 22:10:12 by RouterOS 7.16.2
# software id = XXXXXXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXX
/interface bridge
add admin-mac=XXXXXXX:C7:45 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=hungary distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wlan1_2.4G ssid=XXXXXXX \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=hungary disabled=no distance=indoors frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge name=wlan2_5G ssid=\
    XXXXXXX wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full name=\
    ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXXXX@t-XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.120
add comment=openvpn name=vpn ranges=10.10.0.2-10.10.2.50
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=10.10.0.1 name=openvpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1_2.4G \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2_5G \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,sha256 certificate=server cipher=aes256-cbc,aes256-gcm \
    default-profile=openvpn enabled=yes port=1193 protocol=udp \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.1,192.168.1.150,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=ordogh.dnet.hu comment=ordogh.dnet.hu_ddns list=ordogh.dnet.hu
add address=ordogattila.dnet.hu comment=ordogattila.dnet.hu_ddns list=\
    ordogattila.dnet.hu
add address=ordogdavid.dnet.hu comment=ordogdavid.dnet.hu_ddns list=\
    ordogdavid.dnet.hu
/ip firewall filter
add action=accept chain=input comment="mikrotik ovpn" disabled=yes dst-port=\
    1193 protocol=tcp
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=rpi4_webserver_udp dst-address-list=\
    ordogh.dnet.hu dst-port=80 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=2223
add action=dst-nat chain=dstnat comment=rpi4_ovpn_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=443 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-port=445 \
    protocol=tcp to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba1_udp dst-port=445 \
    protocol=udp to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba2_tcp dst-port=137-139 \
    protocol=tcp to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-port=137-139 \
    protocol=udp to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=995
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment="rpi4_imap_ssl X" disabled=yes \
    dst-port=994 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment="rpi4_smtp_ssl X" disabled=yes \
    dst-port=465 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ispconfig disabled=yes dst-port=\
    9876 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 \
    to-ports=8080
add action=masquerade chain=srcnat comment="mikrotik ovpn"
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=21
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.50 to-ports=25
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=587
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=993
add action=dst-nat chain=dstnat comment=mikrotik_ovpn dst-address-list=\
    ordogh.dnet.hu dst-port=1193 in-interface-list=WAN protocol=tcp src-port=\
    "" to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=mikrotik_ovpn dst-address-list=\
    ordogh.dnet.hu dst-port=1193 in-interface-list=WAN protocol=udp src-port=\
    "" to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=143
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=110
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.150 dst-address-list=ordogh.dnet.hu out-interface=bridge \
    src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin NAT2" dst-address-list=\
    ordogh.dnet.hu dst-address-type=local to-addresses=192.168.1.150
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add name=kid1
/ip service
set ssh port=2224
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=XXXXX profile=openvpn service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Budapest
/system clock manual
set dst-end="2024-01-01 00:00:00" dst-start="2024-01-01 00:00:00"
/system logging
add topics=ovpn
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=192.232.20.87
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add interval=1m name=ordogh.dnet_ddns_refresh on-event=ordogh.dnet.hu_ddns \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=02:12:07
add interval=1h1m name=ordogattila.dnet_ddns_refresh on-event=\
    ordogattila.dnet.hu_ddns policy=ftp,read,write,test start-date=2024-10-29 \
    start-time=14:08:55
add interval=29m name=ordogdavid.dnet_ddns_refresh on-event=\
    ordogdavid.dnet.hu_ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=14:10:03
/system script
add dont-require-permissions=no name=ordogh.dnet.hu_ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\XXXXXXXX""
add dont-require-permissions=no name=ordogattila.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\XXXXXXXX\""
add dont-require-permissions=no name=ordogdavid.dnet.hu_ddns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afra\
    id.org/dynamic/update.php\XXXXXXXXXX""
/tool graphing interface
add interface=ether1_WAN
add interface=ether2_LAN
add interface=ether3_LAN
add interface=ether4_LAN
add interface=ether5_LAN
add interface=wlan1_2.4G
add interface=wlan2_5G
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
erlinden
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:56 am

Because of this rule, all incoming tcp traffic to port 443 is answered by the router:
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
The input chain is used for traffic to the router, the forward chain for traffic between networks (like WAN and LAN).

Next this rule:
add action=dst-nat chain=dstnat comment=rpi4_webserver_udp dst-address-list=ordogh.dnet.hu dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=80
Does it work if you remove dst-address-list=ordogh.dnet.hu ?

Due to the open port on the input chain, below rule will probably not be hit.
add action=dst-nat chain=dstnat comment=rpi4_ssl dst-address-list=ordogh.dnet.hu dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=443
I would like to advise you to reconsider any open port. Every open port is a potential breach. Your choice, of course.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 1:11 am

Ok, I disabled the first rule and removed the dst-address-list but nothing changed.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 2:03 am

That is how MT works.
Any port forwarding will show up on scans but will have status as closed. ( NORMAL! )
Any port forwarding with also a source address or source address limitation on the dstnat config will be invisible on scans.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 2:10 am

Okay, but then how can I find out what happened? Why isn't it working? (The ports still seemed open a few days ago.)
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 3:59 am

Well I took a look at the config and your dstnat rules are all over the place.

If you are using a DYNDNS name to describe your WANIP, why not use mynetname from IP cloud.
In any case if using a DYNDNS name one does NOT also use in-interface-list=WAN ( one or the other )

a. in much of the dstnat rules you have both which is wrong.
b. in some you have neither which is wrong.

Also it's not clear what the following represent. ???????
list=ordogattila.dnet.hu
list=ordogdavid.dnet.hu

Also your two hairpin nat rules are weird. Keep it simple.....
If you have a subnet that has a server and there are users in the same subnet accessing the server by its DOMAIN name or dyndns URL then it should be
add chain=srcnat action=masquerade comment="hairpin" src-address=serverSubnet dst-address=serverSubnet
{edit: thanks cat for the correction}

AS NOTED by another poster, if you have any servers behind the router on the LAN side, that have the same port as one of the services you are using on the Router Itself ( input chain ) you have conflict and you need to remove one of them.
Last edited by anav on Sun Jan 05, 2025 3:18 pm, edited 2 times in total.
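Added example, not posted by anav or the OP: one way to lay out the dstnat rules along the lines described above, keeping the OP's address-list name and server address. It assumes a single public address on pppoe-out1, the WAN and LAN interface lists from the export, and that all the listed services live on 192.168.1.150. Each internet-facing rule matches only on the address-list (no in-interface-list=WAN), the LAN-only rule is qualified with in-interface-list=LAN, and the single srcnat masquerade replaces both of the OP's hairpin rules.

```routeros
# Added example; not the OP's export and not a rule set from this thread.
# Assumes: server 192.168.1.150 on 192.168.1.0/24, address-list "ordogh.dnet.hu"
# holding the DDNS name (RouterOS resolves it to the current public IP and keeps
# a dynamic entry), and the WAN/LAN interface lists as in the export.
/ip firewall nat
# Internet-facing services: match on the resolved public address only. With no
# in-interface-list set, LAN clients that use the public name hit these rules
# too, which is exactly what hairpin needs. to-ports is omitted, so the
# destination port is kept unchanged.
add chain=dstnat action=dst-nat comment="web" dst-address-list=ordogh.dnet.hu \
    protocol=tcp dst-port=80,443 to-addresses=192.168.1.150
add chain=dstnat action=dst-nat comment="mail (TLS ports)" \
    dst-address-list=ordogh.dnet.hu protocol=tcp dst-port=465,587,993,995 \
    to-addresses=192.168.1.150
add chain=dstnat action=dst-nat comment="ssh on alternate port" \
    dst-address-list=ordogh.dnet.hu protocol=tcp dst-port=2223 \
    to-addresses=192.168.1.150
# LAN-only service: same structure, but qualified with the LAN list so a
# packet arriving on the WAN list can never match it.
add chain=dstnat action=dst-nat comment="smb, LAN only" \
    dst-address-list=ordogh.dnet.hu in-interface-list=LAN protocol=tcp \
    dst-port=445 to-addresses=192.168.1.150
# Hairpin: a LAN-to-LAN connection that went through dst-nat gets the router's
# address as its source, so the server answers through the router instead of
# replying directly to a client that is still expecting the public address.
add chain=srcnat action=masquerade comment="hairpin" \
    src-address=192.168.1.0/24 dst-address=192.168.1.0/24
```

Two practical notes. The address-list entry is a DNS name, so the rule only matches while the dynamic entry RouterOS created for it holds the router's current public address; after an IP change it stays wrong until the DDNS record is updated and re-resolved, which is worth checking with `/ip firewall address-list print` against `/ip address print where interface=pppoe-out1`. And a LAN-only dst-nat to a host in the same subnet is mostly redundant, because LAN clients can reach 192.168.1.150:445 directly without any NAT rule; it only matters if they insist on using the public name.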
 
mkx
Forum Guru
Posts: 13124
Joined: Thu Mar 03, 2016 10:23 pm

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:01 pm

Because of this rule, all incoming tcp traffic to port 443 is answered by the router:
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
The input chain is used for traffic to the router, the forward chain for traffice between networks (like WAN and LAN).

Not completely true. DST-NAT (part of prerouting) comes before classification into input/forward, so if some destination packets match a DST-NAT rule (e.g. due to some specific matching criteria, like src-address or in-interface or something), then they'll get forwarded to the (internal) server; the rest will indeed hit the router itself.

Config by @OP doesn't seem to be very selective though ... assuming that router has single WAN IP address everything from WAN will end up being forwarded to LAN server, only some connections targeting router's LAN IP address(es) will be handled by router itself.
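Added example, not from mkx's post or anyone else's in the thread: how to see which path a connection to port 443 actually takes on the exported config, and how to take the router's own SSTP listener out of the way. It assumes the export above (SSTP accepted on 443 in the input chain plus a dst-nat for 443 to 192.168.1.150) and a single public address on pppoe-out1; port 4443 for SSTP is an arbitrary choice, and the comment "TEMP debug 443" is just a handle for the temporary rule.

```routeros
# Added example; not part of the thread. Assumes the exported config above.
# 1. Check what the DDNS-based address-list actually resolved to and compare it
#    with the current PPPoE address. If they differ, no dst-nat rule that uses
#    dst-address-list=ordogh.dnet.hu can match, whatever else is configured.
/ip firewall address-list print where list=ordogh.dnet.hu
/ip address print where interface=pppoe-out1
# 2. Zero the counters, make one connection from outside to <public-ip>:443,
#    then see which rules counted. dstnat runs in prerouting, before the
#    input/forward decision: if the dst-nat rule counted, the connection is
#    handled in the forward chain and carries the dstnat flag in connection
#    tracking; if the input "allow sstp" rule counted instead, the router
#    itself answered and the web server never saw the packet.
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats where chain=dstnat protocol=tcp dst-port=443
/ip firewall filter print stats where chain=input protocol=tcp dst-port=443
/ip firewall connection print detail where protocol=tcp dst-address~":443\$"
# 3. A temporary passthrough rule at the top of dstnat logs every connection
#    to 443 that reaches the router, with in-interface and source, regardless
#    of which rule wins afterwards (passthrough matches but does not act).
/ip firewall nat add chain=dstnat action=passthrough protocol=tcp dst-port=443 \
    log=yes log-prefix="dstnat443" comment="TEMP debug 443"
/ip firewall nat move [find comment="TEMP debug 443"] 0
/log print where message~"dstnat443"
# 4. Remove the conflict: the router's SSTP server and the forwarded web
#    server cannot both own 443 on the same public address. Move SSTP (and
#    its input rule) to another port so the dst-nat for 443 is the only thing
#    listening there from the internet.
/interface sstp-server server set port=4443
/ip firewall filter set [find comment="allow sstp"] dst-port=4443
# 5. Clean up the debug rule once done; log=yes on a NAT rule is noisy.
/ip firewall nat remove [find comment="TEMP debug 443"]
```

The counters in step 2 are the quickest way to settle "did the port forward fire or did the router answer", because they are read after the ordering mkx describes has already been applied. Step 1 is the check that catches the case where the rules are fine but the DDNS name in the address-list no longer points at the router after an IP change.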
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:19 pm

Thanks for your reply!
If you are using a DYNDNS name to describe your WANIP, why not use mynetname from IP cloud.
I've been using these ddns addresses for a very long time and have never had any problems with them.
In any case if using a DYNDNS name one does NOT also use in-interface-list=WAN ( one or the other )
I removed the in-interface-list=WAN entries, but no change so far.
b. in some you have neither which is wrong.
I only want to access those ports from the LAN, not from the internet, which is where I didn't make an entry, for example for the samba share. This is how it worked for me with OpenWrt.
Also its not clear what the following represent. ???????
list=ordogattila.dnet.hu
list=ordogdavid.dnet.hu
What exactly do you mean?
I have 3 ddns addresses and they all point to the same address for security reasons.
Also your two hairpin nat rules are weird.
I pieced together the hairpin rules from forums. Yes, I want to access my website and mail server from the LAN network, not just from the internet using my domain name.
add chain=dstnat action=masquerade comment="hairpin" src-address=serverSubnet dst-address=serverSubnet
So should I delete the two hairpin rules and insert the one you wrote?
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 12:32 pm

Not completely true. DST-NAT (part of prerouting) comes before classification into input/forward, so if some destination packets match DST-NAT rule (e.g. due to some specific matching critera, like src-address or in-interface or something), then it'll get forwarded to (internal) server, the rest will indeed hit router itself.
So do I still need to enable this rule?

Unfortunately, it still doesn't work for now.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 3:08 pm

Also your two hairpin nat rules are weird. Keep it simple.....
If you have a subnet that has a server and there are users in the same subnet accessing the server by its DOMAIN name or dyndns URL then its should be
add chain=dstnat action=masquerade comment="hairpin" src-address=serverSubnet dst-address=serverSubnet
I got error: masquerade action must be in srcnat chain
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 3:12 pm

Typo of the poster, it should be srcnat
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 3:52 pm

Fixed thanks!
Also this:
I only want to access those ports from lan, not for internet where I didn't make an entry, for example samba share.

You still need the same structure as the rest of the dstnat rules! If you want to limit to LAN only, then add a qualifier.
add chain=dstnat action=dst-nat dst-address-list=>>> dst-port=xxx protocol=yyy to-addresses=ipServer in-interface-list=LAN
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 5:03 pm

I made some changes that you suggested, but it's still not working.
I also get an error in the log when disconnecting from the VPN: disconnected <poll error>, and I cannot reach anything.
The server's VPN is still working, and it seems that the samba share is also accessible on the server.
# 2025-01-05 15:51:27 by RouterOS 7.16.2
# software id = 
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=hungary distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wlan1_2.4G ssid=xxxxx\
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=hungary disabled=no distance=indoors frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge name=wlan2_5G ssid=\
    xxxxxx wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full name=\
    ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=pppoe-out1 \
    use-peer-dns=yes user=xxx@t-xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.120
add comment=openvpn name=vpn ranges=10.10.0.2-10.10.2.50
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=10.10.0.1 name=openvpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1_2.4G \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2_5G \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,sha256 certificate=server cipher=aes256-cbc,aes256-gcm \
    default-profile=openvpn enabled=yes port=1193 protocol=udp \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.1,192.168.1.150,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=ordogh.dnet.hu comment=ordogh.dnet.hu_ddns list=ordogh.dnet.hu
add address=ordogattila.dnet.hu comment=ordogattila.dnet.hu_ddns list=\
    ordogattila.dnet.hu
add address=ordogdavid.dnet.hu comment=ordogdavid.dnet.hu_ddns list=\
    ordogdavid.dnet.hu
/ip firewall filter
add action=accept chain=input comment="mikrotik ovpn" disabled=yes dst-port=\
    1193 protocol=tcp
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
    dst-address-list=ordogh.dnet.hu dst-port=80 protocol=tcp to-addresses=\
    192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=443 protocol=tcp to-addresses=192.168.1.150 \
    to-ports=443
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=2223
add action=dst-nat chain=dstnat comment=rpi4_ovpn_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=445 in-interface-list=LAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba1_udp disabled=yes \
    dst-port=445 protocol=udp to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba2_tcp disabled=yes \
    dst-port=137-139 protocol=tcp to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-address-list=\
    ordogh.dnet.hu dst-port=137-139 in-interface-list=LAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=995
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment="rpi4_imap_ssl X" disabled=yes \
    dst-port=994 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment="rpi4_smtp_ssl X" disabled=yes \
    dst-port=465 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ispconfig disabled=yes dst-port=\
    9876 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 \
    to-ports=8080
add action=masquerade chain=srcnat comment="mikrotik ovpn"
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=21
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.50 to-ports=25
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=587
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=993
add action=dst-nat chain=dstnat comment=mikrotik_ovpn disabled=yes \
    dst-address-list=ordogh.dnet.hu dst-port=1193 protocol=tcp src-port="" \
    to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1193 in-interface-list=LAN protocol=udp src-port=\
    "" to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=143
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=110
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.1.150 dst-address-list=ordogh.dnet.hu out-interface=\
    bridge src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin NAT2" disabled=yes \
    dst-address-list=ordogh.dnet.hu dst-address-type=local to-addresses=\
    192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add name=kid1
/ip service
set ssh port=2224
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=xxxxx profile=openvpn service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Budapest
/system clock manual
set dst-end="2024-01-01 00:00:00" dst-start="2024-01-01 00:00:00"
/system logging
add topics=ovpn
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=192.232.20.87
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add interval=1m name=ordogh.dnet_ddns_refresh on-event=ordogh.dnet.hu_ddns \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=02:12:07
add interval=1h1m name=ordogattila.dnet_ddns_refresh on-event=\
    ordogattila.dnet.hu_ddns policy=ftp,read,write,test start-date=2024-10-29 \
    start-time=14:08:55
add interval=29m name=ordogdavid.dnet_ddns_refresh on-event=\
    ordogdavid.dnet.hu_ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=14:10:03
/system script
add dont-require-permissions=no name=ordogh.dnet.hu_ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\xxxxx""
add dont-require-permissions=no name=ordogattila.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\xxxx""
add dont-require-permissions=no name=ordogdavid.dnet.hu_ddns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afra\
    id.org/dynamic/update.php\xxxx""
/tool graphing interface
add interface=ether1_WAN
add interface=ether2_LAN
add interface=ether3_LAN
add interface=ether4_LAN
add interface=ether5_LAN
add interface=wlan1_2.4G
add interface=wlan2_5G
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 8:59 pm

I don't know what happened, but now everything is available again. I'll have to investigate further.

However, there is still one problem. I can connect to the router remotely with the Mikrotik VPN, but I can't access the Samba share, the Mikrotik admin interface, and the admin interface of my other routers. What could be causing this?
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Sun Jan 05, 2025 11:43 pm

post the latest config, so that one can investigate.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 12:08 am

Thanks for your reply!
Here is my latest config.
Currently everything works except OpenVPN: it connects, but I can't reach the machines on the LAN. Ping doesn't work either.
Port 25 is not reachable, so the mail server doesn't receive mail; I can only send it.
I couldn't test the hairpin rule.

# 2025-01-05 22:52:39 by RouterOS 7.16.2
# software id = xxxxx
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xxxxxxx7:45 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=hungary distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wlan1_2.4G ssid=xxxxx \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=hungary disabled=no distance=indoors frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge name=wlan2_5G ssid=\
    xxxxx wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full name=\
    ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.120
add comment=openvpn name=vpn ranges=10.10.0.2-10.10.0.50
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=10.10.0.1 name=openvpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1_2.4G \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2_5G \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,sha256 certificate=server cipher=aes256-cbc,aes256-gcm \
    default-profile=openvpn enabled=yes port=1193 protocol=udp \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.1,192.168.1.150,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=ordogh.dnet.hu comment=ordogh.dnet.hu_ddns list=ordogh.dnet.hu
add address=ordogattila.dnet.hu comment=ordogattila.dnet.hu_ddns list=\
    ordogattila.dnet.hu
add address=ordogdavid.dnet.hu comment=ordogdavid.dnet.hu_ddns list=\
    ordogdavid.dnet.hu
/ip firewall filter
add action=accept chain=input comment="mikrotik ovpn" disabled=yes dst-port=\
    1193 protocol=tcp
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
    dst-address-list=ordogh.dnet.hu dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=443 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=2223
add action=dst-nat chain=dstnat comment=rpi4_ovpn_tcp disabled=yes \
    dst-address-list=ordogh.dnet.hu dst-port=1194 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=445 in-interface-list=LAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba1_udp disabled=yes \
    dst-port=445 protocol=udp to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba2_tcp disabled=yes \
    dst-port=137-139 protocol=tcp to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-address-list=\
    ordogh.dnet.hu dst-port=137-139 in-interface-list=LAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.150 to-ports=995
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment="rpi4_imap_ssl X" disabled=yes \
    dst-port=994 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment="rpi4_smtp_ssl X" disabled=yes \
    dst-port=465 in-interface-list=WAN protocol=udp to-addresses=\
    192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ispconfig disabled=yes dst-port=\
    9876 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 \
    to-ports=8080
add action=masquerade chain=srcnat comment="mikrotik ovpn"
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=21
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.50 to-ports=25
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=587
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=993
add action=dst-nat chain=dstnat comment=mikrotik_ovpn dst-address-list=\
    ordogh.dnet.hu dst-port=1193 protocol=tcp src-port="" to-addresses=\
    192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1193 in-interface-list=WAN protocol=udp src-port=\
    "" to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=143
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.150 to-ports=110
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.1.150 dst-address-list=ordogh.dnet.hu out-interface=\
    bridge src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin NAT2" disabled=yes \
    dst-address-list=ordogh.dnet.hu dst-address-type=local to-addresses=\
    192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add name=kid1
/ip service
set ssh port=2224
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=xxxxx profile=openvpn service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Budapest
/system clock manual
set dst-end="2024-01-01 00:00:00" dst-start="2024-01-01 00:00:00"
/system logging
add topics=ovpn
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=192.232.20.87
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add interval=1m name=ordogh.dnet_ddns_refresh on-event=ordogh.dnet.hu_ddns \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=02:12:07
add interval=1h1m name=ordogattila.dnet_ddns_refresh on-event=\
    ordogattila.dnet.hu_ddns policy=ftp,read,write,test start-date=2024-10-29 \
    start-time=14:08:55
add interval=29m name=ordogdavid.dnet_ddns_refresh on-event=\
    ordogdavid.dnet.hu_ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=14:10:03
/system script
add dont-require-permissions=no name=ordogh.dnet.hu_ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\""
add dont-require-permissions=no name=ordogattila.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\""
add dont-require-permissions=no name=ordogdavid.dnet.hu_ddns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afra\
    id.org/dynamic/update.php\""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 12:42 am

Other routers?? Can you provide a network diagram to see what is in play!
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 1:12 am

Sorry for the poor drawing, but that's all I had for now :-)
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 2:34 am

So, the WiFi AP up top (is it smart or dumb? brand/model)
Switch to the far right (managed? brand/model)
WiFi bridge device at the bottom (brand/model)
WiFi APs at the very bottom, smart or dumb? (brand/model)
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 2:38 am

Hosting your own mail server is a very bad idea...... I suspect that may be the cause: people get shut down by their ISPs for abuse on port 25.
Port 25 is often used to spam email and ISPs shut it down.
Workarounds: don't attempt to be everything.
Have your mail server set to something else.................. some other ports higher up maybe >> I know my ISP uses other ones associated with encryption.

Depending on whether you have a public IP address, you should be able to use the much easier WireGuard VPN on the router.

Your config looks decent as is....
-- if you added the netmask setting manually, remove it; normally it doesn't show on a config print.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
192.168.1.1,192.168.1.150,8.8.8.8 gateway=192.168.1.1 netmask=24
???

-- would get rid of your IP DNS STATIC entry!!

-- are all those ports required to be open on input chain for OVPN?? ( all the more reason to switch to wireguard )

-- would modify a default rule in forward chain to three better clearer rules!!
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

TO:
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="drop all else"


- won't repeat myself again... for dstnat rules you have either destination address or in-interface-list=WAN, NOT BOTH!
Typically for dynamic WAN IPs we use in-interface-list=WAN.
Typically for static WAN IPs we use dst-address=WANIP.
However, when also accessing the servers from the LAN (via dyndns), clearly in-interface-list=WAN is wrong,
so we mimic the fixed static IP method by using dst-address-list. As you have done, so this is the right approach!!
(If the servers are also on the same LAN as the users, in both cases, static/dynamic, we need to add a hairpin srcnat rule.)

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
dst-address-list=ordogh.dnet.hu dst-port=80 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
ordogh.dnet.hu dst-port=443 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
ordogh.dnet.hu dst-port=2223 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=2223
add action=dst-nat chain=dstnat comment=rpi4_ovpn_tcp disabled=yes \
dst-address-list=ordogh.dnet.hu dst-port=1194 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
ordogh.dnet.hu dst-port=1194 in-interface-list=WAN protocol=udp \
to-addresses=192.168.1.150 to-ports=1194
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-address-list=\ < -- Excellent use of in-interface-list to LIMIT to internal users !!
ordogh.dnet.hu dst-port=445 in-interface-list=LAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba1_udp disabled=yes \ < -- MISSING dst-address-list
dst-port=445 protocol=udp to-addresses=192.168.1.150 to-ports=445
add action=dst-nat chain=dstnat comment=rpi4_samba2_tcp disabled=yes \ < -- MISSING dst-address-list
dst-port=137-139 protocol=tcp to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-address-list=\ < -- Excellent use of in-interface-list to LIMIT to internal users !!
ordogh.dnet.hu dst-port=137-139 in-interface-list=LAN protocol=udp \
to-addresses=192.168.1.150 to-ports=137-139
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
ordogh.dnet.hu dst-port=995 in-interface-list=WAN protocol=udp \
to-addresses=192.168.1.150 to-ports=995
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
ordogh.dnet.hu dst-port=994 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment="rpi4_imap_ssl X" disabled=yes \ < -- MISSING dst-address-list
dst-port=994 in-interface-list=WAN protocol=udp to-addresses=\
192.168.1.150 to-ports=994
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
ordogh.dnet.hu dst-port=465 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment="rpi4_smtp_ssl X" disabled=yes \ < -- MISSING dst-address-list
dst-port=465 in-interface-list=WAN protocol=udp to-addresses=\
192.168.1.150 to-ports=465
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
ordogh.dnet.hu dst-port=9876 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ispconfig disabled=yes dst-port=\ < -- MISSING dst-address-list
9876 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 \
to-ports=8080
add action=masquerade chain=srcnat comment="mikrotik ovpn" < -- MISSING Qualifier which out-interface ???
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
ordogh.dnet.hu dst-port=21 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=21
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
ordogh.dnet.hu dst-port=25 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.50 to-ports=25
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
ordogh.dnet.hu dst-port=587 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=587
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
ordogh.dnet.hu dst-port=993 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=993
add action=dst-nat chain=dstnat comment=mikrotik_ovpn dst-address-list=\
ordogh.dnet.hu dst-port=1193 protocol=tcp src-port="" to-addresses=\
192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
ordogh.dnet.hu dst-port=1193 in-interface-list=WAN protocol=udp src-port=\
"" to-addresses=192.168.1.1 to-ports=1193
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
ordogh.dnet.hu dst-port=143 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=143
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
ordogh.dnet.hu dst-port=110 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.150 to-ports=110
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \ < -- Remove this rule
dst-address=192.168.1.150 dst-address-list=ordogh.dnet.hu out-interface=\
bridge src-address=192.168.1.0/24

add action=dst-nat chain=dstnat comment="Hairpin NAT2" disabled=yes \ <-- Remove this rule
dst-address-list=ordogh.dnet.hu dst-address-type=local to-addresses=\
192.168.1.150

add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24


Note: If the to-port is the same as dst-port, it can be removed.

- modify the item in bold below to none.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
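To make the two points above concrete (the "NOT BOTH" remark about dstnat matchers and the three-rule forward chain), here is a small Python model of RouterOS first-match rule evaluation. It is an added example, not MikroTik code or anything from this thread; the WAN IP 203.0.113.10, the client addresses and the packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values: the DDNS address list resolves to this made-up WAN IP.
ROUTER_WAN_IP = "203.0.113.10"
ADDRESS_LISTS = {"ordogh.dnet.hu": {ROUTER_WAN_IP}}
LAN_NET = ip_network("192.168.1.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"
    in_list: str = "WAN"      # interface list the packet arrived on
    out_list: str = ""        # filled in by route() after dstnat
    nat_state: str = ""       # becomes "dstnat" once a dst-nat rule hits


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    dst_list: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    nat_state: Optional[str] = None
    to_address: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must agree; unset matchers are wildcards.
        return all([
            self.in_list is None or p.in_list == self.in_list,
            self.out_list is None or p.out_list == self.out_list,
            self.dst_list is None or p.dst in ADDRESS_LISTS[self.dst_list],
            self.dst_port is None or p.dst_port == self.dst_port,
            self.proto is None or p.proto == self.proto,
            self.nat_state is None or p.nat_state == self.nat_state,
        ])


def run_chain(rules, chain: str, p: Packet) -> str:
    """First matching rule wins, as in a RouterOS chain; a chain with no
    matching rule implicitly accepts."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            if r.action == "dst-nat":
                p.dst, p.nat_state = r.to_address, "dstnat"
            return r.comment
    return "implicit accept"


def route(p: Packet) -> None:
    """Routing runs after dstnat, so the out-interface follows the translated destination."""
    p.out_list = "LAN" if ip_address(p.dst) in LAN_NET else "WAN"


# The OP's rule as posted: dst-address-list AND in-interface-list=WAN.
HTTPS_WAN_ONLY = Rule("dstnat", "dst-nat", "rpi4_https_tcp (in-interface-list=WAN)",
                      in_list="WAN", dst_list="ordogh.dnet.hu", dst_port=443,
                      proto="tcp", to_address="192.168.1.150")
# What the post recommends when LAN users also reach the server by its DDNS name.
HTTPS_ANY_IFACE = Rule("dstnat", "dst-nat", "rpi4_https_tcp (dst-address-list only)",
                       dst_list="ordogh.dnet.hu", dst_port=443, proto="tcp",
                       to_address="192.168.1.150")
# The three forward rules proposed in place of the defconf "not DSTNATed" drop.
FORWARD = [
    Rule("forward", "accept", "internet traffic", in_list="LAN", out_list="WAN"),
    Rule("forward", "accept", "port forwarding", nat_state="dstnat"),
    Rule("forward", "drop", "drop all else"),
]


def needs_hairpin(p: Packet) -> bool:
    """Client and translated server on the same LAN: the server would answer the
    client directly, so a srcnat masquerade (the OP's "HAIRPIN NAT v2" rule) must
    rewrite the source to the router for the reply to come back through NAT."""
    return ip_address(p.src) in LAN_NET and ip_address(p.dst) in LAN_NET


def trace(dstnat_rule: Rule, p: Packet) -> dict:
    """Walk one new connection through dstnat, routing and the forward chain."""
    hit = run_chain([dstnat_rule], "dstnat", p)
    route(p)
    if p.dst == ROUTER_WAN_IP:
        fwd = "input chain (addressed to the router itself, never forwarded)"
    else:
        fwd = run_chain(FORWARD, "forward", p)
    return {"dstnat": hit, "dst": p.dst, "forward": fwd, "hairpin": needs_hairpin(p)}


if __name__ == "__main__":
    cases = [
        ("internet -> DDNS name, WAN-only rule",
         HTTPS_WAN_ONLY, Packet("198.51.100.7", ROUTER_WAN_IP, 443)),
        ("LAN -> DDNS name, WAN-only rule",
         HTTPS_WAN_ONLY, Packet("192.168.1.55", ROUTER_WAN_IP, 443, in_list="LAN")),
        ("LAN -> DDNS name, address-list-only rule",
         HTTPS_ANY_IFACE, Packet("192.168.1.55", ROUTER_WAN_IP, 443, in_list="LAN")),
        ("internet -> LAN host directly, no dstnat",
         HTTPS_ANY_IFACE, Packet("198.51.100.7", "192.168.1.150", 22)),
    ]
    for name, rule, pkt in cases:
        print(f"{name}: {trace(rule, pkt)}")
```

The second case shows the failure the post describes: with in-interface-list=WAN on the dstnat rule, a LAN client using the DDNS name never gets translated and ends up in the router's input chain, while the third case shows that the address-list-only rule translates it but then needs the hairpin srcnat.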
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 9:41 am

So, the WiFi AP up top (is it smart or dumb? brand/model)
Switch to the far right (managed? brand/model) - dumb, tp-link sg108
WiFi bridge device at the bottom (brand/model) - nanostation loco 5ac
WiFi APs at the very bottom, smart or dumb? (brand/model) - They are tp-link tl-wr 1043 routers, AP mode, DHCP off (ddwrt/openwrt firmware)
WiFi AP near the server: tp-link re700X (DHCP off, original fw)

Port 25 is often used to spam email and ISPs shut it down.
Workarounds: don't attempt to be everything.
Have your mail server set to something else.................. some other ports higher up maybe >>
You are absolutely right. I haven't been able to get it to work on a different port yet. I haven't found a solution. Currently, Google Forward is forwarding emails on this port. Fortunately, it still worked with the old router that I replaced.
add action=masquerade chain=srcnat comment="mikrotik ovpn" < -- MISSING Qualifier which out-interface ???
Out-interface LAN? Is this right?
Note: If the to-port is the same as dst-port, it can be removed.
Only dst-port can be removed?
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What is this used for? Is it for a terminal?
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 4:06 pm

masquerade rule already exists above with out-interface-list=WAN.
You do not need another masquerade rule is the point, unless you have a specific VPN outgoing that needs to be masqueraded.

ONLY the to-port can be removed if same as dst-port. (The dst-port is mandatory LOL, the router reads the dst-port on incoming traffic and compares to dstnat rules.)


Clue, mac-winbox........... access to the config through mac address but through winbox, this is encrypted and can be used, the plain mac address access should be set to NONE, not secure.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 4:47 pm

Ok, thank You!
I modified the configuration file as you wrote. I also deleted the nat rules that were already deactivated. Could you take a look?
# 2025-01-06 15:38:45 by RouterOS 7.16.2
# software id = xxxxxx
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=hungary distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wlan1_2.4G ssid=xxxxx \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=hungary disabled=no distance=indoors frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge name=wlan2_5G ssid=\
    xxxxx wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full name=\
    ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.120
add comment=openvpn name=vpn ranges=10.10.0.2-10.10.0.50
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1h name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=10.10.0.1 name=openvpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1_2.4G \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2_5G \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,sha256 certificate=server cipher=aes256-cbc,aes256-gcm \
    default-profile=openvpn enabled=yes port=1193 protocol=udp \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=ordogh.dnet.hu comment=ordogh.dnet.hu_ddns list=ordogh.dnet.hu
add address=ordogattila.dnet.hu comment=ordogattila.dnet.hu_ddns list=\
    ordogattila.dnet.hu
add address=ordogdavid.dnet.hu comment=ordogdavid.dnet.hu_ddns list=\
    ordogdavid.dnet.hu
/ip firewall filter
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
    dst-address-list=ordogh.dnet.hu dst-port=80 protocol=tcp to-addresses=\
    192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=443 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-port=445 \
    in-interface-list=LAN protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-port=137-139 \
    in-interface-list=LAN protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 protocol=tcp to-addresses=192.168.1.150 \
    to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 protocol=tcp to-addresses=192.168.1.50
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1193 protocol=udp src-port="" to-addresses=\
    192.168.1.1
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 protocol=tcp to-addresses=192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add name=kid1
/ip service
set ssh port=2224
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=xxxxx profile=openvpn service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Budapest
/system clock manual
set dst-end="2024-01-01 00:00:00" dst-start="2024-01-01 00:00:00"
/system logging
add topics=ovpn
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=192.232.20.87
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add interval=1m name=ordogh.dnet_ddns_refresh on-event=ordogh.dnet.hu_ddns \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=02:12:07
add interval=1h1m name=ordogattila.dnet_ddns_refresh on-event=\
    ordogattila.dnet.hu_ddns policy=ftp,read,write,test start-date=2024-10-29 \
    start-time=14:08:55
add interval=29m name=ordogdavid.dnet_ddns_refresh on-event=\
    ordogdavid.dnet.hu_ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=14:10:03
/system script
add dont-require-permissions=no name=ordogh.dnet.hu_ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\xxxxxxx""
add dont-require-permissions=no name=ordogattila.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\xxxxxx""
add dont-require-permissions=no name=ordogdavid.dnet.hu_ddns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afra\
    id.org/dynamic/update.php\xxxxxx""
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 5:03 pm

Seems okay on a quick look. what is not currently working???
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 5:13 pm

The Mikrotik VPN connects, I can't find any errors in the log, but I can't access the LAN network devices, neither the Mikrotik nor the Samba share. (from Windows)
Port 25 hasn't worked since then.
I can check the hairpin rule later, and also whether the VPN works from Linux.
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 5:19 pm

I see you have multiple VPN servers enabled, with what VPN server are you connected?
To be able to access your local network, you should have an accept rule in the forward chain for this.
Do you have access to the router itself (ping while VPN server is up)?

Any asterisk in an export is an indication that there is something wrong. Perhaps an old interface that has been removed?
/ppp profile
add local-address=10.10.0.1 name=openvpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 7:45 pm

The hairpin rule also works.
I see you have multiple VPN servers enabled, with what VPN server are you connected?
To be able to access your local network, you should have an accept rule in the forward chain for this.
Do you have access to the router itself (ping while VPN server is up)?
There is only one vpn server on the mikrotik. Actually there are two, one on the mikrotik and the other running on the server.
When the vpn on the mikrotik is connected, I can't ping anything in the LAN network.
local-address=192.168.89.1
This address is completely unknown to me, I've never had a subnet with such an address. Not even a vpn! There was an operating system update from version 6 to version 7 about 12 days ago, maybe that messed something up? Although everything worked for 4-5 days afterwards.

I found those profiles, there are 2. I cannot remove them.
 
anav
Forum Guru
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 9:10 pm

Maybe there are two admins??? So you have an unknown VPN on your router??
I would disconnect from the internet and netinstall the latest firmware to be on the safe side.
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 06, 2025 9:40 pm

The latest firmware is on the router. I haven't seen anything newer than that. There's only one admin on the router. Me. I think there might be some "junk" left in it. Can't I delete it here?
By the way, the router was updated from the official repository.

It seems like someone else has a similar profile.
viewtopic.php?t=167071


Newer development:
Under win10 I can ping 10.10.0.1 and 192.168.1.1, but nothing else
Under android I can only ping 10.10.0.1, but nothing else.
Under Linux I can only connect, but there is no response to the ping.

Under win 10 I can only connect by putting "compat-mode 2.4.0" in the ovpn file
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Wed Jan 15, 2025 5:31 pm

Hello!
I still have a problem, but now I don't know what the cause of the error could be. I have reset the router several times and reconfigured it. Everything worked for two days, and now neither the web nor the mail server ports are accessible from the outside. The VPN is still accessible on the server and the router, and I can also reach the router from the outside with winbox using the domain. The dynamic dns is also updated continuously.
Attached are the firewall settings. Although I don't know if that's the problem at all...
If anyone has any ideas as to what might be causing this, please share them with me!
Thank you!
/ip firewall filter
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
    8291 protocol=tcp
add action=accept chain=input comment="vpn in-server binding" \
    in-interface-list=ovpn-clients-group
add action=accept chain=forward comment="vpn in-server binding2" \
    in-interface-list=ovpn-clients-group
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="drop all else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet enable" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment="mikrotik vpn "
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
    dst-address-list=ordogh.dnet.hu dst-port=80 protocol=tcp to-addresses=\
    192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=443 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-port=445 \
    in-interface-list=LAN protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-port=137-139 \
    in-interface-list=LAN protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 protocol=tcp to-addresses=192.168.1.150 \
    to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1193 protocol=udp src-port="" to-addresses=\
    192.168.1.1
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 protocol=tcp to-addresses=192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
 
anav
Forum Guru
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Did the Mikrotik firewall block the open ports?

Wed Jan 15, 2025 5:58 pm

I don't bother looking at snippets....
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Wed Jan 15, 2025 8:04 pm

# 2025-01-15 16:21:04 by RouterOS 7.16.2
# software id = xxxxxxxxxx
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxxxxx
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] name=wlan1_2,4G ssid=MikroTik
set [ find default-name=wlan2 ] name=wlan2-5G ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_lan
set [ find default-name=ether3 ] name=ether3_lan
set [ find default-name=ether4 ] name=ether4_lan
set [ find default-name=ether5 ] name=ether5_lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_wan max-mtu=1492 name=\
    pppoe-out1 use-peer-dns=yes user=xxxxxxxxxxx
/interface list
add name=LAN
add name=WAN
add comment="openvpn kliens lista" name=ovpn-clients-group
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.40-192.168.1.120
add comment=openvpn name=openvpn_pool ranges=10.10.0.2-10.10.0.64
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=1h name=dhcp1
/ppp profile
add comment="ez nincs haszn\C3\A1lva!!!!" dns-server=10.10.0.1,8.8.8.8 \
    local-address=10.10.0.1 name=openvpn_profil remote-address=openvpn_pool
add dns-server=10.10.0.1,8.8.8.8 interface-list=ovpn-clients-group \
    local-address=10.10.0.1 name="ovpn_binding profil" remote-address=\
    openvpn_pool
/interface bridge port
add bridge=bridge1 interface=ether2_lan
add bridge=bridge1 interface=ether3_lan
add bridge=bridge1 interface=ether4_lan
add bridge=bridge1 interface=ether5_lan
add bridge=bridge1 interface=wlan1_2,4G
add bridge=bridge1 interface=wlan2-5G
/interface list member
add interface=bridge1 list=LAN
add interface=ether1_wan list=WAN
/interface ovpn-server server
set auth=sha1,sha256,sha512 certificate=server cipher=aes256-cbc,aes256-gcm \
    default-profile=openvpn_profil enabled=yes port=1193 protocol=udp \
    push-routes="192.168.64.0 255.255.255.0 10.10.0.1,192.168.1.0 255.255.255.\
    0 10.10.0.1,192.168.0.0 255.255.255.0 10.10.0.1" \
    require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=gw interface=bridge1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall address-list
add address=ordogh.dnet.hu comment=ordogh.dnet.hu_ddns list=ordogh.dnet.hu
add address=ordogattila.dnet.hu comment=ordogattila.dnet.hu_ddns list=\
    ordogattila.dnet.hu
add address=ordogdavid.dnet.hu comment=ordogdavid.dnet.hu_ddns list=\
    ordogdavid.dnet.hu
/ip firewall filter
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="mikrotik ovpn" dst-port=1193 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
    8291 protocol=tcp
add action=accept chain=input comment="vpn in-server binding" \
    in-interface-list=ovpn-clients-group
add action=accept chain=forward comment="vpn in-server binding2" \
    in-interface-list=ovpn-clients-group
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="drop all else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet enable" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment="mikrotik vpn "
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_webserver_http_tcp \
    dst-address-list=ordogh.dnet.hu dst-port=80 protocol=tcp to-addresses=\
    192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_https_tcp dst-address-list=\
    ordogh.dnet.hu dst-port=443 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ssh dst-address-list=\
    ordogh.dnet.hu dst-port=2223 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1194 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba1_tcp dst-port=445 \
    in-interface-list=LAN protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_samba2_udp dst-port=137-139 \
    in-interface-list=LAN protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=Rpi4_pop_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=995 protocol=udp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=994 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp_ssl dst-address-list=\
    ordogh.dnet.hu dst-port=465 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_ispconfig dst-address-list=\
    ordogh.dnet.hu dst-port=9876 protocol=tcp to-addresses=192.168.1.150 \
    to-ports=8080
add action=dst-nat chain=dstnat comment=rpi4_ftp dst-address-list=\
    ordogh.dnet.hu dst-port=21 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_smtp_2 dst-address-list=\
    ordogh.dnet.hu dst-port=587 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_imap dst-address-list=\
    ordogh.dnet.hu dst-port=993 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=mikrotik_ovpn_udp dst-address-list=\
    ordogh.dnet.hu dst-port=1193 protocol=udp src-port="" to-addresses=\
    192.168.1.1
add action=dst-nat chain=dstnat comment=rpi4_imap_2 dst-address-list=\
    ordogh.dnet.hu dst-port=143 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment=rpi4_pop3 dst-address-list=\
    ordogh.dnet.hu dst-port=110 protocol=tcp to-addresses=192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2224
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=xxxxxxxxxxxx profile="ovpn_binding profil" service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Budapest
/system logging
add topics=ovpn
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.hu.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=7m name=ordogh.dnet_ddns_refresh on-event=ordogh.dnet.hu_ddns \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=02:12:07
add interval=1h2m name=ordogattila.dnet_ddns_refresh on-event=\
    ordogattila.dnet.hu_ddns policy=ftp,read,write,test start-date=2024-10-29 \
    start-time=14:08:55
add interval=29m name=ordogdavid.dnet_ddns_refresh on-event=\
    ordogdavid.dnet.hu_ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-29 start-time=14:10:03
/system script
add dont-require-permissions=no name=ordogh.dnet.hu_ddns owner=admin policy=\
    ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\" url=\"\
    https://freedns.afraid.org/dynamic/update.php\xxxxxxxxxxxx""
add dont-require-permissions=no name=ordogattila.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\xxxxxxxxxxxxxxxxxxx""
add dont-require-permissions=no name=ordogdavid.dnet.hu_ddns owner=admin \
    policy=ftp,read,write,test source="/tool fetch host=\"freedns.afraid.org\"\
    \_url=\"https://freedns.afraid.org/dynamic/update.php\xxxxxxxxxxxxxxxxxx""
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 20, 2025 10:05 am

Solved. I see my problem, but there is one more thing left. My router is banned on the server by fail2ban, because the source address is always the IP address of my router, not the real IP address from which the request comes. Although I have now put the router as an exception in the fail2ban filter, this is a bad solution in the long run.
postfix/smtpd[23006]: warning: unknown[192.168.1.1]: SASL LOGIN authentication failed: ************
postfix/smtpd[23006]: disconnect from unknown[192.168.1.1] ehlo=1 auth=0/1 quit=1 commands=2/3
What settings are possible for this, maybe a firewall rule or something else?
Last edited by BartoszP on Mon Jan 20, 2025 10:34 am, edited 1 time in total.
Reason: edited password - please do not share it
 
oatis
just joined
Topic Author
Posts: 21
Joined: Mon Oct 28, 2024 10:03 pm
Location: Hungary

Re: Did the Mikrotik firewall block the open ports?

Mon Jan 20, 2025 2:36 pm

It was partially solved, there was an entry missing from one of the nat rules.


add action=masquerade chain=srcnat comment="Internet enable" out-interface=pppoe-out1 src-address=192.168.1.0/24
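The fail2ban symptom above comes from a srcnat masquerade rule with no source or outgoing-interface scope: it also matches the port-forwarded inbound connection as it leaves through the bridge and rewrites its source to the router's LAN address, so the server logs 192.168.1.1 instead of the real client. The following checker is an added example, not code from the thread: it parses a RouterOS NAT export, flags such catch-all masquerade rules, and simulates what source address the forwarded server sees. The export snippet is constructed from rules quoted in this thread, and the client address 203.0.113.7 is a placeholder.

```python
"""Lint RouterOS srcnat rules for a catch-all masquerade and simulate the
source address a port-forwarded server sees.  Added example; the export
below is constructed from NAT rules quoted in the forum thread."""
import ipaddress
import re

# Constructed sample: a subset of the NAT rules posted in the thread.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="mikrotik vpn "
add action=dst-nat chain=dstnat comment=rpi4_smtp dst-address-list=\
    ordogh.dnet.hu dst-port=25 protocol=tcp to-addresses=192.168.1.150
add action=masquerade chain=srcnat comment="HAIRPIN NAT v2" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
"""

# A masquerade rule is only safe for port forwarding when it says where the
# traffic comes from or which interface it leaves on.  A dst-address alone
# (or ipsec-policy=out,none) does not exclude DNATed inbound connections.
SCOPE_KEYS = frozenset({
    "src-address", "src-address-list",
    "out-interface", "out-interface-list",
    "in-interface", "in-interface-list",
})

# key=value pairs; values may be double-quoted and contain spaces.
_TOKEN = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return one {key: value} dict per 'add' line under /ip firewall nat,
    after joining RouterOS backslash line continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header
            in_nat = line == "/ip firewall nat"
            continue
        if in_nat and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _TOKEN.findall(line[4:])})
    return rules


def find_catch_all_masquerade(rules):
    """Comments of enabled srcnat masquerade rules with no scope at all."""
    return [
        r.get("comment", "<no comment>") for r in rules
        if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
        and r.get("disabled") != "yes" and SCOPE_KEYS.isdisjoint(r)
    ]


def _matches(rule, src, dst, out_iface, out_lists):
    """Evaluate the matchers this example understands; any matcher the rule
    uses that is absent here (e.g. address lists) is treated as passing."""
    checks = {
        "src-address": lambda v: src in ipaddress.ip_network(v, strict=False),
        "dst-address": lambda v: dst in ipaddress.ip_network(v, strict=False),
        "out-interface": lambda v: v == out_iface,
        "out-interface-list": lambda v: v in out_lists,
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def source_seen_by_server(rules, client="203.0.113.7",
                          router_lan="192.168.1.1", server="192.168.1.150"):
    """Source address the DNATed server logs for an inbound WAN connection.
    The packet leaves via the bridge (interface list LAN), so WAN-scoped
    masquerade rules never match; the first matching masquerade rewrites
    the source to the router's LAN address."""
    src, dst = ipaddress.ip_address(client), ipaddress.ip_address(server)
    for r in rules:
        if r.get("chain") != "srcnat" or r.get("disabled") == "yes":
            continue
        if r.get("action") == "masquerade" and _matches(r, src, dst, "bridge", {"LAN"}):
            return router_lan
    return client


if __name__ == "__main__":
    nat = parse_export(SAMPLE_EXPORT)
    print("catch-all masquerade rules:", find_catch_all_masquerade(nat))
    print("server sees:", source_seen_by_server(nat))
    fixed = [r for r in nat if r.get("comment") != "mikrotik vpn "]
    print("after removing it, server sees:", source_seen_by_server(fixed))
```

Run it against a full `/ip firewall nat export` to confirm every masquerade rule is scoped before relying on server-side source addresses for fail2ban or access logs.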