I have a cable modem from my ISP connected to a Mikrotik router on the WAN interface; the NAS is connected to one of the LAN ports.
my config is:
NAT:
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=21
protocol=tcp dst-address-list=MY_PUBLIC_IP in-interface=ether1-gateway
dst-port=21 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.88.112
to-ports=5000-5001 protocol=tcp dst-port=5000-5001 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=445
protocol=tcp dst-port=445 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=445
protocol=udp dst-port=445 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=137-139
protocol=tcp dst-port=137-139 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=137-139
protocol=udp dst-port=137-139 log=no log-prefix=""
MY FILTER RULES:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; accepting icmp
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; accept established & related
chain=input action=accept connection-state=established,related
log=no log-prefix=""
3 X ;;; dropping anything coming from externally
chain=input action=drop in-interface=ether1-gateway log=no
log-prefix=""
4 ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
5 ;;; dropping invalid forward
chain=forward action=drop connection-state=invalid log=no
log-prefix=""
6 ;;; forward established and related
chain=forward action=accept connection-state=established,related
log=no log-prefix=""
7 ;;; accepting forward dst-nat externally and dropping non dst nat conns
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1-gateway log=no
log-prefix=""
RESULT: Accessing SMB://MY_PUBLIC_IP does not work.
FTP does the handshake, but the directory listing times out, so in the end it does not work either.
1. How do NAT rules interfere with filter rules? What is superseding what?
2. Can I have the input chain drop everything on ether-gw (the WAN interface) and allow only one host by MAC?
THANKS TO ALLLLLLLL!!!