pentim
just joined
Topic Author
Posts: 9
Joined: Sun May 10, 2015 8:59 pm

Port forwarding behind isp 1:1 nat

Tue May 12, 2020 12:15 am

Hello,

I have the following setup:

ISP Router <=> Mikrotik <=> LAN

ISP router has public IP address 176.X.X.X and LAN 192.168.1.0/30 with 1:1 NAT (176.X.X.X <=> 192.168.1.1) and DMZ set to 192.168.1.2.
Mikrotik is connected over ETH1 to the ISP router and gets IP address 192.168.1.2/30 with gateway 192.168.1.1. ETH2-5 are connected to the LAN with IP 192.168.88.0/24.
Internet is working fine: all workstations can access the internet, and the L2TP VPN client on the Mikrotik connects to another Mikrotik router.
Now I'm trying to allow access to the NAS 192.168.88.12 on port 5001 from outside. I have created the following rule:
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=192.168.88.12 to-ports=5001
But this does not seem to work; no packet is sent through to the Mikrotik. Could you please help me solve this problem?
 
anav
Forum Guru
Posts: 22283
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding behind isp 1:1 nat

Tue May 12, 2020 4:58 am

You need to post your config
/export hide-sensitive file=anynameyouwish
 
pentim
just joined
Topic Author
Posts: 9
Joined: Sun May 10, 2015 8:59 pm

Re: Port forwarding behind isp 1:1 nat

Tue May 12, 2020 10:17 am

Here you are:
# may/12/2020 08:33:05 by RouterOS 6.46.6
#
# model = 951G-2HnD
/interface bridge
add admin-mac=4C:5E:0C:A2:55:57 arp=proxy-arp auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=*C
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set default-profile=vpn enabled=yes max-mru=1500 max-mtu=1500 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set default-profile=vpn enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 wins-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=INVALID
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=gre protocol=gre
add action=accept chain=input comment=pptp dst-port=1723 protocol=tcp
add action=accept chain=input comment=l2tp dst-port=1701,500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN log=yes log-prefix=3333
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=2222
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=1111
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=192.168.88.12 to-ports=5001
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.12.0/23
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.12.0/23
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Mikrotik
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
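
The export above can be checked mechanically for the two things a reviewer would look at first in a port-forwarding setup: whether the dstnat rule is restricted to the WAN side, and whether any weak service settings are present. The script below is an added example written for this thread; it is not code from the thread or from MikroTik. The function names `parse_export` and `audit` are chosen here, `SAMPLE_EXPORT` is a verbatim subset of the posted config, and `HARDENED_EXPORT` is a constructed counterpart with the findings fixed.

```python
"""Audit a RouterOS export for the pitfalls relevant to this thread.

Added example (not from the thread and not MikroTik's own tooling).
parse_export() and audit() are names chosen here. The parser handles the
flat export format used above: a '/path' line opens a section, and the
'add ...'/'set ...' lines under it carry key=value arguments, with
shlex taking care of quoted comments.
"""
import shlex

# Subset of the export posted above (RouterOS 6.46.6), kept verbatim.
SAMPLE_EXPORT = """
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=2222
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=1111
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=192.168.88.12 to-ports=5001
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
"""

# Constructed counterpart with both findings fixed: the dst-nat rule only
# applies to connections arriving on the WAN list, and the 'none' SSH
# cipher is no longer accepted.
HARDENED_EXPORT = """
/ip firewall filter
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.12 to-ports=5001
/ip ssh
set allow-none-crypto=no
"""

# Any of these keys ties a dstnat rule to the WAN side.
DSTNAT_SCOPE_KEYS = ("in-interface", "in-interface-list", "dst-address", "dst-address-list")


def parse_export(text):
    """Return a list of (section, verb, {key: value}) tuples, one per add/set line."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps comment="a b c" as one token
        kv = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
        entries.append((section, tokens[0], kv))
    return entries


def audit(entries):
    """Return a list of human-readable findings (an empty list means clean)."""
    findings = []
    wan_drop_present = False
    for section, _verb, kv in entries:
        if section == "/ip firewall nat" and kv.get("chain") == "dstnat":
            if not any(k in kv for k in DSTNAT_SCOPE_KEYS):
                # Without an in-interface or dst-address match, the rewrite also
                # applies to LAN clients connecting to port 5001 on any host.
                findings.append(
                    f"dstnat rule to {kv.get('to-addresses')}:{kv.get('to-ports')} "
                    f"matches dst-port {kv.get('dst-port')} on every interface; "
                    "add in-interface-list=WAN or dst-address=<wan ip>"
                )
        if section == "/ip ssh" and kv.get("allow-none-crypto") == "yes":
            findings.append("ssh allow-none-crypto=yes accepts the 'none' cipher; set it to no")
        if (section == "/ip firewall filter" and kv.get("chain") == "forward"
                and kv.get("action") == "drop"
                and kv.get("connection-nat-state") == "!dstnat"
                and kv.get("in-interface-list") == "WAN"):
            wan_drop_present = True
    if not wan_drop_present:
        findings.append("no forward rule drops new WAN connections that were not dst-natted")
    return findings


if __name__ == "__main__":
    for name, export in (("posted", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{name}:")
        for finding in audit(parse_export(export)) or ["no findings"]:
            print("  -", finding)
```

Run against the posted subset it reports two findings (the unscoped dstnat rule and allow-none-crypto=yes) and confirms the defconf "drop all from WAN not DSTNATed" rule is in place; the hardened variant reports nothing. The same parser can be pointed at a full `/export hide-sensitive` file, since it ignores the header comments and the `[ find ... ]` selectors.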
 
gazingbazooka
Frequent Visitor
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: Port forwarding behind isp 1:1 nat

Tue May 12, 2020 4:29 pm

You have a double firewall though, don't you? Why isn't the ISP router in bridge mode? If I understand correctly you have a router plugged into a router. It seems that way from the IPs you're indicating. This will cause you headaches like this.
 
pentim
just joined
Topic Author
Posts: 9
Joined: Sun May 10, 2015 8:59 pm

Re: Port forwarding behind isp 1:1 nat

Tue May 12, 2020 4:36 pm

According to the ISP, their router has DMZ set up, so everything should go through directly to my router. Unfortunately the ISP can't set it into bridge mode.
 
pentim
just joined
Topic Author
Posts: 9
Joined: Sun May 10, 2015 8:59 pm

Re: Port forwarding behind isp 1:1 nat

Thu May 14, 2020 3:46 pm

I have discussed the issue with the ISP, and the problem was on their side. Everything is working now. You can close the thread.