I have a problem with a dst NAT. I work with MQTT protocol inside and ouside of my network and integrating alexa devices in my server. When I open dst.nat with "In interface:WAN" only work MQTT devices in my network and alexa deviecs and when i remove "In interface: WAN" only works MQTT devices (inside and outside of my network, but not alexa)
Other problem is that sometimes i lose internet conection and i don´t know if the problem is my router configuration or my isp conection. I have isp router in bridge mode.
Can you see my configuration please??
Thanks so much!!
Code: Select all
# model = RB4011iGS+
/interface bridge
add comment=Red_LAN_Cable name=LAN_Ppal
/interface ethernet
set [ find default-name=ether1 ] comment=Proveedor_ISP name=WAN
set [ find default-name=ether2 ] comment=Switch
/interface vlan
add interface=WAN name=MasMovil vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/ip pool
add name=Red_LAN_Ppal ranges=192.168.2.20-192.168.2.150
add name=Pool_VPN_Admin ranges=10.0.0.20-10.0.0.100
add name=Pool_VPN_User ranges=10.0.0.102-10.0.0.200
add name=Red_LAN_2 ranges=192.168.3.20-192.168.3.150
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool5 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=Red_LAN_Ppal disabled=no interface=LAN_Ppal name=Red_LAN_Ppal
/ppp profile
set *0 dns-server=8.8.8.8,8.8.4.4
add change-tcp-mss=yes local-address=10.0.0.1 name=PerfilAdmin remote-address=\
Pool_VPN_Admin use-encryption=yes
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
PerfilUser remote-address=Pool_VPN_User use-encryption=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=MonitoreoLM
/interface bridge port
add bridge=LAN_Ppal interface=ether2
add bridge=LAN_Ppal interface=ether5
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=Red_LAN_Ppal interface=LAN_Ppal network=\
192.168.2.0
add address=192.168.3.1/24 comment=Red_LAN_2 interface=ether5 network=\
192.168.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MasMovil
/ip dhcp-server lease
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" \
mac-address=B8:AC:6F:9D:62:D6 server=Red_LAN_Ppal
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" \
mac-address=CC:9E:A2:62:F2:CC server=Red_LAN_Ppal
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 \
server=Red_LAN_Ppal
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" \
mac-address=44:00:49:4D:E4:AB server=Red_LAN_Ppal
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" \
mac-address=5C:41:5A:93:BD:85 server=Red_LAN_Ppal
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 mac-address=\
44:85:00:30:1E:61 server=Red_LAN_Ppal
add address=192.168.2.12 client-id=1:a8:9c:ed:cd:f8:12 comment="Movil David" \
mac-address=A8:9C:ED:CD:F8:12 server=Red_LAN_Ppal
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B \
server=Red_LAN_Ppal
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.0.20-10.0.0.100 list=Src_Administradores
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=10.10.0.200 list=Src_AdministracionClientes
add address=10.10.0.0/20 list=Dst_Clientes
add address=10.10.1.12 list=Src_Administradores
add address=10.10.1.13 list=Src_Administradores
add address=10.0.0.102-10.0.0.200 list=Src_Servidores_Usuarios
add address=192.168.2.108/31 disabled=yes list=Src_Red_LAN_interno
add address=192.168.2.10-192.168.2.255 list=Dst_Red_LAN
/ip firewall filter
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input log=yes log-prefix="DROP BlackList" \
src-address-list=BLACKLIST
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward comment=\
"##### Permite el trafico establecido y relacionado #####" \
connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
connection-state=invalid log=yes log-prefix="DROP Invalid Packets"
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
"DROP Invalid In Packets"
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
src-address-list=Src_Administradores
add action=accept chain=forward src-address-list=Src_Red_LAN
add action=accept chain=forward disabled=yes src-address-list=\
Src_Red_LAN_interno
add action=accept chain=forward disabled=yes dst-address-list=Dst_Red_LAN \
src-address-list=Src_Red_LAN_interno
add action=accept chain=forward dst-address-list=Dst_Servidores_Usuarios \
src-address-list=Src_Servidores_Usuarios
add action=accept chain=forward dst-address-list=Dst_Clientes src-address-list=\
Src_AdministracionClientes
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### - Conexiones PPTP" dst-port=1723 \
protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_Temporal \
address-list-timeout=1m chain=input comment=\
"##### Prermite trafico Input ##### - TocToc" dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_NAS \
address-list-timeout=1d chain=input dst-port=7000 protocol=tcp \
src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS \
address-list-timeout=5d chain=input dst-port=8000 protocol=tcp \
src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### - Conexiones L2TP" dst-port=\
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
src-address-list=Src_Administradores
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### Para comunicacion SNMP" dst-port=161 \
protocol=udp src-address=192.168.2.205
add action=drop chain=input comment="##### BLOQUEO POR DEFECTO #####" \
log-prefix="INPUT DROP"
add action=drop chain=forward connection-nat-state=!dstnat in-interface=WAN \
log=yes log-prefix="FORWARD DROP"
/ip firewall nat
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 log=yes \
log-prefix="Conexion CT" protocol=tcp to-addresses=192.168.2.204 to-ports=\
2199
add action=dst-nat chain=dstnat comment="xxx Conexion Web (IMP. Dst type adress \
local para que funcionen las paginas con puerto 80)" dst-address-type=local \
dst-port=80 log=yes log-prefix="Conexi\F3n_Web" protocol=tcp to-addresses=\
192.168.2.202 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 log=yes \
log-prefix="Conexion Web" protocol=tcp to-addresses=192.168.2.202 to-ports=\
443
add action=dst-nat chain=dstnat comment="xxx Nextcloud" disabled=yes dst-port=\
52300 protocol=tcp to-addresses=192.168.2.202 to-ports=52300
add action=dst-nat chain=dstnat comment=\
"MQTT - Si pongo In Interface (WAN) no funciona MQTT de aitas" dst-port=\
1883 log-prefix="Conexion MQTT" protocol=tcp to-addresses=192.168.2.205 \
to-ports=1883
add action=dst-nat chain=dstnat comment="Conexion NAS" dst-port=52151 log=yes \
log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS \
to-addresses=192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment="xxx Conexion NAS" disabled=yes \
dst-port=52151 log=yes log-prefix="Conexion NAS" protocol=tcp to-addresses=\
192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment="xxx Conexion Plex" dst-port=32400 log=\
yes log-prefix="Conexion Plex" protocol=tcp to-addresses=192.168.2.201 \
to-ports=32400
add action=dst-nat chain=dstnat comment="Conexion LM" dst-port=52200 log=yes \
log-prefix="Conexi\EF\BF\BDn NAS" protocol=tcp src-address-list=\
Src_TocToc_LM_NAS to-addresses=192.168.2.205 to-ports=80
add action=dst-nat chain=dstnat comment="Conexion LM" dst-port=52201 log=yes \
log-prefix="Conexi\EF\BF\BDn NAS" protocol=tcp src-address-list=\
Src_TocToc_LM_NAS to-addresses=192.168.2.245 to-ports=80
add action=dst-nat chain=dstnat comment="Juego Android" disabled=yes dst-port=\
43210 log=yes log-prefix="Juego Android" protocol=udp to-addresses=\
192.168.2.12 to-ports=43210
add action=dst-nat chain=dstnat comment="xxx Conexion LM Cliente 2" disabled=\
yes dst-port=52002 log-prefix=PROBANDO protocol=tcp to-addresses=\
10.10.1.201 to-ports=80
add action=dst-nat chain=dstnat comment="xxx Conexion LM Cliente 1" disabled=\
yes dst-port=52001 log=yes log-prefix=PROBANDO protocol=tcp to-addresses=\
10.10.1.200 to-ports=80
add action=masquerade chain=srcnat comment="Para hacer LoopBack y que no se romp\
a la consxion si accedemos desde dentro" dst-address=192.168.2.201 \
dst-port=52151 out-interface=LAN_Ppal protocol=tcp src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.205 dst-port=80 \
out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.12
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=80 \
out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=443 \
out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Loopback para pruebas con MQTT" \
disabled=yes dst-address=192.168.2.201 dst-port=1883 out-interface=LAN_Ppal \
protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Enmascarar hacia internet VPN" \
disabled=yes dst-port="" out-interface=WAN protocol=tcp src-address-list=\
Src_Administradores
add action=dst-nat chain=dstnat comment="Conexion NAS" dst-port=52150 log=yes \
log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS \
to-addresses=192.168.2.201 to-ports=52150
add action=masquerade chain=srcnat out-interface=MasMovil
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip route
add comment="Ruta Hacia Red Txirrita" distance=1 dst-address=10.10.1.0/24 \
gateway=10.10.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add name=David profile=PerfilAdmin
add name=Usuario profile=PerfilUser
add local-address=10.10.0.1 name=Txirrita remote-address=10.10.1.1 service=pptp
add local-address=10.10.0.1 name=AdministradorClientes remote-address=\
10.10.0.200 service=pptp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system logging
add topics=pptp,debug
