I am trying to access some devices on local network going through the WAN but this doesn't seem to work anymore. Previously on ros6 I was able to have this 2 rules that were taking care of this and it worked like a charm
Code: Select all
4 ;;; Camere Dahua internal
chain=srcnat action=masquerade protocol=tcp src-address=192.168.200.0/24 dst-address=192.168.200.4 out-interface=bridge-lan dst-port=5013
5 ;;; Camere Dahua internal
chain=dstnat action=dst-nat to-addresses=192.168.200.4 to-ports=5013 protocol=tcp in-interface=bridge-lan dst-port=5013Any chance someone could help me out on this please? It's driving me nuts from some time and I tried multiple things without success
Here it's my current running config
Code: Select all
# jun/20/2022 14:11:48 by RouterOS 7.1.1
# software id = WCPF-BHYF
#
# model = RB5009UG+S+
# serial number = EC190E454AB4
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=10
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5300 name=ch60 tx-power=40
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=ch1 tx-power=20
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=ch11 tx-power=15
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5220 name=ch44 tx-power=20
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180 name=ch36 tx-power=20
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5260 name=ch52 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5500 name=ch100 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5580 name=ch116 tx-power=40
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2427 name=ch4 tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2417 name=ch2 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=ch3 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=ch5 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=ch7 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2447 name=ch8 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=ch9 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=ch10 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=ch12 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch13 tx-power=15
/interface bridge
add name=bridge-guest
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-lan
set [ find default-name=ether3 ] name=eth3-lan
set [ find default-name=ether4 ] name=eth4-lan
set [ find default-name=ether5 ] name=eth5-lan
set [ find default-name=ether6 ] name=eth6-lan
set [ find default-name=ether7 ] name=eth7-lan
set [ find default-name=ether8 ] name=eth8-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1-wan keepalive-timeout=disabled name=digi user=xxxxxx
/caps-man interface
add disabled=no l2mtu=1600 mac-address=74:4D:28:DF:E9:42 master-interface=none name=cap1 radio-mac=74:4D:28:DF:E9:42 radio-name=744D28DFE942
add disabled=no l2mtu=1600 mac-address=6C:3B:6B:CC:01:01 master-interface=none name=cap2 radio-mac=6C:3B:6B:CC:01:01 radio-name=6C3B6BCC0101
/interface wireguard
add listen-port=51820 mtu=1420 name=Wireguard_wg0
/interface vlan
add interface=eth2-lan name=eth2-vlan-guest vlan-id=15
add interface=eth8-lan name=eth8-vlan-guest vlan-id=15
/caps-man datapath
add bridge=bridge-guest local-forwarding=yes name=SSD_guest_path vlan-id=15 vlan-mode=use-tag
add bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=yes name=SSD_path
/caps-man rates
add basic=6Mbps name=gn_only_no_b_rates supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_sec
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_guest_sec
/caps-man configuration
add channel=ch6 country=romania datapath=SSD_path mode=ap name=SSD_2g4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch60 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch60 security=SSD_sec ssid=SSD
add country=romania datapath=SSD_guest_path mode=ap name=SSD_guest_2g4 security=SSD_guest_sec ssid=SSD_guest
add channel=ch52 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch52 security=SSD_sec ssid=SSD
add channel=ch100 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch100 security=SSD_sec ssid=SSD
add channel=ch11 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch11 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch4 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch116 channel.band=2ghz-b country=romania datapath=SSD_path mode=ap name=SSD_5g_ch116 security=SSD_sec ssid=SSD
add channel.band=5ghz-n/ac .control-channel-width=20mhz .extension-channel=XXXX country=romania datapath.client-to-client-forwarding=yes \
.local-forwarding=yes name=cfg-5ghz-ac security=SSD_sec ssid=""
add channel.band=5ghz-onlyn .control-channel-width=20mhz .extension-channel=XX country=romania datapath.client-to-client-forwarding=yes \
.local-forwarding=yes name=cfg-5ghz-an security=SSD_sec ssid=""
add channel=ch10 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch10 security=SSD_sec ssid=SSD
/interface list
add name=WAN
add name=LAN
add name=MULLVAN-VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.200.150-192.168.200.200
add name=pool-guest ranges=50.0.0.2-50.0.0.100
add name=pool-vpn ranges=10.10.10.2-10.10.10.7
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge-lan name=dhcp-lan
add address-pool=pool-guest interface=bridge-guest name=dhcp-guest
/queue simple
add dst=digi max-limit=50M/50M name=guest_traffic queue=default/default target=50.0.0.0/24,2a02:2f09:3418:f303::/64 total-queue=default
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api
/caps-man manager
set enabled=yes package-path=/downloads/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-lan
/caps-man provisioning
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios hw-supported-modes=g identity-regexp=CAPac_Etaj master-configuration=SSD_2g4_ch11 \
name-format=prefix-identity name-prefix=2g4_ch11 slave-configurations=SSD_guest_2g4
add action=create-dynamic-enabled comment=5g_ch52_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Parter master-configuration=\
SSD_5g_ch52 name-format=prefix-identity name-prefix=5g_ch52
add action=create-dynamic-enabled comment=5g_ch100_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Etaj master-configuration=\
SSD_5g_ch100 name-format=prefix-identity name-prefix=5g_ch100
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios hw-supported-modes=g identity-regexp=CAPac_Parter master-configuration=SSD_2g4_ch4 \
name-format=prefix-identity name-prefix=2g4_ch4 slave-configurations=SSD_guest_2g4
add action=create-dynamic-enabled comment=5g_ch60_802.11ac_capable_radios disabled=yes identity-regexp=Mikrotik master-configuration=SSD_2g4_ch11 \
name-format=prefix-identity name-prefix=2g_ch11
add action=create-dynamic-enabled comment=5g_ch116_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Parter master-configuration=\
SSD_5g_ch116 name-format=prefix-identity name-prefix=5g_ch116
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=SSD_5g_ch116 name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled disabled=yes hw-supported-modes=an master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
add action=create-dynamic-enabled disabled=yes identity-regexp=HAP master-configuration=SSD_2g4_ch11
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=HAP master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=\
2g4_ch4 slave-configurations=SSD_guest_2g4
/interface bridge port
add bridge=bridge-lan interface=eth2-lan
add bridge=bridge-lan interface=eth3-lan
add bridge=bridge-lan interface=eth4-lan
add bridge=bridge-lan interface=eth5-lan
add bridge=bridge-lan interface=eth6-lan
add bridge=bridge-lan interface=eth7-lan
add bridge=bridge-lan interface=eth8-lan
add bridge=bridge-guest interface=eth2-vlan-guest pvid=15
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add interface=eth1-wan list=LAN
add interface=eth2-lan list=LAN
add interface=eth3-lan list=LAN
add interface=eth4-lan list=LAN
add interface=eth5-lan list=LAN
add interface=eth6-lan list=LAN
add interface=eth7-lan list=LAN
add interface=eth8-lan list=LAN
add interface=digi list=WAN
add interface=eth1-wan list=WAN
add interface=bridge-lan list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.200.1/24 interface=eth2-lan network=192.168.200.0
add address=50.0.0.1/24 interface=bridge-guest network=50.0.0.0
add address=192.168.201.1/24 interface=Wireguard_wg0 network=192.168.201.0
/ip arp
add address=192.168.200.11 disabled=yes interface=bridge-lan mac-address=FF:FF:FF:FF:FF:FF
add address=192.168.200.25 disabled=yes interface=bridge-lan mac-address=68:A4:0E:1C:AB:7D
/ip dhcp-server lease
add address=192.168.200.31 client-id=1:70:85:c2:a7:d5:73 comment=RTX mac-address=70:85:C2:A7:D5:73 server=dhcp-lan
add address=192.168.200.4 comment=Dahua mac-address=3C:EF:8C:36:B4:D4 server=dhcp-lan
/ip dhcp-server network
add address=50.0.0.0/24 comment=dhcp-guest dns-server=50.0.0.1,8.8.8.8 gateway=50.0.0.1
add address=192.168.200.0/24 boot-file-name=netboot.xyz.kpxe comment=dhcp-lan dns-server=192.168.200.1 gateway=192.168.200.1 next-server=192.168.200.11
/ip dns
set allow-remote-requests=yes cache-size=6048KiB max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.200.1 name=mikrotik.lan
add address=192.168.200.4 name=camere.lan
/ip firewall address-list
add address=192.168.200.0/24 comment=Management list=LANs
add address=test.no-ip.org list=WANs
/ip firewall filter
add action=accept chain=forward disabled=yes in-interface=bridge-lan out-interface=Wireguard_wg0
add action=drop chain=input comment="Drop telnet traffic" dst-port=23 in-interface=eth1-wan log=yes protocol=tcp
add action=drop chain=input comment="Drop Mikrotik Web Gui External" dst-port=80 in-interface=eth1-wan log=yes protocol=tcp
add action=drop chain=input comment="Drop Mikrotik WINBOX from External" dst-port=8291 in-interface=eth1-wan log=yes log-prefix=WINBOX protocol=tcp
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 in-interface=digi protocol=udp
add action=accept chain=forward src-address=192.168.201.0/24
add action=accept chain=forward dst-address=192.168.201.0/24
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 in-interface=eth1-wan protocol=tcp
add action=drop chain=input comment=SSH dst-port=4040 in-interface=eth1-wan log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment=openvpn dst-port=443 in-interface=eth1-wan protocol=tcp
add action=reject chain=input comment="drop access to mikrotik on guest network" dst-address=50.0.0.1 in-interface=bridge-guest reject-with=\
icmp-network-unreachable
add action=accept chain=forward comment="no fasttrack for guest traffic upload" connection-state=established,related src-address=50.0.0.0/24
add action=accept chain=forward comment="no fasttrack for guest traffic download" connection-state=established,related dst-address=50.0.0.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=reject chain=forward comment="drop guest traffic" in-interface=bridge-guest out-interface=bridge-lan reject-with=icmp-network-unreachable
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
add action=reject chain=input comment="drop guest traffic to router" dst-address=192.168.200.0/24 in-interface=bridge-guest reject-with=\
icmp-network-unreachable
add action=accept chain=input comment=WINBOX disabled=yes dst-port=8291 log=yes protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WANs new-connection-mark="Hairpin NAT" \
passthrough=yes src-address-list=LANs
add action=mark-routing chain=prerouting comment=Mullvad disabled=yes passthrough=no src-address=192.168.200.9
add action=log chain=prerouting comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
add action=log chain=forward comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
add action=log chain=postrouting comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Camere Dahua internal" dst-address=192.168.200.4 dst-port=5013 out-interface=bridge-lan protocol=tcp \
src-address=192.168.200.0/24
add action=dst-nat chain=dstnat comment="Camere Dahua internal" dst-port=5013 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.4 to-ports=\
5013
add action=dst-nat chain=dstnat comment="Camere Dahua" dst-port=5013 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.4 to-ports=5013
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="proxy dns" disabled=yes dst-port=53 protocol=tcp to-ports=53
/ip route
add disabled=yes distance=1 gateway=eth1-wan
add comment="Wireguard range" disabled=yes distance=1 dst-address=192.168.201.0/24 gateway=bridge-lan pref-src=192.168.200.1 routing-table=main scope=\
10 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=192.168.200.0/24 disabled=yes
set ftp address=192.168.200.0/24
set www address=192.168.200.0/24
set ssh address=192.168.200.0/24 port=4040
set api address=192.168.200.0/24
set api-ssl disabled=yes
/ipv6 address
add address=::2ec8:1bff:feff:d5ea eui-64=yes from-pool=myipv6 interface=bridge-lan
add address=::2ec8:1bff:feff:d5ea eui-64=yes from-pool=myipv6 interface=bridge-guest
/ipv6 dhcp-client
add interface=digi pool-name=myipv6 request=prefix
/ipv6 firewall filter
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment=openvpn dst-port=443 in-interface=eth1-wan protocol=tcp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!bridge-lan
add action=drop chain=forward disabled=yes in-interface=bridge-lan src-address=2a02:1810:480c:4600:70f4:5102:9fab:c901/128
add action=reject chain=forward comment="reject guest to lan traffic" in-interface=bridge-guest out-interface=bridge-lan reject-with=\
icmp-address-unreachable
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/snmp
set contact=Sami enabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=Mikrotik_router
/system logging
add disabled=yes topics=!ssh
add disabled=yes topics=wireless
add disabled=yes topics=dhcp
add disabled=yes topics=debug
add disabled=yes topics=dns
add topics=script
add disabled=yes topics=dhcp
add disabled=yes topics=ovpn
add disabled=yes topics=!snmp
add action=GMAIL topics=critical,!ovpn
add action=GMAIL disabled=yes prefix="<addr 7" topics=pppoe
add action=YAHOO topics=critical,!ovpn
/system ntp client
set enabled=yes
/system ntp client servers
add address=ro.pool.ntp.org
/system routerboard settings
set cpu-frequency=auto
/tool bandwidth-server
set authenticate=no
/tool graphing interface
add
add interface=eth1-wan
/tool sniffer
set file-limit=100000KiB file-name=cameras_local.pcap filter-interface=all filter-ip-address=192.168.200.4/32 memory-limit=10000KiB
