modaresi
just joined
Topic Author
Posts: 4
Joined: Sun Nov 27, 2016 1:08 pm

MicroTik RB951G-2HnD port forwarding

Thu Dec 01, 2016 7:54 am

Hello,

I've recently purchased a MicroTik RB951G-2HnD. Unfortunately I'm having trouble accessing my server from the internet (outside). The internet is connected to ethernet1 (wan) and ethernet2 is connected to a switch (unmanaged). All the clients and the server are connected to the switch ports. The public IP is 5.160.39.58/29, which should be forwarded to 192.168.1.21/24 port 7020.
I have set up the NAT in the firewall but it doesn't work. Here is the config of the router:

# nov/27/2016 13:48:56 by RouterOS 6.37.2
# software id = 3QDX-7U8L
#
/interface bridge
add admin-mac=E4:8D:8C:45:60:33 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
192.168.1.0
add address=5.160.39.58/29 interface=ether1 network=5.160.39.56
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=77.104.106.2,8.8.8.8
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address-list=5.160.39.58 dst-port=7020 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.21 to-ports=7020
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.1.21 \
src-port=7020 to-addresses=5.160.39.58 to-ports=7020
/ip route
add distance=1 gateway=5.160.39.57
/system clock
set time-zone-name=Asia/Tehran
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge


Any help would be appreciated.
Thank you.
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: MicroTik RB951G-2HnD port forwarding

Fri Dec 02, 2016 5:37 am

Remove this rule
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
...it is dropping traffic before DST NAT can be applied.

Notice that this rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
is further down and allows for DST NAT traffic to pass the input filter.
 
tslytsly
Frequent Visitor
Posts: 65
Joined: Tue Oct 27, 2015 6:52 pm
Location: Nottingham

Re: MicroTik RB951G-2HnD port forwarding

Fri Dec 02, 2016 12:00 pm

Agree with Ty, the last filter rule is already dropping all that isn't NAT'd.

Also this bit: dst-address-list=5.160.39.58 from your NAT rules seems wrong:
add action=dst-nat chain=dstnat dst-address-list=5.160.39.58 dst-port=7020 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.21 to-ports=7020
Is this actually the name of an address list? If not, you need to change this to:
dst-address=5.160.39.58
Even better, if you only have a single public IP you can remove the
dst-address
part of the rule as you can assume that any traffic that comes in ether1 is for that IP.

Hope that helps
 
modaresi
just joined
Topic Author
Posts: 4
Joined: Sun Nov 27, 2016 1:08 pm

Re: MicroTik RB951G-2HnD port forwarding

Mon Dec 05, 2016 12:46 pm

It worked! Thanks. Of course I believe the problem was not just the firewall rule but also dst-address-list as "tslytsly" said, because before I created this thread I tried removing all firewall drop rules and it didn't work. Right now all the drop rules are enabled, including that "drop all from WAN", due to security reasons. After I created the NAT rules I created a firewall rule to forward the traffic for the specific port I wanted and put it higher than the drop rule. Now it works while still dropping all other incoming connections :D
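The working arrangement described in this post, as an added example that is not from the thread or any of the replies: the dst-nat rule with dst-address instead of dst-address-list, plus a forward-chain accept for only the forwarded port, placed above the default "drop all from WAN not DSTNATed" rule so every other new connection from ether1 is still dropped. The interface, addresses and port are the ones from the original post; the rule comments are assumed names.

```routeros
# Added example (not from the thread), RouterOS 6.x. Assumes ether1 is the
# WAN interface, 5.160.39.58 is the single public IP and the server is
# 192.168.1.21 tcp/7020, as in the original post. The default-config drop
# rules in the input and forward chains stay enabled.

/ip firewall nat
# dst-address= takes an address; dst-address-list= takes the NAME of a list.
# With a single public IP the dst-address match could be dropped entirely,
# because anything arriving on ether1 is for that IP anyway.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp \
    dst-address=5.160.39.58 dst-port=7020 \
    to-addresses=192.168.1.21 to-ports=7020 comment="fwd 7020 to server"

/ip firewall filter
# Accept only the forwarded service. By the time the forward chain runs,
# dst-nat has already rewritten the destination, so match the internal
# address. The defconf drop below only matches connections that were NOT
# dst-nat'd, so this accept is not strictly required, but it keeps the
# allowed traffic explicit and makes the hit counters easy to read.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.21 dst-port=7020 \
    comment="allow forwarded 7020 only" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Check: both counters should increase when an outside client connects to
# 5.160.39.58:7020; if only the NAT counter moves, the filter order is wrong.
/ip firewall nat print stats where comment="fwd 7020 to server"
/ip firewall filter print stats where comment="allow forwarded 7020 only"
```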
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: MicroTik RB951G-2HnD port forwarding

Mon Dec 05, 2016 1:20 pm

Also remove
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
It's not necessary because you are in 192.168.1.0/24 network
 
tslytsly
Frequent Visitor
Posts: 65
Joined: Tue Oct 27, 2015 6:52 pm
Location: Nottingham

Re: MicroTik RB951G-2HnD port forwarding

Mon Dec 05, 2016 3:24 pm

It worked! Thanks. Of course I believe the problem was not just the firewall rule but also dst-address-list as "tslytsly" said, because before I created this thread I tried removing all firewall drop rules and it didn't work. Right now all the drop rules are enabled, including that "drop all from WAN", due to security reasons. After I created the NAT rules I created a firewall rule to forward the traffic for the specific port I wanted and put it higher than the drop rule. Now it works while still dropping all other incoming connections :D
Great stuff.

Just as a tip, if you want to know for sure that something is a firewall misconfiguration you can select all the rules, click the X (not the minus!!!) and this will disable all firewall rules.
Since the RouterOS firewall is a default-accept firewall, if it starts working you know it's one of your rules that's the problem.

....

Just don't forget to re-enable all the rules once you have tested!! ;)