I am getting a bit nuts with my firewall rules. My WAN connection is a PPPoE connection with a dynamic IP; the DynDNS works fine.
The local networks I use:
192.168.50.0/24 - only modem in
192.168.51.0/24 - main LAN
- Mikrotik Router 192.168.51.254
- Web-Server 192.168.51.230
192.168.53.0/24 - guest LAN
10.100.10.0/24 - OVPN dial in
The firewall looks like this:
/ip firewall filter
add action=drop chain=input comment="Input kaputte Pakete Drop " connection-state=invalid
add action=drop chain=forward comment="Forward kaputte Pakete Drop\
\n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input comment="Input related OK" connection-state=related
add action=accept chain=input comment="Input established OK" connection-state=established
add action=accept chain=forward comment="Forward related OK" connection-state=related
add action=accept chain=forward comment="Forward established OK" connection-state=established
add action=accept chain=input comment="Input aus privaten LAN OK" in-interface=private-lan-bridge
add action=accept chain=forward comment="Forward aus privaten LAN OK" in-interface=private-lan-bridge
add action=accept chain=forward comment="Forward Modem LAN auf Server" dst-address=192.168.51.230 src-address=192.168.50.0/24
add action=accept chain=Input comment="Input Modem LAN auf Server" dst-address=192.168.51.230 src-address=192.168.50.0/24
add action=accept chain=input comment="Input aus OVPN LAN OK" src-address=10.100.10.0/24
add action=accept chain=forward comment="Forward aus OVPN LAN OK" src-address=10.100.10.0/24
add action=accept chain=forward comment="Forward Gast-Lan -> Internet" in-interface=gast-lan-bridge out-interface=PPPoE-Telekom
add action=accept chain=input comment="DNS/NTP-Zugriff Gast-LAN" dst-address=192.168.51.254 dst-port=53,123 in-interface=gast-lan-bridge protocol=udp
add action=accept chain=forward comment="Webserver-Zugriff aus Gast-LAN" dst-address=192.168.51.230 dst-port=80,443 in-interface=gast-lan-bridge protocol=tcp
add action=accept chain=input comment=OpenVPN dst-address=192.168.51.254 dst-port=1194 in-interface=PPPoE-Telekom protocol=tcp
add action=accept chain=forward comment=Webserver dst-port=80,443 in-interface=PPPoE-Telekom protocol=tcp
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
add action=drop chain=forward log=yes log-prefix=DROP
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-Telekom src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Maskierung Gast-LAN" out-interface=PPPoE-Telekom src-address=192.168.53.0/24
add action=masquerade chain=srcnat comment="Maskierung VPN Netz" src-address=10.100.10.0/24
add action=masquerade chain=srcnat comment="Hairpin Web-Server" dst-address=192.168.51.230 dst-port=80,443 log=yes log-prefix="APA-MASQ: " out-interface=\
private-lan-bridge protocol=tcp src-address=192.168.51.0/24
add action=dst-nat chain=dstnat comment="Port-forwarding HTTPS zum Server" dst-address=!192.168.51.254 dst-port=443 in-interface=PPPoE-Telekom log-prefix=\
"APACHE443: " protocol=tcp to-addresses=192.168.51.230 to-ports=443
add action=dst-nat chain=dstnat comment="Port-forwarding HTTP zum Server" dst-address=!192.168.51.254 dst-port=80 in-interface=PPPoE-Telekom log-prefix="APACHE80: " \
protocol=tcp to-addresses=192.168.51.230 to-ports=80
add action=dst-nat chain=dstnat comment="Port-forwarding OVPN" dst-port=1194 in-interface=PPPoE-Telekom protocol=tcp to-addresses=192.168.51.254 to-ports=1194

add action=accept chain=forward comment=Webserver dst-port=80,443 in-interface=PPPoE-Telekom protocol=tcp
Besides that, the hairpin doesn't work at all. I end up on the router's web interface and not on my web server 192.168.51.230. I followed the MikroTik wiki: https://wiki.mikrotik.com/wiki/Hairpin_NAT
Does anyone have a hint for me?
Thanx!
Holger
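For comparison, the following is an added example (not part of the post above and not the poster's configuration) of the hairpin NAT pattern described on the linked MikroTik wiki page, adapted to the addresses and interface names used in the post. The wiki's dstnat rule matches on the destination address only and is not tied to the WAN in-interface, so that clients on the LAN that connect to the public address are also redirected. Because the PPPoE address here is dynamic, the example uses dst-address-type=local instead of a fixed public address; that substitution, and the rule comments, are assumptions of this example.

```routeros
# Added example: hairpin NAT for the web server 192.168.51.230 behind a
# MikroTik router whose WAN (PPPoE-Telekom) has a dynamic address.
# Addresses and interface names come from the post; dst-address-type=local
# as a stand-in for the dynamic public address is an assumption.
/ip firewall nat

# 1) dstnat: no in-interface restriction. A rule limited to
#    in-interface=PPPoE-Telekom never matches connections that originate on
#    the LAN, so a LAN client that opens https://<dyndns-name> reaches the
#    router's own web interface instead of the server.
#    dst-address-type=local matches every address owned by the router,
#    including the current PPPoE address; the router's LAN address is
#    excluded so WebFig on 192.168.51.254 stays reachable.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80,443 \
    dst-address-type=local dst-address=!192.168.51.254 \
    to-addresses=192.168.51.230 \
    comment="Port-forwarding HTTP/HTTPS zum Server (extern und Hairpin)"

# 2) srcnat: for connections from the main LAN to the server, rewrite the
#    source to the router's LAN address. Without this the server answers the
#    LAN client directly, the client sees a reply from 192.168.51.230 instead
#    of the public address it connected to, and the TCP handshake fails.
add chain=srcnat action=masquerade protocol=tcp dst-port=80,443 \
    src-address=192.168.51.0/24 dst-address=192.168.51.230 \
    out-interface=private-lan-bridge \
    comment="Hairpin Web-Server"

# 3) The existing forward rules already accept LAN -> server traffic
#    (in-interface=private-lan-bridge) and Internet -> server traffic on
#    ports 80/443 (in-interface=PPPoE-Telekom), so no extra filter rule is
#    needed for the hairpin path.
```

To check whether the hairpin path is actually being taken, open the site from a LAN client using the DynDNS name and then look at the rule counters with `/ip firewall nat print stats`; both the dstnat and the srcnat rule above should show increasing packet counts for that connection, while a hit on the router's own web interface means the dstnat rule did not match.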