tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

RouterOS - NAT problem (dst-nat)

Sat Apr 20, 2019 11:17 pm

Hi guys,
The old router died, so I came upon the marvel that is called “RouterOS”. For the last few days I have been trying to understand the principles and make things work as they were before the “meltdown”. So I have a critical situation here and I'm gonna try to be as analytical as I can be:

Mikrotik configuration so far is handling 2 WANs and 1 LAN interface:
WAN1 has 10.4.14.1 as gateway
WAN2 has 10.33.52.1 as gateway

IP addresses setup:
/ip address
add address=10.4.14.2/24 disabled=no interface="WAN1" network=10.4.14.0
add address=10.33.52.4/24 disabled=no interface="WAN2" network=10.33.52.0
add address=10.24.14.1/24 disabled=no interface="LAN" network=10.24.14.0

The router has two basic tasks:

1. Route all traffic through WAN1, except one specific destination IP that is being routed through WAN2:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

This is working like a charm

2. The other task is to create a NAT. I need a server located inside the LAN with IP 10.24.14.21 to be NATed to the public IP 10.33.52.242 at port 8080, but this must be done through the WAN2 network.
The NAT configuration is the following:

/ip firewall nat
add action=dst-nat chain=dstnat comment="WAN2 to LAN" disabled=no dst-address=10.33.52.242 dst-port=8080 in-interface="WAN2" protocol=tcp to-addresses=10.24.14.21 to-ports=8080
add action=src-nat chain=srcnat comment="Route Server traffic via WAN2" disabled=no src-address=10.24.14.21 to-addresses=10.33.52.242
add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/24

This is NOT working. When I try to connect to the above public IP (10.33.52.242:8080) from another location (e.g. home) it tries to connect but I always get a timeout error.
I would appreciate any help from you, I can't figure out what I'm doing wrong here.
Thanks in advance!
 
k6ccc
Forum Guru
Posts: 1601
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 3:30 am

First guess is that you did not open a hole in the firewall for your NAT. Unlike many consumer routers, RouterOS does not do that automatically.
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 4:43 am

The best thing to do is post your config and that way we can confirm what has been done and what is needed.

/export hide-sensitive file=yourconfig

That being said.....
I have a similar setup for my two WANs:
WAN1 primary, WAN2 secondary; however I need WAN2 for my email traffic.

As for port forwarding you need two things.
a. A generic forward chain firewall rule allowing incoming destination NAT traffic.
b. A specific NAT rule for the server in question.

a. add action=accept chain=forward comment=\
" Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat in-interface=etherX (your WAN2)

b. add action=dst-nat chain=dstnat comment="Server For ??" dst-port=8080 \
protocol=udp/tcp in-interface=etherX to-addresses=10.24.14.21

(I'm also assuming you have two source nat rules for your two WANs as well)
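Putting k6ccc's point (RouterOS opens no firewall hole for you) and anav's two items together, here is an added example of the minimal NAT and filter rules a port forward needs on RouterOS v6. It is my own illustration, not anav's or k6ccc's config and not from the original thread; the interface names and addresses are the ones tvagge posted, and the rule comments and the choice to drop other new WAN2 connections are my assumptions.

```routeros
# Added example, not from the thread: RouterOS v6 rules for forwarding
# 10.33.52.242:8080 (arriving on WAN2) to the LAN server 10.24.14.21:8080.
# Each chain is evaluated top-down and the first match wins, so the order
# of the rules below is deliberate.

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN2 protocol=tcp \
    dst-address=10.33.52.242 dst-port=8080 \
    to-addresses=10.24.14.21 to-ports=8080 \
    comment="WAN2 :8080 -> LAN server"

/ip firewall filter
# forward chain: packets that pass THROUGH the router. Forwarded traffic
# never enters the input chain, so an input accept for port 8080 does
# nothing for the port forward.
add chain=forward action=accept connection-state=established,related \
    comment="replies and related packets of accepted connections"
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=WAN2 \
    comment="new connections that matched a dst-nat rule"
add chain=forward action=drop connection-state=new in-interface=WAN2 \
    comment="any other new connection from WAN2"

# input chain: packets addressed TO the router itself (WinBox, SSH, ...).
# Accepting established/related first keeps the router's own outgoing
# connections on WAN2 working; a bare "drop in-interface=WAN2" would also
# drop the replies to them.
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=WAN2 \
    comment="no new connections to the router from WAN2"
```

The `connection-nat-state=dstnat` matcher is what makes the forward rule generic: any future dst-nat rule is covered without touching the filter again, while unsolicited connections from WAN2 still hit the drop.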
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 12:33 pm

Thank you guys for your snappy replies.

I would like to ask you in my posted configuration, did you notice any "flaws"?
I'll try to post the exported conf. as soon as I get back to the office
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 7:07 pm

RouterOS uses routes from "/ip route" to decide where to send packets. It doesn't automatically send replies back the same way the request came from. So you have an incoming connection on WAN2, but the default route uses WAN1, so the response packets are sent there and of course it doesn't work. The solution is to mark connections based on the incoming interface and then mark routing for the responses, to make them use the correct WAN.

You can see the config at https://wiki.mikrotik.com/wiki/Manual:PCC (ignore two rules with per-connection-classifier, those are for load balancing, which the article is primarily about).
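To make the marking Sob describes concrete for this thread's addresses, here is an added example of the connection-mark / routing-mark pair and the routing table it selects. It is my own illustration, not Sob's config and not the PCC article's; the mark names (`WAN2_conn`, `to_WAN2`), the comments and the per-WAN masquerade rules are my assumptions, the interfaces, gateways and the 10.5.147.11 exception are tvagge's.

```routeros
# Added example, not from the thread: policy routing so that replies to
# connections that arrived on WAN2 leave via WAN2, while the main table
# keeps sending everything else via WAN1. Mark names are arbitrary.

/ip firewall mangle
# 1. first packet of a new connection arriving on WAN2: remember that on
#    the connection (a connection mark lives as long as the connection)
add chain=prerouting action=mark-connection connection-state=new \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes \
    comment="connection entered on WAN2"
# 2. packets of such a connection coming back from the LAN server: select
#    the alternative routing table before the routing decision is made
add chain=prerouting action=mark-routing in-interface=LAN \
    connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=no \
    comment="server replies use table to_WAN2"
# 3. same for the router's own replies (e.g. WinBox reached via WAN2);
#    locally generated packets pass the output chain, not prerouting
add chain=output action=mark-routing connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=no \
    comment="router replies use table to_WAN2"

/ip route
# main table: default via WAN1, one destination via WAN2 (as in the thread)
add dst-address=0.0.0.0/0 gateway=10.4.14.1 distance=1 \
    comment="default via WAN1"
add dst-address=10.5.147.11/32 gateway=10.33.52.1 distance=1 \
    comment="this host via WAN2"
# table to_WAN2: consulted only for packets carrying routing-mark=to_WAN2,
# so its distance never competes with the main table
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=to_WAN2 \
    comment="marked packets via WAN2"

/ip firewall nat
# one source NAT per WAN, so the source address always matches the
# interface the packet actually leaves on
add chain=srcnat action=masquerade out-interface=WAN1
add chain=srcnat action=masquerade out-interface=WAN2
```

Without the mark-routing rules the server's SYN-ACK is routed by the main table, leaves WAN1 with WAN1's source address, and the remote client never matches it to the connection it opened to 10.33.52.242, which is exactly the timeout tvagge sees.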
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 8:31 pm

> RouterOS uses routes from "/ip route" to decide where to send packets. It doesn't automatically send replies back the same way the request came from. So you have an incoming connection on WAN2, but the default route uses WAN1, so the response packets are sent there and of course it doesn't work. The solution is to mark connections based on the incoming interface and then mark routing for the responses, to make them use the correct WAN.
>
> You can see the config at https://wiki.mikrotik.com/wiki/Manual:PCC (ignore two rules with per-connection-classifier, those are for load balancing, which the article is primarily about).

If I may add / correct something here (see red text above) before there is a "bug / problem" in Mikrotik again: that is how IP routing works and how any router will handle IP packets. It is not Mikrotik specific; you will get the same results with Cisco, Juniper, etc.
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 8:57 pm

Don't let IT big heads scare you. No clear need to mangle yet! ;-P

As far as these lines go
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

I would change them to something like this
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=10 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

In this way you can add rules before, after and in between (via distance).
For example my WAN1 has distance 5, my WAN2 has distance 10 but my WAN2 email routing has distance 1.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 9:26 pm

Don't let @anav fool you. ;)

If the forwarded port on WAN2 should be accessible from anywhere, but you want to use WAN1 by default, you need the marking; one routing table alone won't be enough.


@CZFan: I didn't mean it as RouterOS-specific, just that someone can expect that this happens automatically.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 9:34 pm

Ok, one correction, you don't necessarily have to mark incoming connections if the server (10.24.14.21) is going to always use WAN2, even for its own outgoing connections. In that case you can use something simpler:
/ip route
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=wan2
/ip firewall mangle
add chain=prerouting src-address=10.24.14.21 action=mark-routing new-routing-mark=wan2
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 10:44 pm

> Ok, one correction, you don't necessarily have to mark incoming connections if the server (10.24.14.21) is going to always use WAN2, even for its own outgoing connections. In that case you can use something simpler:
> /ip route
> add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=wan2
> /ip firewall mangle
> add chain=prerouting src-address=10.24.14.21 action=mark-routing new-routing-mark=wan2

Do you mean to replace my ip route settings with yours? Or like this?
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=wan2
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

and after that just add the mangle rule?
/ip firewall mangle
add chain=prerouting src-address=10.24.14.21 action=mark-routing new-routing-mark=wan2
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Sun Apr 21, 2019 11:18 pm

Add my route to yours like you wrote. The routing-mark=wan2 parameter tells the router that it's a different routing table. And the mangle rule instructs the router to use it for the selected packets.
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - NAT problem (dst-nat)

Mon Apr 22, 2019 3:40 pm

Guys, thank you for your feedback, I'm trying to implement all the settings and I'll get back to you
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Mon Apr 22, 2019 4:36 pm

Sob I will admit to meeting in the middle on this one, perhaps a little teensy weensy bit of mangling will do LOL.
I do have to ask though, for my email traffic, why do I not need to mangle that traffic at all? I have at least two different IP addresses magically ( without mangling ;-p ) able to be routed to WAN2 for my email. Eagerly anticipating the answer whilst I eat the head of my chocolate bunny. (typical North American pagan Easter ritual LOL)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Mon Apr 22, 2019 6:44 pm

If I remember correctly, you're dealing with outgoing email traffic, but this is about incoming traffic.
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Mon Apr 22, 2019 10:07 pm

> If I remember correctly, you're dealing with outgoing email traffic, but this is about incoming traffic.

That is correct, but what about incoming emails???

In any case, if traffic comes in on WAN2, hits the server and then heads out, even though there is conn track, the router will stupidly send the return traffic out the primary WAN1 with the standard routing for primary and secondary WAN (via distance). That is the part that is annoying, the router knows where it came from............
So what you are saying is that the easiest thing to do is simply route all traffic from the one IP to WAN2 (mark such traffic and refer to it in IP routing)?
(I like this for another reason: even if the incoming traffic to the server comes in on WAN1, it will still go out WAN2.)

What is the purpose of preferred source then???

Or how bout this combo.............
/ip route
add distance=1 gateway=10.33.52.1 routing-mark=TEST
/ip route rule
add dst-address=0.0.0.0/0 interface=WAN2 src-address=10.24.14.21/32 \
table=TEST
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Mon Apr 22, 2019 11:17 pm

The router knows where the connection came from, but it can't know that you also want to send the replies there. If you have two independent WAN interfaces (often from different ISPs), the obvious reaction is "and where else should it send them?!", but it's not the only possible scenario. You might as well have two (or more) interfaces and use asymmetric routing, where incoming traffic uses one and outgoing another. And it's perfectly valid too. But it must be supported by the other ends too, so this most likely won't work:
> (I like this for another reason: even if the incoming traffic to the server comes in on WAN1, it will still go out WAN2.)

And yes, a routing rule can be used too, if it's a static config where the server uses only WAN2. But if you'd want the server accessible from both WANs, it wouldn't work.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: RouterOS - NAT problem (dst-nat)

Tue Apr 23, 2019 4:22 am

@Anav, IIRC, you are using an email client with the mail server hosted outside your network.
Then the client will send mails out, either directly to your hosted mail server or alternatively a Skype server.
The mail coming in is being "pulled" by the mail client, so the connection is initiated from inside, so you will only need a route rule for mail; no mangle required there.
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - NAT problem (dst-nat)

Tue Apr 23, 2019 9:26 am

OK, good news, everything is up and working.
Reviewing the whole thing, the scenario was:

Mikrotik router is handling 2 WANs and 1 LAN interface:
WAN1 has 10.4.14.1 as gateway
WAN2 has 10.33.52.1 as gateway


The router has two basic tasks:
1. Route all traffic through WAN1, except one specific destination IP that is being routed through WAN2.
2. The other task is to create a NAT. A server located inside LAN with IP 10.24.14.21 needs to be NATed with the public IP 10.33.52.242 at port 8080 but this must be done through WAN2 network.

I'm posting the final configuration. I'm pretty sure that some lines can be removed, so if you can help me with that I would be grateful:
Line 1: /interface ethernet
Line 2: set 0 arp=enabled auto-negotiation=yes cable-settings=default \
Line 3:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
Line 4:     mtu=1500 name=LAN speed=100Mbps
Line 5: set 1 arp=enabled auto-negotiation=yes cable-settings=default \
Line 6:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
Line 7:     mtu=1500 name=WAN1 speed=100Mbps
Line 8: set 2 arp=enabled auto-negotiation=yes cable-settings=default \
Line 9:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
Line 10:     mtu=1500 name=WAN2 speed=100Mbps

Line 12: /ip address
Line 13: add address=10.24.14.1/24 disabled=no interface=LAN network=10.24.14.0
Line 14: add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
Line 15: add address=10.33.52.242/24 disabled=no interface=WAN2 network=10.33.52.0

Line 17: /ip firewall filter
Line 18: add action=accept chain=input disabled=no dst-address=10.33.52.242 dst-port=\
Line 19:     8080 in-interface=WAN2 protocol=tcp
Line 20: add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
Line 21:     src-address=10.24.14.21 src-port=8080
Line 22: add action=accept chain=input disabled=yes dst-address=10.33.52.9 dst-port=80 \
Line 23:     in-interface=WAN2 protocol=tcp
Line 24: add action=drop chain=input disabled=no in-interface=WAN2

Line 26: /ip firewall mangle
Line 29: add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
Line 30:     new-connection-mark=WAN1_connection passthrough=yes
Line 31: add action=mark-connection chain=prerouting disabled=no in-interface=WAN2 \
Line 32:     new-connection-mark=WAN2_connection passthrough=yes
Line 33: add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
Line 34:     disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
Line 35: add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
Line 36:     disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
Line 37: add action=mark-routing chain=output connection-mark=WAN2_connection \
Line 38:     disabled=no new-routing-mark=to_WAN2 passthrough=yes

Line 40: /ip firewall nat
Line 41: add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/24
Line 42: add action=masquerade chain=srcnat disabled=no out-interface=WAN2
Line 43: add action=masquerade chain=srcnat disabled=no out-interface=WAN1
Line 50: add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
Line 51:     dst-port=8080 in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 \
Line 52:     to-ports=8080
Line 53: add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
Line 54:     dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 \
Line 55:     to-ports=8080

Line 57: /ip route
Line 60: add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.33.52.1 \
Line 61:     routing-mark=to_WAN2 scope=30 target-scope=10
Line 62: add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 \
Line 63:     target-scope=10
Line 64: add comment=IRIS disabled=no distance=1 dst-address=10.5.14.0/24 gateway=\
Line 65:     10.33.52.1 scope=30 target-scope=10
Here are some questions that need clarification:

Q.1
Line 15:
Do I need to set the specific IP (meaning the .242), because the public address that needs to be NATed is 10.33.52.242, or that's irrelevant? E.g can I set 10.33.52.4/24 with no impact?

Q.2
Lines 17-24:
Are the firewall rules mandatory, or are they there for security reasons?

Q.3
In the /ip firewall mangle section, I mangled almost everything! I guess that lines:
Line 29: add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
Line 30: new-connection-mark=WAN1_connection passthrough=yes
Line 33: add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
Line 34: disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
are not needed?

Q.4
In the /ip firewall nat section, are all the rules needed here?

Q.5
Lines 60-61:
Do I have to set the distance in a higher value than the distance in line 62?

Thank you all for your support!
Last edited by tvagge on Wed Apr 24, 2019 11:15 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Tue Apr 23, 2019 4:36 pm

I don't see red very well LOL.
Best if you use standard format
/export hide-sensitive file=yourconfig

I see issues in both firewall filter and nat rules.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Tue Apr 23, 2019 5:45 pm

1) It should be the address you have for WAN2 (what you got from ISP). Or do you have more?

2) Most of your firewall filter is nonsense. If you forward port 8080 inside, it won't ever go through the input chain (17-18). Then 20-21 also doesn't look like anything that could ever happen, and 22-23 is for an address the router doesn't have, so it should be useless too. The only sort of useful one is 24, which blocks access to the router from WAN2, i.e. protecting its services like WinBox, but as it is now it also effectively blocks all of the router's own communication on WAN2.

3) You can live without them.

4) You don't need 41, because anything from that network will go out via WAN1, so 43 will do the same job. And 50-52 are probably useless, because when 10.33.52.242 is on WAN2, nothing to this address will come from WAN1. Assuming you have two independent WANs.

5) No, it's the only rule in routing table to_WAN2; it doesn't mix with others in the default routing table, so distance here is useless.
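After trimming the config the way Sob's answers suggest, the checks below are what I would run from the RouterOS v6 console to confirm each piece is actually doing its job. This is an added note, not part of Sob's reply; the mark names are the ones in tvagge's posted config (`WAN2_connection`, `to_WAN2`) and the test connection to 10.33.52.242:8080 is assumed to be opened from an outside host while the commands run.

```routeros
# Added example, not from the thread: verifying the dst-nat + policy-routing
# setup from the router's console while a test connection to
# 10.33.52.242:8080 is open from outside.

# 1. the alternative table holds exactly one route and it is reachable
/ip route print where routing-mark=to_WAN2

# 2. the mangle counters (packets/bytes) go up while the test connection is
#    open; a rule stuck at 0 is the one whose matcher is wrong (chain,
#    interface, connection-state or connection-mark)
/ip firewall mangle print stats

# 3. the test connection appears in connection tracking with the WAN2 mark;
#    if it is unmarked, the mark-connection rule did not see the first packet
/ip firewall connection print where connection-mark=WAN2_connection

# 4. the filter counters show which rule finally accepted or dropped it
/ip firewall filter print stats

# 5. the reply packets (source port 8080) must leave on WAN2; if they show up
#    on WAN1 instead, the mark-routing rule is not selecting table to_WAN2
/tool torch interface=WAN2 port=8080
```

The counters are the quickest signal: every rule on the path (mark-connection, mark-routing, dst-nat, forward accept) should increment for one test connection, and the first one that does not is where to look.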
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Tue Apr 23, 2019 7:24 pm

Concur, best thing to do is post your entire config........
Not sure where some of those rules came from but as stated questionable......
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: RouterOS - NAT problem (dst-nat)

Wed Apr 24, 2019 1:38 am

> ...
> Then the client will send mails out, either directly to your hosted mail server or alternatively a Skype server.
> ...

Supposed to be SMTP Server, Apple iOS auto correct :-(
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - NAT problem (dst-nat)

Wed Apr 24, 2019 11:50 am

> I don't see red very well LOL.
> Best if you use standard format
> /export hide-sensitive file=yourconfig
>
> I see issues in both firewall filter and nat rules.

Ugh! Sorry for the red colors... edited that already....
I'm posting the entire configuration. The only "active" sections (my settings) are:
  • /interface ethernet
  • /ip address
  • /ip firewall filter
  • /ip firewall mangle
  • /ip firewall nat
  • /ip route
All the rest have the default values.
Here's the exported config:
# apr/24/2019 11:34:26 
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default \
    disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    mac-address=18:D6:C7:02:43:EC mtu=1500 name=LAN speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default \
    disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    mac-address=18:D6:C7:03:A1:AE mtu=1500 name=WAN1 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default \
    disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    mac-address=10:7B:44:53:1A:DB mtu=1500 name=WAN2 speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=none name=default \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default \
    remote-ipv6-prefix-pool=none use-compression=default use-encryption=\
    default use-ipv6=yes use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \
    use-ipv6=yes use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/routing ospf-v3 instance
set [ find default=yes ] disabled=no distribute-default=never metric-bgp=auto \
    metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20 \
    metric-static=20 name=default redistribute-bgp=no redistribute-connected=\
    no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf-v3 area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-protocol=MD5 \
    encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=:: remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin paypal-accept-pending=no \
    paypal-allowed=no paypal-secure-response=no permissions=owner \
    signup-allowed=no time-zone=-00:00
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:E9:C3:CB:10:CD \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.24.14.1/24 disabled=no interface=LAN network=10.24.14.0
add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
add address=10.33.52.242/24 disabled=no interface=WAN2 network=10.33.52.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=""
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no dst-address=10.33.52.242 dst-port=\
    8080 in-interface=WAN2 protocol=tcp
add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
    src-address=10.24.14.21 src-port=8080
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting disabled=no in-interface=WAN2 \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    disabled=no new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
    dst-port=8080 in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
    dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set LAN disabled=no
set WAN1 disabled=no
set WAN2 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.33.52.1 \
    routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 \
    target-scope=10
add comment=IRIS disabled=no distance=1 dst-address=10.5.14.0/24 gateway=\
    10.33.52.1 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=\
    no hop-limit=unspecified interface=all managed-address-configuration=no \
    mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m \
    ra-lifetime=30m reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set LAN queue=ethernet-default
set WAN1 queue=ethernet-default
set WAN2 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing pim
set switch-to-spt=yes switch-to-spt-bytes=0 switch-to-spt-interval=1m40s
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/routing ripng
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=Europe/Helsinki
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find vcno=1 ] channel=0 disabled=no term=linux
set [ find vcno=2 ] channel=0 disabled=no term=linux
set [ find vcno=3 ] channel=0 disabled=no term=linux
set [ find vcno=4 ] channel=0 disabled=no term=linux
set [ find vcno=5 ] channel=0 disabled=no term=linux
set [ find vcno=6 ] channel=0 disabled=no term=linux
set [ find vcno=7 ] channel=0 disabled=no term=linux
set [ find vcno=8 ] channel=0 disabled=no term=linux
/system console screen
set blank-interval=10min line-count=25
/system gps
set channel=0 enabled=no set-system-time=no
/system hardware
set multi-cpu=yes
/system health
set state-after-reboot=enabled
/system identity
set name=MikroTik
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN2 disabled=yes display-time=5s
set WAN1 disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
/system resource irq rps
set LAN disabled=no
set WAN1 disabled=no
set WAN2 disabled=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
    "" filter-mac-address="" filter-mac-protocol="" filter-port="" \
    filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
    only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
I'm very new to the MikroTik ecosystem, so please forgive any misconfigurations that may be obvious to you. I know for sure that this configuration does the job I need. The scenario is described in previous posts. But I would like to clear out all the unnecessary commands, so it can be more understandable....
I would be grateful if you could help me with that...
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS - NAT problem (dst-nat)

Fri Apr 26, 2019 5:33 am

That's a rather verbose export. Did you do it intentionally, or do you have ancient RouterOS where verbose export was default? It would be especially bad, since your firewall allows everything. On the upside, it would be so old that the most ugly vulnerability didn't exist yet. :D
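To illustrate the point about the firewall allowing everything, here is a minimal filter set for this particular setup. It is an added example, not part of the thread's export or of any forum member's post. It assumes the interface names WAN1, WAN2 and LAN from the export above, and the dst-nat rule that forwards TCP 8080 to 10.24.14.21; the comments and the rule wording are mine. Because dst-nat runs before filtering, the forward chain already sees the translated internal address.

```routeros
/ip firewall filter
# input chain: packets addressed to the router itself
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router itself opened"
add chain=input action=drop connection-state=invalid \
    comment="packets that belong to no known connection"
add chain=input action=accept protocol=icmp \
    comment="ping/traceroute to the router"
add chain=input action=accept in-interface=LAN \
    comment="management (winbox, ssh, www) only from the LAN side"
add chain=input action=drop in-interface=WAN1 \
    comment="everything else arriving from WAN1"
add chain=input action=drop in-interface=WAN2 \
    comment="everything else arriving from WAN2"

# forward chain: packets routed through the router
add chain=forward action=accept connection-state=established,related \
    comment="return traffic of already accepted connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-nat-state=dstnat in-interface=WAN2 \
    protocol=tcp dst-address=10.24.14.21 dst-port=8080 \
    comment="only the port-forwarded server is reachable from WAN2"
add chain=forward action=accept in-interface=LAN \
    comment="LAN hosts may open outbound connections"
add chain=forward action=drop in-interface=WAN1 \
    comment="no unsolicited inbound from WAN1"
add chain=forward action=drop in-interface=WAN2 \
    comment="no unsolicited inbound from WAN2"
```

Rule order matters: the accept for LAN must sit above the per-WAN drops, and the rules should be added from a LAN-side session (or with Safe Mode enabled in the terminal) so a mistake does not lock you out of management. Most of the export above is default settings; `/export compact` (the default form of `/export` on RouterOS 6) prints only what differs from the defaults, which is the shorter form the earlier post asks for.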
 
kayesar99955
just joined
Posts: 11
Joined: Thu May 31, 2018 12:22 pm

Re: RouterOS - NAT problem (dst-nat)

Mon Feb 17, 2020 11:27 am

Hi,
I want to create a PPPoE server, but I have a poor concept of firewalls, so I want to set firewall rules for my users. So I need some standard firewall rules for a PPPoE server.
My network is: LAN: 10.10.11.0/24, WAN: 192.168.2.2/24.

Thanks
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: RouterOS - NAT problem (dst-nat)

Mon Feb 17, 2020 3:56 pm

Hi,
I want to create a PPPoE server, but I have a poor concept of firewalls, so I want to set firewall rules for my users. So I need some standard firewall rules for a PPPoE server.
...
https://wiki.mikrotik.com/wiki/Manual:TOC
Alternatively
https://mikrotik.com/consultants
 
anav
Forum Guru
Posts: 22509
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - NAT problem (dst-nat)

Mon Feb 17, 2020 3:56 pm

Start a new thread then.............
 
kayesar99955
just joined
Posts: 11
Joined: Thu May 31, 2018 12:22 pm

Re: RouterOS - NAT problem (dst-nat)

Tue Feb 18, 2020 7:54 am

"CZFan" hello, I have seen those manuals on the site, that's why I did not ask for this link.
I just want to have specific rules for the given network, because I am new in MikroTik.