I have a strange problem. I'm not a pro, so I think it is a problem in my configuration. I have enabled HNAT (hairpin / NAT loopback) because I want to access my services (ownCloud, photo gallery, Pi-hole, Home Assistant, etc.) from the internet and from the local network. I have a public static IP and have assigned my DNS name to it.
When this rule is enabled, I can access my server from the internet using the public DNS name, but not from my LAN, because HNAT does not work when in-interface-list is specified.
# Publishes TCP/80 to 192.168.2.5, but only for packets that arrive on an interface in the WAN list.
# A LAN client connecting to the public name arrives on the LAN bridge, so it never matches this
# rule and is not hairpinned — the behaviour described in the question above.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=80
# Same publication without in-interface-list, so LAN-origin packets match too and hairpin works.
# NOTE(review): there is also no dst-address, so this matches TCP/80 arriving on any interface to
# ANY destination — presumably it also rewrites LAN clients' ordinary web traffic to other hosts
# towards 192.168.2.5 (TODO confirm). Matching on the router's public address instead of the ingress
# interface (dst-address=<public IP>, or dst-address-type=local) keeps hairpin working without that.
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.2.5 to-ports=80
Here is my config:
# oct/28/2019 19:48:39 by RouterOS 6.45.6
# software id = FM9E-58T1
#
# model = RBD52G-5HacD2HnD
# serial number = 9EF709C73784
/ip firewall filter
# Filter rules are evaluated top to bottom within each chain: input = traffic addressed to the router
# itself, forward = traffic routed through it. The first matching accept/drop/reject decides.
# Disabled (disabled=yes) reject of one LAN host's traffic towards the WAN interface. The comment is
# Slovak, roughly "XIAOMI GW forbidden communication". Inactive as exported.
add action=reject chain=forward comment="XIAOMI GW zakazna komunikacia" disabled=yes in-interface=bridge-home log=yes log-prefix=MIGW: out-interface=ether1-wan reject-with=icmp-network-unreachable src-address=192.168.2.114
# Accept router-destined traffic from 172.31.255.0/24 (the log prefix suggests an OSPF NBMA neighbour range).
add action=accept chain=input log-prefix=OSPF-NBMA src-address=172.31.255.0/24
# Accepts forwarded UDP/53 arriving from WAN. Together with the WAN dst-nat of port 53 to 192.168.2.5
# in the nat section, this publishes the internal DNS resolver to the whole internet. Unless that is
# intended for specific remote clients, it can be abused as an open resolver (amplification) and
# should be restricted with a src-address.
add action=accept chain=forward dst-port=53 in-interface-list=WAN protocol=udp
# Guest subnet (192.168.9.0/24) is refused access to the home LAN.
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=icmp-network-unreachable src-address=192.168.9.0/24
# defconf: new connections from WAN that no dst-nat rule matched are dropped (logged as "drop_fwd: ").
# This is what turns each dst-nat rule in the nat section into an exposed port.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="drop_fwd: "
# Guest-subnet traffic is accepted here, above the fasttrack rule, so it keeps going through simple
# queue processing (see the rule comments).
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related src-address=192.168.9.0/24
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related dst-address=192.168.9.0/24
# defconf input rules.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Accepts Winbox (TCP/8291) from ANY interface: it has no in-interface-list and sits above the
# "drop all not coming from LAN" rule, so the management service is reachable from the internet.
# If remote management is not required, add in-interface-list=LAN or restrict src-address.
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="drop_invalid: "
# Everything else addressed to the router that did not arrive via a LAN-list interface is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="drop_input: "
# defconf forward rules: IPsec-policy traffic, fasttrack, established/related, invalid.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Established/related connections are handed to fasttrack, which skips further firewall and queue
# processing — hence the guest-subnet exceptions placed above this rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=EE:
/ip firewall nat
# NAT rules are also evaluated in order. The dstnat chain sees every packet entering the router
# (LAN-originated traffic included), the srcnat chain every packet leaving it.
# Masquerade everything leaving via a WAN-list interface; traffic covered by an IPsec policy is excluded.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix="masq wan:" out-interface-list=WAN
# Disabled masquerade for an L2TP client tunnel.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=l2tp-client-oriwin
# Port 80 published to 192.168.2.5, but only for packets arriving via WAN. A LAN client connecting
# to the public name arrives on bridge-home, never matches, and is therefore not hairpinned — this
# is the behaviour described in the question. Matching on the public address instead of the ingress
# interface (dst-address=<public IP>, or dst-address-type=local) would let both paths hit the rule.
add action=dst-nat chain=dstnat comment="NAT WWW" dst-port=80 in-interface-list=WAN log-prefix="NAT WWW:" protocol=tcp to-addresses=192.168.2.5 to-ports=80
# No in-interface-list and no dst-address: matches TCP/8123 arriving on any interface to ANY
# destination, which presumably also rewrites LAN clients' connections to external hosts on that
# port — TODO confirm; restricting with dst-address / dst-address-type=local avoids that.
add action=dst-nat chain=dstnat comment=HomeAssistant dst-port=8123 log-prefix=NAT_HA: protocol=tcp to-addresses=192.168.2.5 to-ports=8123
# SSH on 192.168.2.5 published on WAN port 22005. A non-standard port is not access control; the
# host behind it should rely on key-based authentication and its auth logs should be watched.
add action=dst-nat chain=dstnat dst-port=22005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=22
# Same unrestricted match as the 8123 rule above (any interface, any destination).
add action=dst-nat chain=dstnat comment="NginxProxy - ownCloud" dst-port=8001 protocol=tcp to-addresses=192.168.2.5 to-ports=8001
# UDP/53 published from WAN to the internal DNS server. Together with the matching forward accept in
# the filter section this makes the resolver internet-reachable — see the note there.
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=53
# WAN port 18005 -> 192.168.2.5:80.
add action=dst-nat chain=dstnat dst-port=18005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=80
# SSH on 192.168.2.7 published on WAN port 22007; same caveat as port 22005.
add action=dst-nat chain=dstnat dst-port=22007 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.7 to-ports=22
# Hairpin / NAT loopback (comment is Slovak, roughly "for NAT rules, do not specify the SRC
# interface"): traffic the router forwards back into bridge-home with both source and destination in
# 192.168.2.0/24 — in practice connections dst-natted to a LAN server — gets its source rewritten to
# the router, so the server's reply returns via the router. It can only help connections that already
# matched a dst-nat rule, so the WAN-only rules above are never hairpinned. log=yes records each such
# connection with prefix NAT_LOOP:.
add action=masquerade chain=srcnat comment="NAT LOOPBACK, pre NAT pravidla neurcovat SRC interface" dst-address=192.168.2.0/24 log=yes log-prefix=NAT_LOOP: out-interface=bridge-home src-address=192.168.2.0/24