MikroTik

Posted: **Thu Dec 02, 2021 7:03 pm**

Hello everyone!
I am a total beginner with RouterOs devices and have only configured end user routers till now. So consider my mistake may be an obvious one.
What I am trying to achieve is forwarding external ports 80 and 443 to my internal host 192.168.88.7
However when I add the below rule nothing happens. No response if I send a get request to my external IP.

add action=dst-nat chain=dstnat in-interface=pppoe-out port=80 protocol=tcp \
    to-addresses=192.168.88.7 to-ports=80

However if I dont specifiy in-interface it will become a captive portal and forward ALL traffic to this host.

The part where i am most unshure if I did it right is sadly the firewalling part.
So my question is: Could you please look over my nat and firewalling configuration and point me towards the obvious please? (:
Thank You!

/interface bridge
add name=guests
add name=local
/interface ethernet
set [ find default-name=ether1 ] comment="DSL Modem"
set [ find default-name=ether2 ] comment="Legacy Uplink"
set [ find default-name=ether3 ] comment=Dockingstation
set [ find default-name=ether4 ] comment=PC
set [ find default-name=ether5 ] comment=TV
set [ find default-name=ether6 ] comment=Octoprint
set [ find default-name=ether7 ] comment=Homeassistant
set [ find default-name=ether8 ] comment=NAS
set [ find default-name=ether9 ] comment="Cable TV Receiver"
set [ find default-name=ether10 ] comment=CAPs
/interface vlan
add interface=ether1 name=vlan7 vlan-id=7
/caps-man configuration
add country=germany datapath.bridge=local name=cfg1 \
    security.authentication-types=wpa2-psk security.passphrase=\
    coollongpassword ssid=\
    WiFi-Main
add country=germany datapath.bridge=guests name=cfg2 \
    security.authentication-types=wpa2-psk security.passphrase=coollongpassword \
    ssid=WiFi-Guest
/interface pppoe-client
add add-default-route=yes comment="DSL Uplink" disabled=no interface=vlan7 \
    name=pppoe-out password=coolpassword user=userid@server.isp.tld
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.102-192.168.88.254
add name=dhcp_pool2 ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=guests name=dhcp2
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=local
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 \
    slave-configurations=cfg2
/interface bridge port
add bridge=local interface=ether2
add bridge=local disabled=yes interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether7
add bridge=local interface=ether8
add bridge=local interface=ether9
add bridge=local interface=ether10
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.77.1/24 interface=guests network=192.168.77.0
/ip cloud
set ddns-update-interval=1m update-time=no
/ip dhcp-server network
add address=192.168.77.0/24 gateway=192.168.77.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set servers=91.217.137.37,194.36.144.87
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Block access from guest network" \
    dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block access from guest network" \
    dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=drop chain=input comment="Block access to guest network" \
    dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment="Block access to guest network" \
    dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established in-interface=pppoe-out
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local connections" in-interface=\
    !pppoe-out src-address=192.168.88.0/24
add action=accept chain=input comment="Allow HTTP" in-interface=pppoe-out port=\
    80 protocol=tcp
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=\
    192.168.77.0/24
add action=dst-nat chain=dstnat in-interface=pppoe-out port=80 protocol=tcp \
    to-addresses=192.168.88.7 to-ports=80
add action=dst-nat chain=dstnat in-interface=pppoe-out port=443 protocol=tcp \
    to-addresses=192.168.88.7 to-ports=443
/ip route
add distance=1 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set backlight-timeout=never default-screen=stat-slideshow time-interval=hour
/lcd pin
set pin-number=2634
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system scheduler
add interval=5m name=ddns on-event=" /tool fetch url=\"http://sync.afraid.org/u/\
    secreturl\r\
    \n4rL/\" mode=http output=none" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/01/2021 start-time=00:00:00
/tool bandwidth-server
set enabled=no

Posted: **Thu Dec 02, 2021 7:39 pm**

If attempting to reach your server from a PC on the same LAN(subnet) but using the WANIP or domain name of the router you are in a loopback situation often called hairpin NAT which is easily solved by putting in a simple masquerade source nat rule prior to the default one provided.
Two other things.
a. you need one generic allow dst-nat rule in your forward chain (already covered in default rules provided)
b. you need to ensure the dst-nat rules are formatted correctly especially for dynamic WANIPs.

All explained here!
viewtopic.php?t=179343

Posted: **Thu Dec 02, 2021 7:48 pm**

Why is your IP Route affiliated to one of your LAN subnets???
/ip route
add distance=1 gateway=192.168.88.

/ip pool
add name=dhcp_pool0 ranges=192.168.88.102-192.168.88.254
add name=dhcp_pool2 ranges=192.168.77.2-192.168.77.254

I suspect the IP route is automatically provided by your selections in the PPPOE client settings and
thus not sure why you created this additional route? or what its purpose is?

Posted: **Thu Dec 02, 2021 8:13 pm**

In terms of your firewall rules,,,,,,,, how did you get there from the basic defaults.....
I suspect too much youtube.

Clearly you do not understand firewall rules and should have stayed with the defaults and asked questions first.
Ex. Basic, input chain is for traffic to and fro the router itself Wan to Router and LAN to router, however you are attempting to use the input chain for LAN to LAN traffic, which should be in the forward chain. I see that you copied the rule into both chains so at least 1/2 right.

Another strange one is this:
add action=accept chain=input comment="Allow HTTP" in-interface=pppoe-out port=\
80 protocol=tcp

Basically allowing port 80 from anyone both internet to the router on port 80 ???????????? purpose?
I suspect you think this is necessary for port forwarding but port forwarding is from the WAN to the LAN and not to the router!!

On the last two rules of the input chain, I like the last rule........... Which basically says drop all other WAN to router and LAN to router traffic. Good!
The rule before that says block all traffic that is not from the LOCAL LAN. Is this really what you want?? How do the guests get DNS services from the router for example. Also, intuitively you can see that the drop all rule already covers all other traffic (wan to router for example) so there is some unnecessary duplication.
I think what you want is admin access to the router and the rest of the LAN users only need access to specific ROUTER services!
add action=accept chain=input comment="Allow local connections" in-interface=\
!pppoe-out src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else"

NOTE the drop all rule you use at the end of the input chain, should be used at the end of the forward chain as well, makes life easier for you on the forward chain.
Automatically you can remove the two rules blocking the local and guest networks from each other!!! One will have to add the ability to access the internet (LAN to WAN rules) and a generic firewall rule to allow port forwarding if required.

FROM

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Block access from guest network" \
    dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block access from guest network" \
    dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=drop chain=input comment="Block access to guest network" \
    dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment="Block access to guest network" \
    dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established in-interface=pppoe-out
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local connections" in-interface=\
    !pppoe-out src-address=192.168.88.0/24
add action=accept chain=input comment="Allow HTTP" in-interface=pppoe-out port=\
    80 protocol=tcp
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=\
    192.168.77.0/24
add action=dst-nat chain=dstnat in-interface=pppoe-out port=80 protocol=tcp \
    to-addresses=192.168.88.7 to-ports=80
add action=dst-nat chain=dstnat in-interface=pppoe-out port=443 protocol=tcp \
    to-addresses=192.168.88.7 to-ports=443

TO
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local admin connections" in-interface=local
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {assumes LAN interface includes members 'local' and 'guest'}
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop everything else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN (assuming you have interface list and members setup - dont see it on your config ???)
add action=drop chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"

NAT RULES<
Do not need separate rules for each LAN subnet. The ports need to be detailed as DESTINATION PORTS. To ports not required if same as destination ports.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out
add action=dst-nat chain=dstnat in-interface=pppoe-out dst-port=80 protocol=tcp \
to-addresses=192.168.88.7
add action=dst-nat chain=dstnat in-interface=pppoe-out dst-port=443 protocol=tcp \
to-addresses=192.168.88.7

You will need to modify the NAT section as per the first post (link to hairpin nat), but will let you figure that out after reading!!!

Posted: **Thu Dec 02, 2021 9:40 pm**

This is my port forwarding and it works too, lol.

add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820

Posted: **Thu Dec 02, 2021 10:08 pm**

Whats your point? or in other terms....
How is that helpful?

MikroTik

Help forwarding ports

Help forwarding ports

Re: Help forwarding ports

Re: Help forwarding ports

Re: Help forwarding ports

Re: Help forwarding ports

Re: Help forwarding ports