Mikrotik
Evgeny Emelyanov, 2017-08-08 20:57:37

How to properly configure firewall on Mikrotik RB951Ui-2HnD?

Good evening, ambulance staff!)
Recently I took up setting up a Mikrotik from scratch; before, I only ever added forwarding rules, and now it's time to get thoroughly acquainted with it.
The task is as follows: a PPTP server and some port forwarding need to be set up.
I started with PPTP, and everything turned out great when added to the default configuration. Forwarding doesn't work at all.
I reset the device to factory settings and cleared the configuration. Then, following the standard procedure:
Changed the password
Renamed the ports more conveniently
Combined LAN ports into BRIDGE
Assigned WAN and BRIDGE addresses
Registered GATEWAY and DNS
... etc.
Removed the prohibiting rules in the firewall.
Based on the article https://habrahabr.ru/post/265387/ =))

Here is the export...

> /export
# aug/08/2017 23:36:19 by RouterOS 6.39.2
# software id = 4867-ASQG
#
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] master-port=LAN1 name=LAN2
set [ find default-name=ether4 ] master-port=LAN1 name=LAN3
set [ find default-name=ether5 ] master-port=LAN1 name=LAN4
set [ find default-name=ether1 ] name=WAN
/interface bridge port
add bridge=LAN interface=LAN1
/ip address
add address=192.168.88.1/24 interface=LAN network=192.168.88.0
add address=123.123.123.123/29 interface=WAN network=123.123.123.120
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input protocol=igmp
add action=accept chain=input connection-state=new dst-port=3389 in-interface=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input connection-mark=allow_in connection-state=new dst-port=3389 in-interface=WAN protocol=tcp
add action=accept chain=input connection-state=established,related
add action=accept chain=output connection-state=!invalid
add action=accept chain=forward connection-state=established,new in-interface=LAN out-interface=WAN src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.88.0/24 in-interface=WAN out-interface=LAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-port=3389 in-interface=WAN new-connection-mark=allow_in passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=3389
/ip route
add distance=1 gateway=123.123.123.121
/system clock
set time-zone-name=Asia/Almaty
/system routerboard settings
set init-delay=0s

4 answers
Valentin Net, 2017-08-08
@vdemon

Why mark it for port forwarding?
Also, where are you connecting from? If from the Internet, then this rule is not very good: "add action=accept chain=input connection-state=new dst-port=3389 in-interface=LAN protocol=tcp src-address=192.168.88.0/24"
It specifies the local interface as the incoming one, but it should be the WAN interface.
In the firewall, you just allow the connection to this port:
- action=accept chain=forward dst-port=3389 in-interface=WAN protocol=tcp
And that's the traffic going through the router, not traffic incoming to it.

Vladimir Zhurkin, 2017-08-09
@icCE

To forward ports further into the network, the NAT table is used.
For the action it is better to use netmap, although no one forbids using dst-nat.
The simplest example of RDP forwarding:
add action=netmap chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp \
to-addresses=192.168.88.10 to-ports=3389
Everything that arrives on ether1 on port 3389 will be thrown to port 3389 of the machine 192.168.88.10.
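
Added example (not from any poster in this thread): a small Python linter that parses the `add ...` lines of a RouterOS export and checks the two points the answers above make: a dst-nat (or netmap) rule needs an accept in chain=forward for the new connection, and input-chain rules for the forwarded port never match that traffic. RouterOS accepts what no rule matches, so the missing accept only bites once a final drop rule is present, which is the usual finished configuration. The embedded rules are quoted from the question's export with unrelated lines dropped.

```python
import ipaddress
import shlex

# Filter and NAT rules quoted from the question's /export (unrelated lines dropped).
QUESTION_EXPORT = """
/ip firewall filter
add action=accept chain=input connection-state=new dst-port=3389 in-interface=LAN protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input connection-mark=allow_in connection-state=new dst-port=3389 in-interface=WAN protocol=tcp
add action=accept chain=forward connection-state=established,new in-interface=LAN out-interface=WAN src-address=192.168.88.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.88.0/24 in-interface=WAN out-interface=LAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=3389
"""

def parse_export(text):
    """Collect the `add ...` rules of a RouterOS /export, keyed by section path."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def check_forwarding(sections):
    """Report dst-nat rules without an explicit forward-chain accept for the `new`
    connection, and input-chain rules that name the forwarded port (they never match)."""
    filt = sections.get("/ip firewall filter", [])
    findings = []
    for nat in sections.get("/ip firewall nat", []):
        if nat.get("chain") != "dstnat" or nat.get("action") not in ("dst-nat", "netmap"):
            continue
        port, target = nat.get("dst-port"), nat.get("to-addresses")
        covers = lambda rule, k: rule.get(k) is None or rule.get(k) == nat.get(k)  # absent matcher = any
        def accepts(rule):  # after dst-nat the destination is the LAN target, state `new`
            dst = rule.get("dst-address")
            in_net = dst is None or (target is not None and
                     ipaddress.ip_address(target) in ipaddress.ip_network(dst, strict=False))
            return (rule.get("chain") == "forward" and rule.get("action") == "accept" and in_net
                    and "new" in rule.get("connection-state", "new").split(",")
                    and all(covers(rule, k) for k in ("protocol", "dst-port", "in-interface")))
        if not any(accepts(rule) for rule in filt):
            findings.append(f"no forward accept for {nat.get('protocol')}/{port} -> {target}")
        findings += [f"input rule for dst-port {port} never sees dst-natted traffic"
                     for rule in filt if rule.get("chain") == "input" and rule.get("dst-port") == port]
    return findings
```

Appending Valentin's forward-chain accept to the export clears the first finding; the two input-chain rules are still reported as dead.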

Vadim, 2017-08-22
@adrian_bk

Here's an article on port forwarding: https://lantorg.com/article/probros-portov-na-mikrotik

Evgeny Emelyanov, 2017-08-22
@configboy

Thank you all! I handled the task: VPN, SIP forwarding with RTP and NAT, and reaching the external address from the local network.
