Channel: MikroTik

Beginner Basics • Re: RB5009 in the hands of a newbie, Gateway problem

Only as a note...

I originally suggested to have ether8 as 192.168.88.1/24 (assuming that you would have changed the same range set on the bridge to your local LAN one).

BUT what you implemented (accidentally) was 192.168.88.1/32 (i.e. network 192.168.88.1).
Anav correctly (to resolve the conflict on 192.168.88.1) suggested 192.168.65.1/30.
Thanks a lot, jaclaz!

After that, I feel ready for my final step: port forwarding for my servers. Nothing special, just nginx, Home Assistant, and Docker.
However, I ran into an issue! I decided to follow the video guide from the official MikroTik YouTube channel and created the rules like this:
Code:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.1.201 to-ports=443
At first, it worked great, but after I was able to access my server, my LAN PCs lost the ability to browse the web!

After a bit of research on the forum, I found this solution:
Code:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 protocol=tcp to-addresses=192.168.1.201 to-ports=443
I added my static public IP to the rule.
Web browsing was restored, but I was no longer able to access the server!

Then, based on another reply to the forum, I read that I should add this:
Code:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 protocol=tcp to-addresses=192.168.1.201 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 dst-address-type=!local src-address=192.168.1.0/24 src-address-type=!local
Now everything works perfectly! BUT

I’d like to kindly ask if this approach is safe and how it actually works because, honestly, I don’t fully understand it.

Below is the complete configuration.

Thanks a lot!
Regards,
Joe
Code:
# 2024-12-30 17:45:20 by RouterOS 7.16.2
# software id = KW******
#
# model = RB5009UG+S+
# serial number = HFE0*****
/interface bridge
add admin-mac=78:9A:18:****** auto-mac=no name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1_Vodafone vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1_Vodafone name=pppoe-out1 user=vodafoneadsl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.60-192.168.1.99
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=Main-DHCP-LAN
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT
/interface wireguard peers
add allowed-address=192.168.100.2/29 comment="Cellulare Joe" interface=wireguard1 name=peer1 public-key="tzpQ734pFsIS75SX************************************"
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.88.1/30 interface=ether8 network=192.168.88.0
add address=192.168.100.1/29 comment="network vpn 6 adresses" interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Wiregard dst-port=51820 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=winbox dst-port=8291 in-interface-list=!WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=444 protocol=tcp to-addresses=192.168.1.32 to-ports=443
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=80 protocol=tcp to-addresses=192.168.1.201 to-ports=80
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 protocol=tcp to-addresses=192.168.1.201 to-ports=443
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=81 protocol=tcp to-addresses=192.168.1.201 to-ports=81
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 dst-address-type=!local src-address=192.168.1.0/24 src-address-type=!local
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Statistics: Posted by Joez — Mon Dec 30, 2024 7:21 pm
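The three rule sets the post walks through, replayed in a small Python model of RouterOS dstnat/srcnat evaluation. This is an added illustration, not code from the thread or from MikroTik: it shows why a dst-nat rule with no dst-address also catches LAN-originated HTTPS traffic, why the "dst-address=MyFixedIP" version breaks LAN access to the public address (the server answers the LAN client directly, bypassing the router, so the NAT is never reversed), and how the hairpin masquerade rule makes the reply path symmetric. Assumed values: 203.0.113.10 stands in for MyFixedIP, 198.51.100.20 for a website and 192.0.2.77 for an outside client (all documentation ranges); the LAN, router and server addresses are the post's own.

```python
"""Model of the three RouterOS NAT rule sets quoted in the post above.

Added example, not from the thread.  Replays a LAN client browsing the web,
a LAN client hitting the public address (hairpin), and an Internet client
hitting the public address through each rule set.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.1"             # router address on the bridge
PUBLIC_IP = "203.0.113.10"             # assumption: stands in for MyFixedIP
SERVER = "192.168.1.201"               # the post's nginx / Home Assistant host
LOCAL_ADDRS = {ROUTER_LAN, PUBLIC_IP}  # what address-type=local means here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def route(dst):
    """Constructed routing table: LAN prefix via bridge, everything else via PPPoE."""
    return "bridge" if ip_address(dst) in LAN else "pppoe-out1"


def dst_nat(pkt, rules):
    """chain=dstnat, first match wins; it sees every packet entering the router."""
    for r in rules:
        if "dst-address" in r and pkt.dst != r["dst-address"]:
            continue
        if pkt.dport != r["dst-port"] or pkt.proto != r["protocol"]:
            continue
        return replace(pkt, dst=r["to-addresses"], dport=r["to-ports"])
    return pkt


def src_nat(pkt, out_iface, rules):
    """chain=srcnat, evaluated after routing; masquerade uses the egress address."""
    for r in rules:
        if "out-interface-list" in r and out_iface != "pppoe-out1":
            continue  # only pppoe-out1 is in the WAN list
        if "src-address" in r and ip_address(pkt.src) not in ip_network(r["src-address"]):
            continue
        if "dst-address" in r and ip_address(pkt.dst) not in ip_network(r["dst-address"]):
            continue
        if r.get("src-address-type") == "!local" and pkt.src in LOCAL_ADDRS:
            continue
        if r.get("dst-address-type") == "!local" and pkt.dst in LOCAL_ADDRS:
            continue
        egress = PUBLIC_IP if out_iface == "pppoe-out1" else ROUTER_LAN
        return replace(pkt, src=egress)
    return pkt


def forward(pkt, dstnat_rules, srcnat_rules):
    """dstnat -> routing -> srcnat; returns the packet as the receiving host sees it."""
    pkt = dst_nat(pkt, dstnat_rules)
    return src_nat(pkt, route(pkt.dst), srcnat_rules)


def reply_source_seen_by_client(orig, dstnat_rules, srcnat_rules):
    """Who the client thinks answered.  The receiver replies to the source it saw;
    if that source is a LAN host other than the router, the reply is switched
    straight to the client and the router never gets to undo its translations."""
    at_host = forward(orig, dstnat_rules, srcnat_rules)
    if ip_address(at_host.src) in LAN and at_host.src != ROUTER_LAN:
        return at_host.dst  # client sees the server's real LAN address
    return orig.dst         # reply came back through conntrack: translations reversed


def connection_ok(orig, intended_host, dstnat_rules, srcnat_rules):
    """TCP only completes if the right host got the SYN and the SYN-ACK comes
    from the address:port the client sent to."""
    delivered_to = forward(orig, dstnat_rules, srcnat_rules).dst
    return (delivered_to == intended_host
            and reply_source_seen_by_client(orig, dstnat_rules, srcnat_rules) == orig.dst)


# The rule sets from the post (other dst-nat entries of the full config omitted).
WAN_MASQ = {"action": "masquerade", "out-interface-list": "WAN"}
DSTNAT_FIRST = [{"dst-port": 443, "protocol": "tcp", "to-addresses": SERVER, "to-ports": 443}]
DSTNAT_FIXED = [dict(DSTNAT_FIRST[0], **{"dst-address": PUBLIC_IP})]
HAIRPIN = {"action": "masquerade", "src-address": "192.168.1.0/24", "dst-address": "192.168.1.0/24",
           "src-address-type": "!local", "dst-address-type": "!local"}
SRCNAT_BASIC = [WAN_MASQ]
SRCNAT_HAIRPIN = [WAN_MASQ, HAIRPIN]

# Constructed traffic.
BROWSE = Packet("192.168.1.50", "198.51.100.20", 443)  # LAN PC to a website
HAIRPIN_HIT = Packet("192.168.1.50", PUBLIC_IP, 443)   # LAN PC to its own public IP
EXTERNAL = Packet("192.0.2.77", PUBLIC_IP, 443)        # Internet client

if __name__ == "__main__":
    for label, dn, sn in (("1st attempt", DSTNAT_FIRST, SRCNAT_BASIC),
                          ("dst-address added", DSTNAT_FIXED, SRCNAT_BASIC),
                          ("plus hairpin masquerade", DSTNAT_FIXED, SRCNAT_HAIRPIN)):
        print(label, "| browse:", connection_ok(BROWSE, "198.51.100.20", dn, sn),
              "| hairpin:", connection_ok(HAIRPIN_HIT, SERVER, dn, sn),
              "| external:", connection_ok(EXTERNAL, SERVER, dn, sn),
              "| server sees external src:", forward(EXTERNAL, dn, sn).src)
```

Two things the model makes visible that a practitioner would check before calling the final rule set safe: the first attempt fails because dstnat is evaluated for traffic from the LAN as well, so without dst-address every outbound HTTPS connection was redirected to 192.168.1.201; and the hairpin masquerade only rewrites the source for LAN-to-LAN connections, so an Internet client's real address still reaches the server and its logs (the last column), which is what you want for abuse tracking on the exposed nginx and Home Assistant ports.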


