Geekzone: technology news, blogs, forums
sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1620447 31-Aug-2016 21:21

You basically just need to replace my references to VLAN10 - UFB with "pppoe-out1"

At the end of the day though you REALLY need to understand what you're actually doing. RouterOS has a steep learning curve and isn't a product if you want a simple router. It's very easy to make your system highly insecure if you're not careful.

mattyb

254 posts

Ultimate Geek
+1 received by user: 19


  #1686738 12-Dec-2016 21:58

Trying to set up port forwarding on the Mikrotik router now... but must be missing something simple. Shouldn't this work?

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.5 to-ports=8790

Not sure if the 'masquerade' action should be there or not - I'm still learning RouterOS.

Many thanks in advance.


MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #1686952 13-Dec-2016 10:47

Use Winbox to check the counters on that rule; they should be increasing as connection attempts are made. Also check that your deny rules are not increasing at the same time. Turn on logging, at least temporarily, for the relevant rules if required. Does the application you're forwarding the data to only require TCP and not also UDP?

Edit - Is ether1 your wan interface where the DHCP client is sitting?




You're not on Atlantis anymore, Duncan Idaho.



sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1687014 13-Dec-2016 11:59

If you're using PPPoE (which I assume you are based on your masquerade rule for outbound) then the rule needs to use that - ether1 is not your main interface.


mattyb

254 posts

Ultimate Geek
+1 received by user: 19


  #1694035 22-Dec-2016 21:18

Ok, I've changed it to the following and still no luck:

add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.5 to-ports=8790

Btw, I'm using www.canyouseeme.org to check if the port is open.

Below are my filter rules in case that helps diagnose, and also see my interface list earlier in this thread:

/ip firewall filter
add action=accept chain=input comment="allow icmp wan" \
protocol=icmp
add action=accept chain=input comment="allow winbox wan" \
dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"allow established,related" connection-state=\
established,related
add action=add-src-to-address-list address-list=port_scanner \
address-list-timeout=1w chain=input comment="port scanner de\
tector & add port to port scanner blacklist for 7 days" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder \
address-list-timeout=30m chain=input comment="syn flood dete\
ctor & add to syn flood blacklist for 30mins" \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment=\
"drop from port scan blacklist" src-address-list=\
port_scanner
add action=drop chain=input comment=\
"drop from syn flood blacklist" src-address-list=\
syn_flooder
add action=drop chain=input comment="drop all from wan" \
in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment=\
"defcon: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"allow established,related" connection-state=\
established,related
add action=drop chain=forward comment="drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"drop all from wan not DSTNATed" connection-nat-state=\
dstnat connection-state=new in-interface=pppoe-out1
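
As an added example (not code from this thread or from MikroTik), a small Python checker that parses a RouterOS export in the wrapped format posted above and applies the two checks the replies raise: that the dst-nat rule matches on the interface the masquerade rule treats as WAN (sbiddle's point), and that the forward-chain "not DSTNATed" drop rule carries the "!" negation the RouterOS default configuration uses (connection-nat-state=!dstnat), since the rule as posted matches connection-nat-state=dstnat. The embedded export is a trimmed copy of the posted rules.

```python
import re
import shlex

EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.88.5 to-ports=8790
/ip firewall filter
add action=accept chain=forward comment="allow established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "drop all from wan not DSTNATed" connection-nat-state=\
    dstnat connection-state=new in-interface=pppoe-out1
"""

def parse_export(text):
    """Return [(menu, {key: value})] per 'add' line; a trailing backslash joins the
    next line with its indent dropped, which is how RouterOS wraps exports."""
    rules, menu = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append((menu, kv))
    return rules

def check_port_forward(rules):
    """Apply the two checks raised in the thread; returns a list of findings."""
    findings = []
    nat = [r for m, r in rules if m == "/ip firewall nat"]
    fwd = [r for m, r in rules if m == "/ip firewall filter" and r.get("chain") == "forward"]
    # 1. dst-nat must match on the interface the masquerade rule treats as WAN.
    wan = {r["out-interface"] for r in nat if r.get("action") == "masquerade" and "out-interface" in r}
    for r in nat:
        if r.get("action") == "dst-nat" and "in-interface" in r and r["in-interface"] not in wan:
            findings.append("dst-nat matches in-interface=%s, not the masqueraded WAN %s"
                            % (r["in-interface"], sorted(wan)))
    # 2. The default-config 'not DSTNATed' drop uses connection-nat-state=!dstnat; without '!' it drops the forwarded traffic.
    for r in fwd:
        if (r.get("action") == "drop" and r.get("connection-state") == "new"
                and r.get("in-interface") in wan and r.get("connection-nat-state") == "dstnat"):
            findings.append("forward drop rule '%s' has connection-nat-state=dstnat (missing '!' "
                            "negation): new forwarded connections from WAN are dropped" % r.get("comment"))
    return findings
```

Run check_port_forward(parse_export(EXPORT)) against your own export to see which of the two conditions it trips on.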


mattyb

254 posts

Ultimate Geek
+1 received by user: 19


  #1700493 9-Jan-2017 12:28

BUMP

Also, I'm thinking of switching to Bigpipe for UFB and using this router. Anyone know if they have good support people there that could help me with RouterOS? (rather than annoy people on this forum with my stupid questions)

Many thanks in advance.


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1700494 9-Jan-2017 12:31

mattyb:

BUMP

Also, I'm thinking of switching to Bigpipe for UFB and using this router. Anyone know if they have good support people there that could help me with RouterOS? (rather than annoy people on this forum with my stupid questions)

Many thanks in advance.

Yes they have good support and no they won't help you with RouterOS. You followed my Mikrotik guide? Other than that I think we've given you as much help as we possibly can I'm afraid. If you invest in a Mikrotik router you need to read the Wiki etc and be prepared to learn as they're not easy routers to configure.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.