vort3x
just joined
Topic Author
Posts: 5
Joined: Mon Dec 15, 2014 9:59 am

How to allow traffic from outside WAN port on default RB750GR3

Wed May 01, 2024 8:17 pm

I have very limited understanding of Mikrotik and RouterOS and have generally used 'out the box' setup with one or two limited modifications. I've decided to take it slower with my new Mikrotik Hex on my journey to set up a performant Fibre/LTE failover setup. Right now, I'm just learning how NAT and the firewall works - the router sits in my garage, and I need to access it from my general network while I play around with configuration.

Question:
How do I allow access to the webfig (or any ip on the Mikrotik network) from my laptop behind the WAN on my local network on the default config? I'm confused between src-nat and dst-nat and trying to learn the basic networking and routerOS concepts as I build up my configuration, so thank you for your help!

Network Context:
Network setup | Server (192.168.88.5) > Mikrotik (192.168.88.1) <- WAN port (eth1) -> TP-Link Deco (192.168.68.1) > MyLaptop (192.168.68.100)
Note | My TP-Link Router is also connected to my ISP via WAN fibre.

What I've tried:
  • set up a dst-nat from my normal router and wifi network (did not work), using what I got from working through https://help.mikrotik.com/docs/display/ROS/NAT
  • set up firewall filter rule to accept traffic from all ips on source network
Mikrotik Config:
# may/01/2024 18:57:52 by RouterOS 6.49.14
# software id = U54P-EGXI
#
# model = RB750Gr3
# serial number = HF2093JBZG0
/interface bridge
add admin-mac=78:9A:18:55:94:F7 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.68.0/24 list=remoteaccess
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="try allow tp-link home network linked to wan to access mikrotik interface" dst-address=192.168.68.102 dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess to-addresses=\
    192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jaclaz
Forum Veteran
Posts: 735
Joined: Tue Oct 03, 2023 4:21 pm

Re: How to allow traffic from outside WAN port on default RB750GR3

Wed May 01, 2024 11:01 pm

Your added rule is in forward chain, are you sure that it should not be in input chain?
Webfig is a service on the router ...
See:
viewtopic.php?t=172440

I don't think however that allowing "plain" access from WAN is a good idea, besides testing/getting familiar with RoS.
Some more experienced members may want to suggest some more secure method (wireguard?)
 
vort3x
just joined
Topic Author
Posts: 5
Joined: Mon Dec 15, 2014 9:59 am

Re: How to allow traffic from outside WAN port on default RB750GR3

Fri May 03, 2024 1:00 pm

Thank you. This helped, I updated to input chain and enabled the rule. That made it work and I was able to access the webfig on the mikrotik from my deco network by going to 192.168.68.102:80 (the eth1 port leased ip for mikrotik on the wan port from the deco) and it nat'ed it successfully to 192.168.88.1:80. However it randomly stopped working, and I'm not sure why. I've disabled and enabled and tried various things, but just can't seem to figure out why it would work and then stop, unless there was some configuration change, but the only two things I touched were the firewall filter rule and the dst-nat rule.

Here is my current config:
# may/03/2024 11:53:01 by RouterOS 6.49.14
# software id = U54P-EGXI
#
# model = RB750Gr3
# serial number = HF2093JBZG0
/interface bridge
add admin-mac=78:9A:18:55:94:F7 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.68.0/24 list="local deco network"
/ip firewall filter
add action=accept chain=input dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="try allow tp-link home network linked to wan to access mikrotik interface" dst-address=192.168.68.102 dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess to-addresses=\
    192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
vort3x
just joined
Topic Author
Posts: 5
Joined: Mon Dec 15, 2014 9:59 am

Re: How to allow traffic from outside WAN port on default RB750GR3

Fri May 03, 2024 1:13 pm

/ip firewall nat print stats
is showing that the dst-nat rule isn't being hit when I navigate to 192.168.68.102 as I would expect, would something be blocking this before it can run?
 
jaclaz
Forum Veteran
Posts: 735
Joined: Tue Oct 03, 2023 4:21 pm

Re: How to allow traffic from outside WAN port on default RB750GR3

Sat May 04, 2024 2:31 pm

The only meaningful difference (beside the forward->input change) that I can see is:
/ip firewall address-list
add address=192.168.68.0/24 list=remoteaccess

vs. :
/ip firewall address-list
add address=192.168.68.0/24 list="local deco network"

But the nat/filter firewall rules are still for list=remoteaccess
 
vort3x
just joined
Topic Author
Posts: 5
Joined: Mon Dec 15, 2014 9:59 am

Re: How to allow traffic from outside WAN port on default RB750GR3

Sat May 04, 2024 4:00 pm

Thank you! This was actually the problem! Mikrotik does not pick up address list names as objects, so because I'd renamed that address-list, the firewall filter rule
action=accept chain=input dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
was no longer working! I updated the firewall rule to use the right new address-list name.
 
jaclaz
Forum Veteran
Posts: 735
Joined: Tue Oct 03, 2023 4:21 pm

Re: How to allow traffic from outside WAN port on default RB750GR3

Sat May 04, 2024 6:17 pm

Well, the device/RoS does what you are telling it to do, the issue is that in many cases it allows you things that shouldn't be done, and a tool or function that does something like a "global rename" does not exist.

So you can easily introduce a subtle mistake that anyway causes total disruption of a working setup.

A good idea is to export and save configurations while you are working on them and compare them with *any* text diff tool, for simple configurations like yours you can even use (as I did) a spreadsheet to compare changes between versions.
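As an added example (not code from the thread, from MikroTik or from RouterOS), the checks below are the ones this thread ends up needing: a small Python script that parses a RouterOS `/export` and reports (1) firewall rules whose `src-address-list`/`dst-address-list` names no entry in `/ip firewall address-list` defines, which is exactly what the rename of `remoteaccess` to "local deco network" caused, and (2) input-chain accept rules that admit traffic arriving on a WAN-list interface, which is the "plain access from WAN" that was flagged as unwise, plus a header-stripped diff of two exports as suggested above. The embedded export is a trimmed copy of the second config posted in the thread; the function names and the `SAMPLE_*` strings are this example's own.

```python
"""Lint a RouterOS '/export' for dangling address-list references and for
input-chain accepts reachable from the WAN side, and diff two exports.
Added example; not from the forum thread or from MikroTik."""
import difflib
import shlex

# Trimmed copy of the second export posted in the thread (constructed sample).
SAMPLE_EXPORT = """\
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall address-list
add address=192.168.68.0/24 list="local deco network"
/ip firewall filter
add action=accept chain=input dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="try allow tp-link home network linked to wan to access mikrotik interface" dst-address=192.168.68.102 dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess to-addresses=\\
    192.168.88.1 to-ports=80
"""

# Two constructed fragments: the address-list section before and after the rename.
SAMPLE_BEFORE = "/ip firewall address-list\nadd address=192.168.68.0/24 list=remoteaccess\n"
SAMPLE_AFTER = '/ip firewall address-list\nadd address=192.168.68.0/24 list="local deco network"\n'


def parse_export(text):
    """Return {section path: [ {key: value, ...}, ... ]}, one dict per add/set line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # a new section such as "/ip firewall filter"
            current = line
            sections.setdefault(current, [])
            continue
        entry = {}
        for tok in shlex.split(line):      # shlex keeps quoted values like comment="a b" together
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        if current is not None:
            sections[current].append(entry)
    return sections


def undefined_address_lists(sections):
    """Rules that match on an address list no /ip firewall address-list entry defines."""
    defined = {e.get("list") for e in sections.get("/ip firewall address-list", [])}
    problems = []
    for sec in ("/ip firewall filter", "/ip firewall nat", "/ip firewall raw", "/ip firewall mangle"):
        for rule in sections.get(sec, []):
            for key in ("src-address-list", "dst-address-list"):
                name = rule.get(key)
                if name and name.lstrip("!") not in defined:   # "!name" negates, same lookup
                    problems.append((sec, rule.get("chain"), key, name))
    return problems


def wan_input_accepts(sections):
    """Input-chain accept rules that match traffic arriving on a WAN-list interface."""
    wan_ifaces = {m.get("interface") for m in sections.get("/interface list member", [])
                  if m.get("list") == "WAN"}
    return [r for r in sections.get("/ip firewall filter", [])
            if r.get("chain") == "input" and r.get("action") == "accept"
            and (r.get("in-interface") in wan_ifaces or r.get("in-interface-list") == "WAN")]


def diff_exports(old, new):
    """Unified diff of two exports with the dated '#' header lines stripped."""
    keep = lambda t: [l for l in t.splitlines() if not l.startswith("#")]
    return list(difflib.unified_diff(keep(old), keep(new), "before", "after", lineterm="", n=0))


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for sec, chain, key, name in undefined_address_lists(cfg):
        print(f"undefined address list {name!r}: {sec} chain={chain} ({key})")
    for rule in wan_input_accepts(cfg):
        print("input accept reachable from WAN:", rule)
    print("\n".join(diff_exports(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

Run against the thread's second export it reports both the filter and the dst-nat rule as pointing at the now-nonexistent `remoteaccess` list, and lists the port-80 input accept on ether1 as a router service open to the WAN side; re-running it after each change gives the same "what did I actually alter" answer as diffing exports by hand.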
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to allow traffic from outside WAN port on default RB750GR3

Sat May 04, 2024 6:52 pm

Notepad ++ has the ability to compare two configs, very nice!!!
