Question:
How do I allow access to the webfig (or any ip on the Mikrotik network) from my laptop behind the WAN on my local network on the default config? I'm confused between src-nat and dst-nat and trying to learn the basic networking and routerOS concepts as I build up my configuration, so thank you for your help!
Network Context:
Network setup | Server (192.168.88.5) > Mikrotik(192.186.88.1) <- WAN port (eth1) -> TP-Link Deco (192.168.68.1) > MyLaptop(192.168.68.100)
Note |My TP-Link Router is also connected to my ISP via WAN fibre.
What I've tried:
- set up a dst-nat from my normal router and wifi network (did not work) using. I got from working through https://help.mikrotik.com/docs/display/ROS/NAT
- set up firewall filter rule to accept traffic from all ips on source network
Code: Select all
# may/01/2024 18:57:52 by RouterOS 6.49.14
# software id = U54P-EGXI
#
# model = RB750Gr3
# serial number = HF2093JBZG0
/interface bridge
add admin-mac=78:9A:18:55:94:F7 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.68.0/24 list=remoteaccess
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="try allow tp-link home network linked to wan to access mikrotik interface" dst-address=192.168.68.102 dst-port=80 in-interface=ether1 protocol=tcp src-address-list=remoteaccess to-addresses=\
192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN