Hi, could someone please tell me what I'm doing wrong? I just want to simply forward port 445 on the MikroTik to the computer 10.0.0.225 on the internal network, port 443.
When I set it up and try to connect from outside to the external IP address:443, I see the connection being refused in the log:
drop input: in:ether1 out:(unknown 0), connection-state:new src-mac cc:2d:e0:dc:0f:6c, proto TCP (SYN), 78.80.106.4:6661->10.107.1.196:443, len 60
The address 78.80.106.4 is my mobile's temporarily assigned IP (probably the operator's egress gateway).
But why does it say it is trying to reach 10.107.1.196, when it should be forwarded to 10.0.0.225?
Here is the firewall configuration dump:
# model = RB750Gr3
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=10.0.0.1-10.0.0.255 list=allowed_to_router
/ip firewall filter
add action=accept chain=forward dst-address=10.0.0.225 dst-port=443 \
in-interface=ether1 out-interface=bridgeLocal protocol=tcp src-address=\
0.0.0.0
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log=yes log-prefix="5 drop"
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp src-address=0.0.0.0 \
to-addresses=10.0.0.225 to-ports=443
add action=masquerade chain=srcnat out-interface-list=WAN
Thanks
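The following is an added example, not the poster's configuration, showing the non-matching rule next to a working port forward for the setup above. It assumes the interface names from the post (ether1 is the WAN uplink, bridgeLocal the LAN bridge, interface list WAN contains ether1) and a RouterOS CLI; the log line in the post already explains the symptom: `src-address=0.0.0.0` is a /32 host match, so it only matches packets whose source address is exactly 0.0.0.0, the dst-nat rule never fires, the packet keeps the router's own WAN address 10.107.1.196 as its destination and is handled by the input chain, where the final "5 drop" rule logs and drops it. Note also that 10.107.1.196 is an RFC 1918 address on ether1, so whether outside clients can reach it at all depends on the operator; the logged packet shows that at least this test did arrive.

```routeros
# Added example (not the poster's config). Assumes: ether1 = WAN, bridgeLocal = LAN,
# interface list "WAN" contains ether1, target host 10.0.0.225 listens on TCP/443.

# --- The rule as posted, and why it never matches --------------------------------
# /ip firewall nat add action=dst-nat chain=dstnat dst-port=443 protocol=tcp \
#     src-address=0.0.0.0 to-addresses=10.0.0.225 to-ports=443
# src-address=0.0.0.0 means "source IP is exactly 0.0.0.0/32". 78.80.106.4 is not,
# so no dst-nat happens; the packet stays addressed to the router (10.107.1.196)
# and lands in the INPUT chain, where "5 drop" logs and drops it.

# --- Corrected port forward -------------------------------------------------------
# 1. Remove the two rules that carry src-address=0.0.0.0 (they can never match).
/ip firewall nat remove [find where src-address=0.0.0.0]
/ip firewall filter remove [find where src-address=0.0.0.0]

# 2. Re-add the dst-nat, restricted to traffic arriving on the WAN side. To match
#    any source, simply omit src-address. Without in-interface (or dst-address=<WAN IP>)
#    the rule would also catch every TCP/443 connection from LAN clients to the
#    Internet and hijack it to 10.0.0.225.
/ip firewall nat add chain=dstnat action=dst-nat in-interface=ether1 \
    protocol=tcp dst-port=443 to-addresses=10.0.0.225 to-ports=443 \
    comment="HTTPS -> 10.0.0.225"

# 3. Optional explicit accept in the forward chain. The posted forward chain has no
#    final drop and its "!dstnat" drop rule already lets dst-nat'ed connections
#    through, so this only documents the intent. place-before=0 puts it first.
/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new in-interface=ether1 protocol=tcp \
    dst-address=10.0.0.225 dst-port=443 place-before=0 \
    comment="Allow forwarded HTTPS to 10.0.0.225"

# --- Checks --------------------------------------------------------------------
# Repeat the test from the phone, then confirm the NAT rule's counters move:
/ip firewall nat print stats
# Watch the translated packets leave towards the LAN host (Ctrl-C to stop):
/tool sniffer quick interface=bridgeLocal port=443
# If the log still shows "drop input ... ->10.107.1.196:443", the dst-nat rule is
# not being hit; re-check protocol, dst-port and in-interface on the rule above.
```

The key change is dropping the `src-address=0.0.0.0` matcher; `in-interface=ether1` is kept on the NAT rule so that only connections arriving from the uplink are redirected, which is both the correct scope and the reason the `!dstnat` drop rule in the forward chain can stay as it is.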