Channel: MikroTik

Beginner Basics • Re: DHCP server not working on every device + port forwarding

PLEASE CONFIRM ASAP that you get a private IP address from the ISP's device.
If you get a public IP then you need to unplug your router immediately and perhaps netinstall it, because you HAVE NO protection: you have NO firewall rules at all.
All traffic is permitted, which means hackers have full access to your router and your LAN.

I am assuming you are working behind another router and the WAN IP you get is something like 192.168.1.XX.

(1) Modify this rule
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24


TO
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether5 - WAN1"


(2) DST NAT rule in incorrect format. Dst-address is normally only used for static fixed WAN IPs, and then it is set to the WAN IP.
Thus wrong:
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-address=10.0.0.20 dst-port=5001 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.30
add action=dst-nat chain=dstnat dst-address=10.0.0.53 dst-port=80 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53
add action=dst-nat chain=dstnat dst-address=10.0.0.53 dst-port=443 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53


MODIFY TO.
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-port=5001 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.30
add action=dst-nat chain=dstnat dst-port=80 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53
add action=dst-nat chain=dstnat dst-port=443 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53


(3) MISSING DEFAULT FIREWALL RULES. At least put these in place for now:
/ip firewall filter
{input chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow LAN access to the router" in-interface="Ether1 - LAN1" src-address=10.0.0.0/24
add action=drop chain=input comment="drop all else"
# add this rule last! It has to go after the rule above, in order!
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" src-address=10.0.0.0/24 out-interface="ether5 - WAN1"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Posted by anav — Tue Jan 02, 2024 12:31 am
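A quick check for the three points in the reply above (private WAN address, dst-nat rules keyed on the wrong dst-address, no terminal drop in the input chain), written as an added example that is not part of the original post or of RouterOS. It parses the plain-text `/export` format (section headers such as `/ip firewall filter` followed by `add key=value ...` lines). Both exports embedded below are constructed: the first mirrors the poster's rules as quoted in the reply, the second the reply's corrected rules; the `192.168.1.50` WAN address is made up, and the interface names are the ones used in the thread.

```python
"""Lint a RouterOS /export for the three problems raised in the reply.

Reports whether the WAN interface holds a private (RFC 1918 / CGNAT)
address, whether the input chain ends in an unconditional drop, and
which dst-nat rules carry a dst-address that is not the WAN address.
"""
import ipaddress
import shlex

WAN_IFACE = "ether5 - WAN1"  # interface name used in the thread

# Constructed export mirroring the poster's config as quoted in the reply.
BROKEN_EXPORT = """\
/ip address
add address=192.168.1.50/24 interface="ether5 - WAN1"
add address=10.0.0.1/24 interface="Ether1 - LAN1"
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-address=10.0.0.20 dst-port=5001 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.30
add action=dst-nat chain=dstnat dst-address=10.0.0.53 dst-port=80 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53
"""

# Constructed export with the reply's corrected NAT and input-chain rules.
FIXED_EXPORT = """\
/ip address
add address=192.168.1.50/24 interface="ether5 - WAN1"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether5 - WAN1"
add action=dst-nat chain=dstnat dst-port=5001 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.30
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface="Ether1 - LAN1" src-address=10.0.0.0/24
add action=drop chain=input comment="drop all else"
"""

# RFC 1918 plus the CGNAT range many ISP devices hand out; ipaddress'
# is_private does not cover 100.64.0.0/10, so the ranges are listed here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
# keys that do not restrict what a filter rule matches
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_export(text):
    """Map each "/..." section to a list of {key: value} dicts, one per add line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # shlex keeps quoted values such as "ether5 - WAN1" as one token
            rule = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            sections[current].append(rule)
    return sections


def wan_address(sections, wan_iface=WAN_IFACE):
    """Address configured on the WAN interface, or None if there is none."""
    for entry in sections.get("/ip address", []):
        if entry.get("interface") == wan_iface:
            return ipaddress.ip_interface(entry["address"]).ip
    return None


def wan_is_private(sections, wan_iface=WAN_IFACE):
    ip = wan_address(sections, wan_iface)
    return ip is not None and any(ip in net for net in PRIVATE_NETS)


def input_chain_closed(sections):
    """True if the last enabled input rule drops everything unconditionally."""
    rules = [r for r in sections.get("/ip firewall filter", [])
             if r.get("chain") == "input" and r.get("disabled") != "yes"]
    if not rules:
        return False
    last = rules[-1]
    return last.get("action") == "drop" and set(last) <= NON_MATCH_KEYS


def misplaced_dstnat(sections, wan_iface=WAN_IFACE):
    """dst-port of every dstnat rule whose dst-address does not cover the WAN IP."""
    wan_ip = wan_address(sections, wan_iface)
    bad = []
    for r in sections.get("/ip firewall nat", []):
        if r.get("chain") != "dstnat" or "dst-address" not in r:
            continue
        net = ipaddress.ip_network(r["dst-address"], strict=False)
        if wan_ip is None or wan_ip not in net:
            bad.append(r.get("dst-port"))
    return bad


def lint(text, wan_iface=WAN_IFACE):
    s = parse_export(text)
    return {"wan_private": wan_is_private(s, wan_iface),
            "input_closed": input_chain_closed(s),
            "misplaced_dstnat": misplaced_dstnat(s, wan_iface)}


if __name__ == "__main__":
    for name, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, lint(export))
```

Paste the text of `/export` from the router into a file and feed it to `lint()` to run the same checks on a real config; a `wan_private` of `False` is the case the reply says to treat as an emergency, and any port listed under `misplaced_dstnat` is a forward that will never match because its dst-address is a LAN host rather than the WAN address.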


