
Beginner Basics • Re: Wireguard handshake is successful but client is unable to access internet

NEGATIVE, that is not required in the least!!!
Most times sourcenat is required if going out a third party VPN where they only accept one IP at their end!!!

(1) Set this to NONE, known to cause issues
/interface detect-internet
set detect-interface-list=NONE


(2) You have RED entries which is not a good sign and points to a misconfiguration........

/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!

SUGGEST you failed to take the WAN port off the bridge maybe ether1 ????

(3) Is your dhcp-server disabled on purpose?
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=8h \
name=defconf


(4) You can put your wireguard rules in the input chain after the loopback rule in the order........... not essential but recommended.

(5) Since you are doing port forwarding suggest take this default rule and make it better --> clearer and more secure! With three rules!
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(6) It would appear you are trying to port forward 3389 which is RDP ??
RDP is not a secure method for you to be hosting.
Suggest you can access the router remotely via Wireguard and then use RDP to reach a specific server and thus eliminating port forwarding an insecure protocol.
Just a heads up the TO address means to a server NOT to a subnet...... 10.0.0.0/24 is plain wrong!
Additionally the format for port forwarding is typically in-interface-list=WAN, (dynamic WANIP) or dst-address=actualWANIP (static wanip)

(7) If not using ipv6, DISABLE it and remove all firewall rules and associated lists.

Statistics: Posted by anav — Tue Mar 19, 2024 2:18 pm
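
Added example, not part of anav's post: a small Python check that reads a RouterOS `/export` and flags the items raised in points (1) and (6) above (detect-internet not set to none, a dst-nat rule whose to-addresses is a subnet, a dst-nat rule with no in-interface-list or dst-address match, and RDP forwarded from the WAN). The sample export is constructed for illustration and the function names `parse_export` and `audit` are hypothetical.

```python
import shlex

# Constructed sample export (not taken from the thread).
SAMPLE_EXPORT = r'''
/interface detect-internet
set detect-interface-list=all
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp \
    to-addresses=10.0.0.0/24 to-ports=3389
add action=dst-nat chain=dstnat dst-port=8443 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.0.20 to-ports=443
'''

def parse_export(text):
    """Yield (menu, command, params) for each add/set line of an export."""
    menu = ""
    joined = text.replace("\\\n", " ")  # undo the export's line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export comment/warning
        if line.startswith("/"):
            menu = line  # menu path applies to the lines that follow
            continue
        words = shlex.split(line)  # keeps quoted comments as one value
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        yield menu, words[0], params

def audit(text):
    """Return a list of findings for the issues listed in the post."""
    findings = []
    for menu, cmd, p in parse_export(text):
        if menu == "/interface detect-internet" and cmd == "set":
            if p.get("detect-interface-list", "none").lower() != "none":
                findings.append("detect-internet: detect-interface-list is not none")
        if menu == "/ip firewall nat" and p.get("action") == "dst-nat":
            port = p.get("dst-port", "?")
            target = p.get("to-addresses", "")
            if "/" in target and not target.endswith("/32"):
                findings.append(f"dst-nat {port}: to-addresses is a subnet, not a host")
            if not ({"in-interface-list", "in-interface", "dst-address"} & p.keys()):
                findings.append(f"dst-nat {port}: no in-interface-list or dst-address match")
            if port == "3389":
                findings.append("dst-nat 3389: RDP is forwarded from the WAN")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```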


