Decent!
Observations
(1) One doesn't make port forwarding rules in the forward chain, thus get rid of this. The only thing that should be in the forward chain is one rule allowing dstnat.
All port forwarding details are put in the dstnat chain rules. Also, it's in the wrong order if it was to be in the forward chain.
add action=accept chain=forward dst-address=10.39.44.92 dst-port=30814 \
protocol=tcp
If I am mistaken as to the purpose of this rule please explain its purpose. Open ended rules are rarely a good idea (should have both source and destination type settings).
(2) Order within a chain is critical, but it's also very smart to organize chain rules together for easy reading, to spot errors etc.
(3) I see you have a hairpin SourceNat Rule which tells me you have users on the same subnet as your server and you want them to use the dyndns name vice the direct LANIP address of the server.
(4) I'm assuming your WANIP is not fixed/static and is thus dynamic, and if so, the link to port forwarding should be read again.
Also you need to reread it as your DST NAT port forwarding rule is also incorrect.
(5) mac-server by itself is not a secure access method and thus should be set to NONE
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(6) Are you using IPv6? If not, disable IPv6 and get rid of all its addresses, and for the IPv6 firewall rules, remove them all and simply put:
add chain=forward action=drop
add chain=input action=drop
(7) Proper firewall ruleset.
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" { add this rule last for all rules }
{Forward Chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Code:
# RouterOS 7.2
# model = RBD53G-5HacD2HnD&EG18-EA
/interface bridge
add admin-mac=18:FD:74:A8:CA:D8 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=latvia disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=LMT-2GHz-CAD8 wireless-protocol=802.11 wps-mode=push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=latvia disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=LMT-5GHz-CAD8 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name="LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=LMT
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=3h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface lte settings
set external-antenna=main
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=192.168.8.0
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward dst-address=10.39.44.92 dst-port=30814 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept established,related,untracked"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related, untracked"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=beemmp dst-address=0.0.0.168-247.255.255.169 dst-port=30814 protocol=tcp src-address=\
    0.0.0.168-247.255.255.169 to-addresses=192.168.8.254 to-ports=30814
add action=dst-nat chain=dstnat dst-address=0.0.0.168-247.255.255.169 dst-port=30814 protocol=udp src-address=\
    0.0.0.168-247.255.255.169 to-addresses=192.168.8.254 to-ports=30814
/ip service
set www-ssl certificate=router.lan disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="LMT LTE18"
/system routerboard settings
set auto-upgrade=yes
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system script
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system reset-configuration"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tr069-client
set acs-url=https://acs.lmt.lv:8049 check-certificate=no connection-request-port=8081 connection-request-username=\
    vzl5dlFhNnfc enabled=yes periodic-inform-interval=12h username=LMT
Posted by Rihards9229 — Mon Jan 08, 2024 7:50 pm
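As an added example (not code from the post above and not MikroTik's), here is a small Python linter that turns observations (1), (2) and (5) into checks that run over a RouterOS export text: port-forward detail sitting in the forward chain, rules that can never match because a catch-all accept/drop precedes them in the same chain, duplicated rules, and mac-server/mac-winbox not set to none. SAMPLE_EXPORT is a constructed excerpt assembled from rules in the posted config; the definition of "catch-all" (an accept or drop rule with no matcher beyond chain/comment) is my assumption of what "add this rule last" means.

```python
"""Audit a RouterOS /export for the firewall mistakes raised in the post.

Added example, not code from the forum post or from MikroTik. It encodes
the reviewer's observations (1), (2) and (5) as checks over export text.
SAMPLE_EXPORT is a constructed excerpt built from rules in the posted config.
"""
import shlex
from dataclasses import dataclass, field

# Keys that do not restrict traffic; a rule with nothing else is a catch-all.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "hw-offload"}


@dataclass
class Entry:
    section: str                       # e.g. "/ip firewall filter"
    verb: str                          # "add" or "set"
    params: dict = field(default_factory=dict)
    line_no: int = 0                   # line where the entry starts


def _logical_lines(text):
    """Yield (line_no, line) with RouterOS backslash continuations joined."""
    pending, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        piece = line if pending is None else pending + line.lstrip()
        if pending is None:
            start = no
        if piece.endswith("\\"):
            pending = piece[:-1]       # keep any space the export left before the backslash
            continue
        pending = None
        yield start, piece


def parse_export(text):
    """Parse export text into Entry objects; shlex handles quoted values."""
    entries, section = [], ""
    for no, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append(Entry(section, tokens[0], params, no))
    return entries


def lint_export(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings, seen, catch_all = [], {}, {}
    entries = parse_export(text)
    for e in (x for x in entries if x.section == "/ip firewall filter" and x.verb == "add"):
        p, chain = e.params, e.params.get("chain", "?")
        matchers = tuple(sorted((k, v) for k, v in p.items() if k not in NON_MATCH_KEYS))
        # (1) port-forward specifics belong in dstnat; forward only needs connection-nat-state=dstnat
        if (chain == "forward" and p.get("action") == "accept" and "connection-nat-state" not in p
                and any(k in p for k in ("dst-address", "dst-port"))):
            findings.append(f"line {e.line_no}: forward rule carries dst-address/dst-port; "
                            "move the detail to dstnat and accept connection-nat-state=dstnat")
        # (2) order: anything after a catch-all accept/drop in the same chain never matches
        if chain in catch_all:
            findings.append(f"line {e.line_no}: unreachable, chain {chain} has a catch-all at line {catch_all[chain]}")
        elif not matchers and p.get("action") in ("accept", "drop"):
            catch_all[chain] = e.line_no
        # (2) tidy chains: same action and matchers in the same chain is a duplicate
        key = (chain, p.get("action"), matchers)
        if key in seen:
            findings.append(f"line {e.line_no}: duplicates line {seen[key]} in chain {chain}")
        else:
            seen[key] = e.line_no
    # (5) the post wants mac-server and mac-winbox set to allowed-interface-list=none
    for e in entries:
        if e.section.startswith("/tool mac-server") and e.params.get("allowed-interface-list", "none") != "none":
            findings.append(f"line {e.line_no}: {e.section} allowed on "
                            f"{e.params['allowed-interface-list']}; set it to none")
    return findings


# Constructed excerpt: rules copied from the posted config, continuation lines included.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward dst-address=10.39.44.92 dst-port=30814 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\\
    yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\\
    established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\\
    yes
add action=drop chain=input comment="drop all else"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""

if __name__ == "__main__":
    for finding in lint_export(SAMPLE_EXPORT):
        print(finding)
```

Run against the reviewer's own "(7) Proper firewall ruleset" with mac-server set to none, lint_export returns an empty list; against the sample it reports seven findings, including the forward-chain port rule from observation (1) and the input rule that has a comment but no connection-state matcher, which makes every later input rule unreachable.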