Channel: MikroTik

General • Re: Forward WAN port to another subnet/router LAN

Here's an excerpt from my MK config (I removed just a few completely irrelevant pieces that just work)
Code:
/interface bridge add admin-mac=B8:69:F4:03:26:AE arp=proxy-arp auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=belarus disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=WhyFi2 station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=belarus disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=WhyFi2 station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=<...> user=<...>
/interface wireguard add comment="WireGuard server" listen-port=13231 mtu=1420 name=wg1 private-key="xxx"
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge lease-time=1h name=defconf
/routing table add disabled=no fib name=wg-vpn
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge disabled=yes ingress-filtering=no interface=*D internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add disabled=yes interface=*A list=WAN
/interface list member add interface=pppoe-out1 list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
# My external router. Port forward destination is there
/interface wireguard peers add allowed-address=192.168.80.7/32,192.168.10.0/24,192.168.1.0/24 comment="Sokol Router" interface=wg1 public-key="<...>"
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip address add address=10.0.88.0/24 disabled=yes interface=bridge network=10.0.88.0
/ip address add address=192.168.80.1/24 comment="WireGuard server" interface=wg1 network=192.168.80.0
/ip dhcp-server network add address=192.168.88.0/24 boot-file-name=undionly.kpxe comment=defconf dns-server=192.168.88.60 gateway=192.168.88.1 next-server=192.168.88.60
/ip firewall filter add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow establish Remote Access" in-interface-list=WAN log=yes log-prefix=remote_sys port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow establish Remote Access" in-interface-list=WAN log=yes log-prefix=remote_sys protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS" ipsec-policy=in,ipsec log-prefix=vpn src-address=10.0.88.0/24
/ip firewall filter add action=accept chain=input comment="Allow access to WinBox via WireGuard" dst-port=8291 in-interface=wg1 protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=bad
/ip firewall filter add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to OFFICE network" dst-address=192.168.88.0/24 ipsec-policy=in,ipsec log-prefix=vpn src-address=10.0.88.0/24
/ip firewall filter add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.90.0/24 to WAN only" out-interface-list=WAN src-address=10.0.90.0/24
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec log-prefix=vpn
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=passthrough chain=forward comment="Traffic from Vacuum" src-address=192.168.88.57
/ip firewall mangle add action=passthrough chain=forward comment="Traffic to vacuum" dst-address=192.168.88.57
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall mangle add action=accept chain=forward comment="Forward Gritsevtsa -> Sokol" dst-address=192.168.1.0/24 src-address=192.168.10.0/24
/ip firewall mangle add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.80.0/24
/ip firewall mangle add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.88.0/24
/ip firewall mangle add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 in-interface-list=WAN
/ip firewall mangle add action=accept chain=forward comment="Forward Home -> Gritsevtsa" dst-address=192.168.10.0/24 src-address=192.168.88.0/24
/ip firewall mangle add action=log chain=prerouting disabled=yes protocol=icmp src-address=10.0.88.2
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new dst-address-list=split-vpn new-connection-mark=wg-vpn passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wg-vpn dst-address-list=split-vpn new-routing-mark=wg-vpn passthrough=no
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none log-prefix=vpn src-address=10.0.88.0/24
/ip firewall nat add action=masquerade chain=srcnat connection-mark=wg-vpn
/ip firewall nat add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none src-address=10.0.90.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat dst-port=8123 protocol=tcp to-addresses=192.168.88.60 to-ports=8123
# HERE HERE HERE: I assume this rule will do the job but apparently it doesn't
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=8124 protocol=tcp to-addresses=192.168.1.200 to-ports=8123
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward to HTPC" dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.60 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward to qBittorent on NAS" dst-port=6882 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.63 to-ports=6882
/ip firewall nat add action=masquerade chain=srcnat disabled=yes out-interface=wg2
/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT for Home Assistant" dst-address=192.168.88.60 dst-port=443,8123 log-prefix=hair-pin protocol=tcp src-address=192.168.88.0/24
/ip firewall nat add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.0/24 log=yes protocol=tcp src-address=86.57.152.197
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward to MeatPC:RDP" disabled=yes dst-port=3389 protocol=tcp to-addresses=192.168.88.13 to-ports=3389
/ip route add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=192.168.10.0/24 gateway=wg1 routing-table=main suppress-hw-offload=no
My "external" router, referred to as Sokol Router above, is based on OpenWrt 23. Its firewall config is like this:
[screenshot of the OpenWrt firewall configuration: Scr-2024-01-15 at 19.29.31.png]
Let me state that everything else is working just fine: I am able to access my instance 192.168.1.200 from my MK local subnet.

UPDATE: As a second thought, I decided to add a forward-allow rule like this:
Code:
chain=forward action=accept protocol=tcp out-interface=wg1 in-interface-list=WAN dst-port=8123 log=yes log-prefix=""
When I try to establish a connection, there's a log message like this:
Code:
forward: in:pppoe-out1 out:wg1, connection-state:new,dnat proto TCP (SYN), <my-current-ip>:45329->192.168.1.200:8123, NAT <my-current-ip>:45329->(<mikrotik-public-ip>:8124->192.168.1.200:8123), len 64

Posted by Spaider — Mon Jan 15, 2024 6:31 pm
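Added example (editor's note, not part of Spaider's post and not tested against this setup). The log line in the update shows the dst-nat rule matched (connection-state:new,dnat) and the forward chain accepted the SYN, so the packet left towards 192.168.1.200 via wg1 with the client's public address still as its source. Two things then go wrong on a forward into a subnet reached over WireGuard: the receiving WireGuard peer on the Sokol router drops any decrypted packet whose source address is not inside that peer's AllowedIPs (WireGuard's cryptokey routing check), and even if it passed, 192.168.1.200 would answer the public address via the Sokol router's own default route, not back through the tunnel. Masquerading dst-nat'ed connections as they leave through wg1 makes the source 192.168.80.1, which is the address the Sokol side already routes through the tunnel. The rules below use the interface names and addresses from the config above; that 192.168.80.1 (or 192.168.80.0/24) is in the Sokol router's AllowedIPs for the MikroTik peer is an assumption. They also restrict the dst-nat rules to traffic arriving from WAN: a chain=dstnat dst-port=8123 protocol=tcp rule with no in-interface-list or dst-address-type condition also rewrites LAN-originated connections to any public host on that port.

```routeros
# Added example, not from the original post. Assumes wg1 / pppoe-out1 / WAN list,
# 192.168.80.1/24 on wg1 and 192.168.1.200 behind the Sokol router, as in the
# config above. Assumption: the Sokol peer's AllowedIPs covers 192.168.80.1.

/ip firewall nat
# 1. Only rewrite connections that actually arrive from the WAN side. A dst-nat
#    rule that matches on dst-port alone also rewrites LAN clients' connections
#    to any public host on that port.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8123 \
    action=dst-nat to-addresses=192.168.88.60 to-ports=8123 \
    comment="Home Assistant on the local subnet"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8124 \
    action=dst-nat to-addresses=192.168.1.200 to-ports=8123 \
    comment="Home Assistant behind the Sokol router (via wg1)"

# 2. Source NAT the dst-nat'ed connection as it leaves through the tunnel, so the
#    packet arrives at the Sokol peer with src 192.168.80.1 (passes the AllowedIPs
#    check) and 192.168.1.200 replies to 192.168.80.1 through the tunnel instead
#    of to the client's public IP via its own default gateway.
#    connection-nat-state=dstnat keeps this rule off ordinary LAN -> 192.168.1.0/24
#    traffic, which the existing routes already carry unchanged.
add chain=srcnat out-interface=wg1 connection-nat-state=dstnat \
    action=masquerade comment="Return path for port forwards into 192.168.1.0/24"

# 3. Checks. The tracked connection should now show both a dst-nat and a src-nat
#    translation, and a sniff on wg1 should show the SYN leaving with
#    src 192.168.80.1 and a SYN-ACK coming back from 192.168.1.200.
/ip firewall connection print where dst-address~"192.168.1.200"
/tool sniffer quick interface=wg1 ip-address=192.168.1.200
```

Two caveats: with the masquerade in place the target host only ever sees 192.168.80.1, so its own logs no longer record the real client address (keep the log=yes on the MikroTik forward rule if that matters), and the OpenWrt firewall on the Sokol side still has to allow forwarding from the WireGuard zone to the LAN zone for that host, which the screenshot above would show.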


