Проброс порта микротик, 2 провайдера?

Доброго времени суток! Подскажите, пожалуйста, что я упустил: никак не могу добиться проброса. dst-nat прописал, но при обращении на порт 5000 пакеты уходят в последнее forward drop правило.

# Filter rules are evaluated top-down; the first matching rule decides, so order matters.
# The /ip firewall nat section (the dst-nat rule the question mentions) is not part of this listing.
/ip firewall filter
# ICMP from WAN: rate-limited accept, the excess is dropped.
add action=accept chain=input comment=Allow_limited_pings in-interface-list=WAN limit=50,5:packet protocol=icmp
add action=drop chain=input comment="Pings_Drop " in-interface-list=WAN protocol=icmp
# NOTE(review): add-dst-to-address-list records the packet's *destination* (the router's own WAN address)
# in Conection-limit, but the drop rule right below matches src-address-list against that list, so the
# offending client is never the one dropped. add-src-to-address-list looks like what was intended — verify.
add action=add-dst-to-address-list address-list=Conection-limit address-list-timeout=1d chain=input comment=Connection_limit connection-limit=200,32 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=Adr_list_connection-limit_drop in-interface-list=WAN src-address-list=Conection-limit
# Port-scan handling: a source already on "port scanners" is dropped first; the detectors below (psd and
# invalid TCP flag combinations) only add the source to that list for 2w and let the packet continue.
add action=drop chain=input comment=Port_scanner_drop in-interface-list=WAN src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Depends on the BOGON address list, which is not shown in this listing.
add action=drop chain=input comment=Bogon_Wan_Drop in-interface-list=WAN src-address-list=BOGON
# Management ports 8084,8083 (named Winbox/SSH in the comments) are accepted only from LAN and the CLINICS list.
add action=accept chain=input comment=Accept_Winbox_Ssh dst-port=8084,8083 in-interface-list=LAN protocol=tcp src-address-list=CLINICS
# Staged limiter for the same ports from WAN: each new connection moves the source one stage up (1m each);
# after stage3 the source lands on black_list for 5m and is dropped by the rule above the stages.
# NOTE(review): no rule in this listing accepts 8084,8083 from WAN, so those connections are dropped by the
# final input rule regardless; the stages only record the attempts — confirm that is the intent.
add action=drop chain=input comment=Drop_winbox_black_list dst-port=8084,8083 in-interface-list=WAN protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=5m chain=input comment=Winbox_add_black_list connection-state=new dst-port=8084,8083 in-interface-list=WAN \
    protocol=tcp src-address-list=Winbox_Ssh_stage3
add action=add-src-to-address-list address-list=Winbox_Ssh_stage3 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage3 connection-state=new dst-port=8084,8083 in-interface-list=WAN \
    protocol=tcp src-address-list=Winbox_Ssh_stage2
add action=add-src-to-address-list address-list=Winbox_Ssh_stage2 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage2 connection-state=new dst-port=8084,8083 in-interface-list=WAN \
    protocol=tcp src-address-list=Winbox_Ssh_stage1
add action=add-src-to-address-list address-list=Winbox_Ssh_stage1 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage1 connection-state=new dst-port=8084,8083 in-interface-list=WAN \
    protocol=tcp
# VPN termination on WAN: PPTP (tcp/1723 + GRE) and L2TP/IPsec (ESP plus udp 500/1701/4500).
# The export escapes the non-ASCII comment; "\E8" appears to be cp1251 for the Russian "и" ("PPTP and GRE").
add action=accept chain=input comment="PPTP \E8 GRE" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input in-interface-list=WAN protocol=gre
add action=accept chain=input comment=L2TP in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
# Stateful accepts sit below all the list/scan rules, so every packet of an established flow is still
# evaluated against them; established/related are usually placed first for that reason.
add action=accept chain=input  connection-state=established
add action=accept chain=input  connection-state=related
add action=drop chain=input connection-state=invalid
# Catch-all for traffic addressed to the router itself arriving from WAN.
add action=drop chain=input in-interface-list=WAN log-prefix=dropINOTHER
# Router-originated traffic to 8.8.4.4 must not leave via IPS2-KTC; pairs with the /32 route to 8.8.4.4 via IPS1-DKP in /ip route.
add action=drop chain=output  dst-address=8.8.4.4 out-interface=IPS2-KTC
# forward chain: LAN (192.168.0.0/24) outbound to any WAN interface.
add action=accept chain=forward out-interface-list=WAN src-address=192.168.0.0/24
# NOTE(review): disabled=yes — this is the accept for the forwarded port, so dst-natted traffic to 5000
# falls through to the dropALL rule at the end (the symptom described in the question). The forward chain
# sees the packet after dst-nat, so dst-port here must be the internal port if the forward translates it.
# When enabled, adding connection-nat-state=dstnat (and the internal host's dst-address) keeps the accept
# limited to connections that actually went through the dst-nat rule.
add action=accept chain=forward disabled=yes dst-port=5000 in-interface-list=WAN protocol=tcp
# Only connection-state=established is accepted here despite the "est, rel, unt" comment; related and
# untracked forward traffic is not matched and is dropped by the next rule.
add action=accept chain=forward comment="est, rel, unt" connection-state=established
# Final forward drop, logged with prefix dropALL.
add action=drop chain=forward log=yes log-prefix=dropALL


# Dual-WAN marking: connections are tagged by the ISP interface they arrived on, and the routing mark
# then follows the connection mark so replies leave through the same ISP.
/ip firewall mangle
# NOTE(review): src-address-list restricts these to packets whose *source* is in the ISP address list.
# If those lists hold the router's own per-ISP addresses (cf. 10.0.2.2 / 10.0.3.2 in /ip route rule),
# inbound connections from the Internet never get marked; dst-address-list is the usual matcher for
# inbound marking — confirm the list contents.
add action=mark-connection chain=prerouting in-interface=IPS1-DKP new-connection-mark=ISP1-DKP-in passthrough=yes src-address-list=ISP1-DKP-ADDRESESS
add action=mark-connection chain=prerouting in-interface=IPS2-KTC new-connection-mark=ISP2-KTC-in passthrough=yes src-address-list=ISP2-KTC-ADDRESESS
# Routing mark derived from the connection mark. Naming: the ISP2 connection mark maps to routing mark
# ISP1-KTC; /ip route and /ip route rule use the same ISP1-KTC name, so it works but reads like a typo.
add action=mark-routing chain=prerouting connection-mark=ISP1-DKP-in new-routing-mark=ISP1-DKP passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2-KTC-in new-routing-mark=ISP1-KTC passthrough=yes
# Router-originated traffic (output chain) is steered to the ISP matching its source address.
add action=mark-routing chain=output new-routing-mark=ISP1-DKP passthrough=yes src-address-list=ISP1-DKP-ADDRESESS
add action=mark-routing chain=output new-routing-mark=ISP1-KTC passthrough=yes src-address-list=ISP2-KTC-ADDRESESS


/ip route
# Per-ISP routing tables (selected by routing-mark), each with ping-based gateway checking.
# Note the two ISP2 routes use different gateway forms (an IP address here, the interface name below) —
# presumably both resolve to the same next hop; verify.
add check-gateway=ping comment=ISP1-DKP distance=1 gateway=IPS1-DKP routing-mark=ISP1-DKP
add check-gateway=ping comment=ISP2-Kaztranscom distance=1 gateway=188.0.147.129 routing-mark=ISP1-KTC
# Main-table defaults: ISP1 preferred (distance 10), ISP2 as fallback (distance 20).
add comment=IPS1-DKP-Route distance=10 gateway=IPS1-DKP
add comment=IPS2-KTC-Route distance=20 gateway=IPS2-KTC
# Pins 8.8.4.4 to ISP1 (the output-chain filter rule also drops it towards IPS2-KTC);
# the comment suggests it is used as a reachability/DNS check target — TODO confirm.
add comment="DNS aviability" distance=1 dst-address=8.8.4.4/32 gateway=IPS1-DKP

# Policy routing rules, evaluated in order (first match wins).
/ip route rule
# Source-based lookup for the two addresses (presumably the router's own address on each ISP link — confirm).
add src-address=10.0.2.2/32 table=ISP1-DKP
add src-address=10.0.3.2/32 table=ISP1-KTC
# LAN destinations always resolve in the main table, before any mark-based selection.
add dst-address=192.168.0.0/24 table=main
# Marked traffic (from the mangle rules) goes to its ISP table.
add routing-mark=ISP1-DKP table=ISP1-DKP
add routing-mark=ISP1-KTC table=ISP1-KTC
hint000
Третье снизу правило в таблице filter:

# Same rule as in the question's filter listing, still disabled=yes. The export escapes the non-ASCII
# comment as byte escapes; they appear to be cp1251 for "Разрешаем выход в инет" ("allow access to the Internet").
add action=accept chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E2\FB\F5\EE\E4 \E2 \E8\ED\E5\F2" disabled=yes dst-port=5000 in-interface-list=WAN protocol=tcp

оно же disabled=yes, т.е. это правило выключено (не применяется), его нужно включить.
Это будет работать при условии, что при пробросе номер порта 5000 не меняется. А иначе в цепочке forward нужно указывать номер внутреннего порта.
@trjflash Автор вопроса
Разобрался. Не хватало правила src-nat:
# Hairpin-style src-nat: LAN clients (192.168.0.0/24) reaching 192.168.0.93:5000 get their source
# rewritten to 192.168.0.253 (presumably the router's LAN address — TODO confirm), so the host's replies
# go back through the router even though the router is not its default gateway.
# As written it matches only connections sourced from 192.168.0.0/24; connections arriving from WAN and
# forwarded to .93 are not rewritten by this rule.
# Side effect worth knowing: 192.168.0.93 sees every such connection as coming from .253, so its own logs
# no longer show the real client — keep the router's logs / connection tracking if attribution matters.
add action=src-nat chain=srcnat dst-address=192.168.0.93 dst-port=5000 protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.253


А и да, микрот должен быть шлюзом для хоста, на который идет проброс, а не как у меня — параллельно рабочей схеме.