Настройка Firewall для доступа к локальным машинам из внешней сети WAN (PPPoE)?

Question

[Bogdan Dolgopolov]

Доброго времени суток!
Оборудование: MikroTok hEX S (mmips) Версия прошивки 7.11.2 (stable)
Интернет поставляется провайдером по PPPoE с получением белого IP динамически (интерфейс WAN(pppoe-out1))
Имеется сервер c развёрнутой системой виртуализации (внутри есть несколько виртуальных машин 192.168.0.[98-100]).
Есть настроенный Firewall и задача получить доступ к открытому порту из внешней сети
Я что-то упускаю в настройке разрешения или на правильно прокидываю dst-nat. В локальной сети 192.168.0.98:9003 отображается верно

Экспорт конфига:

# 2023-11-06 02:15:30 by RouterOS 7.11.2
# software id = BJGH-2N44
#
# model = RB760iGS
# serial number = A815099DACFA
/ip firewall filter
add action=accept chain=input comment=\
    "Forward and Input Established and Related connections" connection-state=\
    established,related
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=add-src-to-address-list address-list=ddos-blacklist \
    address-list-timeout=1d chain=input comment=DDOS connection-limit=100,32 \
    in-interface-list=INTERNET protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=ddos-blacklist
add action=jump chain=forward comment="SYN Protect" connection-state=new \
    connection-type="" jump-target=SYN-Protect protocol=tcp
add action=jump chain=input connection-state=new in-interface-list=INTERNET \
    jump-target=SYN-Protect protocol=tcp
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
    protocol=tcp
add action=drop chain=SYN-Protect connection-state=new protocol=tcp
add action=drop chain=input comment="Protected - Ports Scanners" \
    src-address-list="Port Scanners"
add action=add-dst-to-address-list address-list="Ports Scanners" \
    address-list-timeout=none-dynamic chain=input in-interface-list=INTERNET \
    protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="ssh Brute Forces" connection-state=new \
    dst-port=22 jump-target=sshbruteforces protocol=tcp
add action=drop chain=sshbruteforces comment="Drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=sshbruteforces connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=sshbruteforces connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=sshbruteforces connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=sshbruteforces connection-state=new
add chain=sshbruteforces dst-port=22 protocol=tcp
add action=accept chain=input comment="Access VPN Tunnel Data" \
    in-interface-list=VPN
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\FE\F9\E5\E5 \EF\F0\
    \E0\E2\E8\EB\EE \E4\EB\FF \EF\F0\EE\F5\EE\E6\E4\E5\ED\E8\FF \F2\EE\EB\FC\EA\
    \EE \ED\EE\F0\EC\E0\EB\FC\ED\FB\F5 PING \E7\E0\EF\F0\EE\F1\EE\E2" \
    in-interface-list=INTERNET limit=50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="Drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add chain=sshbruteforces connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="Drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=jump chain=input comment="Telnet Brute Forces" connection-state=new \
    dst-port=23 jump-target=telnetbruteforces protocol=tcp
add action=drop chain=telnetbruteforces comment="Drop Telnet Brute Forcers" \
    src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=telnetbruteforces connection-state=new \
    src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=telnetbruteforces connection-state=new \
    src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=telnetbruteforces connection-state=new \
    src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=telnetbruteforces connection-state=new
add chain=telnetbruteforces dst-port=23 protocol=tcp
add action=drop chain=forward comment="Drop telnet brute downstream" dst-port=\
    23 protocol=tcp src-address-list=telnet_blacklist
add chain=telnetbruteforces connection-state=new dst-port=23 protocol=tcp
add action=drop chain=forward comment="Drop telnet brute downstream" dst-port=\
    23 protocol=tcp src-address-list=telnet_blacklist
add action=jump chain=input comment="Winbox Brute Forces chain" \
    connection-state=new dst-port=8291 jump-target=winboxbruteforces protocol=\
    tcp
add action=drop chain=winboxbruteforces comment="Drop winbox brute forcers" \
    src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=winboxbruteforces connection-state=new \
    src-address-list=winbox_stage5
add action=add-src-to-address-list address-list=winbox_stage5 \
    address-list-timeout=1m chain=winboxbruteforces connection-state=new \
    src-address-list=winbox_stage4
add action=add-src-to-address-list address-list=winbox_stage4 \
    address-list-timeout=1m chain=winboxbruteforces connection-state=new \
    src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=winboxbruteforces connection-state=new \
    src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=winboxbruteforces connection-state=new \
    src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=winboxbruteforces connection-state=new
add chain=winboxbruteforces dst-port=8291 protocol=tcp
add action=drop chain=forward comment="Drop Winbox Brute Downstream" dst-port=\
    8291 protocol=tcp src-address-list=winbox_blacklist
add chain=winboxbruteforces connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=forward comment="Drop winbox brute downstream" dst-port=\
    8291 protocol=tcp src-address-list=winbox_blacklist
add action=accept chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC 9003" \
    dst-port=9003 in-interface-list=INTERNET protocol=tcp
add action=drop chain=input comment=\
    "\C7\E0\EF\F0\E5\F9\E0\FE\F9\E5\E5 \EF\F0\E0\E2\E8\EB\EE " \
    in-interface-list=INTERNET

Настройка правила NAT для порта




Пробовал отключать все правила Firewall и доступа из вне нет.
Даже после явного разрешения всех input пакетов

Answer 1

[Gregory]

как вы проверяете проброс портов? на виртуальных машинах шлюз прописан?

Comments

[Bogdan Dolgopolov]

Если я правильно понимаю, то шлюз верный. IP роутера 192.168.0.1

[Bogdan Dolgopolov]

Проверяю get запросом

[Bogdan Dolgopolov]

tcpdump при активации 9003 и попытке открыть страничку молчит

[Bogdan Dolgopolov]

1 - GET запрос по локальной сети
2 - глобальный

[Bogdan Dolgopolov]

Gregory по совету от продавца я добавил правило netmap и пакеты пошли

Answer 2

[Юрий MikroTik]

Если проверяете из этой же сети, то нужен Hairpin NAT