Those are input chain rules, not forward chain rules.

Casey

On Wed, Jun 11, 2014 at 2:38 PM, Jerry Roy <[email protected]> wrote:
> Ya, they are already in there.
>
> add chain=input comment="default configuration - icmp" protocol=icmp
> add chain=input comment=established connection-state=established
> add chain=input comment=related connection-state=related
> add chain=input dst-port=22,443,8728,8291 protocol=tcp
> add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
>
> *Jerry Roy*
> Sr. Systems Engineer
> MTCNA/MTCRE/MTCTCE
>
> 1 949 681 5054
> 1 562 305 9545 Cell
>
> Unity Network Services
> *An iPass Company*
> 125 Technology Drive
> Suite 100
> Irvine, CA 92618
>
> On Wed, Jun 11, 2014 at 11:27 AM, Casey Mills <[email protected]> wrote:
> > Did you add the forward table rules?
> >
> > Casey
> >
> > On Wed, Jun 11, 2014 at 2:12 PM, Jerry Roy <[email protected]> wrote:
> > > Yes, it's the WAN IP.
> > >
> > > I believe I still have the default rules in there. I removed the dest address from the rule but still same issue.
> > >
> > > I keep getting a syn sent in the connections log.
> > >
> > > On Wed, Jun 11, 2014 at 10:51 AM, Casey Mills <[email protected]> wrote:
> > > > I assume 172.250.x.x is your WAN IP.
> > > >
> > > > I don't see a need to specify dst-address in this rule, you are already specifying the in-interface.
> > > > add action=dst-nat chain=dstnat comment="FTP for Work" dst-address=172.250.x.x dst-port=21 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200 to-ports=21
> > > >
> > > > My RB2011 came with a few forward table filter rules that might come in handy.
> > > > add chain=forward comment="default configuration" connection-state=established
> > > > add chain=forward comment="default configuration" connection-state=related
> > > > add action=drop chain=forward comment="default configuration" connection-state=invalid
> > > >
> > > > Casey
> > > >
> > > > On Wed, Jun 11, 2014 at 12:46 PM, Jerry Roy <[email protected]> wrote:
> > > > > All,
> > > > >
> > > > > This was working and now it's not. Can someone suggest what is wrong with this? I have an ftp server sitting on the LAN at 192.168.200.200. I want to access it from anywhere. I exported my FW and Nat rules below. Thanks for looking :)
> > > > >
> > > > > /ip firewall filter
> > > > > add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> > > > > add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
> > > > > add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
> > > > > add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
> > > > > add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
> > > > > add chain=input comment="default configuration - icmp" protocol=icmp
> > > > > add chain=input comment=established connection-state=established
> > > > > add chain=input comment=related connection-state=related
> > > > > add chain=input dst-port=22,443,8728,8291 protocol=tcp
> > > > > add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
> > > > > /ip firewall nat
> > > > > add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
> > > > > add action=dst-nat chain=dstnat comment="Den Camera" dst-port=8080 protocol=tcp to-addresses=192.168.200.90 to-ports=8080
> > > > > add action=dst-nat chain=dstnat comment="FTP for Work" dst-address=172.250.x.x dst-port=21 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200 to-ports=21
> > > > > add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=20 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200 to-ports=20
> > > > > add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=5000-6000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200 to-ports=5000-6000
> > > > > add action=dst-nat chain=dstnat comment=Xbox dst-address=172.250.x.x dst-port=88,3074 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.93 to-ports=3074
> > > > > add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=3074 in-interface=ether1-gateway protocol=udp to-addresses=192.168.200.93 to-ports=3074
> > > > > /ip firewall service-port
> > > > > set ftp disabled=yes ports=99
> > > > > set tftp disabled=yes
> > > > > set irc disabled=yes
> > > > > set pptp disabled=yes
> > > > > [admin@RB2011UAS-2HnD] /ip firewall>

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
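As an added example, not code from the thread or from RouterOS: a small Python audit that parses an export in the format Jerry posted, joins the export's trailing-backslash continuation lines, groups rules by chain, and reports which of Casey's three default forward rules are absent, so the input-versus-forward distinction in the reply above becomes a mechanical check. The sample export is constructed for this example.

```python
import shlex

# Constructed sample in the `/ip firewall filter` export format from the thread: Jerry's
# input-chain rules (one wrapped with a trailing '\', as exports do) plus Casey's forward rules.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input comment="default configuration - icmp" protocol=icmp
add chain=input comment=established connection-state=established
add chain=input comment=related connection-state=related
add chain=input dst-port=22,443,8728,8291 protocol=tcp
add action=drop chain=input comment="default configuration" \\
    in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
"""

# Casey's three "default configuration" forward rules as (action, connection-state) pairs.
FORWARD_DEFAULTS = {("accept", "established"), ("accept", "related"), ("drop", "invalid")}

def parse_filter_rules(export):
    """Parse `add ...` lines under `/ip firewall filter` into key=value dicts."""
    rules, section, pending = [], None, ""
    for raw in export.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # wrapped rule: join with the next line
            pending = line[:-1]          # keep the space before '\' (values can split mid-token)
            continue
        pending = ""
        if line.startswith("/"):         # section header, e.g. /ip firewall nat
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = {"action": "accept"}  # a RouterOS filter rule with no action= accepts
            for token in shlex.split(line[4:]):   # shlex respects comment="..." quoting
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def rules_by_chain(rules):
    chains = {}                          # chain name -> list of rules in export order
    for rule in rules:
        chains.setdefault(rule.get("chain"), []).append(rule)
    return chains

def missing_forward_defaults(rules):
    """Default forward rules absent from the export, sorted for stable output."""
    forward = rules_by_chain(rules).get("forward", [])
    present = {(r["action"], r.get("connection-state")) for r in forward}
    return sorted(FORWARD_DEFAULTS - present)
```

Run `missing_forward_defaults(parse_filter_rules(...))` against a real `/ip firewall filter export`; an export like the one in the thread, which has only input rules, lists all three forward defaults as missing.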

