Не отрабатывает проброс портов

[vadim.jukov]

Доброго времени суток, уважаемы форумчане!
Помогите разобраться, почему не отрабатывает проброс портов?!
Порты 80 и 443 отрабатывают запрос. а порты 55899 и 44899 только увеличиваются счетчики и больше ничего

P.S:
AKADO - WAN (провайдер)
2.2.2.0/24 - LAN
3.3.3.0/29 - L2TP VPN

1) Правила фильтра:

Код: Выделить всё

# dec/05/2018 12:29:39 by RouterOS 6.43.7
# software id = RALS-T2Z8
#
# model = 951Ui-2HnD
# serial number =********
/ip firewall filter
add action=accept chain=input comment="Accept input icmp" in-interface=AKADO protocol=icmp
add action=accept chain=forward in-interface=AKADO protocol=icmp
add action=accept chain=input comment="Accept established & related connection" connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept services ports" connection-state=established,related,new dst-port=80,443,55899,44899 in-interface=AKADO protocol=tcp
add action=accept chain=input comment="Accept L2TP" dst-port=1701,500,4500 in-interface=AKADO protocol=udp
add action=accept chain=input in-interface=AKADO protocol=ipsec-esp
add action=accept chain=forward comment="Forward L2TP -> LAN" dst-address=2.2.2.0/24 src-address=3.3.3.0/29
add action=accept chain=input comment="Accept connections for LAN to WAN" in-interface=!AKADO src-address=2.2.2.0/24
add action=drop chain=input comment="Drop all input DNS" dst-port=53 in-interface=AKADO protocol=udp
add action=drop chain=input dst-port=53 in-interface=AKADO protocol=tcp
add action=drop chain=input comment="Drop all invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input in-interface=AKADO
add action=accept chain=forward comment="Accept forward from LAN to WAN" in-interface=!AKADO out-interface=AKADO
add action=drop chain=forward comment="Block Bogon IP Address" src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=input comment="Block hole Windows" dst-port=135,137-139,445,593,4444 protocol=tcp
add action=drop chain=forward dst-port=135,137-139,445,593,4444 protocol=tcp
add action=drop chain=input dst-port=135,137-139 protocol=udp
add action=drop chain=forward dst-port=135,137-139 protocol=udp
add action=drop chain=input comment="Drop WINBOX brute forcers" dst-port=3333protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=3333in-interface=AKADO protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="Drop SSH brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22 in-interface=AKADO protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners
add action=drop chain=forward src-address-list=port_scanners
add action=drop chain=forward comment="Drop all other connections"

2) Таблица NAT:

Код: Выделить всё

# dec/05/2018 12:32:36 by RouterOS 6.43.7
# software id = RALS-T2Z8
#
# model = 951Ui-2HnD
# serial number = *********
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT for HTTPS port on web" dst-port=443 in-interface=AKADO protocol=tcp to-addresses=2.2.2.6 to-ports=443
add action=dst-nat chain=dstnat comment="DST-NAT for HTTP port on web" dst-port=80 in-interface=AKADO protocol=tcp to-addresses=2.2.2.6 to-ports=80
add action=netmap chain=dstnat comment="DST-NAT for SSH port on web" dst-port=55899 in-interface=AKADO log=yes log-prefix="web ssh connect" protocol=tcp to-addresses=2.2.2.6 to-ports=22
add action=dst-nat chain=dstnat comment="DST-NAT for transmission port on media" dst-port=44899 in-interface=AKADO protocol=tcp to-addresses=2.2.2.8 to-ports=9091
add action=masquerade chain=srcnat comment="LAN masquerade" out-interface-list=WAN

Заранее спасибо за Ваши ответы!

[gmx]

Полностью выключать ВСЕ правила фаерволла не пробовали???
Данный микротик прописан шлюзом на устройствах, на которые пробрасываются порты?

[vadim.jukov]

Полностью выключать ВСЕ правила фаерволла не пробовали???
Данный микротик прописан шлюзом на устройствах, на которые пробрасываются порты?

1) Правила отключал, результата не было.
2) Да, микротик стоит как шлюз на серверах.
3) Нашел причину, не был установлен чекбокс на new в connection state.

Спасибо за Ваш ответ!

P.S тему можно закрывать.