Из всех мануалов, если я правильно понял, следует, что при пробросе портов в NAT нужно разрешить соответствующие порты ещё и в firewall filter rules — если, конечно, в forward-цепочке есть общее запрещающее правило.
Но опытным путём у меня получается, что всё работает, если я только добавлю проброс портов в NAT, без разрешающих правил в filter.
Ниже конфиг NAT и firewall filter rules; в filter rules правила по пробросу отключены (disabled=yes). (Судя по конфигу, причина в правиле «Out Forward» с out-interface-list=all: оно принимает весь оставшийся forward-трафик, включая новые dst-nat-соединения из Интернета, поэтому финальное «Drop All Other Forward» никогда не срабатывает.)
# jun/09/2021 10:20:03 by RouterOS 6.48.3
# software id = DBWY-
#
# model = RBD52G-5HacD2HnD
# serial number = B
/ip firewall filter
# ---- forward chain: fasttrack + connection-state handling ----
# Fasttrack established/related UDP and TCP that use the main routing table.
# Fasttracked packets bypass the rest of this filter, so nothing below applies
# to them once the connection is established. NOTE(review): the srcnat rules
# reference l2tp-out1/l2tp-out2 by address list, so some traffic is presumably
# policy-routed with a different routing mark and therefore not fasttracked
# (routing-mark=main) - confirm against the mangle/route config, not shown here.
add action=fasttrack-connection chain=forward connection-mark=no-mark \
connection-state=established,related protocol=udp routing-mark=main
add action=fasttrack-connection chain=forward connection-mark=no-mark \
connection-state=established,related protocol=tcp routing-mark=main
# Accept all remaining established/related forward traffic.
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop invalid Forward" \
connection-state=invalid
# The effective WAN->LAN gate of this chain: a NEW connection arriving from the
# Internet list is dropped unless it was already dst-nat'ed (a port forward).
# Dst-nat'ed connections do not match "!dstnat" and fall through to the rules
# below; the policy for WAN->LAN is thus decided by the NAT table alone.
add action=drop chain=forward comment="drop all packets for lan, no nat" \
connection-nat-state=!dstnat connection-state=new in-interface-list=\
Internet
# ---- input chain: traffic to the router itself ----
# protocol=!ipsec-esp: ESP is handled by the dedicated IpSec accept rule below.
add action=accept chain=input comment="Accept Input established related" \
connection-state=established,related protocol=!ipsec-esp
add action=drop chain=input comment="Drop Invalid Input" connection-state=\
invalid
# Drop DNS from the Internet list. The dstnat chain redirects port 53 on ALL
# interfaces to the router, so without these two rules WAN queries would reach
# the local resolver (open-resolver / amplification exposure).
add action=drop chain=input dst-port=53 in-interface-list=Internet protocol=\
udp
add action=drop chain=input dst-port=53 in-interface-list=Internet protocol=\
tcp
# New TCP to WinBox/ssh/telnet from the Internet is sent through the
# "Protected" staircase (see the Protected chain below). NOTE(review): that
# chain ends in accept; the rule comment says the blacklist is dropped "in RAW",
# which is not part of this export - confirm the /ip firewall raw rule exists.
# Telnet (23) is admitted from the WAN here; unless it is really needed, disable
# it in /ip service instead of relying on the rate limit.
add action=jump chain=input comment="Protected - WinBox, ssh, telnet chain" \
connection-state=new dst-port=8291,22,23 in-interface-list=Internet \
jump-target=Protected log-prefix=jumpproverka protocol=tcp
# IPsec ESP, IKE/NAT-T and L2TP are accepted from ANY interface (no
# in-interface-list matcher). connection-state="" means the matcher is unset.
add action=accept chain=input comment=IpSec log-prefix=50ipsec-esp protocol=\
ipsec-esp
add action=accept chain=input comment="IKE, IPsecNAT" connection-state="" \
dst-port=500,4500 protocol=udp
# NOTE(review): UDP 1701 is accepted without ipsec-policy=in,ipsec, so plain
# (unencrypted) L2TP is reachable from the WAN too. If only L2TP/IPsec is
# intended, add the ipsec-policy matcher - verify against the L2TP server setup.
add action=accept chain=input comment=L2TP connection-state="" dst-port=1701 \
protocol=udp
# All ICMP types accepted from all interfaces; no type filter or rate limit.
add action=accept chain=input comment="accept ICMP" protocol=icmp
# UDP 20561 (MAC WinBox port) accepted from all interfaces, including the
# Internet list. NOTE(review): restrict with in-interface-list=!Internet if MAC
# WinBox is only used on the LAN.
add action=accept chain=input comment="Winbox MAC" dst-port=20561 protocol=\
udp
# ---- forward chain: per-service accepts, all disabled=yes ----
# These are not required for the port forwards to work - see "Out Forward"
# below, which accepts the dst-nat'ed connections anyway.
add action=accept chain=forward comment="Allow forward NAT" \
connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment=IpCam disabled=yes dst-port=\
8091,10554,1080 protocol=tcp
add action=accept chain=forward comment=DC++ disabled=yes dst-port=7113,9813 \
in-interface-list=all protocol=tcp
add action=accept chain=forward comment=DC++ disabled=yes dst-port=28108,6250 \
in-interface-list=all protocol=udp
add action=accept chain=forward comment=uTorrent disabled=yes dst-port=15369 \
in-interface-list=all protocol=tcp
add action=accept chain=forward disabled=yes dst-port=15369 \
in-interface-list=all protocol=udp
# WHY the forwards work with the rules above disabled: the built-in "all"
# interface list matches every out-interface, so this rule accepts every
# forward packet that reaches it - LAN->WAN traffic AND the new dst-nat'ed
# connections from the Internet that survived the "!dstnat" drop above.
# Consequently the "Drop All Other Forward" rule at the end of this chain is
# never reached. NOTE(review): if per-forward control in the filter is wanted,
# narrow this rule (e.g. in-interface-list=!Internet) and re-enable the
# specific accepts above; otherwise every new NAT rule is an implicit allow.
add action=accept chain=forward comment="Out Forward" out-interface-list=all
# ---- Protected chain: three new connections within the timeouts -> blacklist ----
# Evaluated top-down; add-src-to-address-list does not stop processing.
# 1st hit: src added to "Stage 1" (1m). 2nd hit while in Stage 1: added to
# "Stage 2" (2m). 3rd hit while in Stage 2: added to BlackListProtected (3d).
# The final accept lets every connection that walked this chain through; the
# blacklist itself is enforced elsewhere (comment says RAW, not in this export).
add action=add-src-to-address-list address-list=BlackListProtected \
address-list-timeout=3d chain=Protected comment=\
"Protected - WinBox, ssh, telnet. Drop in RAW" connection-state=new \
src-address-list="ListProtected Stage 2"
add action=add-src-to-address-list address-list="ListProtected Stage 2" \
address-list-timeout=2m chain=Protected connection-state=new \
src-address-list="ListProtected Stage 1"
add action=add-src-to-address-list address-list="ListProtected Stage 1" \
address-list-timeout=1m chain=Protected connection-state=new
add action=accept chain=Protected
# Default-deny for the router itself, Internet list only; input from other
# interfaces is not dropped by this export (implicit accept).
add action=drop chain=input comment="Drop All Other Input" in-interface-list=\
Internet
# Unreachable: "Out Forward" above has already accepted every forward packet.
# The dropotherforward log stays empty for that reason, not because nothing
# needs blocking.
add action=drop chain=forward comment="Drop All Other Forward" \
in-interface-list=Internet log=yes log-prefix=dropotherforward
# jun/09/2021 10:19:57 by RouterOS 6.48.3
# software id = DBW
#
# model = RBD52G-5HacD2HnD
# serial number = B
/ip firewall nat
# ---- dstnat: port forwards ----
# NOTE(review): none of these dst-nat rules restricts in-interface-list or
# dst-address, so they match on ANY interface and ANY destination address.
# A LAN host connecting to some external server on TCP 1080/8091/10554 (or the
# DC++/uTorrent ports) is rewritten to the internal host as well. Adding
# in-interface-list=Internet (or dst-address-type=local) to each rule keeps
# the forwards WAN-only. The filter chain admits these connections because its
# only WAN->LAN drop excludes connection-nat-state=dstnat - every rule here is
# therefore an implicit allow through the firewall.
add action=dst-nat chain=dstnat comment=IpCam dst-port=10554,1080,8091 \
protocol=tcp to-addresses=192.168.10.121
add action=dst-nat chain=dstnat comment=Dc++ dst-port=7113,9813 protocol=tcp \
to-addresses=192.168.10.195
add action=dst-nat chain=dstnat comment=Dc++ dst-port=28108,6250 protocol=udp \
to-addresses=192.168.10.195
add action=dst-nat chain=dstnat comment=uTorrent dst-port=15369 protocol=tcp \
to-addresses=192.168.10.195
add action=dst-nat chain=dstnat dst-port=15369 protocol=udp to-addresses=\
192.168.10.195
# ---- srcnat: traffic steered through the two L2TP tunnels ----
# Destinations in the Sknt / Rkn address lists are masqueraded when leaving via
# l2tp-out1 / l2tp-out2. The routing decision itself is made elsewhere
# (presumably mangle marks / routes - not part of this export).
add action=masquerade chain=srcnat dst-address-list=Sknt out-interface=l2tp-out1
add action=masquerade chain=srcnat dst-address-list=Rkn out-interface=\
l2tp-out2
# Transparent DNS: every port-53 packet arriving on ANY interface is redirected
# to the router's own resolver. For the Internet list this relies on the input
# filter rules that drop WAN DNS, otherwise the router would be an open resolver.
add action=redirect chain=dstnat dst-port=53 in-interface-list=all protocol=\
udp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=all protocol=\
tcp to-ports=53
# Default masquerade for everything leaving via the Internet list.
add action=masquerade chain=srcnat out-interface-list=Internet
# Masquerade 192.168.51.0/24 (presumably the ObitVpn client range) towards ANY
# out-interface, not only Internet: masquerade uses the out-interface address,
# so LAN hosts and their logs see the router's address instead of the original
# VPN client IP.
add action=masquerade chain=srcnat comment=\
"Allow acees to other subnets for ObitVpn" src-address=192.168.51.0/24