# nov/11/2021 13:32:44 by RouterOS 6.49
# model = 2011UiAS-2HnD
# serial number = 8144072455EE
#
# Review notes (comments only; no statement below is changed).
# Layout as shown: one LAN bridge (bridge1-lan, 192.168.1.0/24) behind
# ether1-wan, NAT to the WAN, and two TCP port-forwards from the WAN
# (1738 -> 192.168.1.251, 2839 -> 192.168.1.253). Firewall rules are
# evaluated top to bottom inside each chain, so their order matters.
/interface bridge
# NOTE(review): arp=proxy-arp makes the router answer ARP on behalf of other
# hosts on this bridge. Confirm it is actually needed (it is usually only
# required for VPN/PPP clients that must appear to be on the LAN).
add admin-mac=64:D1:54:7B:9B:3C arp=proxy-arp auto-mac=no comment=defconf name=bridge1-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
# The next two lines define the interface lists WAN and LAN (referenced by
# "/interface list member" below). In a full export they sit under a
# "/interface list" header, which appears to have been dropped from this
# paste -- check the original export.
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# The pool covers .3-.254. Two addresses that other rules depend on lie inside
# it and have no static lease below: .3 (DNS server handed to DHCP clients)
# and .251 (target of the 1738 forward). Presumably those hosts are configured
# statically; verify, otherwise a forward can end up pointing at the wrong host.
add name=dhcp ranges=192.168.1.3-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-lan lease-time=1d name=defconf
/interface bridge port
# All remaining ports, the SFP port and the wireless interface form one LAN.
add bridge=bridge1-lan comment=defconf interface=ether2
add bridge=bridge1-lan comment=defconf interface=ether3
add bridge=bridge1-lan comment=defconf interface=ether4
add bridge=bridge1-lan comment=defconf interface=ether5
add bridge=bridge1-lan comment=defconf interface=ether6
add bridge=bridge1-lan comment=defconf interface=ether7
add bridge=bridge1-lan comment=defconf interface=ether8
add bridge=bridge1-lan comment=defconf interface=ether9
add bridge=bridge1-lan comment=defconf interface=ether10
add bridge=bridge1-lan comment=defconf interface=sfp1
add bridge=bridge1-lan comment=defconf interface=wlan1
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list (so not on ether1-wan).
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge1-lan list=LAN
add comment=defconf interface=ether1-wan list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge1-lan network=192.168.1.0
# WAN address masked by the poster.
add address=***********/30 interface=ether1-wan network=**********
/ip dhcp-server lease
# Static leases only for .253 (the RDP host, see the 2839 forward) and .160.
add address=192.168.1.253 client-id=1:18:66:da:26:25:87 mac-address=18:66:DA:26:25:87 server=defconf
add address=192.168.1.160 client-id=1:50:9a:4c:59:8c:4d mac-address=50:9A:4C:59:8C:4D server=defconf
/ip dhcp-server network
# Clients are told to use 192.168.1.3 for DNS, not the router; see the pool note.
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes means the router answers DNS for anyone that can
# reach its input chain. The "drop all not from lan" input rule below is what
# keeps this (and router management) off the WAN -- keep that rule in place.
set allow-remote-requests=yes servers=195.64.222.2,195.64.192.35
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# input chain (traffic to the router itself): established/related and ICMP are
# accepted from anywhere, everything else is accepted only if it arrives on
# bridge1-lan. There is no explicit last "drop" in this chain; the
# in-interface=!bridge1-lan drop is what closes it to the WAN.
add action=accept chain=input comment="accept establish & related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not from lan" in-interface=!bridge1-lan
# forward chain (traffic through the router): there is NO final
# "drop everything else" rule, so anything the rules below do not match is
# accepted by default. Consequences: the two "accept ... from LAN" rules do not
# restrict anything yet; the 1738 forward, which has no accept rule of its own,
# works only because of that default; and the "drop all from WAN to LAN" rule
# is the only thing blocking unsolicited WAN traffic. That drop exempts
# dstnat'd connections (connection-nat-state=!dstnat), which is why forwarded
# ports pass it. If a final drop is ever added, the 1738 forward needs its own
# accept rule like the 2839 one.
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept http & https from LAN" dst-port=80,443 in-interface=bridge1-lan out-interface=ether1-wan protocol=tcp
add action=drop chain=forward comment="drop all from WAN to LAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan
add action=accept chain=forward comment="accept dns from LAN" dst-port=53 in-interface=bridge1-lan out-interface=ether1-wan protocol=udp
# RDP on .253 is reachable from the whole internet on 2839; a non-standard port
# does not hide it from scanners. If the remote side is known, narrow this with
# src-address=<remote address or range>; otherwise consider reaching the host
# over a VPN instead of a direct forward.
add action=accept chain=forward comment="accept WAN -> LAN RDP" dst-address=192.168.1.253 dst-port=2839 in-interface=ether1-wan protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1738 in-interface=ether1-wan protocol=tcp to-addresses=192.168.1.251 to-ports=1738
# Looks like the hairpin-NAT helper for the 2839 forward (LAN clients using the
# public address), but it has no src-address or out-interface restriction, so
# it also matches connections that arrived from the WAN through the dst-nat
# rule below. Those sessions leave via bridge1-lan and are masqueraded to
# 192.168.1.1, so the RDP host sees every remote session as coming from the
# router and host-side logging / lockout by source address cannot work.
# Limit it to LAN origins, e.g. src-address=192.168.1.0/24.
add action=masquerade chain=srcnat dst-address=192.168.1.253 dst-port=2839 protocol=tcp
# log=yes here produces the "dstnat: in:ether1-wan ..." lines in the router
# log (like the one pasted below). A hit only shows the packet reached the
# dst-nat rule; whether the forward chain accepted it is decided by the filter
# rules above.
add action=dst-nat chain=dstnat dst-port=2839 in-interface=ether1-wan log=yes protocol=tcp to-addresses=192.168.1.253 to-ports=2839
# No section header precedes this line; one appears to have been lost in the
# paste, so which service this interface list belongs to cannot be told from
# here. Note that it includes the WAN port (ether1-wan) -- confirm that is
# intended for whatever service this is.
set 0 interfaces=sfp1,ether1-wan,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
Проверка проброса не через локальную сеть: пакеты идут и в rules, и в nat.
Лог с правила:
dstnat: in:ether1-wan out:(unknown 0), src-mac 00:04:96:8b:e5:cc, proto TCP (SYN), 85.140.14.83:43723->внешний IP микротика:2839, len 60