(1) Change this rule in the forward chain FROM
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(2) Not sure if order is critical but best to do this.... ( fixed your hairpin rule as well)
/ip firewall address-list
add name=MYNETNAME list=MyWAN comment="dyndns from my IP Cloud settings"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="hairpin" dst-address=10.21.21.0/24 src-address=10.21.21.0/24
add action=dst-nat chain=dstnat comment=submission dst-port=587 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
add action=dst-nat chain=dstnat comment=smtp dst-port=25 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
add action=dst-nat chain=dstnat comment=imaps dst-port=993 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(2) Not sure if order is critical but best to do this.... ( fixed your hairpin rule as well)
/ip firewall address-list
add name=MYNETNAME list=MyWAN comment="dyndns from my IP Cloud settings"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="hairpin" dst-address=10.21.21.0/24 src-address=10.21.21.0/24
add action=dst-nat chain=dstnat comment=submission dst-port=587 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
add action=dst-nat chain=dstnat comment=smtp dst-port=25 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
add action=dst-nat chain=dstnat comment=imaps dst-port=993 dst-address-list=MyWAN protocol=tcp to-addresses=10.21.21.244
Statistics: Posted by anav — Thu Mar 28, 2024 7:17 pm
