Привет! RB750G - RouterOS 6.7. Проблема с переадресацией портов. Переадресация работает только тогда, когда я также добавляю правило брандмауэра в цепочке FORWARD для конкретного порта. Например, если я перенаправляю порт 3389 через NAT, то должен добавить в брандмауэр правило accept для цепочки forward на порт 3389. Насколько я читал, dst-nat должен обрабатываться до фильтрации в брандмауэре, и фильтрация не должна влиять на перенаправленный трафик. Но в моём случае это не так. Мне нужны правила forward в брандмауэре, потому что я хочу разрешать клиентам только определённые протоколы. Что посоветуете? Вот конфигурация: x.x.x.x - публичный IP-адрес.
NAT:
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
1 ;;; Server
chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=3389 protocol
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=3389
2 chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=1723 protocol
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=1723
3 X chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=443 protocol=
dst-address=x.x.x.x dst-port=443
4 ;;; ILO
chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=443 protocol=t
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=443
5 chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=17988-17990
protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway
dst-port=17988-17990
Брандмауэр:
0 ;;; Drops invalid connections on input and forward chains
chain=input action=drop connection-state=invalid
1 chain=forward action=drop connection-state=invalid
2 ;;; Access to router from LAN - administration
chain=input action=accept src-address-list=LAN
3 chain=input action=accept connection-state=related
4 chain=input action=accept connection-state=established
5 chain=input action=accept protocol=icmp
6 chain=input action=drop
7 ;;; LAN2WAN rules
chain=forward action=accept connection-state=established
8 chain=forward action=accept connection-state=related
9 ;;; HTTP
chain=forward action=accept protocol=tcp dst-port=80
10 ;;; HTTPS
chain=forward action=accept protocol=tcp dst-port=443
11 ;;; POP3
chain=forward action=accept protocol=tcp dst-port=110
12 ;;; SMTP
chain=forward action=accept protocol=tcp dst-port=25
13 ;;; DNS
chain=forward action=accept protocol=udp dst-port=53
14 ;;; NTP
chain=forward action=accept protocol=udp dst-port=123
15 ;;; PING
chain=forward action=accept protocol=icmp
16 ;;; RDP
chain=forward action=accept protocol=tcp dst-port=3389
17 ;;; VPN
chain=forward action=accept protocol=tcp dst-port=1723
18 ;;; Bloom
chain=forward action=accept protocol=tcp dst-port=8194-8294
19 chain=forward action=accept protocol=udp dst-port=48129-48137
20 ;;; ILO
chain=forward action=accept protocol=tcp dst-port=17988-17990
21 ;;; Hosting
chain=forward action=accept protocol=tcp dst-port=2083
22 chain=forward action=drop
NAT:
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
1 ;;; Server
chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=3389 protocol
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=3389
2 chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=1723 protocol
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=1723
3 X chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=443 protocol=
dst-address=x.x.x.x dst-port=443
4 ;;; ILO
chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=443 protocol=t
dst-address=x.x.x.x in-interface=ether1-gateway dst-port=443
5 chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=17988-17990
protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway
dst-port=17988-17990
Брандмауэр:
0 ;;; Drops invalid connections on input and forward chains
chain=input action=drop connection-state=invalid
1 chain=forward action=drop connection-state=invalid
2 ;;; Access to router from LAN - administration
chain=input action=accept src-address-list=LAN
3 chain=input action=accept connection-state=related
4 chain=input action=accept connection-state=established
5 chain=input action=accept protocol=icmp
6 chain=input action=drop
7 ;;; LAN2WAN rules
chain=forward action=accept connection-state=established
8 chain=forward action=accept connection-state=related
9 ;;; HTTP
chain=forward action=accept protocol=tcp dst-port=80
10 ;;; HTTPS
chain=forward action=accept protocol=tcp dst-port=443
11 ;;; POP3
chain=forward action=accept protocol=tcp dst-port=110
12 ;;; SMTP
chain=forward action=accept protocol=tcp dst-port=25
13 ;;; DNS
chain=forward action=accept protocol=udp dst-port=53
14 ;;; NTP
chain=forward action=accept protocol=udp dst-port=123
15 ;;; PING
chain=forward action=accept protocol=icmp
16 ;;; RDP
chain=forward action=accept protocol=tcp dst-port=3389
17 ;;; VPN
chain=forward action=accept protocol=tcp dst-port=1723
18 ;;; Bloom
chain=forward action=accept protocol=tcp dst-port=8194-8294
19 chain=forward action=accept protocol=udp dst-port=48129-48137
20 ;;; ILO
chain=forward action=accept protocol=tcp dst-port=17988-17990
21 ;;; Hosting
chain=forward action=accept protocol=tcp dst-port=2083
22 chain=forward action=drop