Mikrotik block and allow traffic flow

Dirty Harry101

Hey guys

I need to set up my MikroTik where I block all traffic, so no funny browsing and whatnot, but I need to allow RDP connections going out of the network. So network -> MTK -> ISP -> to remote server.

My brain can't function enough to know where to start, ha ha. I tried to drop all outgoing, and locked myself out, lol. I am back in, but need some sort of idea where to start.

Thank you
 
IP > Firewall

First, create a rule to allow only TCP/3389, interface out (perhaps destination 0.0.0.0/0 would be a wise addition).
Then another rule, action deny, interface out = WAN connection (keeping in mind this will block EVERYTHING, including UDP traffic, so no DNS).

IN THAT ORDER

 
Thanks will try that.

That's fine, just want to test for now. How would I add DNS then?
 
Your rule order is important, i.e. if you drop all before the allow rule, the allow rule will not work.
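A first-match walk-through of the ordering advice above, added here as an example and not taken from any post in the thread: it parses a constructed rule set written in the same export syntax the thread uses, puts the allow rules for DNS and RDP above a catch-all drop in the forward chain (the chain that transit traffic from LAN hosts passes through), and then shows the same rules with the drop moved to the top. The WAN interface name ether1, the resolver port and the rule comments are assumptions for this example.

```python
import shlex

# Constructed rule set in RouterOS export syntax (assumed WAN interface: ether1).
ALLOW_THEN_DROP = """
/ip firewall filter
add action=accept chain=forward comment="keep existing sessions" connection-state=established,related
add action=accept chain=forward comment="DNS out" dst-port=53 out-interface=ether1 protocol=udp
add action=accept chain=forward comment="RDP out" dst-port=3389 out-interface=ether1 protocol=tcp
add action=drop chain=forward comment="drop everything else leaving the WAN" log-prefix=forward_drop out-interface=ether1
"""

# Same rules with the catch-all drop moved above the allows (the order that locks you out).
_lines = ALLOW_THEN_DROP.strip().splitlines()
DROP_THEN_ALLOW = "\n".join([_lines[0], _lines[-1], *_lines[1:-1]])

# Matchers this toy evaluator understands; a comma-separated value means "any of".
MATCH_KEYS = ("chain", "protocol", "dst-port", "out-interface", "connection-state")


def parse_rules(export: str) -> list[dict]:
    """Turn 'add key=value ...' lines into dicts, skipping disabled rules."""
    rules = []
    for line in export.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips the '/ip firewall filter' header
        rule = {}
        for token in shlex.split(line[4:]):  # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules


def _matches(rule: dict, packet: dict) -> bool:
    for key in MATCH_KEYS:
        if key not in rule:
            continue  # a matcher that is not set means "any"
        if str(packet.get(key, "")) not in rule[key].split(","):
            return False
    return True


def evaluate(export: str, packet: dict) -> tuple[str, str]:
    """First matching rule wins; with no match RouterOS accepts the packet."""
    for rule in parse_rules(export):
        if _matches(rule, packet):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (implicit accept)"


def lan_to_wan(protocol: str, dst_port: int) -> dict:
    """A new connection from a LAN host leaving via the WAN interface."""
    return {"chain": "forward", "protocol": protocol, "dst-port": dst_port,
            "out-interface": "ether1", "connection-state": "new"}


if __name__ == "__main__":
    for name, export in (("allow-then-drop", ALLOW_THEN_DROP),
                         ("drop-then-allow", DROP_THEN_ALLOW)):
        print(name)
        for proto, port in (("tcp", 3389), ("udp", 53), ("tcp", 443)):
            print(f"  {proto}/{port}: {evaluate(export, lan_to_wan(proto, port))}")
```

With the allows on top, RDP and DNS leave and web traffic hits the logged drop; with the drop on top, nothing leaves, which is exactly the lockout described in the first post.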
 
/ip firewall filter
add action=drop chain=forward comment="Block VW" disabled=yes layer7-protocol=\
VWClub protocol=tcp src-address=192.168.2.0/24
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to \
support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
\_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=\
!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
3h chain=forward comment="Add Spammers to the list for 3 hours" \
connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=accept chain=forward comment="Allow Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" dst-port=443 \
layer7-protocol=Facebook protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.68
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.89
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.15
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.68
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=tcp src-address=192.168.2.65
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=accept chain=output disabled=yes dst-port=4949 out-interface=ether8 \
protocol=tcp
add action=accept chain=output disabled=yes dst-port=3389 out-interface=ether8 \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input disabled=yes protocol=udp src-port=53
add action=drop chain=forward disabled=yes
 
I changed the order of your firewall rules and added a return rule.

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input disabled=yes protocol=udp src-port=53
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=output disabled=yes dst-port=4949 out-interface=ether8 protocol=tcp
add action=accept chain=output disabled=yes dst-port=3389 out-interface=ether8 protocol=tcp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=forward comment="Allow Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" dst-port=443 layer7-protocol=Facebook protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.68
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.89
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.15
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.68
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.65
add action=drop chain=forward comment="Block VW" disabled=yes layer7-protocol=VWClub protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=return chain=ICMP
 
I have added 4 new rules.
Two will drop any invalid packets received:
add action=drop chain=input comment="drop invalid input" connection-state=invalid
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
Drop all inputs that haven't been allowed:
add action=drop chain=input comment="drop not allowed inputs" log-prefix=input_drop
Drop all forwards that haven't been allowed:
add action=drop chain=forward comment="drop not allowed forwards" log-prefix=forward_drop

/ip firewall filter
add action=drop chain=input comment="drop invalid input" connection-state=invalid
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input disabled=yes protocol=udp src-port=53
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="drop not allowed inputs" log-prefix=input_drop
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=output disabled=yes dst-port=4949 out-interface=ether8 protocol=tcp
add action=accept chain=output disabled=yes dst-port=3389 out-interface=ether8 protocol=tcp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=forward comment="Allow Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" dst-port=443 layer7-protocol=Facebook protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.68
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.89
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.15
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.68
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.65
add action=drop chain=forward comment="Block VW" disabled=yes layer7-protocol=VWClub protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes
add action=drop chain=forward comment="drop not allowed forwards" log-prefix=forward_drop
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=return chain=ICMP
 
The filter is what you gave me; both are posted below.
I noticed that if I print, it only shows up to rule #7, not any further?

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=\
tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment=\
"Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT_ADDRESS LIST" disabled=yes dst-port=8291 \
protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input protocol=udp src-port=53
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=output dst-port=4949 out-interface=ether8 protocol=tcp
add action=accept chain=output protocol=tcp src-port=3389
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 \
dst-port=25,587 limit=30/1m,5:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=forward comment="Allow Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" dst-port=443 layer7-protocol=Facebook protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.68
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.89
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.15
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.68
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.65
add action=drop chain=forward comment="Block VW" disabled=yes layer7-protocol=VWClub protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube protocol=udp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=return chain=ICMP

/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=443 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=196.15.170.130 dst-port=4949 protocol=tcp to-addresses=196.15.170.130 to-ports=4949
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat dst-address=154.117.185.86 dst-port=8080 protocol=tcp to-addresses=192.168.2.96 to-ports=8080
add action=dst-nat chain=dstnat dst-address=41.0.237.170 dst-port=8080 protocol=tcp to-addresses=192.168.2.96 to-ports=8080
add action=dst-nat chain=dstnat dst-address=154.117.185.86 dst-port=23 protocol=tcp to-addresses=192.168.2.96 to-ports=23
add action=dst-nat chain=dstnat dst-address=41.0.237.170 dst-port=23 protocol=tcp to-addresses=192.168.2.96 to-ports=23
add action=dst-nat chain=dstnat dst-address=154.117.185.86 dst-port=3389 protocol=tcp to-addresses=192.168.2.4 to-ports=3389
add action=dst-nat chain=dstnat dst-address=41.0.237.170 dst-port=3389 protocol=tcp to-addresses=192.168.2.4 to-ports=3389
add action=dst-nat chain=dstnat dst-address=154.117.185.86 dst-port=3390 protocol=tcp to-addresses=192.168.2.7 to-ports=3389
add action=dst-nat chain=dstnat dst-address=41.0.237.170 dst-port=3390 protocol=tcp to-addresses=192.168.2.7 to-ports=3389
add action=dst-nat chain=dstnat dst-address=154.66.208.246 dst-port=3390 protocol=tcp to-addresses=192.168.2.7 to-ports=3389
add action=dst-nat chain=dstnat dst-address=41.0.237.170 dst-port=37777-37778 protocol=tcp to-addresses=192.168.2.109 to-ports=37777-37778
 

Move your masquerade rule to the top of the list and add your outgoing interface to that rule.
Disable all the other rules under NAT, just for testing.
 