Форумчане приветствую, такая проблема не работает проброс портов. Возможно проблема в настройке firewall, посмотрел кучу форумов мануалов но решения так и не нашел - разрешающее правило есть, но работает только подключение по winbox. Где ошибка? Конфигурацию прилагаю: /interface ethernet set [ find default-name=ether1 ] name=ether1-inter set [ find default-name=ether2 ] name=ether2-local /ip neighbor discovery set ether1-inter discover=no /ip pool add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.254 add name=dhcp ranges=192.168.1.50-192.168.1.254 /ip dhcp-server add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=ether2-local lease-time=6d10m name=dhcp1 /interface l2tp-server server set caller-id-type=ip-address /ip address add address=X.X.X.X/17 comment=defconf interface=ether1-inter network=X.X.Y.Y add address=192.168.1.1/24 interface=ether2-local network=192.168.1.0 /ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 /ip dns set servers=8.8.8.8,8.8.3.3 /ip firewall address-list add address=192.0.0.0/24 list=BOGON add address=0.0.0.0/8 list=BOGON add address=10.0.0.0/8 list=BOGON add address=100.64.0.0/10 list=BOGON add address=127.0.0.0/8 list=BOGON add address=169.254.0.0/16 list=BOGON add address=172.16.0.0/12 list=BOGON add address=192.0.2.0/24 list=BOGON add address=192.168.0.0/16 list=BOGON add address=198.18.0.0/15 list=BOGON add address=198.51.100.0/24 list=BOGON add address=203.0.113.0/24 list=BOGON add address=224.0.0.0/4 list=BOGON add address=240.0.0.0/4 list=BOGON /ip firewall filter add action=accept chain=input comment="Allow SSH" dst-port=65522 in-interface=!ether1-inter protocol=tcp add action=accept chain=input comment="Allow HTTPS" dst-port=443 in-interface=!ether1-inter log=yes protocol=tcp add action=accept chain=input comment="Allow Winbox" dst-port=65521 in-interface=!ether1-inter log=yes protocol=tcp add action=accept chain=input comment="Allow cons" dst-port=50138 in-interface=!ether1-inter log=yes protocol=tcp add action=accept chain=input comment="Allow sbis" dst-port=50139 in-interface=!ether1-inter protocol=tcp add action=accept chain=input comment="Allow SNMP" dst-port=161 in-interface=!ether1-inter log=yes protocol=udp add action=accept chain=input comment="Allow GRE" in-interface=ether1-inter log=yes protocol=gre add action=accept chain=input connection-state=new dst-port=65521,50138,50139,443,65522 log=yes protocol=tcp add action=drop chain=input in-interface=ether1-inter src-address-list=BOGON add action=accept chain=input connection-state=established add action=accept chain=input connection-state=related add action=accept chain=input protocol=icmp add action=drop chain=input connection-state=new in-interface=!ether2-local add action=accept chain=forward connection-state=established add action=accept chain=forward connection-state=related add action=drop chain=forward connection-state=invalid add action=accept chain=ether2-local-ether1-inter add action=drop chain=ether1-inter-ether2-local add action=jump chain=forward in-interface=ether1-inter jump-target=ether1-inter-ether2-local out-interface=ether2-local add action=jump chain=forward in-interface=ether2-local jump-target=ether2-local-ether1-inter out-interface=ether1-inter add action=drop chain=input dst-port=53 in-interface=ether1-inter log=yes log-prefix=query_in_drop protocol=udp add action=drop chain=input dst-port=53 in-interface=ether1-inter protocol=tcp add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid add action=accept chain=input comment="Allow Established connections" connection-state=established add action=accept chain=input in-interface=ether1-inter src-address=192.168.0.0/24 add action=drop chain=input comment="Drop everything else" add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 protocol=icmp add action=accept chain=icmp comment="ICMP net unreachable" icmp-options=3:0 protocol=icmp add action=accept chain=icmp comment="ICMP host unreachable" icmp-options=3:1 protocol=icmp add action=accept chain=icmp comment="ICMP host unreachable fragmentation required" icmp-options=3:4 protocol=icmp add action=accept chain=icmp comment="ICMP allow source quench" icmp-options=4:0 protocol=icmp add action=accept chain=icmp comment="ICMP allow echo request" icmp-options=8:0 protocol=icmp add action=accept chain=icmp comment="ICMP allow time exceed" icmp-options=11:0 protocol=icmp add action=accept chain=icmp comment="ICMP allow parameter bad" icmp-options=12:0 protocol=icmp add action=drop chain=icmp comment="ICMP deny all other types" add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1 add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\ fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\ fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\ !fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners add action=drop chain=input comment="Drop everything else" in-interface=ether1-inter add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid add action=drop chain=forward comment="Drop new forward WAN" connection-state=new in-interface=ether1-inter add action=accept chain=forward disabled=yes dst-address=192.168.1.2 dst-port=3389 in-interface=!ether1-inter protocol=tcp add action=accept chain=forward disabled=yes dst-address=192.168.1.5 dst-port=443 in-interface=!ether1-inter protocol=tcp add action=accept chain=forward disabled=yes dst-address=192.168.1.12 dst-port=50139 in-interface=!ether1-inter protocol=tcp /ip firewall nat add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50138 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.2 to-ports=3389 add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50139 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.12 to-ports=50139 add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=443 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.5 to-ports=443 add action=masquerade chain=srcnat dst-address=192.168.1.2 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 add action=masquerade chain=srcnat dst-address=192.168.1.5 dst-port=443 protocol=tcp src-address=192.168.1.0/24 add action=masquerade chain=srcnat dst-address=192.168.1.12 dst-port=50139 protocol=tcp src-address=192.168.1.0/24 add action=masquerade chain=srcnat out-interface=ether1-inter add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=ether2-local protocol=udp add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-ports=8080 add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=50138 protocol=tcp to-addresses=192.168.1.2 to-ports=3389 add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=50139 protocol=tcp to-addresses=192.168.1.12 to-ports=50139 add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=443 protocol=tcp to-addresses=192.168.1.5 to-ports=443 /ip firewall service-port set ftp disabled=yes set tftp disabled=yes /ip route add distance=1 gateway=X.X.X.X /ip service set telnet disabled=yes set ftp disabled=yes set www address=192.168.1.0/24 disabled=yes set ssh port=65522 set api disabled=yes set winbox port=65521 set api-ssl disabled=yes /tool mac-server set [ find default=yes ] disabled=yes add interface=ether2-local /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=ether2-local
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50138 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.2 to-ports=3389 - восклицательный знак не нужен здесь.
add action=dst-nat chain=dstnat comment="rdp for disa-pc" dst-port=33185 protocol=tcp to-addresses=192.168.21.254 to-ports=3389 Вот точно работающее правило для перенаправления. Разберитесь с вашем farewall он у вас очень намудренный. Возьмите за основу фаервол по умолчанию, и добавьте в него то, что необходимо.
