Segítségeteket kérném a megfelelő tűzfal szabály létrehozásában. Az eszköz Mikrotik hAPac2. A port forward szabályom szerintem jó, legalábbis, ha meghívom a böngészőből látom a winboxban a byte-ok és a csomagok számát is nőni.
> ip firewall filter export
# feb/07/2023 10:25:00 by RouterOS 6.49.7
# software id = XQP8-1QZR
#
# model = RBD52G-5HacD2HnD
/ip firewall filter
add action=drop chain=input comment="Input filter a k\FCls\F5 DNS t\E1mad\E1sok ellen" dst-port=53 protocol=udp src-address=!192.168.0.0/16
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=192.168.5.0/24
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment=ProxmoxVE connection-nat-state="" connection-state=established,related dst-port=8006 protocol=tcp src-port=8006
add action=accept chain=input comment="Established connections" connection-state=established
add action=accept chain=input in-interface=!pppoe-digi src-address=192.168.0.0/24
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d10m chain=input comment="port scanners kiv\E9d\E9s\E9re" protocol=tcp \
psd=21,3s,3,1
add action=drop chain=input comment="drop blacklist input" src-address-list=blacklist
add action=drop chain=forward comment="drop blacklist forward" src-address-list=blacklist
add action=drop chain=input comment="Invalid csomagok eldob" connection-state=invalid
add action=drop chain=forward comment="Invalid csomagok eldob" connection-state=invalid
add action=drop chain=input comment="Input filter a k\FCls\F5 DNS t\E1mad\E1sok ellen" dst-port=53 protocol=udp src-address=!192.168.0.0/16
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=192.168.5.0/24
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="Established connections" connection-state=established
add action=accept chain=input in-interface=!pppoe-digi src-address=192.168.0.0/24
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d10m chain=input comment="port scanners kiv\E9d\E9s\E9re" protocol=tcp \
psd=21,3s,3,1
add action=drop chain=input comment="drop blacklist input" src-address-list=blacklist
add action=drop chain=forward comment="drop blacklist forward" src-address-list=blacklist
add action=drop chain=input comment="Invalid csomagok eldob" connection-state=invalid
add action=drop chain=forward comment="Invalid csomagok eldob" connection-state=invalid
Ugye a fentiekből a
add action=accept chain=forward comment=ProxmoxVE connection-nat-state="" connection-state=established,related dst-port=8006 protocol=tcp src-port=8006
sor lenne a releváns.
Még egy kis infó:
A
/ip firewall connection print detail
parancs releváns sora, tehát a NAT szabályom így néz ki.
C d protocol=tcp src-address=192.168.5.181:50460 dst-address=79.120.174.212:8006 reply-src-address=192.168.5.153:8006
reply-dst-address=192.168.5.181:50460 tcp-state=syn-sent timeout=4s orig-packets=1 orig-bytes=52 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps