Let's say I'm not generally very knowledgeable with quite a few networking concepts (at least yet) and coming from something like OpenWrt to something like RouterOS, which doesn't really hold your hand with much at all, I had some struggles. So yeah, note down the things I want to do, maybe I will help someone in a similar situation to me.
I will write the "instructions" as terminal commands just because it's easier than doing screenshots or anything. But essentially it's easy to figure out how to interpret those commands when using Winbox or Webfig.
I hope I'm not looking like an idiot writing these. Now let's go.
Just forwarding a port (DSTNAT rule)
/ip/firewall/nat/add \
    chain=dstnat protocol=[tcp/udp/anything] dst-port=[port] in-interface=[WAN interface] \
    action=dst-nat to-addresses=[ip to forward to] to-ports=[port]
Hairpin NAT / loopback rule
For starters, the NAT rule to achieve this, looping back the whole LAN subnet so you never have to think about it, looks like this:
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
But now the already existing DSTNAT rules (added as the above) have to be changed for this to work. Using an in-interface isn't going to work with this so in some way or another a destination address would have to be specified, which is supposed to be your public IP address.
For convenience you'll add a firewall address list with your public IP:
/ip/firewall/address-list/add address=[WAN IP] list=wanip
If you have a static public IP then just put that as the [WAN IP].
For a dynamic IP, what I personally did was just put one domain on which I have set up DDNS already beforehand as [WAN IP]. If a domain name is specified there then it will simply be resolved; which is convenient, isn't it?
And now remove the in-interface field from all the DSTNAT rules and in place add
That should do it. But there is another method of getting your public IP dynamically in this forum post.
I LOVE NAT <3
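Why both changes are needed, as a small Python trace added here (not part of the original post, and a simplified model rather than RouterOS itself): it follows a LAN client connecting to the public IP through the dstnat and srcnat steps. The addresses 203.0.113.10, 192.168.88.1, 192.168.88.50 and 192.168.88.10, the mode names and the function name are made up for illustration.

```python
import ipaddress

# Constructed sample values: 203.0.113.10 stands in for the public IP,
# 192.168.88.1 is assumed to be the router's address on the LAN bridge.
LAN = ipaddress.ip_network("192.168.88.0/24")
WAN_IP, ROUTER_LAN_IP = "203.0.113.10", "192.168.88.1"
CLIENT, SERVER = "192.168.88.50", "192.168.88.10"
WANIP_LIST = {WAN_IP}  # models the "wanip" firewall address list

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def lan_client_reaches_server(dstnat_match, hairpin_masquerade):
    """Trace a LAN client's connection to WAN_IP and return the outcome."""
    src, dst, in_iface = CLIENT, WAN_IP, "bridge"

    # dstnat chain: the rule matches on in-interface or on the wanip list.
    if dstnat_match == "in-interface":
        matched = in_iface == "wan"   # LAN traffic arrives on the bridge
    else:                             # "wanip-list"
        matched = dst in WANIP_LIST
    if not matched:
        return "no dstnat match: packet ends at the router itself"
    dst = SERVER

    # srcnat chain: the hairpin masquerade rule (LAN source, LAN destination).
    if hairpin_masquerade and in_lan(src) and in_lan(dst):
        src = ROUTER_LAN_IP

    # The server answers whatever source address it saw.
    if src == CLIENT:
        # Same subnet: the reply goes straight to the client, skipping the
        # router, so nothing rewrites its source back to WAN_IP.
        reply_src = SERVER
    else:
        # The reply returns to the router, whose connection tracking
        # undoes both translations.
        reply_src = WAN_IP
    if reply_src != WAN_IP:
        return f"reply from {reply_src} dropped: client expected {WAN_IP}"
    return f"connected; server logged peer {src}"

if __name__ == "__main__":
    for mode, hairpin in [("in-interface", True), ("wanip-list", False), ("wanip-list", True)]:
        print(mode, hairpin, "->", lan_client_reaches_server(mode, hairpin))
```

The last case also shows a side effect of the masquerade rule: for hairpinned connections the server's logs show the router's LAN address rather than the real client.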
Setting IPv6 for a PPPoE internet connection
To mention, my internet provider gives a /64 IPv6 pool, nothing dirty, nothing silly. So these settings are made for that.
Before going any further, you may not have any default firewall rules for the IPv6 part... so let's go add those. You can basically do /system default-configuration print, search for the "/ipv6 firewall" part, copy and paste it into the terminal.
Ok, now, well, first you will want to enable IPv6 functionality duh
Set up neighbor discovery: it has one interface by default set to "all", we'll disable that and set another one for the LAN (in my case
/ipv6/nd/set numbers=0 disabled=yes
/ipv6/nd/add interface=bridge
Add a dhcp client on the PPPoE interface (my interface is
/ipv6/dhcp-client/add interface=pppoe-out1 add-default-route=yes pool-name=pool6 request=address,prefix
Now you should look at the status of that. It should be searching for a couple of seconds then show as bound. If it doesn't (and it did in my case and I had to dumbly troubleshoot this for a while..) go to PPP and restart your pppoe interface (just disable and enable it or something).
And finally, for some reason, the address the dhcp entry adds automatically has advertising off by default. So delete the address (under /ipv6/address/) which has the interface as the LAN bridge and has a public address range, then re-add it like so:
/ipv6/address/add interface=bridge address=::1/64 from-pool=pool6 advertise=yes
And that should be it!
By the way, I took some inspiration from this GitHub gist. That bit of script seems to be unnecessary, at least these days with the current version of RouterOS and up, it seems to behave correctly without it too, so yeah.
- Script that reads all local host names and makes static local DNS entries with them. Because I am lazy. I've seen the mention of a script for this online so yeah.
- Allow a port for an ipv6 address, analog to forwarding a port for ipv4
- Offload setup with 2 WAN connections