Firewall – Use MikroTik Bridge as a Public IP Firewall for Public Hosted Servers

Tags: bridge, filter, firewall, mikrotik

We want to do this:

Internet <-> MikroTik in Bridge Mode with Firewall Filter <-> Hosted Server

  1. The primary objective is to allow RDP and FTP in from the outside but block everything else from the outside. From the inside everything must go out.

  2. The problem we are running into is that once we add these rules, blocking outside-to-inside works, but now the hosted server cannot access anything on the outside. The return TCP/IP traffic from the outside is not on port 3389 or port 80, but on random ports.

/interface bridge filter> pr

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept ICMP for PING
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=icmp

1 ;;; Accept FTP Transfer Port
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=20 ip-protocol=tcp

2 ;;; Accept FTP Control Port
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=21 ip-protocol=tcp

3 ;;; Accept RDP
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=3389 ip-protocol=tcp

4 ;;; Log everything that is about to get dropped
chain=forward action=log mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp log-prefix="firewall_drop"

5 ;;; Drop everything
chain=forward action=drop mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp

Just FYI bridge is set to use firewall and connection tracking is on.
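The symptom in the question (the server's own outbound connections die because their replies arrive on random ports) is what a stateless, port-based rule set produces. Since the bridge is already set to use the IP firewall and connection tracking is on, bridged IP traffic also traverses /ip firewall filter, where rules can match on connection state instead of on ports. The following is an added example of such a stateful rule set; it is not the poster's configuration. It assumes RouterOS v6 syntax, keeps 196.x.x.x as the masked server address from the question, and assumes the default ftp service-port helper so that FTP data channels are classified as related.

```routeros
# Added example, not the poster's configuration.
# Assumes RouterOS v6 syntax; 196.x.x.x is the masked server address from the question.

# Hand bridged IP packets to /ip firewall so connection-state matchers are available
/interface bridge settings set use-ip-firewall=yes
/ip firewall connection tracking set enabled=yes

# The ftp helper (enabled by default) tracks FTP data channels as "related",
# so no separate rule for port 20 or passive-mode ports is needed.
/ip firewall service-port set ftp disabled=no

# Rules are evaluated top to bottom; the first match wins.
/ip firewall filter
# 1. Replies to connections the server opened arrive on arbitrary source ports;
#    accept them by tracked state, not by port.
add chain=forward connection-state=established,related action=accept comment="Accept return traffic of tracked connections"
add chain=forward connection-state=invalid action=drop comment="Drop packets belonging to no known connection"
# 2. New connections from the outside: only the published services.
add chain=forward connection-state=new dst-address=196.x.x.x protocol=icmp action=accept comment="Accept ICMP for PING"
add chain=forward connection-state=new dst-address=196.x.x.x protocol=tcp dst-port=21 action=accept comment="Accept FTP control port"
add chain=forward connection-state=new dst-address=196.x.x.x protocol=tcp dst-port=3389 action=accept comment="Accept RDP (consider adding src-address-list= to limit who may reach it)"
# 3. Anything the server itself initiates towards the internet.
add chain=forward connection-state=new src-address=196.x.x.x action=accept comment="Allow the server out"
# 4. Everything else aimed at the server: log, then drop.
add chain=forward dst-address=196.x.x.x action=log log-prefix="firewall_drop"
add chain=forward dst-address=196.x.x.x action=drop
```

After applying it, `/ip firewall connection print` should show the server's outbound sessions being tracked, and `/log print where message~"firewall_drop"` shows only unsolicited inbound traffic, not the server's own replies. The original bridge filter rules from the question can then be disabled, since a port-based drop in the bridge chain would still discard the return traffic before the stateful rules see it.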

Best Answer

I suggest using a local IP subnet for your server and having a private LAN between the MikroTik (router) and the server. Also have the MikroTik directly on the public IP. Then do IP src-nat for outgoing traffic (from the server to the internet). All incoming traffic should be port forwarded (dst-nat). Also, you can use the normal layer-3 IP firewall and disable the layer-3 firewall for the layer-2 / bridge network.
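A worked version of the routed layout this answer describes, as an added example and not the answerer's configuration. All values are assumed: ether1 faces the internet and carries the public address 196.x.x.x/24 (masked as in the question) with gateway 196.x.x.1, ether2 is a private LAN 192.168.88.0/24, and the server sits at 192.168.88.10. The bridge and its filter rules are no longer involved, so the port-forwarded services are the only paths from the internet to the server.

```routeros
# Added example of the routed design, not the answerer's configuration.
# Assumed values: ether1 = internet, 196.x.x.x/24 public (masked), gateway 196.x.x.1;
# ether2 = private LAN 192.168.88.0/24; server = 192.168.88.10.

/ip address
add address=196.x.x.x/24 interface=ether1 comment="Public IP on the router itself"
add address=192.168.88.1/24 interface=ether2 comment="Private LAN towards the server"
/ip route add dst-address=0.0.0.0/0 gateway=196.x.x.1

/ip firewall connection tracking set enabled=yes
# ftp helper so FTP data channels are NATed and tracked as "related"
/ip firewall service-port set ftp disabled=no

/ip firewall nat
# Outgoing: server -> internet leaves with the router's public address
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=src-nat to-addresses=196.x.x.x
# Incoming: only the published services are forwarded to the server
add chain=dstnat in-interface=ether1 dst-address=196.x.x.x protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.88.10 to-ports=3389 comment="RDP"
add chain=dstnat in-interface=ether1 dst-address=196.x.x.x protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.88.10 to-ports=21 comment="FTP control"

/ip firewall filter
# forward chain: traffic through the router (internet <-> server)
add chain=forward connection-state=established,related action=accept comment="Return traffic, any port"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 src-address=192.168.88.0/24 action=accept comment="Server out to the internet"
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat action=accept comment="Only connections that matched a dst-nat rule"
add chain=forward in-interface=ether1 action=log log-prefix="firewall_drop"
add chain=forward in-interface=ether1 action=drop
# input chain: the router now holds the public IP, so protect its own services too
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether2 action=accept comment="Management from the private LAN"
add chain=input in-interface=ether1 protocol=icmp action=accept comment="PING to the public IP"
add chain=input in-interface=ether1 action=drop comment="No router management from the internet"
```

With this layout the server has no public address at all; `/ip firewall connection print` shows each forwarded session with its translated addresses, and anything reaching ether1 that did not match a dst-nat rule is logged with the `firewall_drop` prefix and discarded. The bridge filter rules from the question, and `use-ip-firewall` on the bridge, are not needed once the server is on the routed private LAN.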