You have to make decisions and design your network.
On ether1 which is connected to your ISP you should define a smaller network.
e.g. /30 (to tell the truth, it is much easier if you request one more smaller range from your ISP than splitting what you have now).
So on ether1 10.10.10.192/30, your gw is 10.10.10.193 and 10.10.10.194/30 is your IP (on the mikrotik, ether1).
You then ask your ISP to route
- 10.10.10.196/30
- 10.10.10.200/29
- 10.10.10.208/28
to the address 10.10.10.194 and to set up the same /30 netmask on their side as you did on yours.
Then on ether2 you configure one (or more) of the address ranges seen above. On this interface you don't do any NAT. You set up the pool according to the address ranges configured on the interface.
On ether3 you configure private addresses as you wish. The examples you provided seem fine. Here you set up MASQUERADE, and this is the only place you have NAT.
And what was wrong with your original setup?
- You should not assign /32 networks the way you did.
- The ISP will address all as being on the same network; however, this is not the case.
- You do not do SNAT and DNAT at the same time on an interface. In this case you only do SNAT, which alters the source address. When the packets come back, the netfilter subsystem remembers what it did and will automatically do the reverse transformation. (MASQUERADE is a special case of SNAT.)
EDIT: If you do not want to involve your ISP in this, then you do the same and enable proxy-arp; this is well described here: http://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP
The FTP config is actually looking into the FTP data to see the 530 code. You'll want to adapt the SSH config, not the FTP config. Try this:
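A RouterOS configuration that implements the layout described in this answer, added here as an example and not the answer author's own config. The public addresses are the ones from the answer; the /29 is the range chosen for ether2 (any of the three routed ranges would do), 192.168.88.0/24 is an assumed private range for ether3 (the original question's ranges are not shown here), and the pool and DHCP server names are assumed.

```routeros
# ether1: the /30 link to the ISP. The router is .194, the ISP gateway is .193.
/ip address add address=10.10.10.194/30 interface=ether1 comment="ISP link"
/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.193

# ether2: one of the ranges the ISP routes to 10.10.10.194 (here the /29).
# No NAT on this interface: hosts carry their real public addresses.
/ip address add address=10.10.10.201/29 interface=ether2 comment="public LAN"
/ip pool add name=pub-pool ranges=10.10.10.202-10.10.10.206
/ip dhcp-server add name=dhcp-pub interface=ether2 address-pool=pub-pool disabled=no
/ip dhcp-server network add address=10.10.10.200/29 gateway=10.10.10.201

# ether3: private addresses (assumed range), the only place with NAT.
/ip address add address=192.168.88.1/24 interface=ether3 comment="private LAN"
/ip pool add name=priv-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=dhcp-priv interface=ether3 address-pool=priv-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1

# MASQUERADE (a special case of SNAT) only for the private range leaving via ether1.
# The public /29 behind ether2 is deliberately not matched by this rule.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=masquerade comment="NAT for private LAN only"

# Alternative from the EDIT: if the ISP does not route the ranges to .194, let the
# router answer ARP for them on the ISP side instead (uncomment to use):
# /interface ethernet set ether1 arp=proxy-arp
```

The srcnat rule is restricted by src-address on purpose: a bare `out-interface=ether1 action=masquerade` would also rewrite traffic from the public /29 on ether2, which is exactly the NAT the answer says should not happen there.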
/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop \
comment="drop rdp brute forcers" disabled=no
add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage3 action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=10d comment="stage3 -> blacklist for 10 days" disabled=no
add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage2 action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=1m comment="stage2 -> stage3" disabled=no
add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage1 \
action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m comment="stage1 -> stage2" disabled=no
add chain=forward protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list \
address-list=rdp_stage1 address-list-timeout=1m comment="any new attempt -> stage1" disabled=no
What this config actually does is, for each incoming attempt, add the IP address to a list. The first time it gets added to stage1; then, if the IP is still in stage1 (after a minute) and another attempt is made, it gets added to stage2, and after it does this two more times it is added to the rdp_blacklist list, where it actually gets blocked for 10 days.
If you want it to be more or less aggressive you can change the list timeouts, or even add more lists if you so desire.
You can add a list of these to allow specific IP ranges only:
/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address=192.168.0.0/24 action=accept
add chain=forward protocol=tcp dst-port=3389 src-address=10.10.0.1/32 action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop
Just add as many of the src-address lines as you need ahead of the final drop line.
If you have a LOT of ranges, you can create an address-list and reference that using this:
/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_acceptlist action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop
And then add your addresses to the rdp_acceptlist. To add to the rdp_acceptlist, use the following command:
/ip firewall address-list add list=rdp_acceptlist address=192.168.0.0/24
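The staged lists and the accept-list from this answer combined into one ordered filter set, as an added example and not the answer author's configuration. Putting the accept-list rule ahead of the staging rules means trusted sources never accumulate list entries, and a passthrough `action=log` rule records each source at the moment it is about to be blacklisted, so the event shows up in /log. The list names and the 192.168.0.0/24 range come from the answer; the log prefix and comments are my own.

```routeros
/ip firewall filter
# 1. Trusted sources never touch the staging lists.
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_acceptlist action=accept \
    comment="trusted RDP sources"
# 2. Already-blacklisted sources are dropped before anything else is evaluated.
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop \
    comment="drop rdp brute forcers"
# 3. Log the attempt that promotes a source from stage3 to the blacklist.
#    action=log is passthrough, so the next rule still sees the packet.
add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage3 \
    action=log log-prefix="rdp-blacklist" comment="log promotion to blacklist"
# 4. Escalation chain, most advanced stage first. add-src-to-address-list is also
#    passthrough, so a packet keeps walking the later rules.
add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage3 \
    action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=10d \
    comment="stage3 -> blacklist"
add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage2 \
    action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=1m \
    comment="stage2 -> stage3"
add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage1 \
    action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m \
    comment="stage1 -> stage2"
add chain=forward protocol=tcp dst-port=3389 connection-state=new \
    action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m \
    comment="any new attempt -> stage1"

/ip firewall address-list
add list=rdp_acceptlist address=192.168.0.0/24 comment="admin LAN (from the answer)"
```

Two things to keep in mind when reading the result in `/ip firewall address-list print`: a source appears in several stage lists at once, because each new attempt refreshes the lower stages as well as promoting to the next one, and the attempt that causes the promotion to rdp_blacklist is itself still forwarded; only the following packets from that source are caught by rule 2.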
Best Answer
Unfortunately, Mikrotik RouterOS does not support acting as an HTTPS proxy. Also, if you check further, it does not have any options for SSL certificates regarding its proxy.
You can use Linux/squid or Microsoft ISA / TMG for the HTTPS scenario.
If you want, Mikrotik has an HTTP proxy with authentication in IP > Web Proxy.