For port forwarding you have to create a separate rule for every port/IP combination anyway. There's no way around that, since that apparently doesn't work.
Yes, that's clear, but then I'd have to create a separate rule for every IP in the homelab. That doesn't seem sensible to me somehow with 254 possible clients.
Ah wait… do you have your link to the docs? MikroTik hairpin, if it's this one here (and it's a different one from the one I found the other day)
I had that one in before and it didn't work either
ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.141 out-interface=LAN protocol=tcp src-address=192.168.2.0/24
I've now thrown in both rules for testing
ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.141 out-interface=LAN protocol=tcp src-address=192.168.2.0/24
ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.141 out-interface=LAN protocol=udp src-address=192.168.2.0/24
At least the ping only goes up to 3600 now and no longer up to 300000
Edit: Celebrated too soon, it still goes up to over 9k depending on what happens in the game.
From outside everything is fine at a relaxed 11 ms on the test stack with a Fritz!Box on the same server; from inside also a relaxed 11 ms
With MikroTik >9000
Wait… everything is still missing there too.
This is the one
Blah blah to reach 20 characters.
No, you don't??
Only for the hosts you've set up port forwards to.
Yep, I have several of those, but yeah, that's not the solution either and I'm really at a loss
I just don't understand why some kind of ping builds up somewhere and doesn't get through.
What rules do you have now?
# 2025-03-28 19:22:10 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ####################
/interface bridge
add admin-mac=F4:1E:57:2A:33:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
1G-baseT-half,1G-baseT-full,2.5G-baseT rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether5 ] advertise=1G-baseT-half,1G-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
max-mru=1500 max-mtu=1500 name=telekom user=\
##################################
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h30m name=defconf
/ppp profile
add comment=MKController name=becon-profile-bd6f07fa use-encryption=yes
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=telekom list=WAN
add interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=172.31.0.1/24 comment=wg1 interface=*F network=172.31.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 client-id=1:b0:41:6f:e:98:51 mac-address=\
B0:41:6F:0E:98:51 server=defconf
add address=192.168.2.43 client-id=1:52:54:0:93:36:c1 mac-address=\
52:54:00:93:36:C1 server=defconf
add address=192.168.2.42 client-id=1:52:54:0:5b:1b:68 mac-address=\
52:54:00:5B:1B:68 server=defconf
add address=192.168.2.40 client-id=1:52:54:0:79:24:fb mac-address=\
52:54:00:79:24:FB server=defconf
add address=192.168.2.50 client-id=1:e4:5f:1:27:28:b2 mac-address=\
E4:5F:01:27:28:B2 server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
192.168.2.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.153
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
add address=192.168.2.43 regexp="^(.*\\.)\?home\\.dl-host\\.biz" type=A
/ip firewall address-list
add address=################################ comment=WAN-IP list=WAN-IP
add address=192.168.2.0/24 comment="Lan Subnet" list=LAN-subnet
add address=192.168.2.141 comment=Gameserver list=gameserver
add address=192.168.2.43 comment=Webserver list=webserver
add address=############################# comment="webserver wan" list=\
webserver
add address=################################ comment="gameserver WAN" list=\
gameserver
/ip firewall filter
add action=accept chain=input comment=MKController priority=0 src-address=\
10.8.0.1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
192.168.2.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" disabled=yes dst-address-list=WAN-IP \
new-connection-mark="Hairpin NAT" src-address-list=LAN-subnet
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin from Doku" dst-address=\
192.168.2.141 out-interface-list=LAN protocol=tcp src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat comment="Hairpin from Doku" dst-address=\
192.168.2.141 out-interface-list=LAN protocol=udp src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.43 dst-port=80 \
out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.43 dst-port=443 \
out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
protocol=udp to-addresses=192.168.2.141 to-ports=25565-25620
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25621-25710 \
log=yes log-prefix=gametcp protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25621-25710 \
log=yes log-prefix=gameudp protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27003 protocol=udp to-addresses=192.168.2.141 to-ports=27003
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27003 protocol=udp to-addresses=192.168.2.141 to-ports=27003
/ip service
set telnet address=192.168.2.0/24
set www address=192.168.2.0/24 disabled=yes
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl address=192.168.2.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=telekom type=external
/ipv6 address
add address=::1 from-pool=telekom.ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6 \
pool-prefix-length=56 rapid-commit=no request=prefix use-peer-dns=no
/ipv6 dhcp-server
add address-pool=telekom.ipv6 interface=bridge name=server1 prefix-pool=\
telekom.ipv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=######################### comment="WAN IPv& Bridge" list=\
WAN-V6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall nat
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=25565-25620 \
protocol=tcp to-address=fe80::b041:6f00:40e:9851/128
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=25565-25620 \
protocol=udp to-address=fe80::b041:6f00:40e:9851/128
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=27000-27050 \
protocol=tcp to-address=fe80::b041:6f00:40e:9851/128
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=27000-27050 \
protocol=udp to-address=fe80::b041:6f00:40e:9851/128
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=25621-25710 \
protocol=udp to-address=fe80::b041:6f00:40e:9851/128
add action=dst-nat chain=dstnat dst-address-list=WAN-V6 dst-port=25621-25710 \
protocol=tcp to-address=fe80::b041:6f00:40e:9851/128
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge other-configuration=\
yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system scheduler
add disabled=yes interval=1d name=backup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-03-25 start-time=01:13:44
add comment=MKController interval=1m30s name=resources-bd6f07fa on-event=":loc\
al accessToken \"bd6f07fa-11f4-4698-b817-97a6eef46062\";:local scriptVersi\
on \"1.0.12\";:local serialNumber \"\";:do {; :set serialNumber [/syste\
m routerboard get serial-number];} on-error={ :set serialNumber \"\"};;:lo\
cal ethernetMacAddress \"\";:do {; :set ethernetMacAddress [/interface \
ethernet get [/interface ethernet find default-name=ether1] mac-address ];\
} on-error={ :set ethernetMacAddress \"\"};;:local wanMacAddress \"\";:do \
{; :set wanMacAddress [/interface wireless get [/interface ethernet fin\
d default-name=wlan1] mac-address ];} on-error={ :set wanMacAddress \"\"};\
;:delay 1000ms;;:local cpuLoad [/system resource get cpu-load];:local tota\
lMemory [/system resource get total-memory];:local freeMemory [/system res\
ource get free-memory];:local totalDiskSpace [/system resource get total-h\
dd-space];:local freeDiskSpace [/system resource get free-hdd-space];:loca\
l fwVersion [/system resource get version];:local architeture [/system res\
ource get architecture-name];:local boardName [/system resource get board-\
name];:local publicIp [/ip cloud get public-address];:local voltage \"\";:\
local temperature \"\";:do {; :set temperature [/system health get valu\
e-name=temperature];} on-error={ :set temperature \"\"};;:local count [ip \
arp print count-only where !disabled];:delay 1000ms;;:local pppConected [/\
ppp active print count-only ];:local systemIdentity [/system identity get \
name] ;:local dhcpLeaseBound [:len [/ip dhcp-server lease find status=\"bo\
und\"]];:local ipArpStale [:len [/ip arp find where status=\"stale\"]];:do\
\_{; /resolve ovpn.mkcontroller.com; if ([/interface ovpn-client get\
\_\"mkcontroller-bd6f07fa\" value-name=connect-to] != \"ovpn.mkcontroller.\
com\") do={; /interface ovpn-client set \"mkcontroller-bd6f07fa\" c\
onnect-to=\"ovpn.mkcontroller.com\"; };} on-error={; /log info \"MKC\
ontroller status check ERROR - dns not working\"; if ([/interface ovpn-\
client get \"mkcontroller-bd6f07fa\" value-name=connect-to] = \"ovpn.mkcon\
troller.com\") do={; /interface ovpn-client set \"mkcontroller-bd6f\
07fa\" connect-to=\"ae7ddcb7076634e018cfd162fa7adaaa-83587a24a218f19c.elb.\
sa-east-1.amazonaws.com\"; };};:do {; /resolve bd6f07fa-11f4-4698-b81\
7-97a6eef46062.dns.mkcontroller.com server=18.230.87.42;} on-error={};:loc\
al mkdata \"serialNumber=\$serialNumberðernetMacAddress=\$ethernetMacAd\
dress&wanMacAddress=\$wanMacAddress&cpuLoad=\$cpuLoad&totalMemory=\$totalM\
emory&freeMemory=\$freeMemory&totalDiskSpace=\$totalDiskSpace&freeDiskSpac\
e=\$freeDiskSpace&fwVersion=\$fwVersion&deviceNumber=\$count&voltage=\$vol\
tage&temperature=\$temperature&pppConected=\$pppConected&systemIdentity=\$\
systemIdentity&scriptVersion=\$scriptVersion&publicIp=\$publicIp&architetu\
re=\$architeture&dhcpLeaseBound=\$dhcpLeaseBound&ipArpStale=\$ipArpStale&b\
oardName=\$boardName\";:delay 1000ms;;/tool fetch url=\"https://app.mkcont\
roller.com/mkcontroller-server/rest/device/bd6f07fa-11f4-4698-b817-97a6eef\
46062/hwDataV4\" http-method=post http-data=\"\$mkdata\" keep-result=no;:l\
ocal schedulerRunCount [/system scheduler get [/system scheduler find name\
=\"resources-bd6f07fa\"] run-count];:local schedulerCheck [(\$schedulerRun\
Count % 10)];:if (\$schedulerCheck = 0) do={:do {:local sshPort [/ip servi\
ce get ssh port];:local webfigPort [/ip service get www port];:local apiPo\
rt [/ip service get api port];:local ftpPort [/ip service get ftp port];:l\
ocal winboxPort [/ip service get winbox port];:local portHttpParams \"sshP\
ort=\$sshPort&webfigPort=\$webfigPort&apiPort=\$apiPort&ftpPort=\$ftpPort&\
winboxPort=\$winboxPort\";/tool fetch url=\"https://app.mkcontroller.com/m\
kcontroller-server/rest/device/bd6f07fa-11f4-4698-b817-97a6eef46062/device\
Ports\" http-method=post http-data=\"\$portHttpParams\" keep-result=no} on\
-error={};};" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-03-28 start-time=03:32:13
add comment=MKController interval=1h name=portStatus-bd6f07fa on-event=":local\
\_mkUrl \"https://app.mkcontroller.com/mkcontroller-server/rest/device/dev\
icePortStatusDisabled/bd6f07fa-11f4-4698-b817-97a6eef46062\";:local sshPor\
t \"\";:local wwwPort \"\";:local apiPort \"\";:local winboxPort \"\";:loc\
al ftpPort \"\";:local portHttpParams \"\";:do {;:set sshPort value=[/ip s\
ervice get ssh disabled];} on-error={;/log error \"MKController - error wh\
ile setting ssh port\";};:do {;:set wwwPort value=[/ip service get www dis\
abled];} on-error={;/log error \"MKController - error while setting www po\
rt\";};:do {;:set apiPort value=[/ip service get api disabled];} on-error=\
{;/log error \"MKController - error while setting api port\";};:do {;:set \
winboxPort value=[/ip service get winbox disabled];} on-error={;/log error\
\_\"MKController - error while setting winbox port\";};:do {;:set ftpPort \
value=[/ip service get ftp disabled];} on-error={;/log error \"MKControlle\
r - error while setting ftp port\";};:do {;:set portHttpParams value=\"ssh\
Port=\$sshPort&webfigPort=\$wwwPort&apiPort=\$apiPort&winboxPort=\$winboxP\
ort&ftpPort=\$ftpPort\";} on-error={;/log error \"MKController - error whi\
le setting http params\";};:do {;/tool fetch url=\"\$mkUrl\" http-method=p\
ost http-data=\"\$portHttpParams\" keep-result=no;} on-error={;/log error \
\"MKController - unable to post port status data\";};" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-03-28 start-time=03:32:09
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
p\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=yes down-script="" host=192.168.2.141 http-codes="" test-script=\
"" type=simple up-script=""
/tool sniffer
set filter-ip-address=192.168.2.141/32
That's the current config… it's growing a bit of course because I'm also setting up WireGuard right now
Could you please export just the firewall rules? This is terribly annoying like this.
Um, I only know the export command
Ok got it
# 2025-03-28 22:39:56 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ##################
/ip firewall address-list
add address=################## comment=WAN-IP list=WAN-IP
add address=192.168.2.0/24 comment="Lan Subnet" list=LAN-subnet
add address=192.168.2.141 comment=Gameserver list=gameserver
add address=192.168.2.43 comment=Webserver list=webserver
add address=################# comment="webserver wan" list=\
webserver
add address=################ comment="gameserver WAN" list=\
gameserver
/ip firewall filter
add action=accept chain=input comment=MKController priority=0 src-address=\
10.8.0.1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
192.168.2.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" disabled=yes dst-address-list=WAN-IP \
new-connection-mark="Hairpin NAT" src-address-list=LAN-subnet
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin from Doku" dst-address=\
192.168.2.141 out-interface-list=LAN protocol=tcp src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat comment="Hairpin from Doku" dst-address=\
192.168.2.141 out-interface-list=LAN protocol=udp src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.43 dst-port=80 \
out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.43 dst-port=443 \
out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
protocol=udp to-addresses=192.168.2.141 to-ports=25565-25620
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25621-25710 \
log=yes log-prefix=gametcp protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25621-25710 \
log=yes log-prefix=gameudp protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27003 protocol=udp to-addresses=192.168.2.141 to-ports=27003
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=27003 protocol=udp to-addresses=192.168.2.141 to-ports=27003
Morning,
Why exactly are the rules for the 27000 ports partly in there twice?
Once as a range and once individually for the first 4?
Also, I wouldn't set an outgoing list in the SRC-NAT rules…
And in general I'd first throw out all the FW rules you don't use at all, the ones created by the "defconf". It's so cluttered…
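An added audit script (not from the thread, not from MikroTik) that parses a NAT export in the format posted above and reports the two things raised here: dst-nat rules that duplicate an earlier rule, and forwarded targets/ports for which no enabled srcnat rule masquerades LAN clients (the hairpin case). The embedded export is a constructed, trimmed copy of the posted one; the LAN subnet 192.168.2.0/24 is taken from the thread.

```python
import ipaddress
import re
import shlex

LAN_NET = ipaddress.ip_network("192.168.2.0/24")  # LAN subnet used in the thread

# Constructed sample: a trimmed copy of the '/ip firewall nat' export format above.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin from Doku" dst-address=\
    192.168.2.141 out-interface-list=LAN protocol=tcp src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.43 dst-port=80 \
    out-interface-list=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000 protocol=udp to-addresses=192.168.2.141 to-ports=27000
"""

def parse_nat_rules(export_text):
    """Return the '/ip firewall nat' rules as key/value dicts, in export order."""
    joined = re.sub(r"\\\n\s*", "", export_text)  # undo RouterOS line wrapping
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):  # section header such as '/ip firewall nat'
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex strips the "..." quoting
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def port_set(spec):
    """'80', '27000-27050' or '500,4500' -> set of ports; empty -> all ports."""
    if not spec:
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_duplicate_rules(rules):
    """(earlier, later) index pairs of rules that are identical apart from comment."""
    seen, dups = {}, []
    for i, rule in enumerate(rules):
        key = tuple(sorted((k, v) for k, v in rule.items() if k != "comment"))
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups

def hairpin_gaps(rules, lan_net=LAN_NET):
    """Per enabled dst-nat rule: (index, target, proto, low, high) of ports no LAN hairpin covers."""
    hairpins = [s for s in rules
                if s.get("chain") == "srcnat" and s.get("action") in ("masquerade", "src-nat")
                and s.get("disabled") != "yes" and "dst-address" in s and "src-address" in s
                and lan_net.subnet_of(ipaddress.ip_network(s["src-address"], strict=False))]
    gaps = []
    for i, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat" or r.get("disabled") == "yes":
            continue
        target = ipaddress.ip_address(r["to-addresses"])
        missing = port_set(r.get("dst-port"))
        for s in hairpins:  # subtract every hairpin rule matching this target and protocol
            if s.get("protocol") in (None, r.get("protocol")) and \
                    target in ipaddress.ip_network(s["dst-address"], strict=False):
                missing -= port_set(s.get("dst-port"))
        if missing:
            gaps.append((i, str(target), r.get("protocol"), min(missing), max(missing)))
    return gaps
```

Run it against a full `/ip firewall nat export` and every reported gap is a LAN client hitting the WAN address for a port whose reply would come straight from the server instead of back through the router.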
They're disabled, and I had them active for debugging… it's just easier to debug when only the traffic I'm interested in goes through there.
Why shouldn't you set lists in srcnat? Just so I understand? Because those are the rules from the docs. Only the bridges are in the list anyway.
I've adjusted it and tested it though, but it makes no difference to my problem
Then you'd really have to start looking with WireGuard / tcpdump / packet sniffer to see what goes where and what doesn't.
Phew, I'd be up for that, but honestly I'm not a network admin or a pro
You said that already.
Do you maybe have some useful material I could read up on that would actually help? Everything I've found so far didn't seem helpful to me
Not really, off the top of my head.
Hmm, then I'll probably never be able to solve my problem. As good as the router is and as much as you can do with it, if even something as simple as a port forward doesn't work without a huge delay, then it gets really difficult.
I also find it really hard to imagine that nobody here has a similar scenario running somehow, but oh well, let's see if I find anything else. Thanks for the help up to here in any case.
I don't understand it either, since it works for me with the same rules.
You have another router in front of it, don't you?