Hello,
I installed ssl for my webserver. When I use https protocol, it throws an error, “Unable to connect to server”. The ssl server test from ssllabs.com, says “If failed to connect to the server, it usually happens due to firewall restrictions.” I added the following 2 NAT rules for ssl, which has port of 443.
Obviously, something goes wrong here. Please help me.
I would expect something like this:
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.10.X to-ports=443
Can you explain the meaning of your rules?
You can see that the rule has some hits. So if it’s just a copy of rule for port 80 (which I assume works) and only the number is different, then this one must work too and the problem is probably elsewhere (server’s own firewall for example).
/export hide-sensitive file=anynameyouwish
A full view of the config is best to determine what may be blocking the traffic.
to erlinden
I added the last two rules (3 and 4) for port 443. The third rule is exactly what you wrote, and the fourth rule is for the local connection to the server.
to Sob
Yes, I copied rules for port 80, only changed port number to 443. My web server’s firewall is open for port 443.
problem443.rsc (7.7 KB)
to Anav
I exported the configuration of the router as you suggested. Here it is.
Do you test it from LAN? Rule for port 80 has in-interface-list=all (which is useless, because it always matches, so you don’t need to add it at all), but for 443 you have in-interface-list=WAN, so it will work only from internet.
(1) /ip address
add address=192.168.100.1/24 comment=defconf interface=ether2 network=
192.168.100.0
should be
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=
192.168.100.0
(2) I don’t understand your destination nat rules.
Do you have a fixed WANIP (static) if so the dstnat rules are normally in the format
add action=dst-nat chain=dstnat dst-address=fixedWANIPaddress dst-port=80
protocol=tcp to-addresses=192.168.100.4 to-ports=80 (note: dont need to-port if same as dst-port)
If you have a dynamic IP the usual setup as follows
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=80
protocol=tcp to addresses=192.168.100.4
(3) In terms of source nat rules, did you want to be able to reach servers from users on the same LAN as the server but via your wanip address (loopback) vice simply using the LANIP of the server??
In the meantime keep this rule its default and cant go wrong.
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
However the other two sourcnat rules makes no sense to me and you should describe what you are trying to accomplish with them