miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 11:09 am

Dear all,
I have a web server on Debian 11 which is accessible on port 443 in the browser.
Locally it is accessible from all my LAN computers.
But I want to access it with a public IP.
I have a port forward for 443, but it is not working even though I see packets coming in on this rule.
It is not accessible from the web.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 11:22 am

Can you please share the config, instead of posting screenshots?
/export file=anynameyoulike
Make sure to remove serial and any other private information (like public IP).

Are your other port forwards working?
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 1:24 pm

Can you please share the config, instead of posting screenshots?
/export file=anynameyoulike
Make sure to remove serial and any other private information (like public IP).

Are your other port forwards working?
Please help me in this regard.
Thanks


/interface bridge
add name=Bridge_LAN
add name="Bridge_LAN Central Park"
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface pppoe-client
add disabled=no interface=ether1_WAN name=PPPoE_PTCL user=abc

/ip pool
add name=dhcp_pool ranges=192.168.110.11-192.168.110.250
/ip dhcp-server
add address-pool=dhcp_pool interface=Bridge_LAN name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=VPN
/interface bridge port
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=192.168.110.1/24 interface=Bridge_LAN network=192.168.110.0
add address=192.88.16.1/24 interface=Bridge_LAN network=192.88.16.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.110.101 always-broadcast=yes comment="Windows 10 Laptop" \
mac-address=74:70:FD:1D:CE:23
add address=192.168.110.102 always-broadcast=yes comment="Windows 11 Laptop" \
mac-address=74:E5:F9:D1:59:F2
/ip dhcp-server network
add address=192.168.110.0/24 dns-server=192.168.110.1,8.8.8.8,8.8.4.4 \
gateway=192.168.110.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.110.3 name=airavenue.contegris.com
/ip firewall filter
add action=accept chain=input comment="Router Access Remotely" dst-port=\
4477,4478 protocol=tcp
add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
Bridge_LAN protocol=tcp
add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
Bridge_LAN protocol=udp
add action=drop chain=input comment="Block Attack" dst-port=\
25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" \
src-address-list="Port Scanners"
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.110.0/24
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=4481 \
protocol=tcp to-addresses=192.168.110.101 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=4482 \
protocol=tcp to-addresses=192.168.110.102 to-ports=3389
add action=dst-nat chain=dstnat comment="Web Server" dst-address=\
xx.xx.xx.xx dst-port=447 protocol=tcp to-addresses=192.168.110.103 \
to-ports=443
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PPPoE_PTCL routing-table=main \
suppress-hw-offload=no

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4478
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox port=4477
set api-ssl disabled=yes

/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="Air Avenue"
/system note
set show-at-login=no
/tool romon
set enabled=yes
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 2:36 pm

May I ask who took care of this firewall?
You might want to consider bringing it back to default...that saves a lot of time analyzing the problems you run into.

While we are at it...if you place the export in between code tags </>, your post will become more readable.

Will update my answer with recommendations while reading the config.
  • Remove "Bridge_LAN Central Park"
  • Remove "add address=192.88.16.1/24 interface=Bridge_LAN network=192.88.16.0"
  • /ip firewall filter
    add action=accept chain=input comment="Router Access Remotely" dst-port=\
    4477,4478 protocol=tcp
    add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
    Bridge_LAN protocol=tcp
    add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
    Bridge_LAN protocol=udp


    Why? Think you don't want to become a DNS server for the web!? And remote access to the router (what service??)...don't! Winbox access through WAN...never! Port obfuscation...no security at all!
  • add action=drop chain=input comment="Block Attack" dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
    add action=drop chain=input comment="Block Attack" dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp


    You already allowed DNS access above, why block it here!?
I'm done, perhaps @anav or @mkx (or any other firewall expert) want to take the opportunity to optimize this crap.
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 3:00 pm

May I ask who took care of this firewall?
You might want to consider bringing it back to default...that saves a lot of time analyzing the problems you run into.

While we are at it...if you place the export in between code tags </>, your post will become more readable.

Will update my answer with recommendations while reading the config.
  • Remove "Bridge_LAN Central Park"
  • Remove "add address=192.88.16.1/24 interface=Bridge_LAN network=192.88.16.0"
  • /ip firewall filter
    add action=accept chain=input comment="Router Access Remotely" dst-port=\
    4477,4478 protocol=tcp
    add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
    Bridge_LAN protocol=tcp
    add action=accept chain=input comment="Web Allow" dst-port=53 in-interface=\
    Bridge_LAN protocol=udp


    Why? Think you don't want to become a DNS server for the web!? And remote access to the router (what service??)...don't! Winbox access through WAN...never! Port obfuscation...no security at all!
  • add action=drop chain=input comment="Block Attack" dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
    add action=drop chain=input comment="Block Attack" dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp


    You already allowed DNS access above, why block it here!?
I'm done, perhaps @anav or @mkx (or any other firewall expert) want to take the opportunity to optimize this crap.
I have all the DNS for accessing the web server on my LAN,
and I have blocked DNS on the WAN port
because it was consuming my internet speed (DNS attack).
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 3:05 pm

Now I see...it is allowed only via bridge.

Still...please consider going back to defaults (which will protect you a lot better) or even better...block everything at the end of both the input and forward chains. Just be aware to allow everything you want explicitly.

You are aware that you do not have any filter rules on the forward chain?
 
peterda
newbie
Posts: 40
Joined: Mon Jan 18, 2021 11:51 am
Location: Norway

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 3:16 pm

Is it intentional that you want to forward 443 to 447?

add action=dst-nat chain=dstnat comment="Web Server" dst-address=\
xx.xx.xx.xx dst-port=447 protocol=tcp to-addresses=192.168.110.103 \
to-ports=443

Ignore if intentional :lol:
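Added example (not from any post in this thread): the two points raised above, the dstnat rule listening on 447 instead of 443 and the export having no forward-chain filter at all, written as RouterOS rules. It reuses the names from the posted export (PPPoE_PTCL, Bridge_LAN, 192.168.110.0/24, web server 192.168.110.103); xx.xx.xx.xx stays a placeholder, and matching on in-interface rather than dst-address is an assumption based on the enabled IP cloud DDNS, which suggests the PPPoE address is dynamic.

```routeros
# Added example, not part of the thread. Names taken from the posted export;
# the WAN-side match uses in-interface because the public IP is assumed dynamic.

/ip firewall nat
# Public-side port must be the one the browser uses (443), not 447.
add chain=dstnat action=dst-nat comment="Web Server" in-interface=PPPoE_PTCL \
    protocol=tcp dst-port=443 to-addresses=192.168.110.103 to-ports=443
add chain=srcnat action=masquerade out-interface=PPPoE_PTCL \
    src-address=192.168.110.0/24

/ip firewall filter
# Forward chain: the export has none, so every forwarded packet is accepted.
# Allow replies, drop invalid, allow LAN outbound, allow only traffic that
# was actually dst-natted from the WAN side, then drop the rest.
add chain=forward action=accept connection-state=established,related \
    comment="forward: established/related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: invalid"
add chain=forward action=accept in-interface=Bridge_LAN \
    comment="forward: LAN to anywhere"
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=PPPoE_PTCL \
    comment="forward: only port-forwarded inbound"
add chain=forward action=drop comment="forward: drop everything else"

# Input chain: close it explicitly instead of relying on no rule matching.
# These belong AFTER any accept rules you still want; rule order matters.
add chain=input action=accept connection-state=established,related \
    comment="input: established/related"
add chain=input action=drop connection-state=invalid comment="input: invalid"
add chain=input action=accept in-interface=Bridge_LAN \
    comment="input: LAN management and DNS"
add chain=input action=drop comment="input: drop everything else"
```

With the final drop in place, any service such as Winbox or WWW that is not accepted earlier in the input chain becomes unreachable from the WAN, which is the behaviour erlinden recommends; check the rule order in /ip firewall filter print before applying from a remote session.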
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: Access local web server with public IP with 443 port. 443 Port Forwarded not working

Tue Aug 29, 2023 3:34 pm

Is it intentional that you want to forward 443 to 447?

add action=dst-nat chain=dstnat comment="Web Server" dst-address=\
xx.xx.xx.xx dst-port=447 protocol=tcp to-addresses=192.168.110.103 \
to-ports=443

Ignore if intentional :lol:
Also tried changing the port NATing, but could not.
