80 port and others

Hello

I’m pretty new to MikroTik routers and would like to ask for some assistance:

Recently I bought an RB4011iGS+5HacQ2HnD-IN to replace my InnBox home router.

After configuring both v4 and v6 IP and everything, I noticed some changes:
I also have a website which uses port 80, and if I have the NAT port routing for port 80 to the server IP for the website enabled, some applications on my other PC won’t connect or work, for example Glyph for the game ArcheAge. But if I disable the NAT rule it starts to work.

The same happens for League of Legends: if I have ports 5222 and 5223 routed to a certain IP of the server, the LoL chat can’t connect. If I disable it, then it works fine.

I did not have those problems with my InnBox router that my ISP provided. I had the same ports routed to the ports and IP of the server, and at the same time all applications worked fine.

Can anyone tell me what I need to change?

Start with posting what exactly you have now. A common problem is a missing condition for the original destination, and the dstnat rule then applies not only to incoming, but also to outgoing traffic. But RouterOS offers many ways how you can misconfigure something, so it’s better to see what exactly it is, rather than guess.

In IP - Firewall - NAT I have created a simple rule:
In General:
chain: dstnat
dst port: 80

In action:
action: dst-nat
to address: server IP
to ports 80.

If this rule is enabled, the website will work, but the Glyph program on one of my PCs will show an error connecting. But if I disable the rule then the program starts working normally. The same goes for ports 5222 and 5223. They are similarly configured, only the to ports is to 3389. If it’s turned on the LoL chat won’t work, but if it’s off then it works.

Is there anything in NAT that I need to change or hove? Do you need any more information?

If you have:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=<server IP> to-ports=80

then it’s what I described: the condition is only for tcp and port 80, and it also matches outgoing traffic from LAN to internet. You need to limit it a little more. If you have a static public address, add dst-address= to dstnat rules. If you have a dynamic public address, use dst-address-type=local. You’ll also find out that the latter still blocks access to services on the router, e.g. if you’d want to access WebFig on default port 80 from LAN. You can fix that by adding dst-address=!<router’s LAN address>.

And one more small detail: when dst-port is the same as to-ports, you don’t need to add to-ports at all.
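
A small model of the dstnat matching described in the answer above, added here as an illustration and not part of the original thread: it shows which flows each rule variant rewrites. All addresses are constructed placeholders, and the matcher is a simplified Python stand-in for RouterOS, not its actual implementation.

```python
# Constructed addresses (assumptions, not taken from the thread)
WAN_IP = "203.0.113.10"        # router's static public address
ROUTER_LAN = "192.168.88.1"    # router's LAN address (WebFig on port 80)
SERVER = "192.168.88.10"       # internal web server behind the router
LOCAL = {WAN_IP, ROUTER_LAN}   # addresses the router owns (dst-address-type=local)

def matches(rule, pkt):
    """True if a TCP packet satisfies every matcher present in the rule."""
    if pkt["dst_port"] != rule["dst-port"]:
        return False
    addr = rule.get("dst-address")
    if addr is not None:
        negate = addr.startswith("!")
        # plain address must equal dst; "!address" must differ from dst
        if (pkt["dst"] == addr.lstrip("!")) == negate:
            return False
    if rule.get("dst-address-type") == "local" and pkt["dst"] not in LOCAL:
        return False
    return True

def dstnat(rule, pkt):
    """Destination address after the dstnat chain (rewritten only on a match)."""
    return SERVER if matches(rule, pkt) else pkt["dst"]

# The rule from the thread and the three corrections suggested in the answer.
RULES = {
    "original":       {"dst-port": 80},
    "static":         {"dst-port": 80, "dst-address": WAN_IP},
    "dynamic":        {"dst-port": 80, "dst-address-type": "local"},
    "dynamic+webfig": {"dst-port": 80, "dst-address-type": "local",
                       "dst-address": "!" + ROUTER_LAN},
}

# Constructed sample flows; dstnat sees traffic arriving from WAN and from LAN.
PACKETS = {
    "internet -> WAN:80":         {"dst": WAN_IP, "dst_port": 80},
    "LAN PC -> remote site:80":   {"dst": "198.51.100.7", "dst_port": 80},
    "LAN PC -> router WebFig:80": {"dst": ROUTER_LAN, "dst_port": 80},
}

def table():
    """Resulting destination for every (rule, flow) pair."""
    return {name: {flow: dstnat(rule, pkt) for flow, pkt in PACKETS.items()}
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, row in table().items():
        for flow, dst in row.items():
            print(f"{name:15} {flow:28} -> {dst}")
```

With the original rule every outbound port 80 connection from the LAN lands on the internal server, which is why the client applications failed; the same reasoning applies to the 5222 and 5223 rules.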

Instead of forcing Sob to guess, takes years off his life!! :stuck_out_tongue_winking_eye:
(unless you’re in his will)

Just post your config.
/export hide-sensitive file=anynameyouwish

Yes, I have a static IP and that seemed to work for me. When I input my WAN IP into dst. address the ports behave correctly.

Thank you :slight_smile: