An issue with web-server access from internet

I have two routers/networks: 192.168.0.0, which gets its uplink from the ISP, and 192.168.3.0, which is connected to 192.168.0.0 and on which the web server is running at 192.168.3.2. I can reach the web server from 192.168.0.0 but can’t from the internet. Though if I try to connect to my public IP it directs me to the MikroTik web interface on port 80. If I change the port of the MikroTik web interface to 8888 or disable it, I still can’t reach my web server. Disabling all default firewall filters changes nothing. It seems like there is some issue with NAT but I can’t figure it out. I tried to do something like this:

/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.0.103 to-port=80

which the MikroTik wiki suggests doing, and which is supposed to route everything that comes in on port 80 to 192.168.0.103; but with that set I still cannot connect from the internet. The same issue applies to SSH connections from outside: instead of connecting to the web server, they connect to the MikroTik SSH interface.
I have changed the ISP address to 10.10.10.10 and some other private details. The whole configuration is:

# may/19/2024 09:25:28 by RouterOS 6.49.15
# software id = 820W-TWDM
#
# model = RB760iGS
# serial number = ***
# Export from the first post. The poster states the real ISP address was
# replaced by 10.10.10.10 and other private details were changed.
/interface bridge
add admin-mac=F4:01:C5:2D:F3:21 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# ether1 is the only WAN member; the bridge (ether2-5, sfp1) is LAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=10.10.10.10/24 interface=ether1 network=10.10.10.0
# Static leases. "r2" (192.168.0.103) is the second router, identified later
# in the thread as a Cisco ISR4321 that fronts 192.168.3.0 and the web server.
# MAC addresses were stripped from the export, leaving dangling "mac-address=\".
/ip dhcp-server lease
add address=192.168.0.103 comment=r2 mac-address=\
add address=192.168.0.101 comment=Device2 mac-address=\
add address=192.168.0.100 comment=wifiAP mac-address=\
add address=192.168.0.102 comment=Device1 mac-address=\
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS on every interface.
# Only the input-chain "drop all not coming from LAN" rule below keeps this
# resolver unreachable from the WAN; the first post mentions disabling all
# default filters while testing, which would expose it as an open resolver.
/ip dns
set allow-remote-requests=yes servers=10.10.10.1,10.10.10.2
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# Unmodified RouterOS default filter set: input is closed to anything not
# arriving from the LAN list; forward from WAN only passes connections that
# were dst-nat'ed (last forward rule).
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards. All three match in-interface-list=WAN, so LAN-originated
# traffic to these ports is left alone.
add action=dst-nat chain=dstnat comment=NX dst-port=24048 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.0.102
# NOTE(review): /ip service www below also listens on 8080. dstnat is applied
# before the input chain, so WAN traffic to 8080 is forwarded to the second
# router rather than reaching the router's own web UI, but sharing the port
# makes the behaviour hard to reason about; use distinct ports.
add action=dst-nat chain=dstnat connection-type="" dst-port=8080 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.103 to-ports=80
# SSH is forwarded straight to 192.168.3.2, reached via the host route to
# 192.168.0.103 under /ip route. NOTE(review): replies from 192.168.3.2 come
# back through the second router; if that device translates or rewrites them,
# the connection-tracking entry created here will not match the return
# traffic — confirm the return path (a later reply raises the same suspicion).
add action=dst-nat chain=dstnat dst-address=10.10.10.10 dst-port=22 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.3.2 to-ports=22
/ip route
add distance=1 gateway=10.10.10.1
# Host route to the web server through the second router. scope=10 (static
# routes normally default to 30) lets this route resolve other routes'
# gateways; presumably intentional — confirm.
add comment="connecting ws01u to internet" distance=1 dst-address=\
    192.168.3.2/32 gateway=192.168.0.103 scope=10
# Management services: telnet, ftp, ssh, api and api-ssl disabled; www moved
# to 8080. www stays enabled and is shielded from the WAN only by the
# input-chain drop rule above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes port=22
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP is enabled. No /ip upnp interfaces entry appears in this
# export, so it may be inactive; if it is active, LAN hosts can open WAN
# ports on their own. Disable it unless something relies on it.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=DIR-100
# MAC-telnet and MAC-WinBox restricted to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I don’t see this subnet in your config??

Do you get a private IP from your ISP, aka are you connected to an ISP router and if so can you forward ports to your router from it?

This option allows access from the web server to the internet — doesn’t it work in both directions?

add comment="connecting ws01u to internet" distance=1 dst-address=\
    192.168.3.2/32 gateway=192.168.0.103 scope=10

The ISP is providing me a public IP address. I have recently switched to the MikroTik from a very old D-Link device, on which such access was supposed to be given by the “static routing” feature:

STATIC ROUTING

Interface 	            Destination 	Subnet Mask     	Gateway
WAN(10.10.10.10)    192.168.3.2    255.255.255.255    192.168.0.103

not sure how it could be translated to a MikroTik config.
Additionally the old router had this option called advanced port forwarding rules:

SSH-WS 192.168.0.103 22
www-WS 192.168.0.103 80

that has just two options - which port you want to route and in which direction; it allows connecting from the internet by SSH or web accordingly. This can be a NAT rule on the MikroTik, but it does not work the same way: as you see I have a NAT rule on the MikroTik that basically does the same thing, but it will not work.

Let me ask in another way, as I don’t think you are getting a public IP at all.

a. Check the WAN IP you get on the router (either you have to set this in IP address as provided by the ISP, or via IP DHCP client, or PPPoE client) — what is the WAN IP?

Compare this to
b. IP Cloud on the router, enable and see what IP you get.

c. Use web and find site whats my IP

Does A=B=C
or does
A≠B , A≠C, B=C

The 192.168.0.103:

add address=192.168.0.103 comment=r2 mac-address=\

is a second router?

It is A=B=C; if the www service is enabled I can connect to the router from the internet using this address, which would not be possible if it were a local IP, I guess.
But if I do this I just enter the web interface of the MikroTik itself instead of being routed further to 192.168.0.103, as this:

/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.0.103 to-port=80

instruction is supposed to help with.

Yes, it is. It is connected to the MikroTik, which is the first one; it has the network 192.168.3.0, and the web server is connected to its second interface and receives the 192.168.3.2 address.

Ahh thanks, now your first post makes more sense, jaclaz has a keener sense to suss out configs, I need network diagrams LOL.

What brand is the second router?

It is a Cisco ISR4321; currently it has no complicated firewall, it passes all traffic in both directions with no restrictions. I can access the web server from computers connected to the MikroTik, and I can ping any device in both networks from the web server. Will try to sketch some diagram…

Not that I know a lot of what I am talking about, but your dstnat rule seems to me incomplete/too wide, shouldn’t it have a dst-address?
But there must be something else, since there is a second router involved, maybe it is the “return path” that is a problem?
Your case seems to me similar to this one:
http://forum.mikrotik.com/t/nat-portforward-server-to-also-be-accessible-from-within-the-lan/149327/1
(though it is inverted).

The topic you shared kind of helped, but I still haven’t really understood the issue (thank you anyway ;D). With this firewall section I have added, access is starting to become available:

add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp \
    to-addresses=192.168.0.103 to-ports=80
add action=masquerade chain=srcnat dst-port=80 protocol=tcp to-ports=80

but things are very slow, sometimes I even get a timeout error. I assume this config is not good and should be improved; either traffic is looping somewhere or it is being dropped at some point. The weirdest thing for me is that if I specify the “in interface” ether1 (the actual WAN) or the “in interface list” WAN in the dst-nat line, I lose access.

Post again your (modified) configuration, maybe some member can spot the issue.
Usually a “wrong” configuration does not allow the connection at all; the fact that it somehow works, although intermittently/slowly, is rare.

What address has the connected port of the second router, can you ping it?

This route:

/ip route
add comment="connecting ws01u to internet" distance=1 dst-address=\
    192.168.3.2/32 gateway=192.168.0.103 scope=10

is a /32 are you sure you need/want that?
Or you want to have a route to the whole subnet, like?:

/ip route
add comment="connecting ws01u to internet" distance=1 dst-address=\
    192.168.3.0/24 gateway=192.168.0.103 scope=10

Adding the latest “working” config

# may/23/2024 21:03:52 by RouterOS 6.49.15
# software id = 820W-TWDM
#
# model = RB760iGS
# NOTE(review): the serial number was masked in the earlier export but is
# shown here; redact it before posting.
# serial number = HG60YTGD77F
# Latest "working" export. Differences from the first post are in
# /ip firewall nat, /ip route and the www service port.
/interface bridge
add admin-mac=D4:01:C5:2D:F3:21 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# ether1 is the only WAN member; the bridge (ether2-5, sfp1) is LAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=10.10.10.10/24 interface=ether1 network=10.10.10.0
# Static leases. "r2" (192.168.0.103) is the second router (Cisco ISR4321)
# that fronts 192.168.3.0 and the web server. MAC addresses were stripped
# from the export, leaving dangling "mac-address=\".
/ip dhcp-server lease
add address=192.168.0.103 comment=r2 mac-address=\
add address=192.168.0.101 comment=Device2 mac-address=\
add address=192.168.0.100 comment=wifiAP mac-address=\
add address=192.168.0.102 comment=Device1 mac-address=\
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS on every interface;
# only the input-chain "drop all not coming from LAN" rule below keeps it
# from being an open resolver on the WAN.
/ip dns
set allow-remote-requests=yes servers=10.10.10.12,10.10.10.13
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# Unmodified RouterOS default filter set: input is closed to anything not
# arriving from the LAN list; forward from WAN only passes connections that
# were dst-nat'ed (last forward rule).
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule has no in-interface-list, dst-address or
# src-address match, so it rewrites EVERY TCP/80 connection the router
# forwards — including LAN clients browsing external sites — to
# 192.168.0.103:80. Port-80 traffic from 192.168.0.103 or 192.168.3.x towards
# the internet is sent back to the web server, which would explain the
# slowness and timeouts reported with this config. Restrict it to the WAN
# address (e.g. dst-address=10.10.10.10, the placeholder used in this post).
# log=yes also writes a log entry for every matching connection.
add action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp \
    to-addresses=192.168.0.103 to-ports=80
# Masquerades all TCP/80 traffic on every out-interface, so the web server
# sees 192.168.0.1 as the client for every connection and its logs lose the
# real source addresses. NOTE(review): to-ports on a masquerade rule narrows
# the source-port range used for the translation; if it is honoured here it
# allows only one concurrent translated connection per destination, which
# could by itself cause the timeouts — remove to-ports and retest.
add action=masquerade chain=srcnat dst-port=80 protocol=tcp to-ports=80
/ip route
add distance=1 gateway=10.10.10.1
# Disabled experiment: would have sent traffic for 192.168.0.103 out the WAN
# gateway instead of the directly connected bridge.
add comment=test disabled=yes distance=1 dst-address=192.168.0.103/32 \
    gateway=10.10.10.1
# Host route to the web server through the second router. scope=10 (static
# routes normally default to 30) lets this route resolve other routes'
# gateways; presumably intentional — confirm.
add comment="connecting ws01u to internet" distance=1 dst-address=\
    192.168.3.2/32 gateway=192.168.0.103 scope=10
# Management services: telnet, ftp, ssh, api and api-ssl disabled; www moved
# to 8888. www stays enabled and is shielded from the WAN only by the
# input-chain drop rule above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set ssh disabled=yes port=22
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP is enabled. No /ip upnp interfaces entry appears in this
# export, so it may be inactive; if it is active, LAN hosts can open WAN
# ports on their own. Disable it unless something relies on it.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=DIR-100
# MAC-telnet and MAC-WinBox restricted to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The addresses of the interfaces are 192.168.3.1 on the web-server side and 192.168.0.103 on the MikroTik side. I can’t ping 192.168.3.1 from the MikroTik but can ping 192.168.3.2 (the web server itself); yes, if I go wider and route 192.168.3.0/24 I can ping the interface, but it does not make access from the internet any faster, unfortunately.