Can't configure NAT to provide access to HTTP server

Hello, guys,
I am trying to configure Mikrotik to forward 80 and 443 to a host in my LAN.
the setup is like this:
42.42.42.42 - my public IP
69.69.69.69 - Mikrotik’s router WAN (ether1) IP (yep, I am behind the ISP’s NAT)
192.168.1.70 - Web server’s LAN IP.

I see that the port is open from the Internet and can even see that the packets are really being forwarded to the correct host:

may/28 01:21:50 firewall,info HTTP NAT dstnat: in:ether1 out:(unknown 0), src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40135->69.69.69.69:80, len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 52
may/28 01:21:50 firewall,info HTTP NAT dstnat: in:ether1 out:(unknown 0), src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40137->69.69.69.69:80, len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:21:51 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK,PSH), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 506
may/28 01:21:56 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:22:11 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK,FIN), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:22:11 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40

However, from the external machine, I see that the browser tries to access the LAN IP of the server (I tried to reach the public IP, but it always gets replaced with the internal one). It seems like I have to add some kind of masquerade srcnat rule to send the answer with the public or WAN IP. However, none of the manuals for dummies mention that.

In addition, I still don’t understand whether I should add a filter rule to accept TCP packets on 80 and 443, or whether the NAT rule is enough.

Here is the list of my enabled filter rules:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related
 3    ;;; Allow Http(s)
      chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=80,443 log=yes log-prefix="HTTP firewall"
 4    ;;; Allow L2TP
      chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="VPN:"
 5    ;;; Allow L2TP
      chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix=""
 6    ;;; Allow L2TP
      chain=input action=accept protocol=ipsec-ah in-interface=ether1 log=no log-prefix=""
 9    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="Drop input:"
11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related
12    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related
13    ;;; Allow VPN to LAN
      chain=forward action=accept src-address=192.168.1.0/24 in-interface=!ether1 out-interface=LAN log=no log-prefix=""
14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="Drop forward:"

And these are my NAT rules:

  0    ;;; defconf: masquerade
      chain=srcnat action=masquerade src-address=192.168.1.0/24 log=no log-prefix=""
 1    ;;; Allow Http(s)
      chain=dstnat action=dst-nat to-addresses=192.168.1.70 protocol=tcp in-interface=ether1 dst-port=80,443 log=yes log-prefix="HTTP NAT"
 3    ;;; L2TP
      chain=dstnat action=dst-nat to-addresses=42.42.42.42 protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix=""
 5    ;;; StrongDC_Station
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=24462-24465 protocol=tcp in-interface=ether1 dst-port=24462-24465 log=no log-prefix=""
 6    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

Please explain to me what I am missing (

And, yes, I have started with https://wiki.mikrotik.com/wiki/Hairpin_NAT with no luck (.

Your firewall filter rules are not the default ones (which accept all connections with connection-nat-state=dstnat, assuming that the actual filtering has been done by the action=dst-nat rules in NAT), but the rule chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=80,443 log=yes log-prefix="HTTP firewall" does the job. It is placed too early in chain=forward (before the action=accept connection-state=established,related one), but thanks to that, the log shows that the issue is not in the firewall - the TCP connection is correctly established and then correctly finished. So I’d assume the web server doesn’t accept the request at application level, i.e. it has nothing to do with the Mikrotik firewall.

NB, hairpin NAT is only necessary if you want a client in a LAN subnet to connect to a server which is in the same LAN subnet but using the public IP of the server and a dst-nat rule. This is not your case, so hairpin NAT is not necessary.
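The reading of the log in the reply above (SYN, then ACKs and a PSH, then FIN, all logged after the dst-nat translation) is a check worth scripting when a port forward "looks open" but the site does not work. The Python below is an added example, not code from the post, the forum or MikroTik: it parses RouterOS `firewall,info` lines of the layout shown in the post, groups them per client socket and reports whether each forwarded connection completed its handshake, so the router can be ruled in or out in one pass. The first eight sample lines are copied from the log above; the last two (client port 40140, port 443) are constructed to show what a SYN that never gets an answer looks like. The regex is tied to the exact layout in the post (TCP with log prefixes), which is an assumption; other RouterOS log formats are not handled.

```python
"""Reconstruct TCP flows from RouterOS 'firewall,info' log lines.

Added example, not code from the post or from MikroTik. The post's rules log
only the client->server direction (in-interface=ether1), so a client ACK after
its SYN is taken as proof that the server's SYN-ACK came back via the router.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the line layout shown in the post; other RouterOS formats are not handled.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>[^:]*?) ?(?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"(?:src-mac (?P<mac>[0-9a-f:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT (?P<nat_src>[\d.:]+)->\((?P<nat_pub>[\d.:]+)->(?P<nat_priv>[\d.:]+)\))?"
    r", len (?P<length>\d+)$"
)

@dataclass
class Flow:
    client: str                    # "src:port" as seen on the WAN side
    public: Optional[str] = None   # destination before dst-nat
    private: Optional[str] = None  # destination after dst-nat
    flags: List[str] = field(default_factory=list)  # forward-chain packets, in order
    nat_consistent: bool = True    # NAT mapping agrees with the forwarded destination

    @property
    def handshake_completed(self) -> bool:
        """SYN followed by any ACK from the client: it must have seen the SYN-ACK."""
        if "SYN" not in self.flags:
            return False
        return any("ACK" in f for f in self.flags[self.flags.index("SYN") + 1:])

    @property
    def sent_request(self) -> bool:
        return any("PSH" in f for f in self.flags)

    @property
    def closed(self) -> bool:
        return any("FIN" in f or "RST" in f for f in self.flags)

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def reconstruct_flows(lines) -> Dict[str, Flow]:
    flows: Dict[str, Flow] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        key = f"{rec['src']}:{rec['sport']}"
        flow = flows.setdefault(key, Flow(client=key))
        dst = f"{rec['dst']}:{rec['dport']}"
        if rec["chain"] == "dstnat":
            flow.public = dst          # pre-translation view of the packet
        elif rec["chain"] == "forward":
            flow.private = dst         # post-translation view
            flow.flags.append(rec["flags"] or "")
            if rec["nat_pub"] and flow.public is None:
                flow.public = rec["nat_pub"]
            if rec["nat_priv"] and rec["nat_priv"] != dst:
                flow.nat_consistent = False
    return flows

def verdict(flow: Flow) -> str:
    if not flow.nat_consistent:
        return "dst-nat mapping and forwarded destination disagree: check the NAT rule"
    if not flow.handshake_completed:
        return "SYN forwarded but no ACK followed: no reply came back through the router"
    steps = ["handshake completed through dst-nat"]
    if flow.sent_request:
        steps.append("request data sent")
    if flow.closed:
        steps.append("connection closed")
    return ", ".join(steps) + "; the firewall is not the problem, look at the server"

# First eight lines are copied from the post; the last two (client port 40140,
# port 443) are constructed: a SYN that never gets an answer.
SAMPLE_LOG = """\
may/28 01:21:50 firewall,info HTTP NAT dstnat: in:ether1 out:(unknown 0), src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40135->69.69.69.69:80, len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 52
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:21:50 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:21:51 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK,PSH), 94.19.144.57:40135->192.168.1.70:80, NAT 94.19.144.57:40135->(69.69.69.69:80->192.168.1.70:80), len 506
may/28 01:22:11 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK,FIN), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:22:11 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (ACK), 94.19.144.57:40137->192.168.1.70:80, NAT 94.19.144.57:40137->(69.69.69.69:80->192.168.1.70:80), len 40
may/28 01:23:00 firewall,info HTTP NAT dstnat: in:ether1 out:(unknown 0), src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40140->69.69.69.69:443, len 52
may/28 01:23:00 firewall,info HTTP firewall forward: in:ether1 out:LAN, src-mac 9c:37:f4:02:10:e7, proto TCP (SYN), 94.19.144.57:40140->192.168.1.70:443, NAT 94.19.144.57:40140->(69.69.69.69:443->192.168.1.70:443), len 52
"""

if __name__ == "__main__":
    for key, flow in reconstruct_flows(SAMPLE_LOG.splitlines()).items():
        print(f"{key} -> {flow.public} -> {flow.private}  [{' '.join(flow.flags)}]")
        print("    " + verdict(flow))
```

Run as-is it prints one verdict per client socket; for a live router, feed the lines from `/log print` (or a remote syslog copy) into `reconstruct_flows` instead of `SAMPLE_LOG`. The point of the `nat_consistent` check is that the `NAT a->(b->c)` field on each forward-chain line must agree with the packet's translated destination; when it does and the client keeps sending ACKs after its SYN, the forward itself works and the remaining suspect is whatever the server answers, such as a redirect to its own LAN address.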

Hi Sindy and thank you for the answer.
The server responds pretty well from the internal network. What really confuses me is that browsers from the outside (I test with a machine at the office via TeamViewer) try to reach the internal IP when the related rules are enabled, even though I put in my public IP.
I’ve moved the forwarding rule down under “accept established” with no luck.
BTW,
Which standard rule am I missing? I configured the router 5 years ago from scratch and can’t remember what I considered unsecured =)

Moving the rule down only causes less Mikrotik CPU to be spent on handling the packets. I wrote that the log you’ve posted shows that the Mikrotik firewall is not the reason why the server does not respond to requests coming from the internet, and that you must look for the reason on the server itself. What’s your native language?

Translation of the public address to the private one is the very purpose of the dst-nat rule. So if the browsers replace the public IP by the private one in the address line, the web server must be sending them a redirection.

Now I got it =). I will check my Apache configs. Thank you.