Confused why NAT not working..

RouterOS Beginner Basics
1

Hi guys, a noob here and hope you all can help me figure out why I can’t reach my internal network with a dst-nat


  • I am trying to reach 192.168.100.11 on port 80 from the internet
  • it is the only device on vlan 100

My router config below

# feb/14/2021 23:23:33 by RouterOS 7.1beta4
# software id = CHTQ-UP81
#
# model = RB760iGS
/interface vlan
add interface=ether3 name=DMZ_VLAN vlan-id=100
add interface=ether2 name=LAN_VLAN vlan-id=10
/ip pool
add name=LAN_POOL ranges=192.168.10.100-192.168.10.200
add name=DMZ_POOL ranges=192.168.100.20-192.168.100.30
add name=BACKUP_POOL ranges=192.168.88.10-192.168.88.15
/ip dhcp-server
add address-pool=LAN_POOL disabled=no interface=LAN_VLAN name=LAN_DHCP_SERVER
add address-pool=DMZ_POOL disabled=no interface=DMZ_VLAN name=DMZ_DHCP_SERVER
add address-pool=BACKUP_POOL disabled=no interface=ether4 name=BACKUP_NETWORK
/ip address
add address=192.168.10.1/24 interface=LAN_VLAN network=192.168.10.0
add address=192.168.100.1/24 interface=DMZ_VLAN network=192.168.100.0
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.10,1.1.1.1 gateway=192.168.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=1.1.1.1 gateway=192.168.100.1
/ip firewall address-list
add address=192.168.10.0/24 list=LAN_ADDRESS_VLAN
add address=192.168.100.0/24 list=DMZ_ADDRESS_VLAN
/ip firewall filter
add action=accept chain=input comment="Accept all connections establish, related, and untracked" connection-state=established,related,untracked connection-type="" log=yes log-prefix=INPUT-EST_RELATED_UNTRACKED
add action=accept chain=input comment="PING OUTSIDE -> IN" log=yes log-prefix=ICMP_FROM_OUT protocol=icmp
add action=drop chain=input comment="DROP INVALID CONNECTION" connection-state=invalid log=yes log-prefix=DROP_INVALID
add action=accept chain=forward comment="ACCEPT ESTABLISHED, RELATED, UNTRACKED - FORWARD" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP INVALID - FORWARD" connection-state=invalid log=yes log-prefix=INVALID_FORWARD
add action=accept chain=forward comment="ALLOW FORWARD OUT TO WEB" out-interface=ether1
add action=accept chain=forward comment="ALLOW FROM LAN_VLAN TO DMZ_VLAN" dst-address-list=DMZ_ADDRESS_VLAN src-address-list=LAN_ADDRESS_VLAN
add action=drop chain=forward comment="LAST RULE - DROP ALL ELSE FORWARD"
add action=drop chain=input comment="Drop all packets from outside" in-interface=ether1 log=yes log-prefix=DROP-ALL
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 log=yes log-prefix=wekan protocol=tcp to-addresses=192.168.100.10 to-ports=80[
/ip service
set www-ssl disabled=no

Any help would be appreciated

2

THe issue is not clear to me as I would not configure it the way you have but it may be hidden in the firewall rules…
They are kinda like the default but not quite and the additions/modification suck (sorry tdw :stuck_out_tongue_winking_eye: )
Suggest from this…

/ip firewall filter
add action=accept chain=input comment="Accept all connections establish, related, and untracked" connection-state=established,related,untracked connection-type="" log=yes log-prefix=INPUT-EST_RELATED_UNTRACKED
add action=accept chain=input comment="PING OUTSIDE -> IN" log=yes log-prefix=ICMP_FROM_OUT protocol=icmp
add action=drop chain=input comment="DROP INVALID CONNECTION" connection-state=invalid log=yes log-prefix=DROP_INVALID
add action=drop chain=input comment="Drop all packets from outside" in-interface=ether1 log=yes log-prefix=DROP-ALL
add action=accept chain=forward comment="ACCEPT ESTABLISHED, RELATED, UNTRACKED - FORWARD" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP INVALID - FORWARD" connection-state=invalid log=yes log-prefix=INVALID_FORWARD
add action=accept chain=forward comment="ALLOW FORWARD OUT TO WEB" out-interface=ether1
add action=accept chain=forward comment="ALLOW FROM LAN_VLAN TO DMZ_VLAN"dst-address-list=DMZ_ADDRESS_VLAN src-address-list=LAN_ADDRESS_VLAN
add action=drop chain=forward comment="LAST RULE - DROP ALL ELSE FORWARD"


To this
Forward Chain.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
disabled=yes in-interface-list=!LAN

Forward chain…
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept in-interface-list=LAN out-interface=WAN comment=“Allow LAN to WAN traffic”
add action=accept in-interface=vlan10 out-interface=vlan100 comment=“Allow LAN users to access DMZ”
***add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat connection-state=new in-interface=WAN
add action=drop chain=forward comment=“Drop all else”

*** Looks like you were missing the firewall rule for port forwarding.

PS… ensure you do have something like this in the config!!
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
and
/interface list member
add comment=defconf interface=eth1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan100 list=LAN

3

Thank you for this. I am going to try this in a little bit. Its been a busy weekend with work.

Also I tried moving my machine I want port forwarded to a different ether5 with no vlan and i still couldn’t port forward.

I don’t know if this an issue with mikrotik or my machine

4

I think the show stopper is that firewall filter does not include rule which actually allows DST-NATed connections. Constructing DST-NAT rules is not enough in Mikrotik world (mind that this has its merits). Default configuration has a rule (the last in list) which combines allowing dst-nat-ed connections and dropping the rest. In your context, you need a rule like this:

/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1

and move it to penultimate place (above the “drop everything else from outside” rule).

Another thing which strikes me odd (but might be just fine) is that you have VLAN 100 tagged over ether3 … which means some other device (either a switch or the server itself) has to deal with tagged frames. If router can ping server @192.168.100.10 (and vice versa), then this is fine though.