Connection Reset Errors

NOTE: I FOUND THE REAL ISSUE AND IT IS DETAILED IN MY REPLY TO MY OWN POST BELOW

I have an Apache2 web server behind my RB4011 (10.74.2.10) and I am trying to resolve an issue. Whenever an external user attempts to upload files or perform certain actions on a hosted web site, they get a “connection reset error.” After several days of researching, I found that the issue is apparently with the firewall settings on my RB4011. Here are the relevant config lines:

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.60 dst-port=80 log=yes \
    log-prefix=pub protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.60 dst-port=443 log=yes \
    log-prefix=spub protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat comment="SSH to Web Server" \
    dst-address=XX.YY.ZZ.60 dst-port=22 protocol=tcp to-addresses=10.74.2.10

The server runs Let’s Encrypt for all websites, and all are configured to require SSL.

The LAN goes out onto the internet as XX.YY.ZZ.11, but the web server goes out as XX.YY.ZZ.60.

Can someone tell me what I’ve done incorrectly here and help me fix it, please?

I realized that the issue is that the web server is not sending traffic from the right public IP, so the connection breaks during certain web/SSL operations.

My RB4011 is configured with 5 public IPs assigned by my ISP:

  • xx.yy.zz.11 (default public IP)
  • xx.yy.zz.50 – to be used only by 10.74.2.8
  • xx.yy.zz.55 – to be used only by 10.74.2.9
  • xx.yy.zz.60 – to be used only by 10.74.2.10
  • xx.yy.zz.73 – to be used only by 10.74.2.11
  • xx.yy.zz.74 – to be used only by 10.74.2.12

I have been reading the Mikrotik documentation and following advice from various forum threads marked as solved, but nothing seems to work.

These are my current /routing table, /ip firewall filter, /ip firewall mangle, /ip firewall nat, /ip route, and /routing rule settings:

/routing table
add comment="Z.50" disabled=no fib name=X50
add comment="Z.55" disabled=no fib name=X55
add comment="Z.60" disabled=no fib name=X60
add comment="Z.73" disabled=no fib name=X73
add comment="Z.74" disabled=no fib name=X74

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=X50 \
    passthrough=no src-address=10.74.2.8
add action=mark-connection chain=prerouting new-connection-mark=X55 \
    passthrough=no src-address=10.74.2.9
add action=mark-connection chain=prerouting new-connection-mark=X60 \
    passthrough=no src-address=10.74.2.10
add action=mark-connection chain=prerouting new-connection-mark=X73 \
    passthrough=no src-address=10.74.2.11
add action=mark-connection chain=prerouting new-connection-mark=X74 \
    passthrough=no src-address=10.74.2.12

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=80 \
    protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=443 \
    protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=22 \
    protocol=tcp to-addresses=10.74.2.10

/ip route
add comment="X.50" disabled=no distance=4 dst-address=0.0.0.0/0 \
    gateway=xx.yy.zz.50 routing-table=X50 suppress-hw-offload=no
add comment="X.55" disabled=no distance=4 dst-address=0.0.0.0/0 \
    gateway=xx.yy.zz.55 routing-table=X55 suppress-hw-offload=no
add comment="X.60" disabled=no distance=4 dst-address=0.0.0.0/0 \
    gateway=xx.yy.zz.60 routing-table=X60 suppress-hw-offload=no
add comment="X.73" disabled=no distance=4 dst-address=0.0.0.0/0 \
    gateway=xx.yy.zz.73 routing-table=X73 suppress-hw-offload=no
add comment="X.74" disabled=no distance=4 dst-address=0.0.0.0/0 \
    gateway=xx.yy.zz.74 routing-table=X74 suppress-hw-offload=no

/routing rule
add action=lookup-only-in-table disabled=no src-address=10.74.2.8 table=X50
add action=lookup-only-in-table disabled=no src-address=10.74.2.9 table=X55
add action=lookup-only-in-table disabled=no src-address=10.74.2.10 table=X60
add action=lookup-only-in-table disabled=no src-address=10.74.2.11 table=X73
add action=lookup-only-in-table disabled=no src-address=10.74.2.12 table=X74
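A small audit script for the situation the reply above describes: a host that is the target of dst-nat rules from one public IP, but whose own outbound traffic is only covered by the catch-all masquerade rule and therefore leaves from the router's primary WAN address. This is an added example, not code from the poster or from MikroTik; it reads a RouterOS `/ip firewall nat` export (the sample below is constructed from the post, with the same redacted public IPs) and reports every dst-nat target that has no `action=src-nat` rule translating its source back to the same public IP. The function names `parse_rules` and `missing_src_nat` are hypothetical.

```python
import re
import shlex

# Constructed sample: the /ip firewall nat section as posted above (public IPs redacted).
NAT_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=80 \
    protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=443 \
    protocol=tcp to-addresses=10.74.2.10
add action=dst-nat chain=dstnat dst-address=xx.yy.zz.60 dst-port=22 \
    protocol=tcp to-addresses=10.74.2.10
"""


def parse_rules(export: str) -> list[dict]:
    """Join backslash-continued lines and turn each 'add k=v ...' line into a dict."""
    joined = re.sub(r"\\\n\s*", " ", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):  # shlex keeps comment="a b c" as one token
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def missing_src_nat(rules: list[dict]) -> dict[str, str]:
    """Map internal host -> public IP for dst-nat targets lacking a matching src-nat rule."""
    # Hosts that receive inbound connections on a specific public IP.
    inbound = {r["to-addresses"]: r["dst-address"]
               for r in rules
               if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
               and "to-addresses" in r and "dst-address" in r}
    # (host, public IP) pairs that already have an explicit outbound translation.
    outbound = {(r.get("src-address"), r.get("to-addresses"))
                for r in rules
                if r.get("chain") == "srcnat" and r.get("action") == "src-nat"}
    return {host: pub for host, pub in inbound.items() if (host, pub) not in outbound}


if __name__ == "__main__":
    for host, pub in missing_src_nat(parse_rules(NAT_EXPORT)).items():
        print(f"{host}: inbound arrives on {pub}, outbound falls through to masquerade")
```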