Hi, everyone!
I have some difficulties making DNAT work.
My setup is one “LAN-server”, providing web service on port 80 (among other services), a Mikrotik “router” connecting the LAN to Internet and a client “Internet-PC” (located in Internet) trying to connect by browser to LAN-server (http://:1234). I think I have the basic DNAT configuration in place, but when I test, the Internet-PC browser cannot reach the web service (“The connection has timed out” in browser).
So far I have tested the following:
- direct-connecting (without DNAT) from LAN-PC (inside the LAN) by browser is OK
- DNAT-connecting from Internet-PC to LAN-server’s Remote Desktop service is OK
- DNAT-connecting from Internet-PC to LAN-server’s SSH service is OK
- DNAT-connecting from Internet-PC to LAN-server’s web service by telnet client shows traffic arriving at the LAN-server’s network interface and being processed by its web service
My DNAT configuration is following:
/ip firewall nat add action=dst-nat chain=dstnat dst-address= dst-port=1234 in-interface-list=WAN protocol=tcp to-addresses= to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat dst-address= dst-port=1234 in-interface-list=WAN protocol=udp to-addresses= to-ports=80
My guess is that I am missing some configuration parameters (on the Mikrotik router) specific to DNAT of this type of traffic (web)?
Is there a way to see raw traffic arriving at a network interface, before being processed by firewall rules, e.g. like the output from tcpdump?