This could be part of it. The port should be src-port=80, not dst-port=80. That would be the dstnat port. Clients normally do not use port 80 outbound for requests.
Hi jonas! I know some of this is a little confusing at first.
When a remote client makes a port 80 request, the client is not using port 80 to make the request. Only the destination port is 80. That is why you nat the destination port on the request (dstnat).
When your internal server responds (srcnat), the destination port will be the port the client was assigned on his router. The source port on these packets will now be 80, not the destination port.
And that is why I said that could be part of it. Let me look at your firewall rules for a bit. Maybe something there. I only brought up the stuff I saw right away.
ADD: I have found everything depends on the order of entries in these lists. I would try moving all the action=jump rules to the top of that list, so the chain=speedy rules are after (below) those.
I already made this configuration with iptables (and ipchains hehe) for other clients but this is the first time I’m using RouterOS.
I’m redirecting all traffic in the input chain to a chain specific to that interface (lp or speedy), this way I think the rules became more manageable.
Let me know if you need more information from my setup.
But the rules are in different chains! Do the chains in RouterOS work differently from the way the tables work in iptables? (I created the chains to make the rules more manageable, but if they are problematic to use in RouterOS I can remove them.)
2 ;;; Accept icmp from internet
chain=lp action=accept protocol=icmp
3 chain=lp action=accept protocol=tcp port=80
4 chain=lp action=log log-prefix="Blocked"
5 ;;; Drop all packages from internet
chain=lp action=drop
6 ;;; Accept icmp from internet
chain=speedy action=accept protocol=icmp
7 chain=speedy action=accept protocol=tcp port=80
8 chain=speedy action=log log-prefix="Blocked"
9 ;;; Drop all packages from internet
chain=speedy action=drop
[admin@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.120.9 protocol=tcp dst-address=MY_EXTERNAL_IP src-port=80
You are showing chain=speedy as a chain=input subset. I think it needs to be a chain=forward subset, unless it is restricting access to the router OS, not the localnet behind the interface.
And the dstnat rule. It needs to be dst-port=80. The client’s port is the src-port.
The srcnat rule is src-port=80. The client’s port is the dst-port.
Ok, I didn't understand what you mean. For an internet user he is accessing the router; the server is on my internal network with a non-routable IP. This is a standard dnat operation in iptables. Is the input chain the wrong table to put these rules in? (I will drop everything except the ports I explicitly accept in the input table.)
I don’t know what you mean by a chain is a subset of other. I created them just to make the rules more manageable. If they have a different meaning in RouterOS I can remove them (ok, I will miss them a lot).
Is it possible to have access to default iptables command? (I think my life would be a lot easier)
As long as you are not blocking any forward chains, you should be ok.
Are you trying the access from outside the router? Like a non-localnet ip?
If you are trying to access the sever from a localnet address using the public address, you will need to use a Hairpin NAT. http://wiki.mikrotik.com/wiki/Hairpin_NAT
On input I'm blocking everything but icmp and tcp/80 (other ports I will include later).
On nat I'm trying to redirect all incoming traffic on tcp/80 to my internal server.
At least this is what I'm trying to do, but it is not working (as you can see this is a simple port forwarding). I followed the NAT documentation and it didn't work. Maybe I'm missing something pretty basic in the RouterOS environment (remember both interfaces work fine and I can source nat through the router fine).
It is not necessary, I'm outside the company. They have three links and I'm getting in through the other router that I have to disable by the weekend.
Can you post “/ip firewall nat print”? I can see better that way.
Can you ping the router public address from a remote ip?
Maybe starting basic will help. When you had the www service enabled and no dstnat/srcnat rules (or disabled if you want to try again), could you get the MikroTik Webbox login page with your browser from a remote ip?
Sure, I already put the output in the previous message (when I consolidated the changes we made). The only difference is that I change back to dst-port. There I printed /ip firewall filter print and /ip firewall nat print. Let me know if you need more information about my setup.
Yes, I can ping it fine, I can see the router in the traceroute, and when I do a tcptraceroute on port 80 I see that the packet gets there but it doesn't get any answer on port 80.
I didn't try to access the router login page through the internet, I'm definitely not that brave.
But if I change the cable from the new router to the old one I can access my internal server fine (so it is not something blocking in the way).
You asked me to change to src-port and, as I told you in the previous message, I already changed back to dst-port; I was too lazy to repost the output again here.
Anyway, I will consolidate it again here:
[admin@MikroTik] /ip firewall nat> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=jump jump-target=speedy dst-address-list=gw in-interface=ether2
1 chain=input action=jump jump-target=lp dst-address-list=gw in-interface=ether1
2 ;;; Accept icmp from internet
chain=lp action=accept protocol=icmp
3 chain=lp action=accept protocol=tcp port=80
4 chain=lp action=log log-prefix="Blocked"
5 ;;; Drop everything from internet
chain=lp action=drop
6 ;;; Accept icmp from internet
chain=speedy action=accept protocol=icmp
7 chain=speedy action=accept protocol=tcp port=80
8 chain=speedy action=log log-prefix="Blocked"
9 ;;; Drop everything from internet
chain=speedy action=drop
[admin@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.120.9 protocol=tcp dst-address=MY_EXTERNAL_IP dst-port=80
1 chain=srcnat action=src-nat to-addresses=MY_EXTERNAL_IP protocol=tcp dst-address=192.168.120.9 dst-port=80
2 chain=srcnat action=masquerade src-address-list=lan out-interface=ether1
[admin@MikroTik] /ip firewall nat>
Let me know if you need more information from my setup.
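The src-port versus dst-port point made in this thread, as an added example that is not part of the thread or of RouterOS itself: a small Python model of dstnat rule matching, in which the external IP, client address and client port are constructed placeholders.

```python
# Added example, not from the forum thread or RouterOS itself: a tiny model
# of how a dstnat rule is matched against a client's HTTP request. It shows
# why a rule written with src-port=80 never fires while dst-port=80 does,
# and what the server's reply looks like. Addresses are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str = "tcp"

EXT_IP = "203.0.113.10"   # placeholder standing in for MY_EXTERNAL_IP
SERVER = "192.168.120.9"  # the internal web server from the thread

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return all(getattr(pkt, f) == v for f, v in rule["match"].items())

def apply_dstnat(rules, pkt):
    """Walk dstnat rules top-down; the first match rewrites dst_addr."""
    for rule in rules:
        if matches(rule, pkt):
            return replace(pkt, dst_addr=rule["to_addr"]), rule["name"]
    return pkt, None          # nothing matched: packet stays as it was

def reply_for(pkt):
    """The reply swaps the 5-tuple, so the server's source port is 80."""
    return Packet(pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port, pkt.proto)

# The client's SYN: ephemeral source port, destination port 80 (constructed).
CLIENT_SYN = Packet("198.51.100.7", 51234, EXT_IP, 80)

# The two rule variants discussed in the thread (src-port=80 vs dst-port=80).
WRONG_RULE = {"name": "src-port=80", "to_addr": SERVER,
              "match": {"proto": "tcp", "dst_addr": EXT_IP, "src_port": 80}}
RIGHT_RULE = {"name": "dst-port=80", "to_addr": SERVER,
              "match": {"proto": "tcp", "dst_addr": EXT_IP, "dst_port": 80}}

if __name__ == "__main__":
    for rule in (WRONG_RULE, RIGHT_RULE):
        out, hit = apply_dstnat([rule], CLIENT_SYN)
        print(f"{rule['name']:<12} matched={hit is not None} -> {out.dst_addr}:{out.dst_port}")
    forwarded, _ = apply_dstnat([RIGHT_RULE], CLIENT_SYN)
    rep = reply_for(forwarded)
    print(f"server reply {rep.src_addr}:{rep.src_port} -> {rep.dst_addr}:{rep.dst_port}")
```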