DNAT

Hello,

I'm trying to open a port for my webserver, but I cannot get it working at all.

192.168.0.193 is my webserver.

/ip firewall nat
add action=log chain=dstnat
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.0.193
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway src-address=192.168.0.0/24

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
2 ;;; default configuration
chain=input action=accept protocol=icmp

3 ;;; default configuration
chain=input action=accept connection-state=established

4 ;;; default configuration
chain=input action=accept connection-state=related

5 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

6 ;;; default configuration
chain=forward action=accept connection-state=established

7 ;;; default configuration
chain=forward action=accept connection-state=related

8 ;;; default configuration
chain=forward action=drop connection-state=invalid


Is there anything I have forgotten to do?

Yes. You forgot to let port 80 through the firewall.

5 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

You need this, and move it above rule #5.

/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=80 in-interface=ether1-gateway

move X 5

Replace X with the line number of this new rule.

edit: I forgot the protocol. The coffee is a bit slow to act on me this morning.

Hello,

Thanks for the post, but that didn't help me :frowning:

It looks like this now:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=80

1 ;;; default configuration
chain=input action=accept protocol=icmp

2 ;;; default configuration
chain=input action=accept connection-state=established

3 ;;; default configuration
chain=input action=accept connection-state=related

4 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

5 ;;; default configuration
chain=forward action=accept connection-state=established

6 ;;; default configuration
chain=forward action=accept connection-state=related

7 ;;; default configuration
chain=forward action=drop connection-state=invalid


/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=log log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.0.193 protocol=tcp dst-port=80
3 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=ether1-gateway


I tried telnet.


telnet 127.0.0.1 80 on the server works, and the webserver is listening on 0.0.0.0 (it worked flawlessly on my old D-Link router).
When I telnet to "public ip" 80, I just get connection timed out.

So something is wrong, any more ideas? :frowning:

telnet 127.0.0.1 80 on the server works, and the webserver is listening on 0.0.0.0 (it worked flawlessly on my old D-Link router).
When I telnet to "public ip" 80, I just get connection timed out.

If you are on a router localnet when you try the public ip, it probably doesn’t work because you need a hairpin nat.
http://wiki.mikrotik.com/wiki/Hairpin_NAT
The part that concerns you starts about halfway down the page at this sentence.

When a client on the same internal network as the web server requests a connection to the web server’s public IP address, the connection breaks.

Hello SurferTim!

That explains a lot, I tested from a server outside of my network.
It works!

Thanks! :slight_smile:

Shouldn't the port 80 firewall rule be on the forward chain?
I assume, because it is working now, that you do not have any forward chain rules at all.
In that case, the allowed port 80 rule is just doing nothing because you are not connecting to your router itself, the traffic is going to your server.
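To tie the two points made in this thread together (hairpin NAT for LAN clients, and filtering forwarded traffic in the forward chain rather than input), here is an added example rule set written for this thread's addressing. It is not from any post above or from the MikroTik wiki; `<PUBLIC_IP>` is a placeholder for the WAN address on ether1-gateway, and `bridge-local` is an assumed name for the LAN interface.

```routeros
# Added example, not from the thread. Assumptions:
#   <PUBLIC_IP>  = the router's WAN address on ether1-gateway (placeholder)
#   bridge-local = the LAN interface name (assumed; check with /interface print)
/ip firewall nat
# 1. Port forward. Matching on the public address instead of in-interface
#    lets LAN clients that use the public IP hit this rule too, which the
#    hairpin rule below depends on.
add chain=dstnat dst-address=<PUBLIC_IP> protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.193 to-ports=80 \
    comment="web server: WAN -> 192.168.0.193:80"
# 2. Hairpin NAT: when a LAN host reaches the server through the public IP,
#    rewrite the source so the server's reply returns via the router instead
#    of going straight to the client (the break SurferTim described).
#    Side effect: for these hits the server's logs show the router's LAN
#    address, not the client's.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.193 \
    protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade \
    comment="hairpin NAT for web server"
# 3. The default outbound masquerade stays as it was.
add chain=srcnat out-interface=ether1-gateway src-address=192.168.0.0/24 \
    action=masquerade comment="default configuration"

/ip firewall filter
# Forwarded (dst-nat'ed) traffic is filtered in the forward chain, not input.
# dst-address is already the translated address here because dstnat runs
# before forward filtering. Place this above any forward drop rules.
add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.0.193 dst-port=80 connection-state=new \
    action=accept comment="allow new connections to the web server"
# The input-chain accept for tcp/80 from earlier in the thread only affects
# traffic addressed to the router itself; leaving it in place keeps the
# router's own www service reachable from the WAN if that service is enabled.
```

With these rules in place, a quick check is to run telnet to `<PUBLIC_IP>` 80 from both a LAN host and an outside host: both should connect, and `/ip firewall nat print stats` should show the hairpin rule's counters increasing only for the LAN test.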