I have an @record that points to my public IP. For now, we’ll use 192.168.10.1/30 as my public IP on eth2.
I am attempting to route all web traffic that goes to this interface via the @record to an internal IP. Let’s use 10.10.1.0/24 as my internal network.
See the attachments for the setup for the NAT.
In theory the packet-flow should be:
Packets coming to In-Interface (eth2[192.168.10.1]) with dst-port of 80 (web traffic) using TCP protocol, forward to internal IP 10.10.1.2 port 80.
Did you flush your connections under Ip/Firewall/Connections by selecting all and deleting them, or by rebooting the router?
TCP connections have a high persistence and connection tracking takes precedence in front of DSTNAT.
Another thing: If ether2 is part of a bridge, you should use the bridge interface instead.
eth1 and eth2 are not connected to any bridges and are not slaved interfaces.
I flushed the connections and tried again, but to no avail.
I went in and modified the settings and it seems to work... sort of. I’m still having some issues, but it seems to be accessible from the outside world now.
I changed input method from In Interface to the specific Dest Address. See the attachment.
Did you create a firewall rule to allow the destination address to be reached? Building the NAT does not automatically open the port in the firewall. You can, BTW, create a firewall rule that will allow any NATted port through the firewall without having to explicitly specify it (although I personally don’t use that feature).
The NAT rule looks fine. Does another interface have the 10.10.1.0/24 network defined so the Mikrotik knows which interface to route the packet to? IP > Routes will show it.
Does regular internet browsing work? If you’ve changed your WAN from eth1 to eth2, there are a few things to configure. If your web browsing works, then I imagine it’s correct.
Tools > Torch temporarily shows packet flow. You can run Torch on eth2 and try to connect in remotely. You should see the packet coming in on eth2 destined to your public IP. Then you can run Torch on the LAN interface and you should see the packet going out the LAN interface, destined to 10.10.1.2.
If you’re on a home internet connection, maybe your ISP blocks inbound port 80.
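As an added example (not taken from the thread or from any attachment), here is the dst-nat rule discussed above together with the forward-chain filter rules it needs, in RouterOS CLI form. The addresses are the thread's stand-ins (192.168.10.1 on the WAN side, web server 10.10.1.2 behind the LAN bridge); the interface name ether2 and the placement of the rules relative to the existing drop rule are assumptions.

```routeros
# Added example, not the poster's configuration. Addresses follow the thread's
# placeholders; interface names and rule ordering are assumed.

# 1. Port forward. Matching on the public address (as the poster ended up
#    doing) rather than in-interface keeps the rule working if the WAN
#    interface is later moved into a bridge.
/ip firewall nat
add chain=dstnat dst-address=192.168.10.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.1.2 to-ports=80 \
    comment="web -> internal server 10.10.1.2"

# 2. The NAT rule alone does not open the port: the forward chain still has
#    to accept the translated packets. Both rules below must sit above the
#    rule that drops new connections arriving on the WAN interface.
/ip firewall filter
# Narrow form: allow exactly this forwarded flow.
add chain=forward in-interface=ether2 protocol=tcp \
    dst-address=10.10.1.2 dst-port=80 connection-state=new action=accept \
    comment="allow forwarded web traffic"
# Broad form (the feature mentioned above): allow any new connection that was
# dst-natted, so each new forward does not need its own filter rule.
add chain=forward in-interface=ether2 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="allow all dst-natted ports"

# 3. Connection tracking wins over dst-nat for flows it already knows about,
#    so clear the tracked connections after changing the rules (this drops
#    every tracked connection, the same effect as select-all + delete).
/ip firewall connection remove [find]
```

Tools > Torch on ether2 and then on the LAN bridge, as described above, confirms the packet arriving for 192.168.10.1:80 and leaving for 10.10.1.2:80; if only the first shows, the filter rule, not the NAT rule, is the usual cause.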
I’m using two business class data services at my office in our lab setup: WAN1 and WAN2 (eth2). General browsing is working fine.
I assigned the 10.10.1.x network to the local bridge, which uses ether3-10.