dstnat problem

Hello all, I can’t do functional dstnat and I don’t know why.
I do dstnat for public ip address, port 80, to access pc from LAN.

ether1 - public ip - 100.0.0.50
ether2 - subnet 192.168.1.0/24, ip 192.168.1.1, nat to public ip
pc with web in ether2 - 192.168.1.66

I need dst nat from 100.0.0.50:80 to 192.168.1.66:80
When dstnat is not applied, MikroTik WebManagement is displayed in browser.
I used standart dstnat as I found everywhere.
When I put address to browser, this still waiting.
When dstnat is applied, log in firewall filter rules is not processed,
only prerouting log show me connection.

Any idea where is problem? Thank you for help.

Router setting:
address:
100.0.0.50/28 100.0.0.48 100.0.0.63 ether1
192.168.1.1/24 192.168.1.0 192.168.1.255 ether2
nat:
chain=dstnat action=dst-nat to-addresses=192.168.1.66 to-ports=80 protocol=tcp dst-address=100.0.0.50 dst-port=80
chain=srcnat action=src-nat to-addresses=100.0.0.50 src-address=192.168.1.0/24 out-interface=ether1
gateway:
0.0.0.0/0 → 100.0.0.50

hello try changing the dst-port from 80 to 8080 as the in port
this is one of my forward and works perfect

add action=dst-nat chain=dstnat comment=“” disabled=no dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=80

the scr-nat rule it’s not necessary

What firewall filter rule? Please post the output of “/ip firewall export”.
Also ensure that the host you’re forwarding to has a correct route back (probably a default route to the router IP on the interface the host is behind).

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=81 in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=22

as you can see the route back rule it’s not necessary 'cause the default gateway…

You mentioned firewall filters. Can you post those also, not just the NAT settings?

Also, I meant a default route on the webserver. Traffic might e making it there, but the server doesn’t know how to get back to the client.

And just to verify, you are testing from outside the network and not from behind the router?

of course the webserver should have as a default gateway the LAN ip of the mikrotik router

I made a reset of Mikrotik, I deleted filters and addresses and set up this:

add address=192.168.2.1/24 broadcast=192.168.2.255 interface=ether2 network=192.168.2.0
add address=10.0.0.51/28 broadcast=10.0.0.63 interface=ether1 network=10.0.0.48
add action=dst-nat chain=dstnat dst-address=10.0.0.51 dst-port=80 protocol=tcp to-addresses=192.168.2.44 to-ports=80

To ether1 is connected notebook with IP address 10.0.0.50
To ether2 is connected PC with Apache and IP address 192.168.2.44
From notebook I do http://10.0.0.51/ and browser still waiting for response.
Some basic setting missing probably, help please.

Does http://192.168.2.44 load?

First establish that the two hosts can talk normally, then introduce the NAT part.

what it’s the ip address and gateway of the apache webserver?

These host can’t talk normally, apache is on private site and ether1 is public site. Only port 80 can be opened from public site to Apache. Apache server ip is 192.168.2.44, mask 255.255.255.0, gateway 192.168.2.1. Thank you guys.

what do you mean when say PRIVATE SITE? dont understand

Guys it works, I have on Apache server firewall on .
So I must have any bad configuration in full configuration

And just to verify, you are testing from outside the network and not from behind the router?

This is problem on real configuration. But I need access public IPs from internal site too.
Please how can I change config to this can work? Thank you.

So it’s working now in your mock setup?

If you need to access the public IP from the inside you have to hairpin NAT the traffic. You will lose the ability to track inside users by IP on the web server.

The basic command is

/ip firewall nat add chain=srcnat dst-address=192.168.1.66 dst-port=80 protocol=tcp src-address=192.168.1.0/24 action=masquerade

Search the forums for “hairpin NAT” for details.

Fewi you are King, thank you, it works! I don’t exactly understand what you mean: "You will lose the ability to track inside users by IP on the web server. " In Apache log is gateway 192.168.1.1 record, but it is access of public address from NATed LAN, so I think this is ok becouse subnet is NATed to public address and all clients looks as one address on internet.

It means that all inside users that are on the same subnet as the server will appear to the web server as the router IP address when they access the server via its public IP address. If you can live with that you’re all set. Unfortunately there is no workaround to that side effect.

Hm, I have one more probably problematic question.

When I have two subnets 192.168.1.0/24 and 192.168.2.0/24
Every subnet has NATed public address 10.0.0.1 and 10.0.0.2
and dstnated port 80 to any LAN computer.

With new rule, I’m able access 10.0.0.1 from 192.168.1.0/24
and access 10.0.0.2 from 192.168.2.0/24.

Is it possible access cross public ie. 10.0.0.1 from 192.168.2.0/24?

Unless I am mistaken that should be working without any additional configuration. If it doesn’t try duplicating those hairpin NAT rules setting the src-address qualifier to the other LAN network.

Fewi you are right, this works without additional configuration. Thank you for help.