Forward / dstnat port 80 and 443

casey · June 7, 2014, 3:39am

Just picked up a new RB2011 for the house but having issues getting port 80 and 443 forwarded to an inside host. I have several other ports forwarded for various things like Foscam cameras, RDP, Plex, controlling my HTPC with the Ceton app, and it all works great. But when I try to forward port 80, 443, and 50500 to my Iomega / Lenovo IX2-DL network storage I can no longer surf the web.

Here are my firewall rules.
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

Here are my NAT rules.
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment=IX2 dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832

casey · June 9, 2014, 3:24pm

I did eventually find the answer to this issue before my new topic was approved on this forum.

In the dstnat chain I had to specify the WAN interface for port 80 and 443.

Instead of this:
chain=dstnat comment=IX2 dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
I needed to use this:
chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80

My next issue was hairpin NAT. Using a dynamic DNS name to access my port forwards from inside the network. This rule works, but not for port 80 while I’m inside the network. This rule masquerades traffic going to the outside world from inside. It also masquerades local traffic going to local devices and the response from local devices to the original requesting device.
action=masquerade chain=srcnat src-address=192.168.55.0/24

Only issue, by specifying the in-interface in the rule above, I can’t access port 80 using my dynamic DNS name while inside the network.