Forward the port 80 to another port in mikrotik

alinux1366 · May 13, 2019, 4:32pm

Hi,

I have two disjoint networks, one with ip ranges 192.168.101.1 to 192.168.150.255 (ZONE 1) and the other with ip range 192.168.192.1-254 (ZONE 2). These zones are connected using a mikrotik router by connecting the Zone 1 to eth1 and Zone 2 to eth2. I need to forward the ip address of 192.168.192.10:80 to 192.168.192.10:8080 when it is browsed from Zone 1. To this end, I have added the following in the router, however, it does not work. I am a beginner in Mikrotik and cannot figure out the problem.

/ip firewall nat
print
0 chain=dstnat action=dst-nat to-addresses=192.168.192.10 to-ports=8080
protocol=tcp dst-address=192.168.192.10 dst-port=80 log=no log-prefix=“”

anav · May 14, 2019, 2:27pm

/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst port=8080 protocol=tcp/
to-addressess=192.168.192.10 to-ports=80

suggest you make a firewall address list for the range required

Sob · May 14, 2019, 6:45pm

@anav: Your rule takes connections to :8080 and forwards them to 192.168.192.10:80, if they come from zone1. The original was better, it didn’t limit sources, but it took requests to 192.168.192.10:80 and sent them to 192.168.192.10:8080 as requested.

So it’s going to be something else, two thoughts:

Is this traffic allowed “/ip firewall filter chain=forward”?
Do devices in Zone 1 have this router as either their default gateway? Or if not, do they have route to 192.168.192.0/24 via this router?

anav · May 15, 2019, 3:12pm

Thats right, the rule I made takes any request from zone one lan users that is headed for port 8080 and sends it to the specific zone 2 IP address and translated to port 80.
I thought that would accomplish the aim LOL.

Without seeing the OPs config…
/export hide-sensitive file=yourconfig15may

We will not be able to progress much further! A diagram would help also.

adding back in the destination address…
/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst address=192.168.192.10 port=8080 protocol=tcp/
to-addressess=192.168.192.10 to-ports=80

Sob · May 15, 2019, 4:40pm

You want dst-port and not just port. I also think that you have the ports swapped.

anav · May 17, 2019, 1:18pm

You right are, me Phuck…
/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst address=192.168.192.10 dst-port=80 protocol=tcp/
to-addressess=192.168.192.10 to-ports=8080

rbnewfan · May 17, 2019, 2:01pm

Why source-address-list or source address at all?
As someone mentioned, he is most likely missing a route at the original zone (or properly configured gateway) towards second zone.

anav · May 17, 2019, 4:29pm

Well without knowing his configuration, NO DIAGRAM, NO CONFIGURATION, what is the point of your postt??
If its two subnets on the same router one needs to ensure fw rules allows crosstalk vice routing solution in my limited experience.

@source address, for security reasons I like to ensure always limiting access to any flow of traffic. It also allows the op to specify which users on the LAN should be able to crosstalk to the other subnet. Although I suppose that could be better served if moved to, or executed by, a firewall rule.