Forwarding Port 80 to Web Server

I am attempting to set up a router which will forward the port 80 request from my ISP’s static IP of 67.143.224.198 to my local web server on 192.168.0.10. When I access 67.143.224.198 from a web browser I am able to see the router welcome page, but it is not forwarding to my local web server. I followed the instructions on page 40 in the MT manual to set up the NAT as shown below with no luck. If anyone could offer any suggestions, it would be greatly appreciated.

Eth1 = Internet1
Eth2 = Local2 DHCP Server

NAT
0 Chain=srcnat out-interface=interface1 action=masquerade

1 chain=dstnat in-interface=internet1 dst-address=67.143.198 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.10 to-ports=0-65535

IP Address
0 Address:67.143.224.198/30 Network:67.143.224.196 Broadcast 67.143.224.199 IInterface: Internet 1

1 Address:192.168.0.1/24 Network:192.168.0.0 Broadcast: 192.168.0.255 Interface: Local2

Routes
0 ADC DST-ADDRESS:67.143.224.196/30 Pref-SRC: 67.143.224.198

1 ADC DST-ADDRESS:192.168.0.0/24 Pref-SRC: 192.168.0.1

2 A S DST-ADDRESS: 0.0.0.0/0 Gateway: r 67.143.224.197

DHCP-SERVER

0 Nam:DHC Interface: Local2 Address-Pool:dhcppool1 Lease:3d

Hi,
Glad to write here.
First, it is important to state the names of the interfaces correctly, and they should match the interface names in the rules.
So the name of Ether2 = local2 should occur in the rules as well, not interface1 as you wrote below. Also, you wrote the public IP wrong, and I do not know if what is below is from the router or you just wrote it here:

Try to use the following:

/ip firewall nat
add chain=dstnat in-interface=!internet1 dst-address=!67.143.224.198 protocol=tcp \
    dst-port=80 action=dst-nat to-address=192.168.0.10 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=!local2 src-address=!192.168.0.10 \
    action=masquerade comment="" disabled=no



Here I think you will never be able to do what you want while you have only one public IP from your ISP.
You should have more than one public IP, one to be NATted to your server and another one to be used for the internet connection from your local network.

With best regards.

I am simply attempting to replace a Linksys router. In the Linksys I could go into the port forwarding and tell it to forward anything on port 80 to my webserver IP and my IIS would handle the rest. I have done a reset and changed my configuration as follows: Still not working.



NAT
0 Chain=srcnat out-interface=ether1 action=masquerade

1 chain=dstnat in-interface=ether1 dst-address=67.143.224.198 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.1 to-ports=0-65535

2 chain=srcnat action=masquerade src. address=192.168.0.1 out-interface:ether2


IP Address
0 Address:67.143.224.198/30 Network:67.143.224.196 Broadcast 67.143.224.199 IInterface: ether1

1 Address:192.168.0.254/24 Network:192.168.0.0 Broadcast: 192.168.0.255 Interface: ether2

Routes
0 ADC DST-ADDRESS:67.143.224.196/30 Pref-SRC: 67.143.224.198 Interface:ether1

1 ADC DST-ADDRESS:192.168.0.0/24 Pref-SRC: 192.168.0.254 Interface:ether2

2 A S DST-ADDRESS: 0.0.0.0/0 Gateway: r 67.143.224.197 internet:ether1

Hi again,
Did you try to use the rules I wrote for you?
Try them and give me your feedback.
With best regards.

If I understand your rules correctly, I have renamed the interfaces back to ether1 and ether2 and implemented them in 1 and 2 for the NAT.

Let me know if I misunderstood your rules.

Thank you for your help so far.

Hi again,
No, I used the names as you used them:
internet1 for the internet connection
local2 for the local network

Delete your NAT rules, and be sure that the Ethernet NIC connected to the internet has the name internet1 and the NIC for the local network is named local2.
Just copy the code in green colour, paste it into a new terminal, and you will get the rules in the firewall NAT window.
Check if this helps and give us your feedback.
With best regards.

OK, I have done as prescribed, but it still does not work.
What are the ! before the IP address? From what I can tell that means anything but this IP. I could not even access the internet with the ! in place.

[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=internet1 src-address=192.168.0.0/24
action=masquerade

1 X chain=dstnat in-interface=internet1 dst-address=67.143.224.198
protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.1
to-ports=0-65535

2 chain=srcnat out-interface=local2 src-address=192.168.0.1
action=masquerade

Something doesn't look right to me on the static IP. Here are the settings that I have been using on my Linksys router that I am replacing. It looks like the route is setting 67.143.224.198 as the pref-src. The gateway needs to be 67.143.224.197.

Linksys Settings
Static IP:
IP Address:67.143.224.198
Subnet Mask: 255.255.255.252
Gateway : 67.143.224.197

[admin@MikroTik] ip address> pr
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 67.143.224.198/30 67.143.224.196 67.143.224.199 internet1
1 192.168.0.254/24 192.168.0.0 192.168.0.255 local2

[admin@MikroTik] ip route> pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 67.143.224.196/30 67.143.224.198 internet1
1 ADC 192.168.0.0/24 192.168.0.254 local2
2 A S 0.0.0.0/0 r 67.143.224.197 internet1

Change to-ports=80 and enable this rule.

-Louis

Thanks Louis.
I changed it as directed, still doesn't work.

[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=internet1 src-address=192.168.0.0/24
action=masquerade

1 chain=dstnat in-interface=internet1 dst-address=67.143.224.198
protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.1
to-ports=80

2 chain=srcnat out-interface=local2 src-address=192.168.0.1
action=masquerade

Thanks for everyone's help, I finally got it to work. It required adding an additional NAT with protocol=UDP as illustrated below.

http://wiki.mikrotik.com/wiki/Talk:Forwarding_a_port_to_an_internal_IP

ip firewall nat add chain=dstnat dst-address=aaa.aaa.aaa.aaa protocol=tcp dst-port=bbbb
action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=yyyy
ip firewall nat add chain=dstnat dst-address=aaa.aaa.aaa.aaa protocol=udp dst-port=bbbb
action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=yyyy


[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=internet1 src-address=192.168.0.0/24
action=masquerade

1 chain=srcnat out-interface=local2 src-address=192.168.0.1
action=masquerade

2 chain=dstnat dst-address=67.143.224.198 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.0.1 to-ports=80

3 chain=dstnat dst-address=67.143.224.198 protocol=udp dst-port=80
action=dst-nat to-addresses=192.168.0.1 to-ports=80
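
A review aid for the NAT tables posted in this thread, as an added example that is not part of any post: Python that parses `ip firewall nat print` output and reports enabled dst-nat rules using the `!` negation, a to-ports range, or a UDP forward on port 80. The names `parse_rules`, `audit` and `SAMPLE` are assumptions made here, and the sample input is constructed from rules that appear in the thread.

```python
import re

# Constructed sample in the layout of `ip firewall nat print`, assembled from
# rules posted in this thread (long rules wrap the way the terminal shows them).
SAMPLE = """\
0 chain=srcnat out-interface=internet1 src-address=192.168.0.0/24
action=masquerade
1 X chain=dstnat in-interface=internet1 dst-address=67.143.224.198
protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.1
to-ports=0-65535
2 chain=dstnat in-interface=!internet1 dst-address=!67.143.224.198
protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.10 to-ports=80
3 chain=dstnat dst-address=67.143.224.198 protocol=udp dst-port=80
action=dst-nat to-addresses=192.168.0.1 to-ports=80
"""

# A rule starts with its number, optional X/I/D flags, then key=value pairs.
RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(\S+=.*)$")

def parse_rules(text):
    """Join wrapped lines and return one dict per rule (hypothetical helper)."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"#": int(m.group(1)), "flags": m.group(2) or ""})
            line = m.group(3)
        if rules:
            rules[-1].update(re.findall(r"([\w-]+)=(\S+)", line))
    return rules

def audit(text):
    """Return (rule number, finding) pairs for enabled dst-nat rules."""
    findings = []
    for r in parse_rules(text):
        if r.get("action") != "dst-nat" or "X" in r["flags"]:
            continue  # only enabled port forwards expose anything
        for key in ("in-interface", "dst-address"):
            if r.get(key, "").startswith("!"):
                findings.append((r["#"], f"{key} negated: matches all but {r[key][1:]}"))
        if "-" in r.get("to-ports", "") and "-" not in r.get("dst-port", ""):
            findings.append((r["#"], f"to-ports is a range ({r['to-ports']}) for one dst-port"))
        if r.get("protocol") == "udp" and r.get("dst-port") == "80":
            findings.append((r["#"], "udp/80 forwarded; HTTP is served over tcp/80"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"rule {number}: {finding}")
```

Paste the router's own print output in place of `SAMPLE` to review a live table; disabled rules (flag `X`) are skipped because they forward nothing.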