Help Port Forwarding

Hello,

I have a problem with my router :frowning:

My network: server ------------------------- router --------------------------- client
web server: 192.168.1.11
router: 192.168.1.1 and WAN 192.168.0.2

I want to forward port 443. It does not work! I tested a lot of things!!


My last config:

NAT:
 0 ;;; default configuration
   chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
 1 chain=dstnat action=dst-nat to-addresses=192.168.1.11 protocol=tcp dst-address=192.168.0.2 dst-port=443

Filters:
 0 chain=input action=accept dst-address=192.168.0.2
 1 chain=input action=accept protocol=tcp in-interface=ether1-gateway src-port=443 dst-port=443
 2 ;;; default configuration
   chain=input action=accept protocol=icmp
 3 ;;; default configuration
   chain=input action=accept connection-state=established
 4 ;;; default configuration
   chain=input action=accept connection-state=related
 5 ;;; default configuration
   chain=input action=drop in-interface=ether1-gateway
 6 ;;; default configuration
   chain=forward action=accept connection-state=established
 7 ;;; default configuration
   chain=forward action=accept connection-state=related
 8 ;;; default configuration
   chain=forward action=drop connection-state=invalid

Do you really have 192.168.0.2 as WAN address? If so, what about the router with public address, does it forward port 443 to your 192.168.0.2?

Yes. After it I have my “box” on 192.168.0.1 with the real WAN IP.
I say WAN for the interface.

Would it be preferable to plug my cable into LAN interface x2?

And does that “box” with real public address forward port 443 to 192.168.0.2? I assume you want it to work from outside, i.e. allow anyone to connect to your web server, right? If so, they will be connecting to your public address.

If you had only one network (everything in 192.168.0.x range), you’d need to configure “box” to forward port 443 to some 192.168.0.x (server address).

If you have another router and second network (which currently puts you behind double NAT, but it works too), you need to do the same thing twice, first set up “box” to forward port 443 from public address to 192.168.0.2 (this is what I’m asking about) and then set up router to forward port 443 from 192.168.0.2 to 192.168.1.11 (you already have that).

If you have both set correctly, then it also depends on where do you test if from. It might work from outside, but fail if tested from other device in internal network. That would be the problem described here.

I'm sorry but I really don't understand.

On virtual RouterOS it's OK! But the same configuration does not work on the real router… :frowning:

VM: chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=192.168.1.162 dst-port=4001 log=no log-prefix=""

IRL: chain=dstnat action=dst-nat to-addresses=192.168.1.11 to-ports=443 protocol=tcp dst-address=192.168.0.2 dst-port=443

without firewall rules.

But IRL, if I understand it correctly, you have:

[Server|192.168.1.11] ----- [192.168.1.1|Router|192.168.0.2] ---- [192.168.0.1|“box”|1.2.3.4] ----- (internet)

Where 1.2.3.4 is an example public address. I assume that when a packet comes to 192.168.0.2:443, it gets correctly forwarded to 192.168.1.11:433. But it can happen only when it’s first forwarded from 1.2.3.4:443 to 192.168.0.2:443. Is the “box” configured this way?

Yes, but: [Server|192.168.1.11] ----- [192.168.1.1|Router|192.168.0.2] ----- [192.168.0.x|Client]

My client on 192.168.0.0/24 can’t join my server. Forget my box.

But on virtual lab it’s ok :cry:

Your filter is using the wrong chain in the firewall - your rules to allow the server’s IP are all in the input chain.
The input chain is for talking to the Mikrotik itself (regardless of interface).
The FORWARD chain matches packets which flow THROUGH the router.

Many other products have a design where input means “as you receive a packet on an interface”
This is not the case with ROS (which is based on Linux netfilter, a.k.a. iptables).

Furthermore, the forward filter chain is called after the dstnat happens, so make sure the dst-address=x.x.x.x matches the private IP of the server, and not the public IP of the router.

Lastly, your dstnat rule might need to get tweaked just a touch - add the criteria in-interface=WAN (replace WAN with the actual wan interface name) or else you’re going to block your LAN’s own outgoing https connections.

There is also an issue with the filters. You want to accept only traffic with src-port 443 and dst-port 443, which is wrong.
The originating port of an https connection is NOT 443, but some randomly chosen high number port, only the destination is 443. The same goes for most of the connections, so you need to match only the dst-port.
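Putting the points from the reply above into a concrete configuration, here is an added example (it is not a post from the thread and not the original poster's config). It assumes the interface name ether1-gateway and the addresses 192.168.0.2 / 192.168.1.11 from the thread; the rule comments and the "check" commands at the end are additions, and the forward accept rule has to sit above any drop rule in the forward chain.

```routeros
# --- NAT: forward HTTPS arriving on the WAN interface to the web server ---
/ip firewall nat
# Match on in-interface so that LAN-originated HTTPS to other sites is not caught by this rule
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-address=192.168.0.2 dst-port=443 \
    action=dst-nat to-addresses=192.168.1.11 to-ports=443 comment="https to web server"
# Masquerade for outgoing traffic, as in the default configuration
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default masquerade"

# --- Filter: the forward chain sees the packet AFTER dst-nat, so match the private server IP ---
/ip firewall filter
# Remove the input-chain rule that matched src-port=443 (wrong chain, and clients never use src-port 443)
remove [find chain=input src-port=443]
# Accept new HTTPS connections from WAN to the server; only dst-port is matched, src-port is random
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.1.11 dst-port=443 \
    connection-state=new action=accept comment="allow https to web server"
# Keep the default established/related/invalid rules for the forward chain after this rule

# --- Checks while a client connects to 192.168.0.2:443 ---
# Packet/byte counters on the dst-nat and forward rules should increase
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
# The tracked connection should show the translated reply address 192.168.1.11
/ip firewall connection print where protocol=tcp dst-address~":443"
```

If the dst-nat counter rises but the forward counter stays at zero, the packet was translated and then dropped or never routed, so look at the forward chain order and at the server's default gateway (it must reply through 192.168.1.1); if the dst-nat counter itself stays at zero, the packet never reached the router on ether1-gateway, which points at the upstream "box" or at testing from the wrong side of the router.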