How to analyze problem with port forwarding

Hey there,

I’m pretty much satisfied with my setup (several vlans on hEx and a CRS-Switch). Just one thing is not working as expected: port forwarding for my home server to serve as webserver (443 only).

I figured out that you can do the port forwarding directly to its IP so you don’t have to use a NAT rule, which is not recommended as my modem is a Fritz!Box which already NATs. I just cannot get 443 traffic to come through to my server. I have no problem with local requests.

Any idea on how to troubleshoot? (I already disabled all firewall rules).

cheers

For a start:

  1. Do you know what your public address is?
  2. Are you sure?
  3. Do you have a public address?
  4. Are you sure?

If there’s no problem there, i.e. you answered 4 x YES, then the next step is forwarding the port from the Fritz!Box to somewhere, which can be either your router (if you have double NAT) or the server’s internal address (if you don’t). If it’s the former, you need an additional dstnat rule from your router to the server. You can see if something is coming (= you configured the Fritz!Box correctly) with either Tools->Torch or using a logging rule like:

/ip firewall mangle
add chain=prerouting in-interface=<WAN> protocol=tcp dst-port=443 connection-state=new action=log log-prefix=INCOMING

And you need to be testing this from the internet, not from a device in the same LAN (once it works from the internet, it’s possible to make it work from LAN too, but that requires additional config).
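
An added example, not part of the thread: a small Python triage script for log entries written by the `INCOMING` rule above, separating connections that arrived from the internet from tests made inside the upstream LAN. The log line layout, the sample lines and the 192.168.178.0/24 LAN range are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed layout of a RouterOS firewall log entry (may vary by version).
LINE_RE = re.compile(
    r"INCOMING\b.*?in:(?P<iface>\S+).*?proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = [
    "12:01:07 firewall,info INCOMING prerouting: in:ether1 out:(unknown 0), "
    "connection-state:new src-mac 02:00:00:00:00:01, proto TCP (SYN), "
    "203.0.113.5:51234->192.168.178.20:443, len 60",
    "12:02:44 firewall,info INCOMING prerouting: in:ether1 out:(unknown 0), "
    "connection-state:new src-mac 02:00:00:00:00:02, proto TCP (SYN), "
    "192.168.178.33:40112->192.168.178.20:443, len 60",
    "12:03:10 dhcp,info defconf assigned 192.168.88.10",
]

def classify(line, lan_nets):
    """Return (verdict, src, dst) for a matching log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    # A source inside the upstream LAN is a local test and says nothing
    # about whether the Fritz!Box forwards connections from the internet.
    internal = any(src in ipaddress.ip_network(n) for n in lan_nets)
    return ("internal-test" if internal else "external", str(src), m["dst"])

def summarize(lines, lan_nets):
    """Count external hits, internal tests and lines that did not match."""
    counts = {"external": 0, "internal-test": 0, "unparsed": 0}
    for line in lines:
        result = classify(line, lan_nets)
        counts[result[0] if result else "unparsed"] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, ["192.168.178.0/24"]))
```

A non-zero `external` count means the upstream forward is delivering packets to the router; only `internal-test` hits mean the test was not made from outside.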

If there is a router/modem in front of the MT device, then you have to be able to (on the fritz) port forward 443 to the LANIP of the MT router (on the fritz lan subnet).

Wow, that hint was good as gold! I was able to exactly track down when traffic came through and when not. In the end I was able to fix everything, was a mixture of everything (DNS misconfig, typo in IP, …)

I actually read about that and liked the idea, but it just didn’t work out. Using the mangle inspection, I wasn’t able to get packets to the Mikrotik by the direct port forwarding.


I’m fine, thanks!