Internal and external facing web server

I have a web server with port forwarding working on the public interface. When I try to access the sites hosted on the server from the LAN, I get nothing. External access works fine. Here's the config.

# Filter rules for traffic addressed to the router itself (chain=input) and
# traffic the router originates (chain=output). Rules in a chain are evaluated
# top to bottom and the first matching accept/drop ends processing, so order
# matters below.
/ip firewall filter
add action=drop chain=input comment=“Drop Invalid connections”
connection-state=invalid disabled=no
add action=accept chain=input comment=“Allow ICMP” disabled=no protocol=icmp
# Only connection-state=established is accepted; "related" is not listed here.
add action=accept chain=input comment=“Allow Established connections”
connection-state=established disabled=no
# Management allow-list: membership of "sp-office" is defined outside this excerpt.
add action=accept chain=input comment=“Allow SP Office” disabled=no
src-address-list=sp-office
# Accepts any 10.0.0.0/8 source that did not arrive on ether1-gateway.
add action=accept chain=input disabled=no in-interface=!ether1-gateway
src-address=10.0.0.0/8
# NOTE(review): this rule has no matchers, so it drops every input packet that
# reaches it. All chain=input rules below it (the FTP/SSH blacklist drops, the
# SSH stage rules, and the second "Drop everything else") never see traffic.
# If the brute-force handling is meant to be active it has to sit above this rule.
add action=drop chain=input comment=“Drop Everything Else” disabled=no
add action=drop chain=input comment=“drop ftp brute forcers” disabled=no
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# chain=output: matches the router's own replies containing the FTP failure
# string. The first rule accepts them while within the dst-limit rate; the
# second adds the destination to ftp_blacklist for 3h once the limit is passed.
add action=accept chain=output comment=“drop ftp brute forcers” content=
“530 Login incorrect” disabled=no dst-limit=1/1m,9,dst-address/1m protocol=
tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output comment=“drop ftp brute forcers”
content=“530 Login incorrect” disabled=no protocol=tcp
add action=drop chain=input comment=“drop ssh brute forcers” disabled=no
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# SSH escalation ladder: each new connection from a source already in stageN
# promotes it to the next list; stage3 -> ssh_blacklist for 1w3d.
# NOTE(review): no rule in this excerpt adds a source to ssh_stage1, so the
# ladder cannot start as posted -- presumably a rule was lost; verify against
# the live config.
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input comment=“drop ssh brute forcers”
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input comment=“drop ssh brute forcers”
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=
ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input comment=“drop ssh brute forcers”
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=
ssh_stage1
# Duplicate of the earlier catch-all drop; unreachable for the same reason.
add action=drop chain=input comment=“Drop everything else” disabled=no
# Forward chain (traffic routed through the router): drop packets whose source
# or destination is in 0.0.0.0/8, 127.0.0.0/8 or 224.0.0.0/3, then hand the
# rest to a per-protocol chain.
# NOTE(review): no accept or drop rule terminates chain=forward in this
# excerpt, so anything the tcp/udp/icmp chains do not drop, and every other
# protocol, falls through to the chain's default action. This is a deny-list,
# not a default-deny policy -- confirm that is intended.
add action=drop chain=forward comment=“Drop BOGON” disabled=no src-address=
0.0.0.0/8
add action=drop chain=forward comment=“Drop BOGON” disabled=no dst-address=
0.0.0.0/8
add action=drop chain=forward comment=“Drop BOGON” disabled=no src-address=
127.0.0.0/8
add action=drop chain=forward comment=“Drop BOGON” disabled=no dst-address=
127.0.0.0/8
add action=drop chain=forward comment=“Drop BOGON” disabled=no src-address=
224.0.0.0/3
add action=drop chain=forward comment=“Drop BOGON” disabled=no dst-address=
224.0.0.0/3
# Per-protocol dispatch into the user-defined chains tcp, udp and icmp.
add action=jump chain=forward comment=“Jump 2 TCP” disabled=no jump-target=tcp
protocol=tcp
add action=jump chain=forward comment=“Jump 2 UDP” disabled=no jump-target=udp
protocol=udp
add action=jump chain=forward comment=“Jump 2 ICMP” disabled=no jump-target=
icmp protocol=icmp
# User-defined chains "tcp" and "udp", entered from chain=forward. Each rule
# drops forwarded traffic to a specific destination port; neither chain ends
# with a terminal rule, so unmatched packets return to the forward chain.
add action=drop chain=tcp comment=“deny TFTP” disabled=no dst-port=69 protocol=
tcp
add action=drop chain=tcp comment=“deny RPC portmapper” disabled=no dst-port=
111 protocol=tcp
add action=drop chain=tcp comment=“deny RPC portmapper” disabled=no dst-port=
135 protocol=tcp
# Unlike the other rules, the NBT drop only applies to packets entering on ether3.
add action=drop chain=tcp comment=“deny NBT” disabled=no dst-port=137-139
in-interface=ether3 protocol=tcp
add action=drop chain=tcp comment=“deny cifs” disabled=no dst-port=445
protocol=tcp
add action=drop chain=tcp comment=“deny NFS” disabled=no dst-port=2049
protocol=tcp
add action=drop chain=tcp comment=“deny NetBus” disabled=no dst-port=20034
protocol=tcp
add action=drop chain=tcp comment=“deny NetBus” disabled=no dst-port=
12345-12346 protocol=tcp
# NOTE(review): the port commonly associated with Back Orifice is 31337;
# 3133 here (and in the udp chain) looks like a truncated value -- verify.
add action=drop chain=tcp comment=“deny BackOriffice” disabled=no dst-port=3133
protocol=tcp
# NOTE(review): DHCP runs over UDP, and the udp chain has no 67-68 rule, so
# this TCP rule presumably does not block DHCP as the comment suggests.
add action=drop chain=tcp comment=“deny DHCP” disabled=no dst-port=67-68
protocol=tcp
# udp chain: same deny-list idea for UDP destination ports.
add action=drop chain=udp comment=“deny TFTP” disabled=no dst-port=69 protocol=
udp
add action=drop chain=udp comment=“deny PRC portmapper” disabled=no dst-port=
111 protocol=udp
add action=drop chain=udp comment=“deny PRC portmapper” disabled=no dst-port=
135 protocol=udp
add action=drop chain=udp comment=“deny NBT” disabled=no dst-port=137-139
in-interface=ether3 protocol=udp
add action=drop chain=udp comment=“deny NFS” disabled=no dst-port=2049
protocol=udp
add action=drop chain=udp comment=“deny BackOriffice” disabled=no dst-port=3133
protocol=udp
# User-defined chain "icmp", entered from chain=forward: an allow-list of
# ICMP type:code pairs followed by a catch-all drop. It applies to forwarded
# ICMP only; ICMP addressed to the router is accepted wholesale by the
# "Allow ICMP" rule in chain=input.
add action=accept chain=icmp comment=“echo reply” disabled=no icmp-options=0:0
protocol=icmp
add action=accept chain=icmp comment=“net unreachable” disabled=no
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment=“host unreachable” disabled=no
icmp-options=3:1 protocol=icmp
# 3:4 (fragmentation required) is what path-MTU discovery depends on.
add action=accept chain=icmp comment=“host unreachable fragmentation required”
disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment=“allow source quench” disabled=no
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment=“allow echo request” disabled=no
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment=“allow time exceed” disabled=no
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment=“allow parameter bad” disabled=no
icmp-options=12:0 protocol=icmp
# Any ICMP type:code not accepted above is dropped here.
add action=drop chain=icmp comment=“deny all other types” disabled=no
# NAT table: one source-NAT rule for outbound traffic and one destination-NAT
# rule that publishes the web server.
/ip firewall nat
# Masquerade applies only to packets leaving via ether1-gateway.
add action=masquerade chain=srcnat comment=“scrnat masq” disabled=no
out-interface=ether1-gateway
# Maps TCP/80 sent to 1.1.1.1 (presumably a stand-in for the real public
# address) onto 10.5.5.32. There is no in-interface matcher, so LAN clients
# that connect to 1.1.1.1 are translated as well.
# NOTE(review): no srcnat rule covers LAN -> 10.5.5.32 traffic. If the client
# and the server share a subnet, the server answers the client directly and
# the reply bypasses the router's connection tracking, so the client discards
# it -- the hairpin NAT case described in the question. Confirm the topology.
# A hairpin srcnat rule makes internal requests appear in the web server's
# logs with the router's address; split DNS avoids that if per-client logging
# or source-based access control on the server matters.
add action=netmap chain=dstnat comment=“Production WWW” disabled=no
dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=10.5.5.32

# Connection-tracking helpers ("service ports"). Every helper listed is
# disabled except pptp.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
# sip-direct-media=yes is still set here although the helper itself is disabled.
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
# NOTE(review): pptp is the only helper left enabled; if PPTP is not used
# through this router it can presumably be disabled like the others -- confirm.
set pptp disabled=no

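Read the wiki on Hairpin NAT. Your dstnat rule also matches LAN clients, but the server then replies to them directly instead of back through the router, so the client never sees a reply from the address it connected to.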

Thank you! That was exactly what I needed.