IP / Port Forwarding Help

Can’t forward an external IP:port to internal IP:Port


[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.99.180 to-ports=81
protocol=tcp dst-address=24.154.xx.xx in-interface=ether1 dst-port=8810

2 chain=dstnat action=dst-nat to-addresses=192.168.99.180 to-ports=5900
protocol=tcp dst-address=24.154.xx.xx dst-port=5900

Are there firewall filters in the way?
Is the host firewall permitting that traffic through?
Are the NAT rules counting packets?
How are you testing?

Only one firewall filter: to block icmp
I can use web proxy to access same host and port on same ethernet ports.
Besides dst-nat for forwarding, only NATting done is outbound masquerade.
I’m testing with a web browser; I put ip_address:port in the address bar.
Whenever I try to access the host, I see the bytes and packets counters increase.

If you see the counters going up, that means the rule is working and doing what it is supposed to. Run torch on your LAN interface to see the traffic going to the server you are forwarding to and see if it is replying back. Are you doing anything with load balancing or policy based routing?
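To make the "counters going up means the rule matched" point concrete, here is an added example (not code from the thread or from MikroTik) that parses the `/ip firewall nat print` output posted above and replays a connection through the dstnat chain the way RouterOS evaluates it: first enabled rule whose matchers all agree wins, and a matcher the rule omits (like `in-interface` on rule 2) matches anything. The NAT table is the one from the post, with the wrapped line of rule 1 treated as a continuation; `24.154.xx.xx` is the poster's redacted address and is only compared as a string. The packet dictionaries, the `diagnose` wording and the helper names are assumptions of this example.

```python
"""Replay a connection through a parsed MikroTik dstnat chain.

Added example for the thread above; not RouterOS code. It shows that if the
posted rule 1 matches, the router has already rewritten the destination to
192.168.99.180:81, so a failing connection must be lost on the LAN side
(host firewall, reply route), which is what the counters rising tells you.
"""

# Constructed input: the NAT table exactly as posted, including the wrapped
# continuation lines that RouterOS prints for long rules.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1
 1   chain=dstnat action=dst-nat to-addresses=192.168.99.180 to-ports=81
     protocol=tcp dst-address=24.154.xx.xx in-interface=ether1 dst-port=8810
 2   chain=dstnat action=dst-nat to-addresses=192.168.99.180 to-ports=5900
     protocol=tcp dst-address=24.154.xx.xx dst-port=5900
"""

# Matchers this example understands; others on a rule are carried but ignored.
MATCH_KEYS = ("protocol", "dst-address", "dst-port", "in-interface", "src-address")


def parse_nat_print(text):
    """Turn 'print' output into a list of {key: value} rules, in table order.

    A line whose first token is a number starts a rule; any later line that
    does not is a continuation of the previous rule. Bare tokens before the
    first key=value pair are flags (e.g. 'X' for a disabled rule).
    """
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("Flags:"):
            continue
        if tokens[0].isdigit():
            rule = {"id": int(tokens[0]), "flags": set()}
            rules.append(rule)
            tokens = tokens[1:]
        else:
            rule = rules[-1]
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rule[key] = value
            else:
                rule["flags"].update(tok)
    return rules


def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    for key in MATCH_KEYS:
        if key in rule and str(pkt.get(key)) != rule[key]:
            return False
    return True


def lookup_dstnat(rules, pkt):
    """Return the first enabled dstnat rule the packet hits, or None."""
    for rule in rules:
        if rule.get("chain") != "dstnat" or "X" in rule["flags"]:
            continue
        if matches(rule, pkt):
            return rule
    return None


def translate(rule, pkt):
    """Apply dst-nat: rewrite the destination address and port as the rule says."""
    new = dict(pkt)
    new["dst-address"] = rule.get("to-addresses", pkt["dst-address"])
    if "to-ports" in rule:
        new["dst-port"] = int(rule["to-ports"])
    return new


def diagnose(rules, pkt):
    """One-line verdict: where to look next, given what the NAT chain did."""
    hit = lookup_dstnat(rules, pkt)
    if hit is None:
        return ("no dstnat rule matches: check protocol, dst-address, dst-port "
                "and in-interface on the rule")
    out = translate(hit, pkt)
    return (f"rule {hit['id']} matches, destination rewritten to "
            f"{out['dst-address']}:{out['dst-port']}; if its counters rise but "
            "nothing answers, look at the host firewall and the reply route")


if __name__ == "__main__":
    table = parse_nat_print(NAT_PRINT)
    inbound = {"protocol": "tcp", "dst-address": "24.154.xx.xx",
               "dst-port": 8810, "in-interface": "ether1"}
    print(diagnose(table, inbound))
    # Same connection arriving on another interface: rule 1 will not match.
    print(diagnose(table, dict(inbound, **{"in-interface": "ether2"})))
```

Running it shows the first packet landing on rule 1 and being sent to 192.168.99.180:81, while the same packet arriving on an interface other than ether1 hits nothing, because rule 1 carries an `in-interface` matcher and rule 2 does not. That is the distinction to keep in mind when the counters on one rule climb and another rule's stay flat.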

Is that forwarding to an internal web server? Normally I use “to-ports=80”, not 81. Just a thought.

I’m forwarding to a Win XP Dude Server.

No load bal, no policy.

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

Also ensure that the host firewall on the server is accepting traffic. Windows 2008/R2, 7 and Vista all have the concept of different areas, where a firewall can be configured to only let traffic in when it’s sourced from the same subnet, etc. Run a packet sniffer on the Dude server to see if the packets make it there.