Issues after forwarding port 80

RouterOS Beginner Basics
1

Hello Everyone,

I have a 3011UiAS routing at a small office with almost no special requirements. There is however a webserver on one of the machines. I had simple port 80 forward to the machine and everything was running smoothly. Recently someone complained that they couldn’t access one specific website on the internet from the office. More over, it seems like it’s a problem with websites from this distant country.

This is my config:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat comment="Webserver" dst-port=\
    80 protocol=tcp to-addresses=192.168.1.20 to-ports=80

All the rules are defaults, except the port 80 forward.

It doesn’t make much sense to me, but I just need to disable that one forward and the problematic foreign website works perfect. Any ideas?

Thanks in advance,
Daniel

2

Problematic website? Websites from distant country? More like every single http website on default port in the world. You’d have to use https websites exclusively to not notice immediatelly. :slight_smile:

Your dstnat rule matches any tcp connection to port 80, no matter what the destination address is. So outgoing connections included. Add dst-address-type=local to your dstnat rule and it will be much better.

3

@Sob Has nailed the issue however I have another way of working around it. Add an “in interface” to your dst-nat rule which is your WAN interface. Then it will only catch that traffic.

4

I mentioned the distance because I thought it might be latency related, is the only hint I could find. It’s odd, not only 99% of the internet was working, but also the same website would randomly work on some machines and others wouldn’t.

I tried the “local” fix, it worked! Thanks!

5

Is there any other paranormal activity going on in that office? :slight_smile: Because I really can’t find any explanation for what you’re describing.

6

I bet people stick to google services and work stuff, or maybe they didn’t feel like complaining that offtopic sites weren’t working. Thanks again!