Hello all,
I have successfully forwarded several ports to my internal servers as well as set up a hairpin NAT such that internal clients can access the server(s) via the WAN IP.
All traffic external to my NAT’d network is able to access my web server; however, my internal clients are not able to do so using the WAN IP.
This is my current NAT rule to forward traffic destined for port 443:
chain=dstnat action=dst-nat to-addresses=192.168.1.103 protocol=tcp
in-interface=ether1-gateway dst-port=443
My current hairpin NAT rule looks like this:
chain=srcnat action=masquerade src-address=192.168.1.0/24
dst-address=192.168.1.0/24
I also have a masquerade rule for traffic leaving my NAT’d network:
chain=srcnat action=masquerade out-interface=ether1-gateway
What have I missed that would let my internal clients access my webserver via its WAN IP?
Thanks in advance.
The problem is here: “in-interface=ether1-gateway”. The traffic from the LAN is not coming in on that interface. In that NAT rule use “dst-address=WAN_IP”.
I do not have a static WAN IP. I use no-ip to keep track of my dynamic ip. Were my IP static, I would have done as you suggested. Is there another way to accomplish what you have shown using a dynamic IP as I have outlined?
You can keep it interface based then, just create a second NAT rule, which will be the same, just replace “in-interface=ether2-LAN”
I created the rule as you suggested. It didn’t make a change I could see. Also, wouldn’t making a rule cause all traffic on port 443 to be redirected to my local webserver?
Yes it would. You can try one more thing. Just one rule, but set “dst-address-type=local”, no interfaces involved. That should have less of a negative impact.
You can also schedule a script to run to put your dynamic WAN IP into an address list, and use “dst-address-list=WAN_List”, which would be the best option.
Also, make sure your firewall allows traffic from your LAN back to your LAN in the forward chain (for hairpin NAT).
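As an added example (not from the original thread), here is the address-list approach described in the reply above, for a dynamic WAN IP: a script that keeps the current WAN address in WAN_List, a scheduler entry to run it, and the dst-nat, hairpin and forward rules that go with it. It assumes the names already in the thread (ether1-gateway, 192.168.1.103, 192.168.1.0/24) and that the WAN address shows up under /ip address (e.g. from a DHCP client); the script name update-wan-list is a hypothetical choice.

```routeros
# --- Script body: save as a script named "update-wan-list" (System > Scripts) ---
# Reads the address currently on ether1-gateway and keeps WAN_List pointing at it.
:local ids [/ip address find interface="ether1-gateway" disabled=no]
:if ([:len $ids] = 0) do={
    :log warning "update-wan-list: no address on ether1-gateway, WAN_List left unchanged"
} else={
    # /ip address stores "a.b.c.d/len"; keep only the address part
    :local wanAddr [/ip address get [:pick $ids 0] address]
    :set wanAddr [:pick $wanAddr 0 [:find $wanAddr "/"]]
    :local entry [/ip firewall address-list find list="WAN_List"]
    :if ([:len $entry] = 0) do={
        /ip firewall address-list add list="WAN_List" address=$wanAddr comment="set by update-wan-list"
        :log info "update-wan-list: WAN_List created with $wanAddr"
    } else={
        # Only touch the entry when the dynamic address actually changed
        :if ([/ip firewall address-list get [:pick $entry 0] address] != $wanAddr) do={
            /ip firewall address-list set [:pick $entry 0] address=$wanAddr
            :log info "update-wan-list: WAN_List updated to $wanAddr"
        }
    }
}

# --- CLI commands ---
# Run the script once a minute so the list follows the dynamic address
/system scheduler add name=update-wan-list interval=1m on-event="/system script run update-wan-list"

# dst-nat matches the list instead of in-interface, so LAN clients using the WAN IP match too
/ip firewall nat add chain=dstnat dst-address-list=WAN_List protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.103 comment="443 -> web server"

# Hairpin: rewrite the source so the server's reply goes back through the router
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 \
    action=masquerade comment="hairpin NAT"

# Forward chain must accept LAN-to-LAN traffic; place this above any drop rule
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="allow hairpin traffic"
```

After the first scheduler run, /ip firewall address-list print should show the single WAN_List entry with the current public address.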
Changing the dst-address-type worked! I do like the second solution better though, I will go learn about scripting for Mikrotik and make the script needed. Thanks for your help!