MikroTik WebFig access from WAN and LAN

Hello guys!
Recently I bought a MikroTik 951G-2HnD and I have one question about firewall features and access to WebFig.
I want to do:
a) from LAN (internal network 192.168.0.0/24) I want to access WebFig via http://192.168.0.1:80
b) from the Internet (WAN port) I want to access WebFig via http://x.y.z.a:8080, where x.y.z.a is my static WAN IP
By default WebFig works on port 80, that's OK.
So I need to open port 80 for LAN connections, and open 8080 for WAN connections and redirect it to 192.168.0.1:80.
So I added this rule in the Filter section:

chain=input action=accept connection-nat-state="" protocol=tcp dst-port=80 log=no

and I added this rule in the NAT section:

chain=dstnat action=redirect to-addresses=192.168.0.1 to-ports=80 protocol=tcp in-interface=ether1-WAN dst-port=8080 log=yes

And now I can connect to WebFig from WAN on ports 80 and 8080 - both of them. This is no good)
If I delete the Filter rule, I cannot connect to WebFig from WAN at all.

So how can I get it to work from WAN on :8080 and from LAN on :80?
Thank you.

If you want port 80 not available from WAN, you need to block it. You can either have a “block everything not allowed” type firewall like this (minimal version):

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=<LAN>
add action=drop chain=input

Or just block connections from WAN like this:

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=<WAN>

In any case, because action=redirect changes the port but not the incoming interface, you need to add an exception before the drop rule (you can limit it to port 80, but it’s probably not necessary):

/ip firewall filter
add action=accept chain=input connection-nat-state=dstnat
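
An added example, not part of the thread: a simplified Python model of the evaluation order described above (dstnat first, then the input chain top-down, first match wins), run against the question's rule, the answer's rules, and the same rules with the exception placed after the drop. The interface name `bridge-LAN` and the trailing drop in the question's ruleset are assumptions.

```python
# Simplified model of RouterOS handling of traffic addressed to the router:
# dstnat runs first, then the input chain is evaluated top-down, first match wins.
# Interface names and rule sets are constructed for illustration.
WAN, LAN = "ether1-WAN", "bridge-LAN"  # bridge-LAN is an assumed name

def dstnat(pkt):
    """The thread's NAT rule: redirect WAN tcp/8080 to local port 80."""
    pkt = dict(pkt, nat_state=None)
    if pkt["in_if"] == WAN and pkt["dport"] == 8080:
        # redirect rewrites the port; in_if stays the WAN interface
        pkt.update(dport=80, nat_state="dstnat")
    return pkt

def matches(rule, pkt):
    # A rule matches when every matcher it sets equals the packet's value.
    return all(pkt.get(k) == v for k, v in rule.items() if k != "action")

def input_chain(rules, pkt):
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # no rule matched: the chain accepts by default

def verdict(rules, in_if, dport):
    return input_chain(rules, dstnat({"in_if": in_if, "dport": dport}))

# The question's filter rule: accepts port 80 whatever the interface or NAT state.
# A trailing drop is assumed, since the poster loses WAN access without the accept.
ORIGINAL = [{"dport": 80, "action": "accept"}, {"action": "drop"}]

# The answer's rules: LAN accept, dstnat exception, then drop everything else.
# (The established,related rule is left out: only new connections are modelled.)
FIXED = [
    {"in_if": LAN, "action": "accept"},
    {"nat_state": "dstnat", "action": "accept"},
    {"action": "drop"},
]

# Same rules with the exception placed after the drop: it is never reached.
MISORDERED = [FIXED[0], FIXED[2], FIXED[1]]

if __name__ == "__main__":
    cases = ((LAN, 80), (WAN, 80), (WAN, 8080))
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        for in_if, dport in cases:
            print(f"{name:10} {in_if:11} tcp/{dport:<5} -> {verdict(rules, in_if, dport)}")
```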

Why? This is not a secure configuration at all. It is a bad idea to allow port 8080 connections from everywhere. If you are limiting the outside connections to a few trusted IPs, you shouldn’t really care whether it is on port 80 or 8080.