NAT Configuration

Hi,

I am unable to forward using my public IP (static IP) to my private IP address, which is a webserver.

Can someone help me?

Amir

Yes, someone can. But someone can only help you if you show what you have done already by posting an export of your config (see my automatic signature for details), and describe what doesn’t work and what analytic steps you have already performed with what results.

[dkhkhdfasjhkadhja@MikroTik] /ip> /export hide-sensitive

may/16/2019 19:40:15 by RouterOS 6.44.2

software id =

model =

serial number = 742A063D16B6

/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp-sfpplus2 ] advertise=10M-full,100M-full,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=10h10m name=dhcp1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-count=3
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 hw=no interface=sfp-sfpplus1
add bridge=bridge1 hw=no interface=sfp-sfpplus2
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=183.82.98.20/19 comment=defconf interface=ether1 network=183.82.96.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.34 client-id=1:38:f9:d3:51:9b:b8 mac-address=38:F9:D3:51:9B:B8 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=202.53.8.8,202.53.8.9
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.36 to-ports=80
/ip route
add distance=1 gateway=183.82.96.1
/ip service
set telnet port=2201
set ftp port=2202
set www port=2203
set ssh port=2200
set winbox port=8888
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Asia/Kolkata

Hi,

I tried putting the NAT rule

add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.36 to-ports=80


Then I tried hitting the public IP (note my server is already running on 192.168.88.36).

But it says address unreachable.

Am I missing something?

Amir

Well, I am missing any /ip firewall filter rules in your configuration export. With the current configuration your Mikrotik is accessible via ether1 to anyone on all its management interfaces (ssh, telnet, winbox, …), as the default handling in the firewall filter is “accept”.

So maybe there is some other (external) firewall device between its ether1 and the internet? If so, it may be the reason why your dst-nat rule seems not to work.

If there is none, chances are high that your Mikrotik is by now a part of some botnet. Listening at non-standard ports is not a sufficient protection of management interfaces.

The default firewall filter rules which you can find in the output of /system default-configuration print are quite good and play well with your dst-nat rule. However, these rules are only present in the default configuration if the device is a SOHO one; for the CRS or CCR product lines, there is no default firewall filter.

Other reasons why your dst-nat rule seems not to be working may be:

  • that you’re testing it from a client device in your LAN subnet (so the request doesn’t come to your Mikrotik via its ether1 so the dst-nat rule doesn’t match)
  • or that your ISP blocks port 80 on client addresses because it wants people to place HTTP servers on its hosting, so the initial SYN packet from the client never reaches your Mikrotik’s ether1,
  • that the route to internet on your server at 192.168.88.36 doesn’t point to 192.168.88.1 (Mikrotik’s IP on the LAN) or doesn’t exist at all, so the client’s SYN reaches the server but the response doesn’t go back via the Mikrotik and so the client doesn’t recognize it as a response because it comes from a different IP address.

To check which case it is, run /tool sniffer quick interface=ether1 port=80 and try to connect from a browser not connected to your Mikrotik’s LAN; if you can see packets with dst-address=your.public.ip:80, the issue is at your server side; if you don’t see such packets, something external is blocking access to port 80 at your WAN address. The sniffer watches the traffic on the interface before the firewall handles it on your Mikrotik.

More basic than that, there is a flaw in your configuration…
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

This needs to change to…
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

Also, your source NAT rule can be simplified…
from: /ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24

to: /ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
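Sindy’s observation that the export has no /ip firewall filter section and Anav’s point that the LAN address is bound to bridge port ether2 instead of bridge1 can both be checked mechanically. The following Python script is an added example, not code from this thread or from MikroTik: it parses a constructed excerpt of the posted export (the section and key names are those of the RouterOS export format) and reports those two findings plus the allow-none-crypto=yes line visible in the same export.

```python
import re

# Constructed excerpt of the export posted in this thread; only the sections
# the audit reads are kept, so the real export is longer.
EXPORT = """\
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
/ip address
add address=183.82.98.20/19 comment=defconf interface=ether1 network=183.82.96.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.36 to-ports=80
/ip service
set telnet port=2201
set winbox port=8888
/ip ssh
set allow-none-crypto=yes
"""

def parse_export(text):
    """Group each add/set line under its '/section' header as a dict of key=value pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line:
            entry = dict(re.findall(r"([\w-]+)=(\S+)", line))
            if m := re.match(r"set (\w+) ", line):   # 'set telnet port=...' names a service
                entry["_name"] = m.group(1)
            sections[current].append(entry)
    return sections

def audit(text):
    """Return the findings a defender would raise about this export, as strings."""
    s, findings = parse_export(text), []
    if "/ip firewall filter" not in s:
        # No filter chain means the default 'accept', so every listener is exposed on ether1.
        ports = ", ".join(f"{e['_name']}/{e['port']}" for e in s.get("/ip service", []) if "port" in e)
        findings.append(f"no /ip firewall filter rules; management services reachable from ether1: {ports}")
    bridge_ports = {e.get("interface") for e in s.get("/interface bridge port", [])}
    for a in s.get("/ip address", []):
        if a.get("interface") in bridge_ports:
            findings.append(f"{a['address']} is bound to bridge port {a['interface']}; bind it to the bridge instead")
    for e in s.get("/ip ssh", []):
        if e.get("allow-none-crypto") == "yes":
            findings.append("/ip ssh allow-none-crypto=yes accepts ssh sessions negotiated without encryption")
    return findings
```

Run audit() over the full export pasted above to get the same three findings; the address bound to ether1 is not flagged because ether1 is not a bridge port.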

Thanks Anav, you are a genius, your tip to change the

add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

to

add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0


This somehow caused the Wi-Fi speed to double.

Amir

Sindy, I am trying to implement your inputs also; give me some time, I will reply after reading through the whole thing carefully.

Amir