I’m using my hAP (RouterOS 6.49.6) to protect a single web server, using dstnat forwarding only traffic on ports 80 and 443. Port 80 works as expected, however connections over https (port 443) fail on the client side (curl says “SSL23_GET_SERVER_HELLO:unknown protocol”). Some quick research shows that this can happen if the incoming connection at the webserver is on a port other than 443. So I suspect that somehow the connection to x.x.x.x:443 is landing at a different port on the webserver.
My NAT rules are pretty simple:
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; defconf: masquerade
   chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1 chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=80 protocol=tcp dst-address=x.x.x.x dst-port=80 log=no log-prefix=""
 2 chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=443 protocol=tcp dst-address=x.x.x.x dst-port=443 log=no log-prefix=""
(x.x.x.x is the public WAN address of the hAP, and y.y.y.y the internal address of the webserver on the LAN interface.)
Unfortunately the Torch tool does not show anything about how the traffic is “translated” by dstnat, what the final destination port is and such.
Any ideas what could be going on here or how to debug this?
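An added diagnostic, not part of the original post and not the poster's code: OpenSSL reports "unknown protocol" when the bytes that arrive where the ServerHello should be are not a TLS record at all (a cleartext HTTP response is the usual culprit), so the fastest way to narrow this down is to ask port 443 what it actually speaks, once from outside against x.x.x.x and once from the LAN against y.y.y.y. If the two answers differ, the dstnat path is changing the traffic; if both come back as cleartext HTTP, the web server itself is not terminating TLS on 443. The script below does a real TLS handshake and, if that fails, a cleartext HTTP request whose reply it classifies. The hosts are placeholders (x.x.x.x / y.y.y.y as in the post), and the check for nginx's cleartext "plain HTTP request was sent to HTTPS port" 400 page is a heuristic assumed here, not something the post mentions.

```python
"""Probe a (possibly NAT-forwarded) port and report what protocol answers it.

Usage:  python3 probe443.py x.x.x.x      # from outside the hAP's WAN
        python3 probe443.py y.y.y.y      # from the LAN, bypassing dstnat
Hostnames/addresses are placeholders taken from the forum post.
"""
import socket
import ssl
import sys

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server returns to a cleartext HTTP request."""
    if not data:
        return "closed-without-data"
    # A TLS endpoint answers cleartext with a TLS alert (0x15) or, rarely, a
    # handshake record (0x16); either way byte 1 is the record-layer major version 0x03.
    if len(data) >= 3 and data[0] in (TLS_HANDSHAKE, TLS_ALERT) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        # Assumption (heuristic): nginx listeners configured with `ssl` reject
        # cleartext with a *cleartext* 400 whose body mentions the HTTPS port.
        if b"HTTPS port" in data:
            return "tls-listener-rejecting-cleartext"
        return "plain-http"  # consistent with curl's "unknown protocol" error
    return "unknown"


def tls_probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a real TLS handshake; return 'ok:<version>' or 'fail:<reason>'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # only asking whether TLS answers, not who
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok:{tls.version()}"
    except ssl.SSLError as e:          # must precede OSError (SSLError is a subclass)
        return f"fail:{e.reason}"
    except OSError as e:
        return f"fail:{e}"


def cleartext_probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a cleartext HTTP/1.0 request and return the first bytes of the reply."""
    req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return s.recv(256)
    except OSError:                    # reset, timeout, refused: all "no data"
        return b""


def diagnose(host: str, port: int = 443) -> dict:
    """Run both probes and summarise what the port speaks from this vantage point."""
    tls = tls_probe(host, port)
    banner = b"" if tls.startswith("ok") else cleartext_probe(host, port)
    return {
        "target": f"{host}:{port}",
        "tls": tls,
        "cleartext": classify_banner(banner) if banner else "not-probed" if tls.startswith("ok") else classify_banner(banner),
        "banner": banner[:80],
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "x.x.x.x"
    print(diagnose(target))
```

Read the two results side by side: `tls` starting with `ok` from the LAN but `fail:` from the WAN points at the router (rule counters in `/ip firewall nat print stats` and the original/reply addresses of the flow in `/ip firewall connection print` are where the translation Torch does not show is visible); `plain-http` from both sides means the box at y.y.y.y is serving cleartext on 443 and the NAT is doing exactly what it was told.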