Using MikroTik RouterOS 5.16, I have trouble with opening port 443 and trying to NAT it to another port inside the MikroTik router.
Port 80 is working fine, but the 443 to port 8000 does not. Have I done anything wrong here? The 192.168.0.3:8000 is set up with HTTPS, and works fine inside the LAN.
This setup looks correct. You don’t need the filter rules to allow ports 80 and 443 as it’s implied when you have NAT rules set up.
Go to Tools > Torch. Torch will show you what packets are coming and going from what interfaces. In a working scenario, you should see packets destined to port 443 coming in ether1. You should then also see packets destined to port 8000 leaving ether2 with a dst-ip of 192.168.0.3. Maybe you’ll find packets aren’t coming into the WAN, or maybe they are but not going out the LAN. Or maybe you’ll find both are working, and it’s your server that’s not accepting the connections due to something like a wrong gateway defined in the server?
But it requires newer RouterOS, 5.x doesn’t have it.
And the problem here is that firewall filter happens after dstnat. So if a packet originally comes to port 443 and you change its destination to port 8000, you need to allow the latter in filter.
Bloody hell, I just checked my rules on several routers. Default config for forward chain was allow established, allow related, drop invalid. Which is why I’ve never had to add a rule for NAT’d connections.
Right, RouterOS by default allows everything and, unlike in iptables, you can’t set a default policy for a chain. So unless you add a drop/reject rule at the end, everything not specifically blocked is allowed.
If your goal is to allow all traffic from ether2-master, then allow connections to ports 80 and 443, and finally block the rest, you have it correct. It would work with port 8000 too, you’d just have to allow 8000 in the forward chain instead of 443.
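The configuration the last two replies describe, as an added example that is not from any post in this thread: the dst-nat rule together with a forward chain that allows the translated port (8000) rather than the original one (443). It assumes ether1 is the WAN interface and ether2-master the LAN interface, as named in the replies above, and the HTTPS server at 192.168.0.3:8000 from the question.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN, ether2-master = LAN.
# The HTTPS server sits at 192.168.0.3:8000 as described in the question.

# dst-nat: inbound TCP/443 on the WAN is rewritten to 192.168.0.3:8000 before filtering.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.0.3 to-ports=8000

# Filter runs AFTER dst-nat, so the forward chain sees dst-port=8000, never 443.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Allow everything that originates from the LAN side.
add chain=forward in-interface=ether2-master action=accept
# WRONG (commented out): matches the pre-NAT port, which no forwarded packet carries.
# add chain=forward in-interface=ether1 protocol=tcp dst-port=443 action=accept
# RIGHT: match the post-NAT destination address and port for new connections only.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.0.3 dst-port=8000 connection-state=new action=accept
# Explicit final drop; without it RouterOS accepts whatever the rules above did not match.
add chain=forward action=drop
```

The per-rule packet counters in `/ip firewall filter print stats` show which rule the forwarded packets actually hit, which complements the Torch check suggested above.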