NAT not working

Hi,

I am natting port 80 to a server, which doesn't work. If I change the dst-port to 81 while still natting to the internal server on port 80, it works.
Is MikroTik holding port 80 for some reason?

Regards

By default the www service is enabled and the router will hold port 80. You can change that to free it up or you can disable www service if you are using Winbox.

Can you post some config?

Hi,

Below is my NAT config :

add action=accept chain=srcnat dst-address=192.168.101.0/24 src-address=192.168.99.0/24
add action=src-nat chain=srcnat comment="company Internet" out-interface=Public src-address=192.168.102.0/24 to-addresses=wan ip 2
add action=src-nat chain=srcnat comment="Rest Of Network Internet" out-interface=Public src-address-list=PrivateIPs to-addresses=wan ip 1
add action=dst-nat chain=dstnat comment="Automate" dst-address=wan ip 2 dst-port=80 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=80
(THIS DOESN'T WORK, except when changing dst-port to any other port; you can access it via that port. I need 80 as this is coded in an app that needs to poll my internal server.)
add action=dst-nat chain=dstnat dst-address=wan ip 2 dst-port=443 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=443
add action=dst-nat chain=dstnat dst-address=wan ip 2 dst-port=70 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=70
add action=dst-nat chain=dstnat dst-address=wan ip 2 dst-port=3389 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=3389
add action=dst-nat chain=dstnat dst-address=wan ip 2 dst-port=8484 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=8484
add action=dst-nat chain=dstnat comment="Control" dst-address=wan ip 2 dst-port=8040-8041 in-interface=Public protocol=tcp to-addresses=192.168.102.12 to-ports=8040-8041
add action=dst-nat chain=dstnat dst-address=wan ip 2 dst-port=3390 in-interface=Public protocol=tcp to-addresses=192.168.102.12 to-ports=3389

Yes, but dstnat, as part of the prerouting process (where it’s decided if the packet goes to the router itself or through the router to somewhere else), will happily “override” it. So you can have both RouterOS using port 80 and forward port 80 from the public address at the same time and it will work. Obviously you won’t be able to connect to the router’s service on port 80 using an address that’s also used for port forwarding, but any other router address will work.
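
The ordering described in the reply above, as an added sketch that is not part of the original thread and not RouterOS code: it parses two of the posted dst-nat rules and models "dstnat first, routing decision second". The WAN addresses are constructed documentation addresses standing in for the redacted "wan ip 1/2", the function names are hypothetical, and only single-port rules are modelled.

```python
import shlex

# Constructed stand-ins: the post redacts the real addresses as "wan ip 1/2".
WAN_IP_1 = "203.0.113.1"   # router address with no port-80 forward
WAN_IP_2 = "203.0.113.2"   # router address used by the dst-nat rules
ROUTER_ADDRESSES = {WAN_IP_1, WAN_IP_2}
ROUTER_SERVICES = {("tcp", 80): "www"}   # www enabled on its default port

# Two rules from the posted config, with the constructed address filled in.
EXPORT = f"""
add action=dst-nat chain=dstnat comment="Automate" dst-address={WAN_IP_2} dst-port=80 in-interface=Public protocol=tcp to-addresses=192.168.102.11 to-ports=80
add action=dst-nat chain=dstnat dst-address={WAN_IP_2} dst-port=3390 in-interface=Public protocol=tcp to-addresses=192.168.102.12 to-ports=3389
"""

def parse_rules(text):
    """Turn 'add key=value ...' export lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]          # drop the leading 'add'
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def route(rules, in_if, proto, dst, port):
    """Model: dstnat (prerouting) first, routing decision second."""
    for r in rules:
        if (r["chain"] == "dstnat" and r["action"] == "dst-nat"
                and r["in-interface"] == in_if and r["protocol"] == proto
                and r["dst-address"] == dst and int(r["dst-port"]) == port):
            dst, port = r["to-addresses"], int(r["to-ports"])
            break                               # first matching rule wins
    if dst in ROUTER_ADDRESSES:                 # still addressed to the router
        service = ROUTER_SERVICES.get((proto, port), "no listener")
        return ("input", service)
    return ("forward", f"{dst}:{port}")

if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    for dst, port in [(WAN_IP_2, 80), (WAN_IP_1, 80), (WAN_IP_2, 3390)]:
        print(dst, port, "->", route(rules, "Public", "tcp", dst, port))
```

In this model, port 80 on the forwarded address never reaches the router's www service, while port 80 on the other router address still does.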

I find Torch a useful tool to track where packets are being lost. Torch on the WAN to determine if packets are actually hitting your WAN. If they are, check the dst-nat rule: is the ‘packets’ field incrementing?

Then torch on the LAN side, see if packets are leaving your Mikrotik with the new dest ip (your LAN IP). You should also see packets coming back from your web server, destined to the public IP of the sender and source IP of your LAN.

Then torch again on the WAN; you should see those packets leaving the WAN with src-ip of your WAN interface (your public IP).