NAT WebFig access

I tried to get access to my WebFig on port 2443.

;;; Router HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.10.101 to-ports=2443 protocol=tcp dst-port=2443 log=yes log-prefix="WebFig"

but this is not working

20:37:18 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52
20:37:21 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52
20:37:27 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 48
20:37:34 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 52
20:37:37 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 52
20:37:42 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 48

Inside the network (LAN) I have access to WebFig at https://192.168.10.101:2443

Please help me find the reason and get access to WebFig from outside my network.

Why not just set the port in IP services instead of running it on a standard port but doing dstnat to bend the connections into that port? It seems to be a bit over-complicated.

Then you just put an input chain rule that allows dst-port=2443 from in-interface=wan

EDIT: Your log excerpt leads me to believe that you’ve got that same port mapped to 192.168.10.10 earlier in your dstnat chain…

I have followed your suggestions and changed the WebFig port in services to just 443.
I have checked from the LAN and all works fine on port 443.
I have disabled the NAT rule and added a new one in the firewall input filter:

;;; WinFig
chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=2443 log=yes log-prefix="WebFig-Firewall"

but from outside the same result ;-( I can't get this service

After that I can’t see any logs with the prefix “WebFig-Firewall”.

Regarding 192.168.10.10, please look at the logs and you will see not …10.10 but 192.168.10.101; this address is the first one after my cable router, which has a DMZ on all ports to the second MikroTik.

proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52

I didn’t mean that you had to change to port 443…

In services, you can set the server to run on whatever port you like, even 2443.

/ip service set [ find where name=www-ssl ] port=2443

If you do that, then the ssl service is now running directly on 2443 without needing any NAT rules.
(disable any dstnat rules about the webfig port 2443 or 443)

Then your input rule that you posted should work properly. (note that it’s still showing port 2443 in your reply)
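The sequence this reply describes, written out for the RouterOS CLI as an added example (it is not from the thread or from MikroTik's documentation). It keeps the interface name ether1-gateway and port 2443 from the thread; the address-list name admin-hosts and the address placed in it are constructed placeholders, added so that the management port is reachable only from known source addresses rather than from any host on the WAN.

```routeros
# Added example, not from the thread. Assumes WAN interface ether1-gateway and WebFig on 2443.

# 1. Run the HTTPS service directly on 2443, so no dst-nat is needed to reach it.
/ip service set [ find where name=www-ssl ] port=2443

# 2. Disable the leftover dst-nat rule for the WebFig port (matched by its comment from the thread).
/ip firewall nat disable [ find where chain=dstnat and comment="Router HTTPS" ]

# 3. Allow the port into the router itself (chain=input). "admin-hosts" and 203.0.113.10 are
#    constructed placeholders: replace with the real management addresses.
/ip firewall address-list add list=admin-hosts address=203.0.113.10 comment="placeholder admin host"

#    place-before=0 puts the accept rule at the top of the filter list; filter rules are
#    evaluated in order, so an accept placed after a generic input drop rule never matches.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=2443 \
    in-interface=ether1-gateway src-address-list=admin-hosts \
    log=yes log-prefix="WebFig-Firewall" comment="WebFig from admin hosts" place-before=0

# 4. Verify the service port and the rule, then follow the log while connecting from outside:
#    a hit on "WebFig-Firewall" shows the packet reached the input chain and was accepted.
/ip service print where name=www-ssl
/ip firewall filter print where comment="WebFig from admin hosts"
/log print follow where message~"WebFig-Firewall"
```

If the log shows no "WebFig-Firewall" entries at all while connecting, the packet is not reaching that rule: check whether an earlier input rule or a remaining dstnat rule is still handling port 2443 first. The source restriction can also be applied on the service itself with the `address=` parameter of `/ip service set`, which works independently of the firewall rule order.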

Thanks, I got your point :wink:

Now it is working :wink: