NATted port 443 (HTTPS) is bypassing firewall

Hi,

I’m new to networking and I’m trying to set up my home LAN. I’ve dstnat’ed some ports, like 22, 80 and 443. For a reason I can’t understand, 443 is responding from WAN even if there are no filter rules allowing it.

These are my firewall filter rules and my NAT:

/ip firewall filter
add chain=forward comment=FORWARD_ESTABLISHED_RELATED log-prefix=\
    FORWARD_ESTABLISHED_RELATED
add chain=input comment=INPUT_ESTABLISHED_RELATED connection-state=\
    established,related log-prefix=INPUT_ESTABLISHED_RELATED
add chain=input comment=INPUT_LAN src-address-list=LAN
add chain=forward comment=FORWARD_LAN src-address-list=LAN
add action=drop chain=input comment=PING_BROADCAST dst-address=192.168.1.255 \
    protocol=icmp
add action=drop chain=input comment=DNS_FROM_WAN_TCP dst-port=53 protocol=tcp
add action=drop chain=input comment=DNS_FROM_WAN_UDP dst-port=53 protocol=udp
add action=drop chain=input comment=INPUT_INVALID connection-state=invalid
add action=drop chain=forward comment=FORWARD_INVALID connection-state=invalid
add action=drop chain=input comment=INPUT_ANYTHING_ELSE

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=dst-nat chain=dstnat dst-port=22 in-interface=pppoe-out1 log=yes \
    protocol=tcp to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 log=yes \
    protocol=tcp to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 log=yes \
    protocol=tcp to-addresses=192.168.1.100

Can you tell me why I am able to hit the NAT from WAN? It is weird because it is only happening with port 443, not with 22 and 80 (and there are servers listening).

Thank you!

Can you elaborate on 443 coming in via the WAN interface, i.e. how do you see this, etc.?

Maybe X.x.1.100 is talking out via the WAN interface, hence responses coming back via the same interface?

I can see this by connecting via a mobile WAN or by using port scanners like Shields Up. WAN and LAN addresses are completely different.

I keep researching. Thank you!

Default action is accept (allow), so your forward chain:

  1. accepts established & related connections
  2. accepts connections from “LAN” address list
  3. drops packets with invalid state
  4. by default accepts everything else

New connections from WAN are not invalid, so 3) won’t touch them and they will be allowed by 4). If that’s not what you like, add unconditional drop/reject rule at the end of chain.

Edit: Scratch that, the above would be true if 1) actually had the option to accept established & related, but it doesn't (I got fooled by the comment and log prefix). You have an unconditional accept rule right at the first position = absolutely everything is allowed through.
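To make the first-match behaviour concrete, here is an added example (my own, not code from the thread or from MikroTik): a toy Python simulator that parses the posted `/ip firewall filter` rules the way RouterOS reads them, with a missing `action=` meaning accept and an exhausted chain also accepting, and runs a fresh WAN connection through them. It assumes 192.168.1.1 is the router's own LAN address (not stated in the thread), which would put the dst-nat'ed 22 and 80 into the input chain with its final drop while 443, forwarded to a LAN host, goes through the forward chain and hits the unconditional accept at the top. The `FIXED_FORWARD_RULES` block is a hypothetical corrected chain with explicit accepts, an accept for dst-nat'ed new connections (`connection-nat-state=dstnat`) so the port forwards keep working, and an unconditional drop at the end; the `LAN` address-list contents and the WAN client address are constructed for the example.

```python
"""Toy first-match simulator for RouterOS /ip firewall filter chains.
Added example, not from the thread or MikroTik. Models only the matchers the
posted rules use plus connection-nat-state, and the two RouterOS behaviours the
thread turns on: no action= means accept, and a chain with no match accepts."""
import shlex

# Constructed copy of the posted input/forward rules, log options stripped.
POSTED_RULES = """
add chain=forward comment=FORWARD_ESTABLISHED_RELATED
add chain=input comment=INPUT_ESTABLISHED_RELATED connection-state=established,related
add chain=input comment=INPUT_LAN src-address-list=LAN
add chain=forward comment=FORWARD_LAN src-address-list=LAN
add action=drop chain=input comment=PING_BROADCAST dst-address=192.168.1.255 protocol=icmp
add action=drop chain=input comment=DNS_FROM_WAN_TCP dst-port=53 protocol=tcp
add action=drop chain=input comment=DNS_FROM_WAN_UDP dst-port=53 protocol=udp
add action=drop chain=input comment=INPUT_INVALID connection-state=invalid
add action=drop chain=forward comment=FORWARD_INVALID connection-state=invalid
add action=drop chain=input comment=INPUT_ANYTHING_ELSE
"""

# Hypothetical corrected forward chain (my suggestion): explicit accepts, an accept
# for dst-nat'ed new connections so port forwards still work, then fail closed.
FIXED_FORWARD_RULES = """
add action=accept chain=forward comment=FORWARD_ESTABLISHED_RELATED connection-state=established,related
add action=drop chain=forward comment=FORWARD_INVALID connection-state=invalid
add action=accept chain=forward comment=FORWARD_LAN src-address-list=LAN
add action=accept chain=forward comment=FORWARD_DSTNAT connection-nat-state=dstnat connection-state=new
add action=drop chain=forward comment=FORWARD_ANYTHING_ELSE
"""

ADDRESS_LISTS = {"LAN": ("192.168.1.",)}  # assumed list contents; prefix match suffices here
WAN_CLIENT = "203.0.113.10"                # constructed WAN source (TEST-NET-3)
# Matchers compared by exact string equality: rule key -> packet field.
EXACT = {"dst-address": "dst", "protocol": "protocol", "dst-port": "dst_port",
         "connection-nat-state": "nat"}


def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; a missing action= is an accept."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        rule.setdefault("action", "accept")  # the RouterOS default the thread hinges on
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True when every modelled matcher on the rule fits the packet; keys the toy does
    not model (comment, log, ...) are ignored, so they never restrict a rule."""
    for key, field in EXACT.items():
        if key in rule and rule[key] != pkt[field]:
            return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "src-address-list" in rule:
        prefixes = ADDRESS_LISTS.get(rule["src-address-list"], ())
        if not any(pkt["src"].startswith(p) for p in prefixes):
            return False
    return True


def evaluate(rules, pkt):
    """First matching rule in the packet's chain decides; no match means accept."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "<chain default>"


def packet(chain, src, dst, dst_port, state="new", protocol="tcp", nat=""):
    return {"chain": chain, "src": src, "dst": dst, "dst_port": str(dst_port),
            "state": state, "protocol": protocol, "nat": nat}


def posted_verdicts():
    """What the posted rules do with a fresh WAN connection on each forwarded port."""
    rules = parse_rules(POSTED_RULES)
    return {
        # 443 is dst-nat'ed to a LAN host, so it traverses the forward chain
        "wan_443_forward": evaluate(rules, packet("forward", WAN_CLIENT, "192.168.1.100", 443, nat="dstnat")),
        # assumption: 192.168.1.1 is the router itself, so 22/80 traverse the input chain
        "wan_22_input": evaluate(rules, packet("input", WAN_CLIENT, "192.168.1.1", 22, nat="dstnat")),
    }


def fixed_verdicts():
    """Hypothetical corrected forward chain: forwards still work, everything else fails closed."""
    rules = parse_rules(FIXED_FORWARD_RULES)
    return {
        "wan_443_new": evaluate(rules, packet("forward", WAN_CLIENT, "192.168.1.100", 443, nat="dstnat")),
        "wan_8080_new": evaluate(rules, packet("forward", WAN_CLIENT, "192.168.1.100", 8080)),
        "wan_443_reply": evaluate(rules, packet("forward", WAN_CLIENT, "192.168.1.100", 443, state="established")),
        "lan_out_new": evaluate(rules, packet("forward", "192.168.1.50", "198.51.100.7", 443)),
    }


if __name__ == "__main__":
    for name, (action, comment) in {**posted_verdicts(), **fixed_verdicts()}.items():
        print(f"{name:16} -> {action:6} ({comment})")
```

Running it shows the posted forward chain accepting the new WAN connection to 192.168.1.100:443 on the very first rule (the one whose comment promises established/related), while the same kind of connection to 192.168.1.1:22 falls through the input chain to INPUT_ANYTHING_ELSE and is dropped. With the corrected chain, the dst-nat'ed 443 is still accepted by the explicit FORWARD_DSTNAT rule, an unforwarded port from WAN reaches the final drop, and LAN-originated traffic and reply packets are still let through. The simulator silently ignores matchers it does not model, so do not feed it rules that rely on, for example, `in-interface` without extending `EXACT`.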