netmap to external IP

Hi there!

What i have:
RB951G-2HnD (6.33.1)
x.x.x.x - Router Public IP
y.y.y.y - WebServer Public IP

What I need:
All HTTP request that going to x.x.x.x:8081 should be redirected to y.y.y.y:80

Here is a situation:
As I understand it, I should use port forwarding (dst-nat netmap), but it doesn't work and I don't get why (btw on my old Linksys it works fine).

Here are my firewall rules:

 0    ;;; DROP from Guest to Local Network
      chain=forward action=drop src-address=10.0.1.0/24
      dst-address=172.16.254.0/24 log=no log-prefix=""

 1    ;;; DROP from Local Network to Guest
      chain=forward action=drop src-address=172.16.254.0/24
      dst-address=10.0.1.0/24 log=no log-prefix=""

 2    ;;; GuestNetworkWebAccess
      chain=forward action=accept protocol=tcp src-address=10.0.1.0/24
      out-interface=ether1-gateway dst-port=80,443 log=yes
      log-prefix="GuestNetwork"

 3    ;;; GuestNetwork_NTP
      chain=forward action=accept protocol=udp src-address=10.0.1.0/24
      out-interface=ether1-gateway dst-port=123 log=no log-prefix=""

 4    ;;; GuestNetworkICMPDrop
      chain=input action=drop protocol=icmp in-interface=guest-bridge log=no
      log-prefix=""

 5    ;;; GuestNetworkExternalTrafficDrop
      chain=forward action=drop src-address=10.0.1.0/24
      out-interface=ether1-gateway log=no log-prefix=""

 6    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix=""

 7    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no
      log-prefix=""

 8    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no
      log-prefix=""

 9    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no
      log-prefix=""

10    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

11    ;;; default configuration
      chain=forward action=drop connection-state=new
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no
      log-prefix=""

NAT:

 0    ;;; Local Network
      chain=srcnat action=masquerade src-address=172.16.254.0/24
      out-interface=ether1-gateway log=no log-prefix=""

 1    ;;; Guest Network
      chain=srcnat action=masquerade src-address=10.0.1.0/24
      out-interface=ether1-gateway log=no log-prefix=""

 2    ;;; WebServer PortForwarding
      chain=dstnat action=netmap to-addresses=y.y.y.y to-ports=80
      protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway
      dst-port=8081 log=no log-prefix=""

As you see, I have this rule, but it isn't working =(

;;; WebServer PortForwarding
chain=dstnat action=netmap to-addresses=y.y.y.y to-ports=80
protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway
dst-port=8081 log=no log-prefix=""

Any suggestions?

add action=dst-nat chain=dstnat comment=WEB disabled=no dst-port=8081 protocol=tcp to-addresses="your ip" to-ports=80

You can’t use netmap with ports AFAIK… netmap is a 1:1 stateless nat action designed to make IP x.x.x.x appear as y.y.y.y on the opposite side of the router. You should change the action to dst-nat.

satman1w, ZeroByte
Thanks for your interest in this topic.

About dst-nat instead of netmap:

Of course I already tried dst-nat, but still with no luck.

I made some changes to my config and now my rule looks like this:

 0    ;;; WEB
      chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=80
      protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway
      dst-port=80 log=no log-prefix=""

As you see, it's a simple 1:1 NAT rule and the packet counters keep increasing, but it still won't work :frowning:

BTW, I also changed the default MikroTik web interface port from 80 to 8080 to avoid a conflict with my rule.

When I reply with a ROS command, due to the complexity I don't write it from memory. So I did it on my router and tried it before posting.

If it does not work for you, there must be some other problem. Try to post your complete configuration maybe we’ll find out what is wrong.

Regards

Hi there. In order to get good answers, please provide:

  • simple diagram of your topology - nothing fancy, paint would be ok
  • Are you able to access a web-server typing y.y.y.y in browser directly?
  • Is the web server already NAT-ed?

x.x.x.x = wan IP of Mikrotik
y.y.y.y = public IP of web server…

How does your router know that packets for y.y.y.y should be sent to it in the first place?
Have you added the y.y.y.y IP address to the WAN interface as well? (if not, then do that)

If x.x.x.x and y.y.y.y are completely different public addresses (like two different ISPs, or at least independent subnets), you need another srcnat rule that masquerades the source as x.x.x.x. Otherwise y.y.y.y will try to reply to client directly and it won’t work. Search wiki for “hairpin NAT”.

@doom: Your original post stated that xxxx and yyyy were both public IP addresses.

This configuration means that you should take packets whose destination IP is the Mikrotik (x.x.x.x) and redirect them to the public IP of the server (y.y.y.y)

If the server is behind the Mikrotik (with a private IP) then change y.y.y.y above to be the private IP of the server and change x.x.x.x to y.y.y.y

If the server is out somewhere on the Internet, then you need to use hairpin NAT on the outside interface…
Your srcnat chain in the nat table should be quite simple.

Your original posted firewall configuration shows two srcnat rules which require out-interface = ether1-gateway AND your internal IP as the source. Remove one of the two rules, and on the remaining one, get rid of the src-address requirement. If a packet is going out ether1-gateway, masquerade it. Period. If you’re trying to bounce connections to the web server off of your Mikrotik’s public IP, then your src-address=172.16.x.x requirement is the reason it was broken.

Finally, make sure your forward chain isn’t dropping the hairpin packets, and you’ll be set.
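For readers arriving here with the same setup, the configuration the last reply describes, written out as one RouterOS export fragment. This is an added example, not a rule set posted by anyone in the thread; it assumes the WAN interface is ether1-gateway (as in the thread) and keeps the x.x.x.x / y.y.y.y placeholders, which you must replace with the router's public IP and the external web server's public IP.

```routeros
# Added example, not from the original thread. Assumptions: the WAN interface
# is ether1-gateway, x.x.x.x is the router's public IP, y.y.y.y is the public
# IP of a web server that is NOT behind this router. Replace both placeholders.

# 1. Rewrite the destination: a client connecting to x.x.x.x:8081 is sent
#    on to y.y.y.y:80. A plain dst-nat is enough here; netmap is meant for
#    1:1 mapping of whole address ranges.
/ip firewall nat
add chain=dstnat comment="WEB: x.x.x.x:8081 -> y.y.y.y:80" \
    in-interface=ether1-gateway protocol=tcp dst-address=x.x.x.x dst-port=8081 \
    action=dst-nat to-addresses=y.y.y.y to-ports=80

# 2. Rewrite the source for everything leaving the WAN, with no src-address
#    match. This replaces the two per-subnet masquerade rules from the thread.
#    Without it the bounced packet leaves with the Internet client's real
#    source address, y.y.y.y answers that client directly, and the client
#    drops a SYN/ACK from y.y.y.y for a connection it opened to x.x.x.x.
add chain=srcnat comment="masquerade everything leaving the WAN" \
    out-interface=ether1-gateway action=masquerade

# 3. The default forward rule in the thread drops NEW connections arriving on
#    the WAN only when connection-nat-state=!dstnat, so the bounced connection
#    already passes it. If that default was changed, this explicit accept keeps
#    the bounce working; it must sit above any forward drop rules.
/ip firewall filter
add chain=forward comment="accept the bounced web connection" \
    connection-nat-state=dstnat in-interface=ether1-gateway \
    out-interface=ether1-gateway protocol=tcp dst-address=y.y.y.y dst-port=80 \
    action=accept

# Checks, run on the router while a client outside connects to x.x.x.x:8081:
#   /ip firewall nat print stats
#       the dstnat and the srcnat rule counters should grow together; only the
#       dstnat counter growing is the symptom described in the thread
#   /ip firewall connection print where dst-address~"y.y.y.y:80"
#       shows the translated connection, with reply-dst-address being x.x.x.x
```

Two things to keep in mind when deploying this: the web server's logs will record x.x.x.x as the client for every bounced request, so any per-client logging or rate limiting on y.y.y.y sees only the router; and because the dst-nat rule matches in-interface=ether1-gateway, LAN clients trying x.x.x.x:8081 from inside are not covered, which is a separate hairpin case.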