Hello.
I’m trying to open ports 80 and 443 to my small web server, yet if I do it in the NAT section, I am unable to browse sites in my LAN.
What could be causing this issue?
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 X ;;; Web Server .50:80
chain=dstnat action=dst-nat to-addresses=192.168.0.50 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix="WEB SERVER >"
2 X ;;; Web Server .50:443
chain=dstnat action=dst-nat to-addresses=192.168.0.50 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix="WEB SERVER 443"
“opening ports” isn’t the same thing as DST-NAT, and you’re doing it wrong.
Your rules are accurate with the topic.
Since any request to port 80 or 443 from anywhere to anywhere will be dst-natted to your little webserver.
Fix your rules.
Add dst-address=your.public.ip to both of them.
It’s not necessary: dst-nat rules act before the packet reaches the point in routing where its destination address is compared to the router’s own ones. So you can keep www and www-ssl of the router itself accessible for clients in the LAN, and still port-forward what arrives to ports 80 and 443 somewhere else for clients on the internet.
@sindy
Thank you for your clarification. However, once I wanted to issue a certificate for the web server behind the MT hosted via VM, WWW prevented the verification of the certificate.
But that did not depend on whether the www and www-ssl services were enabled or disabled on the router itself, did it?
The server certificate must be issued for the IP address or FQDN to which the client is connecting, because that’s what the client verifies.
If you use Let’s Encrypt to obtain a server certificate and periodically renew it, port 80 must be forwarded to the same server as port 443, because Let’s Encrypt verifies the applicant’s address by communication with a daemon listening at port 80. So I can theoretically imagine that Let’s Encrypt attempts to use port 443 if it fails to establish a session to port 80, but it sounds unlikely to me. Never tried that, though.
@sindy
I had this problem when the Let’s Encrypt was introduced to RouterOS. I issued a certificate for my router.
Yes, I disabled the www on the MT router, and the VM certificate was verified immediately.
The subtitles to post #2 by @znevna: your dst-nat rules are too greedy as shown in the post. Keep in mind that for the router no interface is special and it doesn’t have a clue that you only want to dst-nat traffic originating from the internet but not traffic originating from your LAN. You have to tell it explicitly … either as @znevna recommends in the last line of the mentioned post, or add in-interface-list=WAN as it seems your firewall is still in the line of defaults. This way has a drawback because it doesn’t allow LAN hosts to work with the server via the public IP (the suggestion by @znevna is a step in that direction but misses another src-nat rule to be complete). If your WAN IP address is not static, then my suggestion might be better.
If you wanted to get a certificate for the router, then, yes, letsencrypt needs to access the http service on your router. But it doesn’t have anything to do with the dst-nat we’re discussing in this topic …
Thank You guys for having patience with noobs like me.
I think it is working, but I think I need “hairpin nat” in order to see my domain from inside the network.
Am I correct?
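To make the two fixes discussed above concrete (the in-interface-list=WAN variant and the dst-address variant completed with the src-nat rule that hairpin NAT needs), here is an added example written for this thread; it is not a poster’s configuration. It assumes the default WAN and LAN interface lists, a LAN of 192.168.0.0/24 with the web server at 192.168.0.50, and a placeholder public address 203.0.113.10.

```routeros
# Added example, not from the thread. Assumes the default "WAN"/"LAN"
# interface lists, LAN subnet 192.168.0.0/24, web server 192.168.0.50 and
# a placeholder public address 203.0.113.10 (replace with your own).
# Apply EITHER variant A OR variant B, not both.

/ip firewall nat

# Variant A (dynamic WAN address): only dst-nat traffic that ARRIVES on WAN.
# The router's own www/www-ssl stay reachable from the LAN, but LAN hosts
# cannot reach the server through the public IP (no hairpin).
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=80 to-addresses=192.168.0.50 to-ports=80 \
    comment="Web Server .50:80 (WAN ingress only)"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=443 to-addresses=192.168.0.50 to-ports=443 \
    comment="Web Server .50:443 (WAN ingress only)"

# Variant B (static WAN address): match on the public IP instead of the
# ingress interface. Requests to the router's LAN address (its own www)
# no longer match, and LAN hosts using the public IP/name also get
# dst-natted to the server ...
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp \
    dst-port=80,443 to-addresses=192.168.0.50 \
    comment="Web Server .50 (public IP, hairpin-capable)"

# ... plus the src-nat rule the hairpin needs: a LAN client's packet that
# was dst-natted to the server must also be masqueraded, otherwise the
# server answers the client directly from 192.168.0.50 and the client
# drops the reply because it expected it from 203.0.113.10.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    dst-address=192.168.0.50 protocol=tcp dst-port=80,443 \
    comment="Hairpin NAT for LAN clients reaching the web server"
```

After applying one variant, /ip firewall nat print stats shows which rules are actually being hit from the LAN and from the WAN side.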
If the server is connected directly to an Ethernet interface of the 2011, you’d remove that interface from the bridge, assign an IP address like 192.168.37.1/24 to it, and change the address of the server to 192.168.37.2/24, gateway 192.168.37.1 (or set up the full DHCP server suite - /ip pool, /ip dhcp-server network, /ip dhcp-server on the 2011 and let the server act as a DHCP client if you want to do all the network configuration on the Mikrotik side). Then, you would change the to-address of the dst-nat rule to 192.168.37.2.
Done it... seems like it does work... yet I am not understanding how, since I don’t see my server address involved (192.168.0.50)...
Aside: Thank you very much Znevna! <3