Packets for port 80 disappear before reaching NAT or filtering

Hi all,

I hope this isn’t too obvious of a question to answer but short of pulling my hair out I’ve resigned to asking for some assistance.

I’ve been trying to set up a nginx reverse proxy on my network to host a couple web applications, and I’ve been successful setting it up on atypical ports as for some reason traffic destined for port 80 never seems to come through. Doesn’t even seem to hit the firewall, never see a packet from WAN targeting port 80. Testing with webfig on port 80 I can reach it internally, never externally. Set webfig to 20080, can reach it on WAN and LAN.

I have disabled the default “drop all not coming from LAN” which works, as I can reach that webfig on 20080 when it’s disabled and vice-versa.

My ISP swears blue in the face that the ports are unblocked, although I’m not entirely convinced - although neither am I sure enough to start arguing with one of their engineers.

The obvious answer is that the ports are blocked, but to give the benefit of the doubt to my ISP and assume that I have made a mistake, is there anything else I could be missing? Is there a way I can reliably test where the port is blocked? Full config is below.

# 2024-07-27 13:59:13 by RouterOS 7.15.1
# software id = VNHA-G4W2
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = <SN>
/interface bridge
add admin-mac=48:A9:8A:EE:1B:DA auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.secondary-frequency=disabled \
    .skip-dfs-channels=10min-cac configuration.country="United States" .mode=\
    ap .ssid=MikroTik-EE1BDE disabled=no security.authentication-types=\
    wpa2-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.chains=0,1 .country="United States" .mode=ap .ssid=\
    MikroTik-EE1BDF-2GHz .tx-chains=0,1 disabled=no \
    security.authentication-types=wpa2-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country="United States" datapath.bridge=bridge disabled=no name=cfg1 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=MikroTik-EE1BDE
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
    
    
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1 \
    name-format=cap radio-mac=00:00:00:00:00:00
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.0.0.11 client-id=1:ec:5c:68:90:4:15 mac-address=\
    EC:5C:68:90:04:15 server=defconf
add address=10.0.0.39 client-id=1:10:e7:c6:36:28:f5 mac-address=\
    10:E7:C6:36:28:F5 server=defconf
add address=10.0.0.45 client-id=1:52:54:0:8e:a3:7b mac-address=\
    52:54:00:8E:A3:7B server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="accept HTTP" dst-port=8080,80,20080 \
    log=yes log-prefix=80acc protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix=icmp protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=dropwan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN \
    to-addresses=<WAN IP>
add action=dst-nat chain=dstnat dst-address=<WAN IP> dst-port=8080 \
    protocol=tcp to-addresses=10.0.0.39 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=<WAN IP> \
    dst-port=80 protocol=tcp to-addresses=10.0.0.39
/ip service
set www port=20080
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
    
    
/system clock
set time-zone-name=Australia/Melbourne
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi,

I think you could start by checking the counters on the dst-nat rules, and see if they increment.
(They happen early in the firewall)

Typically they will only increment once for each new connection.
If they are incrementing, you need to check the 10.0.0.39 (I assume nginx)

Perhaps if not incrementing double check wan ip value matches actual ip on ether1.


On an unrelated side note, Mikrotik have changed the following default.

/ip firewall connection tracking
set udp-timeout=10s

it is now 30s I think, (10s seemed to cause issues)

I think you could start by checking the counters on the dst-nat rules, and see if they increment.
(They happen early in the firewall)

Typically they will only increment once for each new connection.
If they are incrementing, you need to check the 10.0.0.39 (I assume nginx)

Hi, thanks for the reply.

Unfortunately no increment on the dst-nat rule with port 80. Amongst all my testing it never incremented for port 80, but did for all the other ports that worked.

Perhaps if not incrementing double check wan ip value matches actual ip on ether1.

Can confirm it does match.

On an unrelated side note, Mikrotik have changed the following default.

/ip firewall connection tracking
set udp-timeout=10s

it is now 30s I think, (10s seemed to cause issues)

Thanks for the heads up, I’ll change it

Managed to resolve the issue, completely not Mikrotik related.

ISP was at fault, had to reapply the rule change and suddenly port 80 was now hitting the firewall and being forwarded.

Will go ahead and mark this one resolved.

A couple of thoughts,

The following statement doesn’t really seem helpful given your current results, but anyway:
Mikrotik doesn’t by default do hairpin Nat (you need to add the appropriate src-nat rule), so if you are testing from inside your network it will likely not work.

You could download tcproute (windows) and use it to do a traceroute to your external ip address.
(You need to have winpcap/pcap installed, eg. with Wireshark)

https://elifulkerson.com/projects/tcproute.php
Please scan it before use…

Then see where a tcptraceroute to port 80 stops.
vs a tcptraceroute to a working port vs a normal tracert

With luck if it shows anything useful, it might give you something to point at your ISP.

I used the following for a trial:

tcproute -i 4 -w 300 -d -p 80 google.com
Ensuring gateway address (192.168.95.1) is in arp… OK!

Using the following values:

Local IP: 192.168.95.198
Local MAC: xxxxxx
Gateway MAC: xxxx
Remote IP: 142.250.70.142

Tracing route to google.com:80
1 34 ms 192.168.95.1 TimeExceeded
2 13 ms 192.168.xx.1 TimeExceeded
… removed
8 19 ms 142.250.230.159 TimeExceeded
9 20 ms 142.250.70.142:80 Synchronize, Acknowledgment (port open)

I understand this, testing internally was only proving that port 80 over LAN was not blocked. I was mostly doing testing with the webfig portal with a laptop being hot-spot off my phone, as to give me an external address in. Felt like balancing dinner plates though! Constantly changing NAT rules, service ports, disconnecting and reconnecting hotspots, checking the packets on said NAT rules.

You could download tcproute (windows) and use it to do a traceroute to your external ip address.
(You need to have winpcap/pcap installed, eg. with Wireshark)

https://elifulkerson.com/projects/tcproute.php
Please scan it before use…
[..]

I run Linux unfortunately lol. But you are 100% right, I could have been a bit more creative with packet capture to test for sure, definitely a learning experience. I appreciate the advice

Thanks for the “lol”, I started to feel sorry for you.

Anyway, a proper “tcptraceroute” exists for linux (at least debian-based, e.g. ubuntu) and it really is an invaluable tool for checking availability of a particular (TCP) service, normal ICMP (or UDP) traceroute doesn’t unveil the whole truth.