I've recently started working with a MikroTik router, but when attempting to renew my SSL certificate through Let's Encrypt, the packets get stuck behind the MikroTik router.
These are my current NAT rules:
[admin@SKP-Router1] > /ip firewall nat print all
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 1   ;;; 80
     chain=dstnat action=dst-nat to-addresses=10.254.254.3 to-ports=80
     protocol=tcp src-address-list=!Debian Update
     dst-address-list=!Debian Update dst-port=80 log=no log-prefix=""
 2   ;;; 443
     chain=dstnat action=dst-nat to-addresses=10.254.254.3 to-ports=443
     protocol=tcp src-address-list=!Debian Update
     dst-address-list=!Debian Update dst-port=443 log=no log-prefix="123"
 3   ;;; 14967
     chain=dstnat action=dst-nat to-addresses=10.254.254.3 to-ports=14967
     protocol=tcp dst-port=14967 log=no log-prefix=""
But when requesting renewal of my certificate, it won't connect at all, because ports 80 and 443 have been forwarded to the server running the web server, which results in the destination address being set to a local address instead of the remote one.
If needed, my infrastructure looks like this:
WAN (217.116.xxx.xxx) → MTIK Router (10.254.254.1 /28) → VM Server (10.254.254.3 /28)
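The rule change that addresses the symptom described in the post, as an added example that is not part of the original question. Rules 1 and 2 above carry no in-interface or dst-address match, so every TCP packet to port 80 or 443 that enters the dstnat chain is rewritten to 10.254.254.3, including outbound connections from the LAN; the "!Debian Update" address-list exclusions only work around that for one host. The example assumes ether1 is the WAN interface (as in the defconf masquerade rule), that 10.254.254.0/28 is the LAN, and that the router's own LAN address is 10.254.254.1; the public address is not written out because the post masks it.

```routeros
# Added example, not from the original post.
# Assumptions: ether1 = WAN, 10.254.254.0/28 = LAN, 10.254.254.1 = router LAN IP.

/ip firewall nat

# Before (rules 1 and 2 on the page): match on dst-port only, so LAN-originated
# traffic to port 80/443 is also redirected to the VM. Remove them.
remove [find comment="80"]
remove [find comment="443"]

# After: forward only traffic that arrives on the WAN interface. Outbound
# LAN connections (e.g. the VM talking to Let's Encrypt) no longer match.
add chain=dstnat comment="80" in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.254.254.3 to-ports=80
add chain=dstnat comment="443" in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.254.254.3 to-ports=443
# Rule 3 (14967) has the same shape and would get the same in-interface=ether1 match.

# Optional hairpin NAT, only if LAN hosts must reach the web server through the
# public address. dst-address-type=local matches the router's own addresses;
# the router's LAN IP is excluded so WebFig/WinBox on 10.254.254.1 keeps working.
# In practice dst-address=<public WAN address> is the tighter match.
add chain=dstnat comment="hairpin 80/443" in-interface=!ether1 dst-address-type=local dst-address=!10.254.254.1 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=10.254.254.3
# Masquerade the hairpinned flow so the VM's reply returns via the router
# instead of going straight back to the LAN client with the wrong source.
add chain=srcnat comment="hairpin masq" src-address=10.254.254.0/28 dst-address=10.254.254.3 protocol=tcp dst-port=80,443 action=masquerade
```

Two checks after applying this: `/ip firewall nat print all` should show the in-interface=ether1 match on the forwarding rules, and `/ip firewall connection print where dst-port=443` from the VM's outbound connection should show the real remote address rather than 10.254.254.3. One caveat: if the ACME client runs on the router itself rather than on the VM (an assumption the post does not settle), the inbound HTTP-01 validation on port 80 is still forwarded to the VM by the "80" rule, and that rule has to be disabled for the duration of the validation or the VM has to serve the challenge.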