Port 80 redirect

I am trying to set up a firewall to route port 80 to the local host where the web server is running, a computer in the local network (an Orange PI with Armbian installed). On Mikrotik I set the nat rule chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=“”. Everything works fine except for the Armbian package manager APT. When I turn off the firewall rule, APT works fine. Instead of Mikrotik I installed a regular TP-Link and redirected port 80. On TP-Link everything works fine, APT and redirection.

The rule is too greedy and actually captures all connections targeting port 80 (even those from LAN towards internet). You should limit that to connections arriving through WAN interface. You can do it in one of the following two ways:

add chain=dstnat action=dst-nat to-addresses=10.0.0.2 protocol=tcp dst-port=80 dst-address=<WAN IP address>
add chain=dstnat action=dst-nat to-addresses=10.0.0.2 protocol=tcp dst-port=80 in-interface-list=WAN

If your router is running recent ROS (version 6.43 or newer) and uses current default setup which relies on proper interface list membership (defined in /interface list and subtree), then the second rule in the example above would be preferred. If your WAN IP address is dynamic (you get it via DHCP client or with PPPoE client), then using the second rule is the only sustainable way of doing it.

N.b.: if the port being forwarded is the same as the port on the target (LAN) server, you don’t have to configure the to-ports attribute.

Posting although @mkx was faster, just because my response contains yet another way to do that :slight_smile:

Your dst-nat rule doesn’t check the dst-address so when the Armbian itself (or any other device using the Tik as a router) initiates a http session towards anywhere, it gets redirected to the Armbian’s IP as well. So add in-interface=your-wan-interface name or dst-address-type=local (or both) to your dst-nat rule and you’ll be good. And as you don’t change the port, you can also remove to-ports from the rule to speed things up 0.000001% :slight_smile:

My understanding is that if you only set dst-address-type=local, you lose access to webfig (web GUI for administering routerboards … in case you care, I personally use it). If you want to keep access to webfig, then you have to set in-interface (or in-interface-list) as well …

Your understanding is absolutely correct :slight_smile:

Thanks a lot. Problem solved.

@mkx: Or you can use “dst-address-type=local dst-address=!”, assuming that you don’t need WebFig accessible from internet. Compared to in-interface=WAN, this also works well together with hairpin NAT.
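A small model, added here and not taken from the thread or from RouterOS itself, of how the three dst-nat variants discussed above (the original greedy rule, mkx's in-interface-list=WAN variant, and sindy's dst-address-type=local variant) treat the four port-80 cases the thread mentions: an inbound connection from the internet, APT from the LAN to a mirror, WebFig from the LAN, and a hairpin connection from the LAN to the WAN address. The addresses, interface names and interface-list membership are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed topology (assumption, not from the thread): WAN address 203.0.113.5 on
# ether1 (member of interface list WAN), LAN address 10.0.0.1 on the bridge, and the
# Armbian web server at 10.0.0.2 as in the question.
ROUTER_LOCAL_ADDRESSES = {"203.0.113.5", "10.0.0.1"}
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}

@dataclass(frozen=True)
class Packet:
    in_interface: str
    dst: str
    dst_port: int
    protocol: str = "tcp"

@dataclass(frozen=True)
class DstNatRule:  # the subset of dst-nat matchers used in the thread; None means "any"
    to_addresses: str
    dst_port: int
    protocol: str = "tcp"
    in_interface_list: Optional[str] = None
    dst_address_type: Optional[str] = None  # only "local" (router's own addresses) is modelled

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol or pkt.dst_port != self.dst_port:
            return False
        if self.in_interface_list and pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.dst_address_type == "local" and pkt.dst not in ROUTER_LOCAL_ADDRESSES:
            return False
        return True

def dst_nat(rule: DstNatRule, pkt: Packet) -> str:
    """Destination after the dstnat chain: rewritten if the rule matches, else unchanged."""
    return rule.to_addresses if rule.matches(pkt) else pkt.dst

# Constructed traffic: the four port-80 cases the thread discusses (in-interface, dst, port).
SCENARIOS = {
    "inbound_from_internet": Packet("ether1", "203.0.113.5", 80),
    "apt_from_lan_to_mirror": Packet("bridge", "198.51.100.20", 80),
    "webfig_from_lan": Packet("bridge", "10.0.0.1", 80),
    "hairpin_from_lan": Packet("bridge", "203.0.113.5", 80),
}

GREEDY = DstNatRule("10.0.0.2", 80)                                 # rule from the question
BY_WAN_LIST = DstNatRule("10.0.0.2", 80, in_interface_list="WAN")   # mkx's second variant
BY_LOCAL = DstNatRule("10.0.0.2", 80, dst_address_type="local")     # sindy's variant

def evaluate(rule: DstNatRule) -> dict:
    """Where each scenario's connection ends up under the given rule."""
    return {name: dst_nat(rule, pkt) for name, pkt in SCENARIOS.items()}
```

Under GREEDY the APT connection is rewritten to 10.0.0.2 (the breakage in the question); BY_WAN_LIST leaves LAN-originated traffic alone but does not hairpin, while BY_LOCAL hairpins but also captures WebFig from the LAN.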

I know there are plenty of ways to “skin the sheep” … I was just pointing out potential side effect if OP followed advice by @sindy as it was originally written. After one is aware of the problem, it’s quite easy to find the way around …

I think the quote is “skin the cat” one shears sheep! :stuck_out_tongue_winking_eye:

I don’t eat cats and I don’t know any other reason to skin an animal :wink:

It seems that on the contrary, in Canada they don’t eat sheep so @anav thought you actually had in mind shearing for wool. But it’s surprising he’s used a cat as an example of an animal you would skin for food or fur.

Btw one of my biggest surprises in your country (apart from the infamous price of the 5-day highway vignette of course) was to find a stallion on the menu of a normal restaurant. Nothing bad about that, you could still buy horse salami here a few years ago, and half of Europe was occasionally eating horse meat unconsciously a few years ago, but I’ve never seen it in a restaurant anywhere else.

Yeah, I know … I guess this is the real reason for the horse-loving Brits to leave EU :wink:

Regarding the highway vignettes: it’s a simple tax on all those Czechs and Polaks hoarding towards summer holidays in Croatia :wink: You should be applying for a refund just because you stopped at local restaurant :laughing:

Hehe. I think I’ve spent much more on them when driving to Lj than when transiting to Croatia even though one was usually sufficient whereas for a week in Croatia one needs two (which makes the purpose so much obvious). But of course I do get the idea and even understand the reasons. Your ministry of tourism should seriously consider your suggestion that the receipt for the vignette should act as a free ticket at least to some museums. Except that the Austrians might sue you for that, like they sue Germans for the intention to compensate the price of the newly introduced vignette to own citizens by subtracting it from the road tax they have to pay :slight_smile:

But it’s sad that the vignette pricing policy has become the first association for such a nice country and damages its reputation.

I can understand the sentiment of tourists passing by. Anyhow I’m inviting you for a beer (or, if you dislike non-native beer, which I would understand fully, some other beverage) when you happen to pass by …

I’m not as beerly as most of my fellow citizens so feeding me with beer is a waste of beer. But I like another thing I haven’t seen elsewhere yet, the blueberry juice. Unfortunately the cooperation for which I used to visit Lj has ended a few years ago so it is unpredictable when I get there next time. But if you sometimes travel northwards, I’d be glad to have a beer or something else with you here.

BTW, our highways are not famous for the vignette prices but for their ability to trap even the U.S. army :slight_smile: