Port forward does not work on L009

Hello,

I have an RB2011 which is working properly, and actually 2 days ago I bought an L009UiGS to replace the predecessor.

The environment

Suppose that I have internet on the ether1 port w/ IP 89.89.89.89. My internet service provider allowed me to open only port 12443. I have started to use the router w/ default settings, so there is nothing special except this.

I have a web server on 10.0.1.2; obviously it binds to port 443. I would like to forward the requests from 89.89.89.89:12443 to 10.0.1.2:443.

My settings

The setting should be so simple: a dstnat rule to forward it to the server. Actually I tried at least 50 settings from the internet, including my own ideas and the docs: https://help.mikrotik.com/docs/display/RKB/Port+forwarding.

This is my simplest - almost - working solution:

add action=dst-nat chain=dstnat comment="443 forward - Fig.0" dst-address-list=WAN dst-port=12443 protocol=tcp to-addresses=10.0.1.2 to-ports=443

W/ this rule, I should see my web server from outside the network; sadly I cannot! BUT if I add another rule, which is - as far as I know - for hairpin (to see my website inside the network):

add action=masquerade chain=srcnat dst-port=443 protocol=tcp

So, if I add these rules, after that I can see my website inside the network but not from outside. :frowning: From outside, the browser gets no response (“Unable to connect”) and curl says:

Failed to connect to example.com port 12443 after 3000 ms: Couldn't connect to server.

What have I missed? Does anybody have an idea why it does not work? If more information is needed to investigate the problem, I will try to add it.

Notes

On the predecessor router, I have the rules above, and it just works. W/ the same rules the successor does not.

add action=dst-nat chain=dstnat comment="Port forward" dst-address=89.89.89.89 dst-port=12443 protocol=tcp to-addresses=10.0.1.2 to-ports=443
add action=dst-nat chain=dstnat comment="Hairpin" dst-address=!10.0.1.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.0.1.2 to-ports=443
add action=masquerade chain=srcnat dst-address=!10.0.1.1 dst-port=443 out-interface=bridge protocol=tcp src-address=10.0.1.0/24
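Added example, not part of the original post: a small Python check over the NAT rules quoted above that flags srcnat rules with no source or egress-interface matcher. The unscoped masquerade rule matches every connection to TCP port 443 that leaves the router, including the dst-nat'ed inbound ones, so the web server would log the router's address instead of the real client. The function names and the scoping heuristic are assumptions of this example.

```python
import shlex

# Constructed sample: three NAT rules quoted in the post (addresses are the post's examples).
RULES = '''\
add action=dst-nat chain=dstnat comment="443 forward - Fig.0" dst-address-list=WAN dst-port=12443 protocol=tcp to-addresses=10.0.1.2 to-ports=443
add action=masquerade chain=srcnat dst-port=443 protocol=tcp
add action=masquerade chain=srcnat dst-address=!10.0.1.1 dst-port=443 out-interface=bridge protocol=tcp src-address=10.0.1.0/24
'''

# Matchers that limit which connections a srcnat rule rewrites (heuristic of this example).
SOURCE_SCOPE = {"src-address", "src-address-list"}
EGRESS_SCOPE = {"out-interface", "out-interface-list"}


def parse_rule(line):
    """Split one 'add key=value ...' line into a dict; shlex keeps quoted comments whole."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)


def audit_nat(text):
    """Return (rule_no, message) findings for srcnat rules that lack scoping."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule or rule.get("chain") != "srcnat":
            continue
        if rule.get("action") not in ("masquerade", "src-nat"):
            continue
        missing = []
        if not rule.keys() & SOURCE_SCOPE:
            missing.append("source")
        if not rule.keys() & EGRESS_SCOPE:
            missing.append("egress interface")
        if missing:
            findings.append(
                (no, f"unscoped {rule['action']}: no {' or '.join(missing)} matcher"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_nat(RULES):
        print(f"rule {no}: {msg}")
```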

Quote: “What have I missed”

Answer: Don't know, as you only provided a minuscule part of your config…

You have been afflicted by the new poster's disease!! :wink:
I don't know what the problem is but I think I know enough not to provide my configuration :slight_smile:

Please provide full config:
/export file=anynameyouwish (minus router serial number, public WAN IP information, keys, etc.)

I have some ideas, but this should not be a guessing game, it should be an accurate response based on facts. :slight_smile:

Thank you for your answer. As I mentioned:

“I have started to use the router w/ default settings.”

So, I used to use a router w/ default settings, & I did not want to flood the post w/ every default setting.

Anyway… I figured out that my internet provider is a sh*t. They opened the port w/ a MAC filter, so the port was bound directly to my old router… After I wrote to them, they “fixed” the error…

Ahh, fixed to old MAC address or something.
No worries, we actually prefer to be blinded by information; it's all good info, and since many parts are interrelated it's important for figuring out the issues.