Port Forward to Web Server

Folks,

I could really use your help. I'm trying to do something simple, but it doesn't seem to work.

I need to route traffic coming into the router on port 80 to my web server. I have a dynamic public address.

I have an RB433AH.

My public address is on ether1 (DHCP Client from Cable Modem) and my web server is on ether3.

I'm bridging the ether2, ether3 and wlan1 together:
[admin@RB433AH] /interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=1522 arp=enabled
mac-address=00:0C:42:2B:41:68
protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m

INTERFACE BRIDGE PR PATH-COST HORIZON

0 ether2 bridge1 0x 10 none
1 ether3 bridge1 0x 10 none
2 wlan1 bridge1 0x 10 none

Here are the rules in /ip firewall nat:

0 chain=srcnat action=masquerade
src-address=192.168.1.0/24

1 chain=dstnat action=dst-nat
to-addresses=192.168.1.20 to-ports=80
protocol=tcp dst-address-type=local
dst-port=80

Why is it not working? What am I missing?

Any help is appreciated!

THANKS much!

Why are you bridging the two interfaces that according to the rest of your explanation have public IPs on ether1 and private IPs on ether2? This doesn’t seem like a NAT issue, but a general configuration issue.

You should have a DHCP client on ether1 to grab the public IP from the cable modem. ether2 should be a standalone port with the IP address for your LAN network gateway on it. If you want, bridge ether2 and wlan0 and put the LAN address on the bridge instead, but ether1 (WAN) shouldn’t be bridged into this as it is a separate network, and therefore a separate broadcast domain.

Then the following NAT rule should work:

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.20

fewi,

Thank you for your response and time!

Yes - I agree - we should not bridge ether1. We are only bridging ether2, ether3 and wlan1. ether1 is a DHCP client. We can get out to the internet fine, but port 80 traffic does not hit my web server on ether3 with IP address 192.168.1.20.

I've tried the rule you suggested. Still no change. Any other suggestions?

Thanks again!

FYI - I'm running OS 4.9

Have you disabled the web server on the MikroTik? The web server uses port 80 and that could be causing issues, and would be the first thing to check if you copied the rules exactly. After that, what are your filter rules?
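
The checks asked for in the last reply, written out as RouterOS console commands. This is an added example, not part of any post in the thread; the interface name and addresses are the ones quoted above, and port 8080 and the rule comment are assumptions chosen for illustration.

```routeros
# Added example (not from the thread). ether1 = WAN, 192.168.1.20 = web server,
# 192.168.1.0/24 = LAN, as quoted in the posts. Port 8080 is an assumed free port.

# 1. See whether the router's own web interface ("www") is enabled on port 80.
/ip service print

# Rather than leaving the management page on port 80, move it to another port
# and accept connections to it only from the LAN.
/ip service set www port=8080 address=192.168.1.0/24

# 2. List the NAT rules in order. Rules are evaluated top to bottom, so an
#    earlier dstnat rule matching tcp/80 takes precedence over a later one.
/ip firewall nat print

# 3. List the filter rules. After dst-nat, packets for the web server pass
#    through the forward chain, not the input chain.
/ip firewall filter print

# If the forward chain drops traffic arriving on ether1, permit only the
# forwarded web traffic. "add" appends to the end of the list, so move this
# rule above any drop rule in the forward chain afterwards.
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.20 dst-port=80 action=accept \
    comment="allow dst-nat to web server (example)"
```

Test the forward from a host outside the LAN, since the in-interface=ether1 rule only matches traffic arriving on the WAN port.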