Port forwarding - 80

Hi All,

I have a webserver behind Mikrotik and when I set the port forwarding my PC in the LAN cannot reach many sites (it can reach gmail, google, facebook though...).

wan IP: dynamic
PC: 192.168.88.254 (dhcp)
webserver: 192.168.88.5 (static)

ip firewall nat:
0    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
1    chain=dstnat action=dst-nat to-addresses=192.168.88.5 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=""

Is my problem in connection with Hairpin NAT?

Let’s step through what you’re asking the router to do, together.

chain=dstnat action=dst-nat

DST-Nat

protocol=tcp dst-port=80

Any packet with a dst-port of 80.

to-addresses=192.168.88.5 to-ports=80

Change its destination IP to 192.168.88.5.

Hopefully now the problem is quite clear. :wink: Think through your dst-nat rules carefully. If it helps, write out the rule on a piece of paper in plain English, like we’ve done here, so you completely understand what you’ve told the router to do.

P.S. The reason you can still reach Google, Gmail & Facebook is that they use HTTPS, and so are using port 443, not 80.

Hi!

I’m afraid I don’t understand this fully. :frowning:
Since I want my web server to be reachable from the internet, I have to do dstnat. As my WAN IP is dynamic, I can only use the port number to specify the traffic. Port 80 is for the web server and I want to route that traffic toward 192.168.88.5.

When my PC is trying to connect to a site it is connecting to some IP and a destination port 80 or 443 but the source port is random (above 1024). So there is no incoming traffic towards port 80 on my mikrotik except for those who want to reach my web server.
What am I missing? :frowning:

You need a criterion to dnat only access to the webserver. If you can't use the WAN IP because it's dynamic, you can't stop thinking but have to find another criterion. Multiple solutions are possible: I would prefer relying on the incoming interface:

/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.5

Small restriction: Accessing the webserver from inside the LAN with the public IP won't be possible this way.

The problem is that routers deal with traffic flowing in BOTH directions. The reason you couldn’t access the web was because the router was NATing any outgoing traffic destined for port 80 as well as any incoming.

As marting pointed out, you need to specify that only incoming traffic should be NAT’d.
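For reference, here is the rule as originally posted next to the version keyed on the incoming interface, as an added example rather than marting's or the original poster's configuration. It uses the poster's WAN interface name pppoe-out1 from the srcnat rule above; on a PPPoE WAN the packets arrive on the PPPoE interface, not on the underlying Ethernet port, so that is the name in-interface must carry (marting's ether1-gateway is what you would use on a plain Ethernet WAN). The comment strings and the rule ordering are my own.

```routeros
# Added example, not from the thread. pppoe-out1 is the poster's WAN
# interface (taken from the posted srcnat rule); the comment= values are
# assumptions.

# Original rule: matches EVERY TCP packet to port 80 that enters the
# dstnat chain, including the PC's outbound requests to other sites.
# Those get rewritten to 192.168.88.5, which is why browsing "broke".
# Kept here only for comparison, so it is commented out:
#/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
#    action=dst-nat to-addresses=192.168.88.5 to-ports=80

/ip firewall nat
# Corrected rule: only packets that ARRIVE on the WAN interface are
# forwarded to the web server. The PC's outbound traffic enters the
# router on the LAN side, so it is not matched and reaches the internet.
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.5 to-ports=80 \
    comment="web server, WAN side only"

# Existing masquerade for outbound LAN traffic, as posted.
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="LAN to internet"
```

Matching on the interface rather than on the WAP address is what makes this work with a dynamic IP: the direction of the packet is fixed even when the address changes. It does not cover the case marting mentioned (a LAN host opening the public IP), which is the hairpin NAT scenario and needs extra rules that this thread does not cover.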

I see!

The dstnat confused me a bit. I thought the command refers to only the incoming traffic.
Everything clear now. Thanks both of you!