Port forwarding apache

Hello, I am trying to forward ports to Apache (and some other services, such as Plex, VPN, etc.) but with no success. When I am inside the LAN or VPN, I can connect to Apache with the public IP address (or domain). But when I am outside of the LAN it is not possible. It does not work even if I turn off all firewall rules. When I turn them off I can directly connect to the routerboard web GUI.

Here is my log from IP Firewall:
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add action=log chain=input limit=5/1m,5
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established,related
add chain=forward dst-port=1723 protocol=tcp
add chain=forward protocol=gre
add chain=forward dst-port=32400 protocol=tcp
add action=log chain=forward limit=5/1m,5
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=213.192.30.62 dst-port=
protocol=tcp to-addresses=192.168.88.2 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat dst-address=192.168.88.2 dst-por
out-interface=bridge-local protocol=tcp src-address=192.168.88.
add action=dst-nat chain=dstnat dst-address=213.192.30.62 dst-port=
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.8
to-ports=1723
add action=dst-nat chain=dstnat dst-address=213.192.30.62 in-interf
ether1-gateway protocol=gre to-addresses=192.168.88.2
add chain=srcnat
add action=dst-nat chain=dstnat dst-address=213.192.30.62 dst-port=
protocol=tcp to-addresses=192.168.88.2 to-ports=32400


Please help, thank you!

Is the Apache server using the routerboard as its default gateway? If it is, then you don’t have to SRC NAT the traffic egressing to the LAN.

To forward you generally need:

  1. DST NAT rule
  2. Allow traffic to DST NATed address in forward chain
  3A) Target to be using routerboard as gateway (generally preferable), or
  3B) Masquerade the traffic egressing to the internal network (potentially higher security risks)
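
An added example, not part of the reply above and not MikroTik's own tooling: a Python check for step 2 that reads a RouterOS firewall export and reports, for each dst-nat rule, what the forward chain does with the first packet of a forwarded connection. The function names, the sample export and the placeholder address 203.0.113.10 are assumptions; the matcher only understands exact values, comma lists and `!` negation (no port ranges, jumps or address lists).

```python
import shlex
META = ("action", "chain", "comment", "limit")  # keys that do not match packet fields

def parse_rules(export):
    tables, current = {}, None
    for line in map(str.strip, export.replace("\\\n", " ").splitlines()):
        if line.startswith("/ip firewall "):
            current = tables.setdefault(line.split()[2], [])
        elif line.startswith("add ") and current is not None:
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rule.setdefault("action", "accept")  # RouterOS default when action is omitted
            current.append(rule)
    return tables

def matches(rule, pkt):
    """Simplified matcher: every non-meta key must agree with the packet."""
    for key, want in rule.items():
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if key not in META and hit == want.startswith("!"):
            return False
    return True

def forward_verdict(filter_rules, pkt):
    for rule in filter_rules:
        terminal = rule["action"] not in ("log", "passthrough")
        if rule.get("chain") == "forward" and terminal and matches(rule, pkt):
            return rule["action"]
    return "accept"  # nothing matched: the chain's implicit policy is accept

def audit_forwards(export, wan):
    """Map (protocol, public port) of each dst-nat rule to the forward verdict."""
    tables, result = parse_rules(export), {}
    for r in tables.get("nat", []):
        if r.get("chain") == "dstnat" and r["action"] == "dst-nat":
            pkt = {"protocol": r.get("protocol"), "in-interface": wan,
                   "dst-port": r.get("to-ports", r.get("dst-port")),
                   "connection-state": "new", "connection-nat-state": "dstnat"}
            result[r.get("protocol"), r.get("dst-port")] = forward_verdict(tables.get("filter", []), pkt)
    return result

# Constructed sample export; 203.0.113.10 is a placeholder public address.
SAMPLE = '''/ip firewall filter
add chain=forward connection-state=established,related
add chain=forward dst-port=32400 protocol=tcp
add action=drop chain=forward comment="drop WAN" in-interface=ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80 protocol=tcp to-addresses=192.168.88.2 to-ports=80
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=32400 protocol=tcp to-addresses=192.168.88.2 to-ports=32400
'''
```

On the sample, `audit_forwards(SAMPLE, "ether1-gateway")` reports port 80 as dropped and port 32400 as accepted; adding `connection-nat-state=!dstnat connection-state=new` to the drop rule lets the port 80 forward through without opening the rest of the LAN.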