My LAN has several systems on it. One of the systems, 192.168.1.207, runs an Apache server that only accepts HTTP traffic. That is working fine, as I have forwarded port 80 to that system. I now have a need to handle, on another system, HTTPS traffic. I will set up on this second system, 192.168.1.204, an HTTP server capable of handling SSL traffic, i.e. it will listen on port 443 and do all the necessary work for certificate validation.
I assume that all I need do is to set up another port forwarding entry to forward all Internet traffic arriving for port 443 to the second system at port 443 or whatever port I wish to have the server code listen at.
Is the above assumption correct? Do I have to do anything else?
I am just a little confused. I assume by the NAT rule you mean the rule I set up using (winbox) IP->firewall->NAT. I am not sure what you mean by the second part of your statement ‘.. and a matching firewall rule’
Before I started this thread I had traffic from any Internet source to my domain port 80 forwarded to 192.168.1.207:80. I had no corresponding firewall filter rule. AFAIK it appears to have been working perfectly.
I am now going to install the NAT rule for port 443 and the two firewall filter rules you suggest.
Could you please explain to me what the firewall filter rules do and why I need them now when I did not have any installed before?
It sounds like you have no Filters at all. That leaves your internet network open to attack. You should really at least have a basic set of filters to protect everything.
I thought that if the Router was using NAT then I was protected as the only exposed address for incoming traffic was that of my domain. I open no ports on that address, my domain address, except for 80, and now 443. You seem to know more about networking than I do, so what is incorrect in my thinking?
[Attached image: mikrotik filters00.png]
It’s better to mentally separate NAT and Security. NAT doesn’t protect the router itself, so you’ll want to add filtering regardless of how good NAT is at protecting your internal computers. You may also find that you don’t use NAT when moving to IP6. And, for larger networks, you may want security for connections that don’t use NAT (between internal networks for example).
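As an added example (not configuration posted by anyone in this thread), here is what a dst-nat rule for port 443 together with a small set of filter rules looks like in RouterOS terminal syntax, and what each rule is for. It assumes the WAN interface is called ether1 and that the router supports the connection-nat-state matcher (on versions without it, match instead on dst-address=192.168.1.204 dst-port=443 protocol=tcp); the host addresses are the ones from the thread.

```routeros
# Added example, not from the thread. Assumptions: WAN interface is ether1,
# LAN is 192.168.1.0/24; the two host addresses come from the thread.

# --- NAT: send inbound TCP/443 from the Internet to the HTTPS host ---
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.204 to-ports=443 \
    comment="Forward HTTPS to 192.168.1.204"

# --- Filter, forward chain: traffic passing THROUGH the router ---
/ip firewall filter
# Replies to connections already accepted are allowed back through.
add chain=forward connection-state=established,related action=accept
# Packets that belong to no known connection (malformed or spoofed) are dropped.
add chain=forward connection-state=invalid action=drop
# New connections from the WAN are allowed only when a dst-nat rule chose a
# destination for them. This is the rule that lets the forwarded 80/443 in.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="Allow port-forwarded services"
# Everything else arriving new from the Internet toward the LAN is dropped,
# so a mistake in NAT or a future rule cannot silently expose a host.
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="Drop unsolicited WAN->LAN"

# --- Filter, input chain: traffic addressed TO the router itself ---
# NAT does nothing for these packets; this is what keeps Winbox, SSH and
# the router's own web interface off the Internet.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept \
    comment="Management only from the LAN side"
add chain=input in-interface=ether1 action=drop \
    comment="Drop everything else aimed at the router from WAN"
```

Rules in each chain are evaluated top to bottom and the first match wins, so the established/related accept must stay above the drop rules or existing connections will break.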
Coylh is correct. NAT and security are not related. As an example, here is a pic of the rules on one of my networks. I’ve highlighted the various Drop and Reject rules. As you can see, the firewall is doing quite a bit of work dealing with all sorts of nasty packets. And this router has only been up for 2 days.
[Attached image: Screen Shot 2015-08-10 at 5.51.19 PM.png]
My expertise is not security and networks, and that is being made more obvious to me by the replies. I appreciate the time many of you have taken to assist me. I have been in the IT/computer business since 1960, when I was 20 years old and working my first job. My specialty was computer and software design, never getting very deep into networking and security. After all, in the 60s it was not the issue it is today. Today I am involved in the development of Home Automation and Home Theater control systems, mostly as a hobby, but I do some consulting and system/code. I installed my first Mikrotik router in 2014 for my home and it has served me quite well. The Mikrotik community is extremely helpful. Is there something that one of you might recommend as reading to increase my knowledge base re modern networking and security practices, especially in the use of the Mikrotik routers?
I think I need to do a lot of reading. Thanks again to all for the assistance rendered.