Port forwarding: in-interface (not working) vs in-interface-list/dst-address (working)?

Hello,

I am trying to port forward port 80, towards an internal PC of mine (192.168.50.50). I am using a MikroTik hap ac2, using RouterOS 6.43.14

Now, I tried the nat way of doing it (not sure if others exist), however, only 2 out of 3 options I tried work (see last part of rule):

• In-interface-list=wan:

action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 in-interface-list=WAN

• dst-address=mypublicip:

action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 dst-address=mypublicip

• in-interface=ether1

action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 in-interface=ether1

Out of those, the last one doesn’t work, but I’ve checked the list of services and WAN=ether1:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

This is my currently (working) configuration:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80

What am I missing that the in-interface variant doesn’t work, but the other one(s) do?

Hard to say since you didnt post your entire config and thus are missing relevant bits.
What interface is ppp0e-1 defined as??? Try that instead of eth1

It looks like you are using a pppoe-connection. That means the active pppoe-connection is an additional “interface” on your router. ether1 is only the physical link but not the interface where your router receives the traffic coming from the internet. Thats why your interface-list works (ether1 AND pppoe-out1). Rule two works because the firewall isnt matching the packet based on the incoming interface but on your ip. If your ip address changes you would need to reconfigure rule 2 since obviously the ip-address isnt matching anymore. Rule 1 (or rule 3 with pppoe-out1 as in-interface) would not require you to reconfigure anything if your ip changes.

Oh, I found it out later, but couldn’t update my post. It seems indeed, that pppoe-out1 is doing/having the traffic instead of eth1, that’s why the list works since it includes the pppoe-out1

Thanks!