Port forwarding inside the same LAN

I need to do port forwarding between machines on the same LAN:

packets from 192.168.1.0/24 machines to 192.168.1.1 on port 8080 (the RouterBOARD's LAN IP address) must be redirected to 192.168.1.10 on port 80, so I tried

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 protocol=tcp dst-address=192.168.1.1 dst-port=8080

but it doesn't work; I have to add a hairpin-NAT-like rule to make it work:

/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.10 out-interface=LAN

Is this correct? Why is the second rule required?

Because the first rule changes the destination address of the packet from the client, but the source address remains unchanged, so the server's response goes directly to the client's address, which means that

  1. the 'Tik's firewall never sees the response, so it does not deem the connection confirmed;
  2. the client gets a response from an address different from the one to which it sent the request, so its TCP stack won't recognize it as a response to that request.

The second rule changes the source address of the client's packet to that of the MikroTik, so the server responds there, and the connection tracker in the MikroTik handles the rest.
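As an added example (not part of Sindy's post or the original rules), here is the complete RouterOS rule pair for this setup, with the hairpin rule narrowed so that it only matches connections the dst-nat rule actually rewrote (the connection-nat-state=dstnat matcher). That way direct LAN-to-192.168.1.10 traffic is left untouched and the web server still sees real client addresses in its logs. The interface name LAN and the addresses are taken from the thread; everything else (comments, the dst-port=80 match, the final check command) is an assumption for illustration.

```routeros
# Added example, not from the thread: redirect LAN clients that connect to
# 192.168.1.1:8080 to 192.168.1.10:80, and hairpin the return path so the
# server answers via the router. Assumes the LAN interface is named "LAN".
/ip firewall nat

# 1. Rewrite the destination: client -> 192.168.1.1:8080 becomes
#    client -> 192.168.1.10:80. in-interface=LAN keeps the rule from
#    matching anything arriving on other interfaces.
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    protocol=tcp in-interface=LAN dst-address=192.168.1.1 dst-port=8080 \
    comment="LAN :8080 -> web server :80"

# 2. Hairpin: masquerade only the connections the rule above rewrote
#    (connection-nat-state=dstnat), so the server replies to the router's
#    LAN address instead of directly to the client. Clients talking to
#    192.168.1.10 directly are not matched and keep their real source IP.
add chain=srcnat action=masquerade protocol=tcp out-interface=LAN \
    src-address=192.168.1.0/24 dst-address=192.168.1.10 dst-port=80 \
    connection-nat-state=dstnat comment="hairpin for the :8080 redirect"

# Check: while a LAN client connects to 192.168.1.1:8080, the tracked
# connection should show the translated destination 192.168.1.10:80.
/ip firewall connection print where protocol=tcp dst-address~"192.168.1.10:80"
```

Without the connection-nat-state match, the srcnat rule as posted in the thread also masquerades every direct LAN connection to 192.168.1.10 over TCP, so the server would log all LAN clients as 192.168.1.1; restricting it to dst-natted connections avoids that side effect while still fixing the asymmetric return path.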

Why do you have to do it in NAT?

Devices on network 192.168.1.0/24 can reach 192.168.1.1 directly, and 192.168.1.10 (same subnet), so on your input chain: incoming interface LAN, dst-address 192.168.1.1, dst-port 8080, redirect to 192.168.1.10 port 80.

Only set dst-address if the router has multiple LAN IPs, so that not every IP address's port 8080 will redirect to 1.10:80.

If you are trying to redirect a proxy, have a look at creating a WPAD record: you can define DHCP option 252 pointing to an HTTP text file that has a JavaScript function which defines the proxy and port to use according to the destination; if it's internal it'll send directly, if external it will tell the browser to use the proxy. This way will be more effective IMO, since you surely already have an HTTP server and won't need the rule processing on the router. With a router redirect you'll have to set local exceptions on the proxy or configure the client manually.

Sindy: thanks for the clear explanation.
RoadkillX: so what's the entire rule?