Port forwarding is not working

Hi,
I’m new here, so please help me.
I want to forward port 80 to an internal web server.
I have a WAN connection with a dynamically assigned IP address (but this IP address is quite permanent :) ; the same IP address has already been assigned for a couple of months).

Here is the current configuration:

IP ADDRESSES:
0 172.16.3.254/24 172.16.3.0 172.16.3.255 ether2
1 D 78.xxx.xxx.xxx/18 78.xxx.xxx.0 78.xxx.127.255 wan

IP FIREWALL NAT:
0 chain=dstnat action=dst-nat to-addresses=172.16.3.3 to-ports=80 protocol=tcp dst-address=78.xxx.xxx.xxx in-interface=wan dst-port=80
1 chain=srcnat action=masquerade out-interface=wan

What am I doing wrong? Or what else do I have to do?

Thank You.

You’re planning to host a web page (server) on a dynamic external IP? If so, you should use a dynamic DNS client, otherwise you will not be able to host your web page. As far as I know, maybe I’m wrong about FW rules - add action=accept chain=accept_list comment="Forward HTTP to webserver" dst-address=0.0.0.0/0 dst-port=80 protocol=tcp

Did you check this: http://wiki.mikrotik.com/wiki/Home_Firewall

Yes, I know that, but as I have mentioned, the IP address has not been changed for two months.

Thank You for the link, I have checked it and now my configuration is (BUT IT IS STILL NOT WORKING):

[admin@MikroTik] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Forward HTTP to webserver
chain=accept_list action=accept protocol=tcp dst-address=172.16.3.3
dst-port=80

[admin@MikroTik] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=172.16.3.0/24

1 chain=dstnat action=dst-nat to-addresses=172.16.3.3 protocol=tcp
dst-address=78.xxx.xxx.xxx in-interface=ether1 dst-port=80

Are you testing from the local or the public network, or both? Is this forwarding rule “counting” packets? In case you are using a bridge, you have to enable

/interface bridge settings set use-ip-firewall=yes

Thank You for your answer.

I’m testing from both. From the internal network the web page is reachable.

Yes, packets are “counting”.

Bridge is not configured.

What I would have done is add the internal webserver to your DNS server. So when users request that website, it will automatically use port 80.

For example, if you are using router1 as your DNS server:

/ip dns static add address=xxx.xxx.xxx.xxx name=www.google.com

I don’t understand how it is related to my problem.

Ensure that connection tracking is enabled. Also, you can try not using the in-interface parameter for this rule.

Is it reachable using 78.xxx.xxx.xxx?