Port Forwarding issue

Hello All,

Please advise on the following case:

I have a web server running on 192.168.88.2 listening on port 80, and I would like to set up port forwarding on my RouterOS 2011UAS-2HnD.

For example, my public IP is 2.3.4.5 and I would like to forward 2.3.4.5:8080 to 192.168.88.2:80. I have created a dstnat rule with protocol=tcp, dst-port=8080, toaddress=192.168.88.2, toport=80.

Then I visit http://2.3.4.5:8080/ and my browser shows “Error Connection refused”. I found from the URL bar that the address is actually changed to http://2.3.4.5:80/; however, port 80 is not allowed from the public side, and I believe this is what caused the issue.

May I know how to solve this? Thanks.

Are you testing this from WITHIN your own network? Do you have HAIRPIN NAT configured? Without this your test will not work.
Did you try from the real “outside”? (e.g. using a 4G phone or something)

Correct, hairpin NAT is required when people IN THE SAME SUBNET as the server are trying to access the server via the WANIP of the router.
It's much easier to access the server directly by its LANIP address, but apparently that is not always the case.

What we need to know is whether your WAN connection is dynamic or static.

(1) Regardless of that there is one source nat rule for the hairpin functionality that we have to include that works in both cases.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24

(2) For the default or regular source nat rule (use a. masquerade for dynamic wanip, use b. srcnat for static/fixed wanip)
a. add chain=srcnat action=masquerade out-interface=WAN
b. add chain=srcnat action=src-nat out-interface=WAN to-addresses=WANIP

(3) For the required destination NAT rule, the simple case is the fixed WANIP, as it is known.
add chain=dstnat action=dst-nat dst-address=FIXEDWANIP dst-port=80 protocol=tcp to-addresses=192.168.88.2

(4) For the required destination rule in the complex case, where the WANIP is dynamic, we have to be tricky. Since we don’t know how to identify the incoming WANIP directly, we get around that with dst-address-type=local, which says the destination address is on the router. We also state that the destination address is not the router's address on the subnet (which leaves the router interface and thus the WANIP).
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp dst-address=!192.168.88.1 dst-address-type=local to-addresses=192.168.88.2
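
Why the hairpin rule in (1) matters, as an added Python sketch that is not part of the original posts: it traces one connection to 2.3.4.5:8080 through the dstnat and srcnat steps and reports which source address the client sees on the reply. The client address 192.168.88.10, the outside address 198.51.100.7 and source port 40000 are constructed, and the model is a simplification of connection tracking, not RouterOS code.

```python
import ipaddress

# Addresses from the thread; the client address and source port are constructed.
WAN_IP, ROUTER_LAN_IP, SERVER = "2.3.4.5", "192.168.88.1", "192.168.88.2"
LAN = ipaddress.ip_network("192.168.88.0/24")


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def reply_seen_by_client(client_ip, hairpin):
    """Return the (ip, port) the client sees as the source of the reply."""
    src, dst = (client_ip, 40000), (WAN_IP, 8080)
    # dstnat: the public address/port is rewritten to the internal server.
    if dst == (WAN_IP, 8080):
        dst = (SERVER, 80)
    # Hairpin srcnat: LAN-to-LAN traffic leaves with the router as source.
    if hairpin and in_lan(src[0]) and in_lan(dst[0]):
        src = (ROUTER_LAN_IP, src[1])
    # The server answers the source address it saw.
    reply_src, reply_dst = dst, src
    # A reply addressed to another LAN host is delivered directly on the
    # subnet and never returns through the router, so nothing undoes dstnat.
    via_router = reply_dst[0] == ROUTER_LAN_IP or not in_lan(reply_dst[0])
    if via_router:
        reply_src = (WAN_IP, 8080)  # connection tracking reverses the dstnat
    return reply_src


def connection_works(client_ip, hairpin):
    # The client only accepts a reply from the address and port it dialled.
    return reply_seen_by_client(client_ip, hairpin) == (WAN_IP, 8080)


if __name__ == "__main__":
    for ip, hp in [("192.168.88.10", False), ("192.168.88.10", True),
                   ("198.51.100.7", False)]:
        print(ip, "hairpin" if hp else "no hairpin", connection_works(ip, hp))
```
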

If you enter the address with port 8080 and it changes to 80 in the browser’s address bar, then you need to fix your webserver, because the redirection comes from there. Dstnat is transparent, it can’t do that.

@anav: in (2) you meant **out-**interface=WAN

Spot on, fixed, thanks!