Port forwarding issue

I have the following problem.
Configuration:

Incoming traffic goes from the ISP router 192.168.x.1 to my WAN interface 192.168.x.5.
But the default gateway on the MT is set to 192.168.y.10 (the firewall), and from there the traffic goes to the ISP at 192.168.x.1.
I need to expose the LAN www server 10.x.x.10 to the internet, but only for a selected public address, e.g. IP 1.1.1.1, on port 8000.
I see the incoming traffic on the MT WAN, but the www server does not respond.

/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT2WWW" \
    dst-address=192.168.x.5 dst-port=8000 in-interface=WAN protocol=tcp \
    src-address=1.1.1.1 to-addresses=10.x.x.10 to-ports=8000

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.y.10 pref-src=192.168.y.5 routing-table=main

I guess what's missing is a static route only for that traffic, but I'm not sure how to do it correctly.

I added a diagram to make the configuration more readable.
diagram.png

Change this port and check the rule counters. If it counts, there may be a problem somewhere else.

/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT2WWW" \
    dst-address=192.168.x.5 dst-port=8000 in-interface=WAN protocol=tcp \
    src-address=1.1.1.1 to-addresses=10.x.x.10 to-ports=8443

The entry in the routing table is incorrect and unnecessary.

I would add the following route:

/ip route
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.x.1

Thanks for the ideas; unfortunately none of them helped.
Currently, all outgoing traffic to the internet goes through the firewall; that's why there is an entry in the routing table.

I do not understand your diagram. How is one device the ISP, and yet you get internet from a device on the far right?

The only thing I can think of is that MTGW is the MikroTik device, but I'm not sure. It has a VLAN that tags incoming WWW traffic from where, an ISP modem?
It takes that traffic to get terminated on the ISP router, which then provides internet to the upper firewall and then…

Sorry, no capisce.

I understand that all settings should be done on the ISP router.

So based on your explanations, the issue is that the traffic goes from ISP router directly to MTGW one way, and from MTGW to FW the other way: the FW gets half a connection and drops it.

You have two possible ways forward:

  • Change your network so you have ISP ↔ FW ↔ MTGW, in which case the “FW” will do the translation from 192.168.x.5:8000 to 10.y.z.10:8443
  • Use policy-based routing (PBR) on the MTGW so the return traffic goes directly from MTGW to ISP.

The former is mostly reorganization and readdressing, nothing fancy or difficult. The latter is all configuration changes; the easiest way to get help with it is to provide a full configuration export with the sensitive bits removed.
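A concrete form of the second option (PBR on the MTGW), added here as an illustration and not taken from any post in this thread. It assumes RouterOS v7 syntax (the routing-table=main in the posted route suggests v7), that the LAN-facing interface is named LAN, and uses the made-up names from-isp and via-isp for the connection mark and routing table. The dst-nat rule is the one already posted above, repeated unchanged for context; the target port is kept at 8000 as in the original question.

```routeros
# Added example, not part of the thread. Names LAN, from-isp and via-isp are assumptions.
# Idea: remember which connections arrived from the ISP router on WAN, and route
# their reply packets back out via 192.168.x.1 instead of the default gateway
# 192.168.y.10 (the firewall), so the firewall never sees half a connection.

# 1. The dst-nat rule exactly as posted in the thread.
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT2WWW" \
    dst-address=192.168.x.5 dst-port=8000 in-interface=WAN protocol=tcp \
    src-address=1.1.1.1 to-addresses=10.x.x.10 to-ports=8000

# 2. A separate routing table whose only route points at the ISP router.
#    "fib" is required in v7 for the table to be used for forwarding decisions.
/routing table
add name=via-isp fib

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.x.1 routing-table=via-isp \
    comment="return path for connections that came in from the ISP router"

# 3. Mangle: tag new connections arriving on WAN from 1.1.1.1 for the forwarded
#    port. Mangle prerouting runs before dstnat, so the original destination
#    192.168.x.5 is still what is matched here.
/ip firewall mangle
add chain=prerouting in-interface=WAN connection-state=new protocol=tcp \
    src-address=1.1.1.1 dst-address=192.168.x.5 dst-port=8000 \
    action=mark-connection new-connection-mark=from-isp passthrough=yes \
    comment="ISP-side inbound to WWW"

#    Reply packets from the www server belong to the same tracked connection and
#    therefore carry the connection mark; give them the routing mark so the
#    via-isp table is consulted instead of main (which would send them to the FW).
add chain=prerouting in-interface=LAN connection-mark=from-isp \
    action=mark-routing new-routing-mark=via-isp passthrough=no \
    comment="send replies back to the ISP router"
```

To verify, watch the mangle counters with /ip firewall mangle print stats while connecting from 1.1.1.1: the first rule should count once per new connection and the second once per reply packet, and /ip firewall connection print where connection-mark=from-isp should list the tracked connection. If the marks count but the server still does not answer, check that the forward chain of /ip firewall filter (not shown anywhere in the thread) permits the WAN to LAN new connection and the established/related replies; a /tool sniffer quick interface=WAN port=8000 will show whether the SYN-ACK actually leaves on WAN or is still being sent towards 192.168.y.10.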