Sorry if I have missed something essential, I only recently started using mikrotik routers.
I was trying to set up port forwarding and got it to work, but only when using it from outside my network; when I try to access it from inside my own network it doesn’t work.
I also noticed that the web panel can be accessed on both local and external addresses, but not outside the network, can that be related?
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none
1 ;;; http
chain=dstnat action=dst-nat to-addresses=192.168.0.127 to-ports=3000
protocol=tcp dst-address=(my external ip) in-interface-list=WAN dst-port=80
log=no log-prefix=""
edit:
Forgot to add the hairpin nat rule:
2 chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24
dst-address=192.168.0.127 out-interface=bridge log=no log-prefix=""
anav
November 1, 2024, 8:01pm
2
Ensure the port forwarding rule is more flexible than the default rule.
Remove the current default forward chain rule that covers incoming from WAN and dstnat with a block rule, and
Replace with
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="drop all else"
Rule has too many components (extra noise)
1 ;;; http
chain=dstnat action=dst-nat to-addresses=192.168.0.127 to-ports=3000
protocol=tcp dst-address=(my external ip) in-interface-list=WAN dst-port=80
log=no log-prefix=""
Should be
1 ;;; http
chain=dstnat action=dst-nat to-addresses=192.168.0.127 to-ports=3000
protocol=tcp dst-address=(my external ip) dst-port=80 log=no log-prefix=""
Thank you, that worked well it seems. Just in case, here are the firewall rules, if there is a problem here.
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related log=no log-prefix=""
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
log=no log-prefix=""
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface-list=WAN log=no log-prefix=""
12 X ;;; internet traffic
chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
log=no log-prefix=""
13 X ;;; port forwarding
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
14 X ;;; drop all else
chain=forward action=drop log=no log-prefix=""
anav
November 2, 2024, 9:12pm
4
I only comment on complete configs… Glad it's working for you now.
Oh, here are also the NAT rules for completion:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24
dst-address=192.168.0.127 out-interface=bridge log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""
ipsec-policy=out,none
2 ;;; http
chain=dstnat action=dst-nat to-addresses=192.168.0.127 to-ports=3000
protocol=tcp dst-address=(external ip) dst-port=80 log=no log-prefix=""
anav
November 2, 2024, 9:38pm
6
Change the first NAT rule, the hairpin nat rule, to this.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.0/24
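As an added illustration that is not part of this thread: a small Python model of the path a client's packet takes under the NAT rules posted above, showing why the original `in-interface-list=WAN` dstnat rule sends LAN clients to the router's own port 80, why a dstnat rule alone still fails for LAN clients, and why the hairpin srcnat rule fixes it. The public IP 203.0.113.10, the router's bridge address 192.168.0.1 and the client addresses are constructed stand-ins for the thread's "(my external ip)" and real hosts.

```python
import ipaddress

# Constructed values: the public IP stands in for "(my external ip)" in the thread,
# and 192.168.0.1 is an assumed bridge address (what masquerade on the bridge uses).
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.1"
PUBLIC_IP = "203.0.113.10"
SERVER, SERVER_PORT = "192.168.0.127", 3000


def forward(pkt, in_iface, wan_only_dstnat, hairpin):
    """Apply the thread's NAT rules to one client packet; return it as the server would see it."""
    pkt = dict(pkt)
    # dstnat rule: public:80 -> 192.168.0.127:3000, optionally restricted to packets arriving on WAN
    matches_iface = in_iface == "WAN" or not wan_only_dstnat
    if pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80 and matches_iface:
        pkt["dst"], pkt["dport"], pkt["dstnat"] = SERVER, SERVER_PORT, True
    # hairpin srcnat rule: masquerade LAN-to-LAN traffic that crosses the router so the
    # server's reply is routed back through the router instead of straight to the client
    src_in_lan = ipaddress.ip_address(pkt["src"]) in LAN_NET
    dst_in_lan = ipaddress.ip_address(pkt["dst"]) in LAN_NET
    if hairpin and src_in_lan and dst_in_lan:
        pkt["src"] = ROUTER_LAN_IP
    return pkt


def connect(client_ip, in_iface, wan_only_dstnat=False, hairpin=False):
    """Where a TCP SYN from client_ip to public:80 ends up: 'server', 'router-web' or 'reply-dropped'."""
    original = {"src": client_ip, "sport": 40000, "dst": PUBLIC_IP, "dport": 80}
    seen = forward(original, in_iface, wan_only_dstnat, hairpin)
    if not seen.get("dstnat"):
        # Untranslated packet is delivered to the router itself: its own port 80 (the web panel)
        return "router-web"
    if seen["src"] == client_ip and in_iface == "LAN":
        # Server answers the LAN client directly from 192.168.0.127:3000, but the client
        # opened a connection to public:80, so the SYN-ACK matches nothing and is discarded
        return "reply-dropped"
    # Reply goes back via the router (default gateway or masqueraded source),
    # which reverses both translations, so the client sees public:80 as expected
    return "server"


if __name__ == "__main__":
    print("internet client, WAN-only dstnat:", connect("198.51.100.7", "WAN", wan_only_dstnat=True))
    print("LAN client, WAN-only dstnat:     ", connect("192.168.0.50", "LAN", wan_only_dstnat=True))
    print("LAN client, dstnat, no hairpin:  ", connect("192.168.0.50", "LAN"))
    print("LAN client, dstnat + hairpin:    ", connect("192.168.0.50", "LAN", hairpin=True))
```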