I am trying to forward the usual http and https ports to a webserver inside my network from the WAN interface.
I am seeing the SYN packet arrive on the webserver and the SYN/ACK being sent, but the router blocks the response.
I have created the NAT rule using the following fields:
Chain: dstnat
protocol: tcp
dst port: 80,443
in-interface: pppoe-wan
action: dst-nat
to addresses: 10.0.2.251 (my webserver LAN ip address)
However, if I try to forward port 90 (WAN) to port 80 (on my webserver), for example, it works.
It is as if there was already a rule regarding ports 80, 443 and 22 (I've also tried to forward the SSH port and the same thing happened).
I only have 2 dst-nat rules, one for this webserver on ports 80,443 and one on my unifi NVR on port 7443 (which works)
Regarding the firewall rules, I have the defconf rules added automatically + my L2TP/IPsec rules (for the ipsec protocol + UDP ports 500, 1701, 4500) and that's it.
I have even created the forward rule in the firewall section to accept packets arriving on the WAN interface on ports 80, 443 to be forwarded to address 10.0.2.251, with no difference.
I am aware that the NAT rule should automatically set that rule, but I did that just in case…
Last, I've tried temporarily disabling the rules which were dropping connections to see if it would make any difference, but it made none.
I am trying myself to access my Server from home.
I have a VPN access to my office network.
Within the internal network, it works, webserver is accessible.
From the internet, it won’t work.
Using tshark on my webserver (which is, BTW, a Proxmox Debian 10 VM), I can see the packets coming in and being acknowledged, but it seems the router is dropping the SYN/ACK somehow.
If I forward port 90 to port 80 on my VM, it then works.
I don’t have any machine with a graphical interface turned on to access that webpage in my office network.
I am not there, I can only access it through IPSec VPN.
However, I have an Amazon VPS to which I connected remotely and tried to telnet to the 2 ports, with the same issue.
Using tshark again, I am seeing loads of TCP Retransmission packets initiated from my webserver.
First of all, you should probably not be using a work VPN for personal business.
Secondly, one has no clue about the security setup of the business connectivity; in or out, it is a crapshoot.
So instead of wasting our time, get a friend to connect from a NORMAL connection on the outside, and let us know if that works first.
First of all, you seem to be an expert and I am not, so please enlighten me on why I should not be using a work VPN for personal business if I want to?
Secondly, I gave you the entire config of my router and told you that it was directly connecting to a Debian VM on a Proxmox Server.
If someone friendly enough (which is definitely not your case) is willing to ask me some other questions on the topology on my network, I am very happy to answer those questions.
So, if you are irritated by my post, I just encourage you to GTFO and let me be.
Oh, and I forgot, I already said I was trying from a VPS which is not on the same network, not to mention I also tried accessing my Server with the VPN connection disabled (yeah, we can turn road-warrior connections on/off to test, don't you know, EXPERT?!)
Go out and have a walk, you seem to be needing it.
If you would like help, you should not reply in this way.
He was saying that both a VPS (using telnet) and a VPN are not normal ways to access a website and make things more complicated.
Your config looks OK. Try to set the router to a 100% default config and just add the dst-nat for port 80.
Then someone on the outside, not VPS, not VPN should try to open the website using a normal PC with a normal browser.
Does this mean the HTTP/HTTPS service "ports" are still active? Did you also add that only internal IPs are allowed to reach these www & www-ssl services?
(www & www-ssl services)
I wonder if they muck up somehow?
Dunno, just guessing.
In my config, anyway, all of these ports are strictly limited to my internal LAN range.
In your config below, the services "www" and "www-ssl" are missing, so I assume they are just enabled? And not limited as to where you can reach them from?
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
I am really not willing to reply in this way, but having someone telling me that I am wasting his time is not pleasant to hear.
People should learn to be polite. If I am wasting people’s time, then just don’t answer me, no big deal.
I have tried using my mobile phone which is on a 4G network (Wi-Fi off) and the same thing was happening.
A telnet should be good enough to test a connection, I believe (at least the TCP handshake).
Also, having the VPN disconnected acts as if I were a stranger to the network, and it should execute the NAT rule normally.
Here is a screenshot of the connections state, and it seems that the router never sees the SYN/ACK coming, doesn't it? https://postimg.cc/ZWhXBdZz
That was my thought. Since the router uses them, I was wondering if the rules related to them were overriding the NAT rules, especially since my test on port 90 (WAN interface) redirected to port 80 (on my Webserver) was working.
EDIT: http is enabled on the router but https isn’t. ssh port was changed to 2222, though when I did try forwarding port 22 to my webserver, same thing happened.
Trying port 443 from the outside does not work either, with the same TCP Retransmission happening.
It could still be the proxmox server which is acting up but I’ve checked the firewall rules and everything is off, on both the host and the VM.
Did you add some logging to all drop rules, so that at least in the RouterOS logs you can see when & why packets are dropped?
What about the "counters"? You can see which counter is "going up" when you try.
Perhaps one of these default rules you have drops packets marked "invalid", and for some reason you hit that rule?
After all, it’s a firewall right?
I can see the NAT rule counter going up, but I haven't turned on the logs for the drop rules.
The reason being that I have temporarily disabled all of these, tried again, and it didn't make any difference.
Can I log all the packets coming from an IP/HW Addr on the Mikrotik?
I would like to know if the SYN/ACK reaches the router or is never leaving my Server.
Otherwise, I guess I'll have to reset the router completely and set it up from scratch.
Though we are in lockdown at the moment so I can’t reach my office for a week or more.
There is a full-blown packet capture in there under Tools, so I guess you can simply capture anything on all ports of your device and filter against the MAC of your server, for example. Then you can see whether something SYN/ACK-like arrives…
Or use "Torch" and filter on the MAC of the server.
Is your server directly connected to the Mikrotik, or is there some other switch/device in between?
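As an added example (not taken from any post in this thread, and not the original poster's config), here is the RouterOS CLI form of what the thread describes: the dst-nat rule, the matching forward accept, logging on every drop rule, restricting the router's own www/www-ssl/ssh services to the LAN, and the counters, connection table and packet sniffer that the later replies point to. The interface name pppoe-wan and the server address 10.0.2.251 come from the thread; the LAN range 10.0.2.0/24, the defconf rule comment used for place-before, the capture file name and the comments are assumptions.

```routeros
# Constructed example. Assumes WAN interface pppoe-wan, LAN 10.0.2.0/24 and
# web server 10.0.2.251 (address from the thread); everything else is assumed.

# 1. dst-nat as described in the thread. to-ports is only needed when the
#    public port differs from the server port (the port 90 -> 80 test).
/ip firewall nat
add chain=dstnat in-interface=pppoe-wan protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.2.251 comment="web: 80,443 -> 10.0.2.251"
add chain=dstnat in-interface=pppoe-wan protocol=tcp dst-port=90 \
    action=dst-nat to-addresses=10.0.2.251 to-ports=80 comment="web: 90 -> 80 test"

# 2. Explicit forward accept for dst-nat'ed connections, placed above the
#    defconf rule that drops everything from WAN that was not dst-nat'ed
#    (the comment text matched here is an assumption about the defconf).
/ip firewall filter
add chain=forward in-interface=pppoe-wan connection-state=new \
    connection-nat-state=dstnat action=accept comment="accept dst-nat'ed from WAN" \
    place-before=[find comment~"drop all from WAN not DSTNATed"]

# 3. Log every drop rule with a prefix so /log shows which rule fired.
/ip firewall filter
set [find action=drop] log=yes log-prefix="fw-drop"

# 4. Keep the router's own management services reachable from the LAN only
#    (the www / www-ssl point raised in the thread). SSH stays on 2222 as in
#    the posted /ip service output.
/ip service
set www address=10.0.2.0/24
set www-ssl address=10.0.2.0/24
set ssh address=10.0.2.0/24

# 5. Diagnostics, run while a client outside is connecting to port 80/443.
#    Which NAT and drop counters move, and whether conntrack has the entry:
/ip firewall nat print stats where comment~"web"
/ip firewall filter print stats where action=drop
/ip firewall connection print where dst-address~"10.0.2.251"
/log print where message~"fw-drop"

#    Capture everything to/from the server on all interfaces. If the SYN/ACK
#    shows up on the LAN-side interface but never on pppoe-wan, the router
#    dropped it; if it never shows up at all, it never left the server.
/tool sniffer set filter-interface=all filter-ip-address=10.0.2.251/32 \
    filter-port=80,443 file-name=web-debug.pcap file-limit=10000KiB
/tool sniffer start
# ... reproduce the connection attempt, then:
/tool sniffer stop
/tool sniffer packet print
```

Two things to read off the output: a rising counter on a `drop ... connection-state=invalid` rule while the sniffer shows the SYN/ACK arriving on the LAN side means connection tracking did not associate the reply with the translated connection, which is the classic symptom of the server's reply not traversing the same path as the request (for example a different default gateway on the server, or a second router on the LAN), and a missing entry in `/ip firewall connection` for 10.0.2.251 points the same way. The `/ip service` lines are independent of the forwarding problem but close the exposure the www/www-ssl reply was asking about: dst-nat on ports 80/443 takes precedence over the router's own listener for traffic from the WAN, yet the listener itself should still not be reachable from outside.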