Port forwarding to a web server

Hi,
I almost lost it trying to get port forwarding working. Simple setup:

  • Web server has the public address 88.88.88.88:
add action=src-nat chain=srcnat comment="srv to wan" out-interface=ether1 src-address=192.168.0.88 \
    to-addresses=88.88.88.88



  • DST-nat for port 80
add action=dst-nat chain=dstnat dst-address=88.88.88.88 dst-port=80 protocol=tcp to-addresses=192.168.0.88 to-ports=80



  • Firewall rules
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="established and related" connection-state=established,related
add action=accept chain=forward comment="established and related" connection-state=established,related
add action=accept chain=input comment="ICMP" protocol=icmp
add action=accept chain=input dst-address=88.88.88.88 dst-port=80 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.88 dst-port=80 protocol=tcp
add action=drop chain=input in-interface=ether1
add action=drop chain=forward connection-nat-state=!dstnat in-interface=ether1
add action=drop chain=forward comment="drop invalid" connection-state=invalid

I can access the server from the LAN by its IP (192.168.0.88:80), but for some reason I can't access it from the internet (Nmap shows port 80 filtered).
Any help would be greatly appreciated.

Tried the same set of rules for my DNS server, and for port 53 it works great. Something suspicious is happening, I must admit :3

What version of OS are you running?

Your source NAT rule seems funny to me… try
add action=masquerade chain=srcnat comment="srv to wan" out-interface=WAN

or
add action=src-nat chain=srcnat out-interface=WAN to-addresses=88.88.88.88

Rules need fixing: get rid of some and have a better order for the firewall rules.

add action=accept chain=input comment="established and related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="ICMP" protocol=icmp
add action=drop chain=input in-interface=WAN (*)
add action=accept chain=forward comment="established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface=WAN


(*) Not sure why you have this, but I would do it this way:
add action=accept chain=input in-interface=LAN src-address-list=admin comment="Allow admin to access router"
add action=drop chain=input comment="Drop everything else on input side"

/ip firewall address-list
add address=IP1 list=admin
add address=IP2 list=admin
or add a subnet
or add a range

Finally you need dst-nat rules… example
/ip firewall nat
add action=dst-nat chain=dstnat comment="IDENTIFY EXTERNAL PURPOSE" dst-address=88.88.88.88 dst-port=80 protocol=tcp to-addresses=192.168.0.88

@anav Thanks, it seems to be working like a charm.
OS is 6.41; I plan to update to the latest bugfix release.
One question: the server is not accessible when I try to reach it from the LAN using the assigned public address 88.88.88.88. Is this behavior expected with 1:1 NAT, or did I mess up something else? :3

Edited: There are no issues at all when I try to access it from a different ISP, only with the scheme LAN PC → Web-server WAN address → NAT (WAN to LAN) → Web-server LAN address.

Look for “hairpin NAT”. The client with address X.X.X.C (LAN) sends a request to 88.88.88.88; the request is dst-nated to the server’s actual X.X.X.S (also LAN), but the source address remains X.X.X.C. So the server responds to the request towards X.X.X.C, but since it is in the same subnet as its own X.X.X.S, it sends it directly rather than via the Mikrotik, so the source address of the response remains X.X.X.S. The client ignores it because it expects a response from 88.88.88.88.

So add another src-nat rule, something like
add action=src-nat chain=srcnat src-address=X.X.X.0/mask dst-address=X.X.X.S protocol=tcp dst-port=80 to-addresses=X.X.X.1

Modify the X.X.X placeholders as per your actual configuration; X.X.X.1 is the Mikrotik’s own address in the LAN subnet.

Hi.
But the destination IP address requested by a host in X.X.X.0/mask is 88.88.88.88, no?
So dst-address should be 88.88.88.88, no?

No, because at the point on the packet path where the suggested rule is placed, the dst-address is already translated. This picture gives you all the details.
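The two replies above describe the hairpin problem and why the srcnat rule matches the already-translated destination. The following is an added worked example of the complete NAT and forward-chain set for this thread's addresses; it is not code from any of the posters. Assumptions not stated in the thread: ether1 is the WAN interface that holds 88.88.88.88, the LAN is 192.168.0.0/24, and the router's own LAN address is 192.168.0.1.

```routeros
# Added example (not from the original posts). Assumed: ether1 = WAN holding
# 88.88.88.88, LAN = 192.168.0.0/24, router LAN address = 192.168.0.1,
# web server = 192.168.0.88 (from the thread).

/ip firewall nat
# 1. dst-nat: rewrite 88.88.88.88:80 -> 192.168.0.88:80. No in-interface match,
#    so it fires for packets arriving from WAN *and* from LAN clients that use
#    the public address (the hairpin case).
add chain=dstnat action=dst-nat protocol=tcp dst-address=88.88.88.88 dst-port=80 \
    to-addresses=192.168.0.88 to-ports=80 comment="web: public -> server"

# 2. src-nat for WAN-bound traffic from the server only (1:1 style).
add chain=srcnat action=src-nat out-interface=ether1 src-address=192.168.0.88 \
    to-addresses=88.88.88.88 comment="srv to wan"

# 3. hairpin: by the time srcnat runs, a LAN client's packet to 88.88.88.88 has
#    already been rewritten to dst 192.168.0.88, so the rule matches the
#    translated destination and sets the source to the router's LAN address.
#    The server then replies to 192.168.0.1, the reply goes back through
#    conntrack, is un-NATed to src 88.88.88.88, and the client accepts it.
add chain=srcnat action=src-nat src-address=192.168.0.0/24 dst-address=192.168.0.88 \
    protocol=tcp dst-port=80 to-addresses=192.168.0.1 comment="hairpin web"
# Equivalent without hard-coding the router address:
# add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
#     dst-address=192.168.0.88 protocol=tcp dst-port=80 comment="hairpin web"

/ip firewall filter
# The forward chain must let the hairpinned flow through. The accept rule for
# the server must not be limited to in-interface=ether1; matching on
# connection-nat-state=dstnat keeps it tied to the port-forward only.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=tcp dst-address=192.168.0.88 dst-port=80 \
    connection-nat-state=dstnat comment="web: forwarded traffic"
add chain=forward action=drop in-interface=ether1 connection-nat-state=!dstnat
```

To check it, open http://88.88.88.88/ from a LAN client and look at `/ip firewall connection print detail` for the entry with dst-address 192.168.0.88:80: its reply side should point at the router's LAN address rather than at the client. Two caveats a practitioner should weigh: with hairpin NAT every LAN client appears to the web server as 192.168.0.1, so the server's access logs lose the real client address; and if the only goal is reaching the server by name from inside, split DNS (resolving the hostname to 192.168.0.88 on the LAN) avoids the extra NAT entirely.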

Splendid, gonna dive right in! Thank you for your help guys.