Port Forwarding

I have configured NAT to forward port 80 to my server IP, and when I check from canyouseeme it says: Connection Refused.
I configured it the same way two months ago and it worked great, but now I have no idea why it doesn't work.

What other changes have you made that might have caused this result?
A complete config will help.
/export hide=sensitive file=myconfigfile

Based on the screenshot, the dst-nat rule has some traffic on it. As dst-nat happens in the prerouting chain, it means at least some traffic is hitting your router.
In addition, you said that the error is "connection refused". However, if NAT or the firewall is incorrect, canyouseeme.org will show:

Error: I could not see your service on XXX.XXX.XXX.XXX on port (80)
Reason: Connection timed out

If the connection has been refused (not timed out), it proves that there is some device responding on your port 80. Personally, I would guess that there is some problem with your HTTP server, or that some other device is responding instead of your HTTP server.

I agree with Anav that the complete config might be helpful (just to rule out a mistake in your config). He just had a little typo, so the correct command is:

/export hide-sensitive

You can of course replace any personal info (public IP etc.). There is no point in replacing private IPs; nobody can hack you with these, as they are not unique.

That said, I would really suggest checking whether you are sending the traffic to the correct IP and port of the HTTP server, and whether your HTTP server will accept communication from non-LAN addresses.
Maybe you can provide some info about your HTTP server?
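To make the distinction drawn above concrete, here is a small probe I have added as an editor's example (it is not code from the thread, from MikroTik, or from canyouseeme.org) that classifies a TCP connect attempt the way an external checker would: "refused" means a host answered with a RST, "timeout" means nothing answered at all. The diagnosis strings are my reading of the reasoning above, and the loopback listener exists only so the "open" and "refused" cases can be shown offline; in practice you run it from a host outside your LAN against the public address.

```python
import errno
import socket

# Added example, not the thread's own code: classify what an outside
# checker such as canyouseeme.org actually observes when it connects.
# The diagnosis text is my interpretation of the thread's reasoning.
DIAGNOSIS = {
    "open": "a listener answered: the forward works end to end",
    "refused": "a host replied with RST: the SYN was delivered somewhere, "
               "but nothing listens on that port (check to-addresses/to-ports "
               "and the bind address of the HTTP server)",
    "timeout": "no reply at all: dropped by NAT/filter, by the ISP, "
               "or by a host firewall on the server",
    "unreachable": "no route to the address from this host",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout', 'unreachable' or 'error:<errno>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        # SYN (or SYN/ACK) silently dropped somewhere on the path
        return "timeout"
    except ConnectionRefusedError:
        # Something reachable sent RST: no listener on that port
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{exc.errno}"
    finally:
        sock.close()


def diagnose(result: str) -> str:
    """Map a probe result to the next thing to check."""
    return DIAGNOSIS.get(result, "unexpected socket error, inspect errno")


def local_listener() -> socket.socket:
    """Loopback listener on a free port, used to demonstrate the 'open' case offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    result = probe_tcp(host, port)
    print(f"{host}:{port} -> {result}: {diagnose(result)}")
```

Run as `python3 probe.py <public-ip> 80` from outside the LAN. A "refused" result with a correct dst-nat rule usually points at the to-addresses host itself: the service is not listening on that port, or is bound only to 127.0.0.1.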

[admin@MikroTik] > /export hide-sensitive
# jan/31/2019 17:33:39 by RouterOS 6.43.8
# software id = 1**W-H**7
#
# model = 95*Ui-**D
# serial number = 68C*******DB
/interface bridge
add admin-mac=**:**:6B:52:**:58 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-52735C \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=1**.191.1**.1**/29 interface=ether1 network=1*5.1*1.16*.12*
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward dst-address=1*5.1*1.1**.1** dst-port=80 \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none
add action=dst-nat chain=dstnat dst-address=1**.1**.1*4.1** dst-port=80 \
    protocol=tcp to-addresses=192.168.88.251 to-ports=80
/ip route
add distance=1 gateway=1*.1**.1**.1**
/system clock
set time-zone-name=Europe/Tirane
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I replaced the public IP with the * symbol.

Thank you in advance.

Why do you have the DHCP client enabled on ether1 when you have a static setup as well?

Looking at your config, you can remove this static DNS rule.
You already have DNS servers set (8.8.8.8 etc.) and your bridge network points to 192.168.88.1 for DNS.
/ip dns static
add address=192.168.88.1 name=router.lan

Everything else up to firewall rules looks normal.
Comments:

  1. Remove untracked; it is only used for specific purposes, in conjunction with raw rules.

  2. I work on the premise of a last rule that drops ALL traffic not explicitly allowed. Thus I do not worry whether I have forgotten to drop some traffic I am not even aware of, being a basic user.
    I also prefer not to give the LAN total access to the router, from a security standpoint; instead I only give the LAN access for DNS.
    I also provide the necessary access for the admin to reach the router (winbox etc.). I also prefer this notation because it is clear to me, or to whomever is looking
    at your code, what is and what isn't allowed. Fewer assumptions!!

  3. Same comment on untracked for the forward chain filter rule.

  4. If you are not doing VPN, I think you can disable the ipsec rules rather than removing them, as you may need them down the line.

  5. This is the problem with your config...
    add action=accept chain=forward dst-address=1*5.1*1.1**.1** dst-port=80 protocol=tcp

Let's look at your WAN IP more closely:

add address=1**.191.1**.1**/29 interface=ether1 network=1*5.1*1.16*.12*
add action=accept chain=forward dst-address=1*5.1*1.1**.1** dst-port=80
add action=dst-nat chain=dstnat dst-address=1**.1**.1*4.1** dst-port=80
I think you can understand that I am a bit confused as to what is being attempted, given 3 conflicting WAN IPs???

In any case, the first thing to do is get rid of your firewall filter rule for port 80!
You already have a rule that applies to, and allows, destination (dst-nat) packets.
So let's concentrate on making sure the NAT rule is correct!!

  1. Slight modification to your masquerade rule required.

Discussion on dst-nat rules
One needs a general firewall filter rule to allow destination packets through the firewall.
These packets are handled by NAT in prerouting, before the forward filter chain. Thus, when an externally originated packet arrives at the router, it is first inspected to see whether the destination port matches a NAT rule; if so, the router knows which private IP behind the router it is intended for. Then the packet arrives at the firewall, matches our rule that destination packets are allowed to be forwarded, and off it goes.

The rule you use is, in general, valid, but I will post the one I use right after so that you can compare...
The main difference is that you are dropping traffic whereas I am allowing specific traffic, similar to the input chain discussion.
I leave the dropping of traffic to the last DROP ALL ELSE rule.

/ip firewall filter
{input chain}
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Admin to Router" in-interface-list=LAN src-address-list=adminaccess

add action=accept chain=input comment="Allow LAN DNS Queries_TCP" dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS Queries_UDP" dst-port=53 protocol=udp in-interface-list=LAN

add action=drop chain=input comment="Drop All Else"

Note1: You will have to create a firewall address list:
/ip firewall address-list
add address=<IP of admin computer(s) or subnet> list=adminaccess

Note2: Finally, there is nothing wrong with your INPUT chain; it's just not the way I would do it, but do remove the untracked bit.

/ip firewall filter
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

current rule:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

rule I use:
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat

add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="source nat for lan" ipsec-policy=out,none out-interface=ether1

current rule:
add action=dst-nat chain=dstnat dst-address=1**.1**.1*4.1** dst-port=80 protocol=tcp to-addresses=192.168.88.251 to-ports=80

proposed rule:
add action=dst-nat chain=dstnat comment="ServerAccess_tcp" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.251

++ MKX question... What happens in the prerouting chain regarding dstnat, specifically to packets that arrive with a destination port NOT identified by the NAT rules? I assume these are then NOT marked by connection tracking as dst-nat connection-state packets and are simply passed on to the firewall forward filter. Since the connection state does not show dst-nat, and it is not established or related, etc., it would get passed to my drop rule and be blocked??
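As an added illustration of the prerouting/forward ordering discussed in this thread, and of the question just raised, here is a toy model I wrote in Python. It is not RouterOS code and not the thread's own; it only reproduces the order in which RouterOS evaluates the dstnat chain and the forward filter chain, and the matchers that matter for the question. The addresses are constructed stand-ins for the masked ones, fasttrack is omitted (it only touches established/related packets and does not change these verdicts), and the whitelist variant includes one assumed rule, accepting new connections from the LAN list, that is not in the posts above.

```python
from dataclasses import dataclass

# Constructed stand-ins; the thread masks the real addresses.
PUBLIC_IP = "203.0.113.10"
SERVER_IP = "192.168.88.251"
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int
    conn_state: str = "new"   # what connection tracking says about the flow
    nat_state: str = ""       # becomes "dstnat" once a dst-nat rule has fired


def matches(rule, pkt):
    """Apply the matchers a RouterOS rule carries; unspecified matchers match anything."""
    if "in_list" in rule and pkt.in_iface not in IFACE_LISTS[rule["in_list"]]:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dst" in rule and rule["dst"] != pkt.dst:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "conn_state" in rule and pkt.conn_state not in rule["conn_state"]:
        return False
    if "nat_state" in rule:
        want = rule["nat_state"]
        negate = want.startswith("!")
        if (pkt.nat_state == want.lstrip("!")) == negate:
            return False
    return True


# The OP's dst-nat rule, keyed on the public address (chain=dstnat).
DSTNAT_RULES = [
    dict(proto="tcp", dst=PUBLIC_IP, dport=80, action="dst-nat", to=SERVER_IP),
]

# Forward chain as in the OP's export, reduced to the state-based rules.
FORWARD_DEFCONF = [
    dict(conn_state={"established", "related"}, action="accept"),
    dict(conn_state={"invalid"}, action="drop"),
    dict(in_list="WAN", conn_state={"new"}, nat_state="!dstnat", action="drop"),
]

# Explicit-allow variant from the reply above, plus one ASSUMED rule (not in the
# thread) letting LAN-originated connections out; without it the final drop
# would also stop the LAN from reaching the Internet.
FORWARD_WHITELIST = [
    dict(conn_state={"established", "related"}, action="accept"),
    dict(conn_state={"invalid"}, action="drop"),
    dict(nat_state="dstnat", action="accept"),
    dict(in_list="LAN", action="accept"),   # assumed, see lead-in
    dict(action="drop"),
]


def prerouting_dstnat(pkt):
    """dstnat chain: first matching rule rewrites the destination and tags the flow."""
    for rule in DSTNAT_RULES:
        if matches(rule, pkt):
            pkt.dst = rule["to"]
            pkt.nat_state = "dstnat"
            break
    return pkt


def forward_filter(rules, pkt):
    """First matching filter rule decides; no match means RouterOS's default accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


def route(pkt, forward_rules):
    """Order matters: dst-nat in prerouting runs before the forward filter chain."""
    pkt = prerouting_dstnat(pkt)
    return forward_filter(forward_rules, pkt), pkt.dst, pkt.nat_state


def from_wan(dport, proto="tcp"):
    return Packet("ether1", proto, "198.51.100.7", PUBLIC_IP, dport)


def from_lan(dport, proto="tcp"):
    return Packet("bridge", proto, "192.168.88.20", "192.0.2.1", dport)


if __name__ == "__main__":
    for name, rules in (("defconf", FORWARD_DEFCONF), ("whitelist", FORWARD_WHITELIST)):
        for label, pkt in (("WAN->:80", from_wan(80)), ("WAN->:22", from_wan(22)),
                           ("LAN->:443", from_lan(443))):
            print(f"{name:9} {label:10} {route(pkt, rules)}")
```

Running it answers the question: a SYN from the WAN to a port with no dst-nat rule is never tagged dstnat, so with the default configuration the "drop all from WAN not DSTNATed" rule catches it, and with the whitelist chain it falls through to the final drop. Only the port-80 SYN is rewritten to 192.168.88.251 in prerouting and then passes the forward chain under either rule set.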