Hi,
New user here, just bought the Hap AX3 but i’m struggling with the port foward. I did a port foward in IP->Firewall->NAT. for the port 80 everything is good and i get the port open, but for the 443 i cannot have this port open to the outside, i doubled checked everything but still not working.
Can you guys please help?
Looks like its working has traffic??
How are you testing?
Where is your config?
/export file=anynameyouwish ( minus router serial# and any public WANIP information).
Some lite reading → https://forum.mikrotik.com/viewtopic.php?t=179343
screenshots fortune teller is a day off today
You want to forward to what/where? Which service/device are you trying to reach from internet?
Lite?? 
Sorry, has i said, new to Mikrotik. I came from Unifi
Here’s the config, pretty plain i think:
# may/18/2023 14:02:32 by RouterOS 7.9
# software id = YLSJ-3B4R
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = XXXXX
/interface bridge
add admin-mac=48:A9:8A:BC:95:47 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Portugal .mode=ap .ssid=XXX disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Portugal .mode=ap .ssid=XXX disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=XXXX
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.254/24 comment=defconf interface=bridge network=10.1.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.254 gateway=\
10.1.1.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.1.1.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Port80 dst-port=80 in-interface-list=\
WAN protocol=tcp to-addresses=10.1.1.200 to-ports=80
add action=dst-nat chain=dstnat comment=Port443 dst-port=443 \
in-interface-list=WAN protocol=tcp to-addresses=10.1.1.200 to-ports=433
add action=dst-nat chain=dstnat comment=Wireguard dst-port=51820 \
in-interface-list=WAN protocol=udp to-addresses=10.1.1.251 to-ports=51820
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=8100 \
in-interface-list=WAN protocol=tcp to-addresses=10.1.1.251 to-ports=8100
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Lisbon
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The design of my network is and ISP Router with DMZ to the Hap Ax3, no configurations on the ISP router.
ether1 is the WAN connection (ISP->Mikrotik)
I’m trying to hit my nginx server in the ip 10.1.1.200
I’ve check the ports with portchecker.co, the port 80 and 8100 are open, the 51820 and 443 are not open. The service on the 51820 works good. The only port that is not forwarding is 443.
No need to hide private IP addresses, including ranges and in your case a pRIVATE WANIP, its not public!!!
(1) Recommend you change your forward chain rules slightly
From:
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
TO
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”
(2) Confirming that external users are putting the WANIP of the ISP router IP:Port#
and probably using a dyndns name to access your servers ( could be your IP Cloud address for example ).
(3) Why do you have a wireguard interface identified in port forwarding table???
I dont see any other wireguard settings???
(4) Why is upnp enabled??
(5) Since you get a fixed LANIP on the ISP Router LAN. This is also the WANIP of the hapax3 and thus a fixed private IP.
You have IP DHCP client setup so does is really only useful if the WANIP changes from time to time, i doubt it as the port forwarding on the ISP router needs a fixed IP.
Thus recommend
Remove IP DHCP client
ADD IP address
add address= A.B.C.D.E/24 interface=ether1 network= A.B.C.D.0 ( where A.B.C.D.E is your mt WANIP )
ADD ROUTE
add dst-address=0.0.0.0/0 gateway=A.B.C.D.1 routing-table=main
Then your dst-nat rules look like ( to port not required if same as dst-port ):
add action=dst-nat chain=dstnat comment=Port80 dst-port=80 dst-address=A.B.C.D.E
protocol=tcp to-addresses=10.1.1.200
(5) Remove this old default dns rule…>
/ip dns static
add address=10.1.1.254 comment=defconf name=router.lan
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
With regard to your issue, I understand that IPSEC has its own internal routing priority and thus
I have no idea why local MT server traffic is intermittent ???
I also dont see any ipsec input chain rules on the router… how are you doing ipsec??
Hey,
1 - where/how can i add those comands?
2 - i’m trying to access a domain that is hosted on 10.1.1.200:443
3 - i have wireguard configured on another machine, maybe later i’ll do it directly on the router, but for now it will stay on a VM machine because its working good.
4 - UpNp is enabled so i can get some router information in a management console.
5 - from the ISP router i set DMZ to the hapax3 mac address. so i’ll get the same IP from the ISP router everytime.
About ipsec, sorry but i’m not familiar with that, cannot anwser
My bad about ipsec, was confused with another post, looking at too many.
Forward chain rules are found at IP FIREWALL FILTER RULES
added the lines you refered and deleted the other but still the same. I cannot access my domain in port 443. This was working pretty straight forward with the unifi console, but i’m struggling a lot with this mikrotik.
Is it possible that your ISP is blocking port 443?
Don’t think so, it was working good with Unifi and previously with OpenWRT..something is wrong with these mikrotik configuration.
Just did a factory reset and forward only port 443 and still the same, cannot reach the server. Something is missing and i cannot understand what it is.
Wait, I see a mistake here.
to-ports=433?
It is supposed to be 443
don’t know where to hide anymore…I’ve been trying to fix this for 1 week and didn’t notice this mistake…thank you!
A way to avoid similar mistakes is not to set “to-ports” when it’s supposed to be the same as dst-port … if to-ports is not set, then ROS won’t change it in passing packets.