Port Mapping 80>8080

RouterOS Beginner Basics
1

Hello everyone,

I am trying map an external port 80 to a 8080 port internally on a server in my network.
and tried follow http://forum.mikrotik.com/t/nat-port-mapping-question/60931/1 but without success.
Could you please see my configs and say me where i wrong.

/ip firewall filter
add action=accept chain=input comment=“default configuration” disabled=no
protocol=icmp
add action=accept chain=input comment=“default configuration” connection-state=
established disabled=no
add action=accept chain=input comment=“default configuration” connection-state=
related disabled=no
add action=drop chain=input comment=“default configuration” disabled=yes
in-interface=ether1-gateway
add action=accept chain=forward disabled=no dst-address=192.168.1.56 dst-port=
8080 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration” disabled=no
out-interface=Vega to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=no dst-address=178.xxx.252.100
dst-port=3389 protocol=tcp to-addresses=192.168.1.56 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=178.xxx.252.100
dst-port=80 protocol=tcp to-addresses=192.168.1.56 to-ports=8080

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

2

Does the device at 192.168.1.56 have its default gateway set correctly?

btw - the forwarding filters look a bit odd - I don’t see a “drop all” at the end…

3

That is the default firewall and it has it’s drop rule. The default firewall protects the router (input chain).

You don’t need the last filter rule. Does your ISP block port 80?

4

Yes, i double checked it, all settings on the host is Ok, also RDP to this host is Ok.
‘drop all’ disabled because I tried connect with disabled/enabled rules in different combinations. (magic is possible :slight_smile:


I enabled default “drop rule” and disabled last “forward” rule.
My ISP assures me that they don’t block any ports. (i can establish coneection via telnet to 178.xxx.252.10:80)

Connection scheme:
ISP --PPPoE–178.xxx.252.100 : Mikrotik : 192.168.1.1 – local area:192.168.1.56

Corrected filter rule config:

/ip firewall filter
add action=accept chain=input comment=“default configuration” disabled=no
protocol=icmp
add action=accept chain=input comment=“default configuration” connection-state=
established disabled=no
add action=accept chain=input comment=“default configuration” connection-state=
related disabled=no
add action=drop chain=input comment=“default configuration” disabled=no
in-interface=ether1-gateway
add action=accept chain=forward disabled=yes dst-address=192.168.1.56 dst-port=
8080 protocol=tcp

Thank you.

5

Try forwarding a different port to the web server - e.g. 81 going to 8080 and see if that works in an external browser (http://a.b.c.d:81/).

If it does you probably have something else picking up port 80 on the router…

6

You are right, something keeps 80 port…
I enabled Service port 80 and tried connect - nothing.
I reappointed port from 80 to 81 and voila, i can connect to routr’s admin interface.
So, it left to find what keeps port.

7

Depending on exactly how you tested remember to bear in mind that your ISP may actually be blocking port 80 despite what you were told…

Using Torch on the WAN interface would let you see what traffic is actually arriving at the router. If your ISP is not blocking port 80 traffic then something at the router end may be misdirecting port 80.

If you can’t get it resolved I suggest posting output from /export compact (with your public IP masked) so we can help.

8

Thanks to all for help.
You were right. *** ISP locked it.
(After a difficult conversation with their sapport the 80 port unexpectedly earned)