I’m having some issues with my basic HTTP port forward. I have an HTTP server that I’m trying to expose to the external network. Internally I can pull pages up just fine/fast, but externally the page sometimes takes forever to load and sometimes it is fast. I’m assuming it is a router issue since on my internal network everything loads great. I’ve been messing with different settings to try and get this working, but it still seems like I get a spotty response trying to access it externally.
I just upgraded to RouterOS 4.10, but that didn’t help. I ran a packet sniffer on the web server and I can see packets getting through immediately after I make the request. In the NAT/Connections statistics, the external connection appears multiple times in an incremental port pattern. It also states “tcp wait” in the status column for each of these connections.
I feel like the connection doesn’t completely get established, drops, and then gets recreated again. Eventually one gets established and then goes through, but to the user the page seems like it isn’t loading.
/ip firewall nat print
chain=srcnat action=masquerade out-interface=ether1-gateway
chain=dstnat action=dst-nat to-addresses=192.168.103.102 to-ports=0-65535 protocol=tcp dst-address=24.1.84.0/23 in-interface=ether1-gateway dst-port=80
Is there only one IP assigned to your public interface? Check for 192.168.88.1/24. I use this:
/ip firewall nat
add chain=srcnat action=src-nat src-port=80 to-ports=80 src-address=192.168.103.102 to-addresses=xx.xx.xx.xx
add chain=dstnat action=dst-nat dst-port=80 to-ports=80 dst-address=xx.xx.xx.xx to-addresses=192.168.103.102
Replace xx.xx.xx.xx with your public ip. Move to the top of the list with “move”. Any other srcnats (multiple public ips) or masquerade (single public ip) should be below these in “/ip firewall nat”. Order is important.
BTW, welcome to the forum!
ADD: Forgot one thing. I go to “/ip service” on the core router and disable www.
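The reply above hinges on rule order: the host-specific src-nat and dst-nat rules must sit above the catch-all masquerade, because the first matching rule in a chain wins. As an added example (not MikroTik code and not from either poster), the script below parses `/ip firewall nat print` output in the layout quoted in this thread (RouterOS 4.x: index, optional X/I/D flags, `;;;` comment lines, wrapped continuation lines) and flags a src-nat rule buried below a masquerade, as well as a dst-nat rule that is not pinned to the WAN interface or the public address and would therefore also catch LAN clients’ own outbound traffic on that port. Both samples are constructed; the public address is kept as 24.x.x.x exactly as the poster redacted it.

```python
"""Check the ordering of RouterOS NAT rules from '/ip firewall nat print'.

Added example for this thread (not MikroTik code). The print layout assumed
here is the RouterOS 4.x one quoted in the thread; both samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the poster's re-ordered rules as quoted in the thread.
GOOD_SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=src-nat to-addresses=24.x.x.x to-ports=80 protocol=tcp src-address=192.168.103.102 src-port=80
 1   chain=dstnat action=dst-nat to-addresses=192.168.103.102 to-ports=80 protocol=tcp dst-address=24.x.x.x in-interface=ether1-gateway
     dst-port=80
 2   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway
"""

# Constructed counter-example: masquerade first, and a dst-nat rule that is
# not limited to the WAN interface or the public address. Rule 3 is disabled.
BAD_SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway
 1   chain=srcnat action=src-nat to-addresses=24.x.x.x to-ports=80 protocol=tcp src-address=192.168.103.102 src-port=80
 2   chain=dstnat action=dst-nat to-addresses=192.168.103.102 to-ports=80 protocol=tcp dst-port=80
 3 X chain=dstnat action=dst-nat to-addresses=192.168.103.102 to-ports=22 protocol=tcp dst-port=22
"""

# A rule starts with its index and optional flags; continuation lines do not.
RULE_START = re.compile(r"^\s*(\d+)\s+([XID ]*)\s*(.*)$")
KEY_VALUE = re.compile(r"(\S+?)=(\S+)")


@dataclass
class Rule:
    index: int
    flags: str = ""
    comment: str = ""
    attrs: dict[str, str] = field(default_factory=dict)

    @property
    def disabled(self) -> bool:
        return "X" in self.flags


def parse_nat_print(text: str) -> list[Rule]:
    """Turn the terminal output into Rule objects, merging wrapped lines."""
    rules: list[Rule] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = RULE_START.match(line)
        if m:
            rules.append(Rule(index=int(m.group(1)), flags=m.group(2).strip()))
            body = m.group(3)
        elif rules:
            body = line.strip()          # wrapped continuation of the previous rule
        else:
            raise ValueError(f"continuation line before any rule: {line!r}")
        rule = rules[-1]
        if body.startswith(";;;"):       # RouterOS prints rule comments this way
            rule.comment = body[3:].strip()
            continue
        for key, value in KEY_VALUE.findall(body):
            rule.attrs[key] = value
    return rules


def check_order(rules: list[Rule]) -> list[str]:
    """Return human-readable findings; an empty list means the layout is fine."""
    findings: list[str] = []
    active = [r for r in rules if not r.disabled]
    masq = [r.index for r in active if r.attrs.get("action") == "masquerade"]
    first_masq = min(masq) if masq else None
    for r in active:
        action = r.attrs.get("action")
        if action == "src-nat" and first_masq is not None and r.index > first_masq:
            findings.append(
                f"rule {r.index}: src-nat for {r.attrs.get('src-address')} sits below "
                f"masquerade rule {first_masq}; the masquerade matches first, so this "
                f"rule never takes effect. Move it above the masquerade."
            )
        if action == "dst-nat" and not any(
            k in r.attrs for k in ("in-interface", "dst-address")
        ):
            findings.append(
                f"rule {r.index}: dst-nat is not limited by in-interface or dst-address, "
                f"so it also catches LAN clients' outbound traffic on that port."
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(f"{name}: {check_order(parse_nat_print(sample)) or ['ok']}")
```

Paste your own `print` output in place of the samples; `/ip firewall nat print` on the router is the only source the parser needs, and disabled (`X`) rules are ignored so a parked rule does not trigger a finding.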
I shut down the www service, re-ordered the rules and put my external IP in. Still the same behavior…
Any other ideas?
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=24.x.x.x to-ports=80 protocol=tcp src-address=192.168.103.102 src-port=80
1 chain=dstnat action=dst-nat to-addresses=192.168.103.102 to-ports=80 protocol=tcp dst-address=24.x.x.x in-interface=ether1-gateway dst-port=80
2 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
If you disable the srcnat/dstnat rules and enable www, can you get the Webbox login page from the internet? Are you certain port 80 is not blocked by your ISP? If the ports are open on your router, and show closed or stealthed in the ShieldsUp check, then it is probably your ISP.
https://www.grc.com/x/ne.dll?bh0bkyd2
Just eliminating the possibility that may be interfering.
The port is accessible externally, from a user perspective it just takes forever for the page to pull up.
Shields up also verified that port 80 was open.
I know some of this is out of the scope of this forum, but I’m just thinking out loud here.
- Apache problems: I turned off hostname lookups thinking that maybe it was having a hard time looking up hosts. I have a feeling that it isn’t Apache because internally it works great.
- ISP packet filtering: this can’t be it either. I’m on Comcast; I’m positive they aren’t blocking port 80.
- DNS issues? I think I’m on to something here… I just did a just-ping.com on my URL and half of the resolutions are pointed to the incorrect IP. I’m sure this is what is causing the issue.
Thanks for the help.
Then it sounds like DNS. I use Apache internally with just about the same rules and it works ok.
ADD: Ensure you have “/ip dns” set correctly, primary and secondary, and “allow-remote-requests=yes”.