Port mapping with PPTP as internet uplink

Hello everyone.

I have just bought a Mikrotik Routerboard 941-2nD. It has WebFig v6.38.1 (stable) and RouterOS 6.34.

My ISP uses an unencrypted PPTP VPN to connect to the Internet.
I have a static IP and a web server inside my house that I would like to make available on the Internet.
I’ve tried all the different ways of mapping ports that I could find on Google, to no avail (specifying pptp-out1 as my inbound interface).

My firewall settings are as follows (default but I disabled some):

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 3 XI  ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 6    ;;; Allow http connection to webserver from outside
      chain=forward protocol=tcp dst-address=192.168.1.77 
      in-interface=pptp-out1 dst-port=80 

 7 XI  ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 8 XI  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""



/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=pptp-out1 log=no 
      log-prefix="" 

 1    ;;; Forward tcp:80 to webserver
      chain=dstnat action=dst-nat to-addresses=192.168.1.77 to-ports=80 
      protocol=tcp dst-address=81.30.221.123 dst-port=80

But when I try to navigate to my site I get an “ERR_CONNECTION_TIMED_OUT” :frowning:

What should I do?
It seems like I’m missing something really obvious here…

Thanks!

There’s a webserver (ownCloud) available on the given address from outside. You probably test it from the same LAN where you have 192.168.1.77. You want this info to make it work from there too (I’m starting to get tired of posting this link over and over :wink:). Or if you have a static public IP address, you can simply replace the current masquerade rule with this one (but still read that page to understand what’s going on):

/ip firewall nat
add action=src-nat chain=srcnat to-addresses=81.30.221.123

Btw, you don’t need filter rule #6. Everything is allowed by default. If you remove it and instead enable rules #7 and #8, forwarded ports (all) will still be allowed. Rule #8 does block anything coming from WAN, except forwarded ports (connection-nat-state=!dstnat, “!” means “not”).
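
The address translation discussed in the reply above, modelled as an added example that is not part of the original posts or of RouterOS itself. It compares the original masquerade rule with the interface-less src-nat rule for an outside client and a LAN client; the /24 prefix, the "bridge" interface name and both client addresses are assumptions.

```python
import ipaddress

PUBLIC_IP = "81.30.221.123"                    # from the thread
SERVER = "192.168.1.77"                        # from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed prefix length

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def srcnat(src, out_if, rule):
    """Apply the srcnat chain to a new connection leaving via out_if."""
    if rule == "masquerade-pptp":      # original rule 0: out-interface=pptp-out1
        return PUBLIC_IP if out_if == "pptp-out1" else src
    if rule == "src-nat-any":          # rule from the reply: no interface matcher
        return PUBLIC_IP
    raise ValueError(rule)

def connect(client, rule):
    """Model one TCP connection from client to PUBLIC_IP:80.

    Returns (source address the server sees, source address of the reply
    the client receives, whether the client accepts that reply).
    """
    # dstnat rule 1 rewrites the destination to 192.168.1.77:80, so the
    # packet leaves through the LAN side ("bridge" is an assumed name).
    out_if = "bridge"
    seen_src = srcnat(client, out_if, rule)
    if in_lan(seen_src):
        # Server and client share a subnet: the reply is delivered directly,
        # bypasses the router, and is never translated back.
        reply_src = SERVER
    else:
        # The reply goes to the router, which reverses both translations.
        reply_src = PUBLIC_IP
    # The client opened a connection to PUBLIC_IP, so only that source matches.
    return seen_src, reply_src, reply_src == PUBLIC_IP

if __name__ == "__main__":
    for client in ("203.0.113.10", "192.168.1.50"):   # constructed client addresses
        for rule in ("masquerade-pptp", "src-nat-any"):
            print(client, rule, connect(client, rule))
```

In this model the interface-less src-nat rule makes the server see 81.30.221.123 as the source of every connection, including those from the Internet, so its access logs no longer carry real client addresses.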

Sob, thank you very much! I was a bit sleepy yesterday and couldn’t figure out that using a phone to test the web server, because the phone is not on the network, won’t work as long as the phone is on the WiFi, which is on the same network :smiley: