Problem with port forward

I recently bought a Mikrotik RouterBoard hEX for my home network. First mission was to get an old router to work as an AP and after some tries I got that to work. After that it was on to getting my server online. What I need to do is a standard port forward of port 80 and port 443. But I just seem to fail. Internally my server is up and my web application shows. So the problem is not in the server. But after a lot of googling I’m still confused. From my experience what I should do is something along this guide: http://www.icafemenu.com/how-to-port-forward-in-mikrotik-router.htm

That I’ve tried, it does not work. Port 80 is shut as ever. I’ve also found threads that suggest building firewall rules in combination with the above mentioned. That didn’t work either.

Now I’m a bit out of ideas. My router is for now in standard configuration with the exception of the Firewall -> NAT change in the guide.

Firewall:

[admin@MikroTik] /ip firewall filter> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1

Change to NAT:

[admin@MikroTik] /ip firewall filter> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=192.168.10.110 dst-port=80 log=no


What am I doing wrong? Why doesn’t this work? Any ideas? Thankful for any help!

Cheers,
Error

Go to IP > Services, most probably webfig (the web based management UI) is enabled. Select www and disable it so that that port isn’t used.

Do you get your WAN IP from your ISP using PPPoE?

I’ve disabled www in IP -> Services. I get my public IP address from my ISP via DHCP. It’s still not working though.

There is a mistake in your NAT rule:

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=192.168.10.110 dst-port=80 log=no

Should be

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=xxx.xxx.xxx.xxx dst-port=80 log=no

Where xxx.xxx.xxx.xxx is your WAN IP. Or if you have a dynamic IP, you can use in-interface instead.

Regards,

For the record, this is not necessary. You can have both the service on the router and port forwarding using the same port, and they can exist together. Where “exist together” means that dstnat will “steal” packets before they can reach the service on the router, i.e. dstnat will win. :) But you can do dstnat selectively, e.g. only from WAN, so connections to port 80 from LAN can go to WebFig on the router and connections to port 80 from the internet can be forwarded to some internal webserver.

Thanks a lot! Now the port is open! But it’s still not working though. For some reason I can access the server via 192.168.10.110 but not through my public IP address. Any ideas as to what is still configured wrong?

Fixed config:
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=85.230.11.34 dst-port=80 log=no log-prefix=""


Thanks! Good to know!

Hello, your webserver is now reachable, I can display it. If you want to open it from your local network, you will need HAIRPIN NAT: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Regards,

Also try adding

dst-address-type=local

to your dst-nat rule. What srcnat rule do you have in place?

Thanks a lot! I’ll look into HAIRPIN NAT!


What does this do? And do I need srcnat? As of now the only srcnat rule is the one that is configured by default.

Are you trying to access your public IP on port 80 from within the LAN that the router is controlling?
You still need srcnat for devices on your LAN to access the internet.
My understanding is that with dst-address-type=local, if the server is connected to a local port you should have this in.
To test your dstnat from the same network you should use something like TunnelBear to appear that you are not on your network.

No, it doesn’t have anything to do with the server being connected to a local port. It does what the name says - it matches the target address, if it’s an address assigned to any interface on the router.

Normally, when you want to forward a port from public address 1.2.3.4 to some internal address, and the public address is static, you simply add a dstnat rule with dst-address=1.2.3.4. That’s the best way, because it catches what it should and only that, nothing more.

But you can’t do this when your public address is dynamic (from DHCP, PPPoE, …). Well, you could, with a script that would update the address in the dstnat rule, but that’s not very practical. You need to match something else. A popular way is to use in-interface=WAN. It works, but it’s not entirely correct, because it matches anything that happens to come via the WAN interface, no matter what the target address is. If you have only one address anyway, you’ll probably never notice. But if you for example had a public subnet routed to you (e.g. 2.3.4.0/24), such a rule would catch traffic to all addresses. In reality, the combination of a DHCP address and a routed subnet is unlikely, but I don’t have a better example now.

A better way is dst-address-type=local. It will match 1.2.3.4 (because it’s local), but it won’t match any of 2.3.4.0/24 (except the one that you’ll probably assign to the internal interface as gateway for the others).

But there can be a different problem: forwarding e.g. port 80 from the public address and also having web administration on 192.168.88.1:80 won’t work together. That’s because 192.168.88.1 is also local and will too forward all connections to the internal server. The way to solve this is to use dst-address-type=local together with the exception dst-address=!192.168.88.1.

Hey Sob
Thanks for the heads up. Sometimes the wikis do not explain it as well as you have.
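Putting the thread's advice together (the dst-address-type=local match with an exception for the router's own management address, and the hairpin NAT that the Hairpin_NAT wiki link refers to), here is an added example of what the resulting NAT configuration could look like. This is not configuration posted by anyone in the thread. It reuses the server address 192.168.10.110 from the original posts and assumes, as labelled in the comments, that the LAN bridge interface is named "bridge", that the LAN subnet is 192.168.10.0/24 and that the router's LAN-side address is 192.168.10.1; adjust those to the real values before use.

```routeros
# Added example, not from the thread. Assumptions (check against your router):
#   LAN bridge interface:  bridge
#   LAN subnet:            192.168.10.0/24
#   router LAN address:    192.168.10.1
#   internal web server:   192.168.10.110  (from the thread)
/ip firewall nat

# Forward TCP 80 and 443 to the internal server whenever the destination is
# one of the router's own addresses (works with a dynamic WAN address),
# but leave 192.168.10.1 alone so WebFig on the LAN side stays reachable.
add chain=dstnat action=dst-nat to-addresses=192.168.10.110 protocol=tcp \
    dst-address-type=local dst-address=!192.168.10.1 dst-port=80,443 \
    comment="forward web traffic to internal server"

# Hairpin NAT: when a LAN client connects to the public address, the
# connection is dst-nated above and leaves through the same bridge; without
# this masquerade the server would answer the client directly and the client
# would drop the reply because it came from the wrong address.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.110 protocol=tcp dst-port=80,443 \
    out-interface=bridge comment="hairpin NAT for LAN clients"
```

The default "drop all from WAN not DSTNATed" forward rule shown earlier in the thread stays in place: only connections that matched the dstnat rule are let through from ether1, so nothing else on the LAN becomes reachable. Because the exception is on the destination address rather than on the source, LAN clients still reach the router's web UI at 192.168.10.1 while both LAN clients (via the hairpin rule) and internet clients reach the server through the public address. With dst-port=80,443 a single rule covers both ports; to-ports is omitted because the ports are not translated.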