Problems forwarding port 80 for a web server

Hi. I am attempting to set up a web server, and for that purpose am trying to forward ports 80 and 443. After reading the docs, and trying the standard suggested DST-NAT rules, I learnt of hairpin NAT and modified my configuration appropriately. The setup is very simple and standard, with both WAN and LAN clients having to access content (at, for the rest of this question, ) served by the host behind the router (at ). This is the output of /ip firewall export:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input port=2000 protocol=tcp
add action=drop chain=input port=53 protocol=tcp
add action=drop chain=input in-interface-list=!LAN port=22 protocol=tcp
add action=drop chain=input in-interface-list=!LAN port=8080 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=<static-WAN-ip> dst-port=80 protocol=\
    tcp to-addresses=<local-server-ip>

These rules allow me to access the website currently hosted on the server on my LAN, but WAN nmap scans show that port 80 isn’t open, and an nmap scan of router.lan from within my LAN also shows that port 80 isn’t open, but an nmap scan of 117.247.16.191 from within my LAN shows that port 80 is open (as it should, since I’m able to access the hosted content.) Forwarding port 443 using a separate rule worked, with both WAN and LAN clients showing that the port was open, and the same goes for port 8080. What should I do to fix my configuration?

Your NAT config is correct and should work from both inside and outside. If another rule for port 443 works, and if it’s a clone of the port 80 rule with only a different port number, it proves that even the one for port 80 is correct. It’s also correct that router.lan doesn’t work, because I assume that it resolves to the router’s internal address, but the rule is for . But “WAN nmap scans”, if that’s checking from outside (but inside too), should work.

Btw, your firewall filter is not great. Default is action=accept, so in the forward chain you currently don’t block almost anything. Similar with the input chain: you block some things, but it would be safer to block everything from the internet, except maybe something you want to have open. If you have remote requests enabled in IP->DNS, you’re currently an open resolver, because you block tcp 53, but not udp. Check this thread (at least point 1) for ideas.
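The default-drop layout the reply above recommends, written out as an added example for this thread (it is not the poster's config and not code from the reply). It assumes the defconf WAN and LAN interface lists, the 192.168.88.0/24 LAN, and a web server at 192.168.88.10 standing in for <local-server-ip>; the comments on each rule are also part of the added example.

```routeros
# Added example: default-drop input and forward chains for the setup in
# this thread. Assumes interface lists WAN and LAN, LAN = 192.168.88.0/24,
# and the forwarded web server at 192.168.88.10 (placeholder address).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="LAN may reach the router"
# Everything else addressed to the router itself is dropped. This is what
# closes the open resolver: with allow-remote-requests=yes, DNS on both
# udp/53 and tcp/53 was reachable from WAN while only tcp/53 was dropped.
add chain=input action=drop in-interface-list=!LAN comment="drop all else from WAN"

add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Only the web server, and only on the forwarded ports, is reachable from
# WAN. A bare connection-nat-state=dstnat accept would also expose any
# dst-nat target added later.
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.10 dst-port=80,443 comment="web server from WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet"
# Hairpin case: a LAN client that connects to the public address is
# dst-natted and then routed back out of the bridge, so the packet is
# forwarded LAN -> LAN and needs its own accept.
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    connection-nat-state=dstnat comment="hairpin to web server"
add chain=forward action=drop comment="drop all else"
```

Rule order matters: the dstnat accept for the web server must sit above the final drop, and the LAN accept in the input chain is what keeps the router's DNS usable for DHCP clients once everything from WAN is dropped.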

I changed my firewall rules, and have the same NAT rules, but I’m still unable to access port 80 from WAN. The results of the nmap scans I conducted are below (nmap scans from outside the LAN), followed by the current config:

nmap scans:

$ nmap <static-WAN-IP>

gives:

Host seems down. If it is really up, but blocking our ping probes, try -Pn

Then,

$ nmap -Pn <static-WAN-IP>

gives:

Host is up (0.062s latency).
All 1000 scanned ports on <static-WAN-IP> are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds

Config:

/interface bridge
add admin-mac=DC:2C:6E:54:85:2B auto-mac=no comment=defconf \
	name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=\
	pppoe-out1 use-peer-dns=yes user=\
	<pppoe-user>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=\
	defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge \
	network=192.168.88.0
add address=<static-WAN-IP> interface=pppoe-out1 network=\
	<network>
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=<local-server-ip> client-id=\
	<id> \
	mac-address=<mac-add> server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
	192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
	"defconf: accept established,related,untracked" \
	connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
	connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" \
	protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else."
add action=fasttrack-connection chain=forward comment=\
	"defconf: fasttrack" connection-state=\
	established,related
add action=accept chain=forward comment=\
	"defconf: accept established,related,untracked" \
	connection-state=established,related,untracked
add action=drop chain=forward comment=\
	"defconf drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
	"Allow internet traffic." in-interface-list=LAN \
	out-interface-list=WAN
add action=accept chain=forward comment=\
	"Allow port forwarding." connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else."
/ip firewall nat
add action=masquerade chain=srcnat comment=\
	"defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=\
	192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=<static-WAN-IP> \
	dst-port=80 protocol=tcp to-addresses=<local-server-IP>
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=<tz>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi.
Maybe try these for NAT rules, where 192.168.88.0/24 is the LAN, 192.168.88.10 is the web server, and 172.217.4.206 is your static WAN address.

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add comment=www chain=dstnat action=dst-nat to-addresses=192.168.88.10 protocol=tcp in-interface-list=WAN dst-port=80,443
add chain=dstnat action=dst-nat to-addresses=192.168.88.10 protocol=tcp dst-address=172.217.4.206 in-interface-list=LAN dst-port=80,443
add chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.10 dst-port=80,443

Tried the suggested NAT rules, but they don’t work either. Output of Nmap scan from outside LAN:

Command:

$ nmap <static-WAN-IP>

Output:

Nmap scan report for <static-WAN-IP>
Host is up (0.084s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 11.03 seconds

Config at the time of doing this:

/interface bridge
add admin-mac=DC:2C:6E:54:85:2B auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=<pppoe-user>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=<local-server-IP> client-id=\
    <client-id> mac-address=\
    <mac-address> server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf:accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf:drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else."
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allow internet traffic." \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding." \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else."
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=www dst-port=80,443 in-interface-list=\
    WAN protocol=tcp to-addresses=<local-server-IP>
add action=dst-nat chain=dstnat dst-address=<static-WAN-IP> dst-port=80,443 \
    in-interface-list=LAN protocol=tcp to-addresses=<local-server-IP>
add action=src-nat chain=srcnat dst-address=<local-server-IP> dst-port=80,443 \
    protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=<tz>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) Since you are using PPPoE as a client, I suggest you remove these lines:
/ip dhcp-client
add comment=defconf interface=ether1

(2) You seem conflicted on how to set up your DST-NAT rules.
If the PPPoE address is a dynamic address then you have several choices.

Read the user article and look for Dynamic IP options! - https://forum.mikrotik.com/viewtopic.php?t=179343

Original dstnat rules were fine. Is it possible that your ISP does some filtering of incoming traffic? Even the first nmap is weird: you accept all ICMP, and yet it complains that ping doesn’t work.
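A way to settle the question the last reply raises (do inbound port 80 packets reach the router at all, or does the ISP drop them first?), as an added example that is not part of any post in this thread. It assumes the WAN interface pppoe-out1 from the posted config and uses 192.168.88.10 as a placeholder for <local-server-IP>; the commands are standard RouterOS, the comments and log prefix are the example's own.

```routeros
# Added example: confirm whether TCP/80 SYNs from the internet arrive on
# pppoe-out1 before changing any more NAT rules. Assumes the WAN interface
# is pppoe-out1 and the forward target is 192.168.88.10 (placeholder).

# 0. Make sure the address being scanned is the one PPPoE actually holds.
#    The PPPoE-assigned address shows the D (dynamic) flag; a scan of any
#    other address never reaches this interface.
/ip address print where interface=pppoe-out1

# 1. A raw-table rule is evaluated before connection tracking and before
#    NAT, so it records every inbound SYN to port 80 no matter what the
#    filter or NAT chains later do with it.
/ip firewall raw
add chain=prerouting action=log in-interface=pppoe-out1 protocol=tcp \
    dst-port=80 tcp-flags=syn,!ack log-prefix="wan80-syn" \
    comment="diag: log inbound SYN to 80"

# 2. Run the scan from outside (nmap -Pn -p80 <static-WAN-IP>), then look:
/log print where message~"wan80-syn"
#    No entries: the packets never reach the router, so the problem is
#    upstream (ISP filtering, CGNAT) or the scan targeted the wrong address.
#    Entries present: the router sees them; continue with the counters.

# 3. Per-rule counters show which dstnat and forward rules matched.
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward

# 4. Capture on both sides of the translation: the SYN arriving on
#    pppoe-out1 and the translated SYN leaving towards the server on the
#    bridge. A translated SYN with no SYN-ACK back points at the server
#    itself (host firewall, or a service not listening on that address).
/tool sniffer quick interface=pppoe-out1 ip-protocol=tcp port=80
/tool sniffer quick interface=bridge ip-address=192.168.88.10 port=80

# 5. Remove the diagnostic rule when finished; it logs every probe.
/ip firewall raw remove [find comment="diag: log inbound SYN to 80"]
```

The raw-table log is the decisive check: a filtered result in nmap with no matching log entries means the traffic is being dropped before the router ever sees it, and no dstnat rewrite will change that.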