RB750:Filter Rules and NAT blocking outgoing browser traffic

Hello all. I'm using a RB750 with RouterOS 5.16.

My setup is very simple. The LAN ip-range is 192.168.0.0/24 and I have applied these filter rules and NAT (see below).

It’s just plain vanilla with a rule to open for incoming traffic on port 80 to my http-server with the ip-address of 192.168.0.99.

The problem is that the outgoing web browser does not work. If I disable the second NAT statement (/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp to-address=192.168.0.99 dst-port=80 to-port=80) my browser traffic from my LAN to my WAN works fine, but then the incoming traffic to my http-server is blocked.

It seems to only affect my http-traffic, as mail and other protocols are working fine.

Can someone help me?

Here's my script:

# Router and internal network protection, internal servers, LAN is friendly
/ip firewall filter
add chain=input   action=drop   connection-state=invalid                              comment="Disallow weird packets"
add chain=input   action=accept connection-state=new in-interface=ether2-master-local comment="Allow LAN access to the router itself"
add chain=input   action=accept connection-state=established                          comment=" ^^ that originated from LAN"
add chain=input   action=accept connection-state=related                              comment=" ^^ that originated from LAN"
add chain=input   action=accept protocol=icmp                                         comment="Allow ping ICMP from anywhere"
add chain=input   action=drop                                                         comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop   connection-state=invalid                              comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=ether2-master-local comment="Allow LAN access to move through the router"
add chain=forward action=accept connection-state=established                          comment=" ^^ that originated from LAN"
add chain=forward action=accept connection-state=related                              comment=" ^^ that originated from LAN"
add chain=forward action=accept protocol=tcp dst-port=80                              comment="Add a filter exception for port mapped server"
add chain=forward action=drop                                                         comment="Disallow anything from anywhere on any interface"

# Port Forward (map) to an internal LAN server.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway comment="Turn on masquerading"
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp to-address=192.168.0.99 dst-port=80 to-port=80 comment="Create an incoming port map rule"

/Bjørn-Willy Arntzen, Norway

Specify in-interface=ether1-gateway on your dst-nat rule.
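
Why the posted rule breaks outbound browsing: without in-interface, the dstnat rule matches every TCP packet to port 80 that enters the router, including a LAN browser's request to an outside web site, so that request is rewritten to 192.168.0.99 instead of leaving through the WAN. The following Python model of the match logic is an added example, not RouterOS code and not from this thread; the two packets and the router's public address (198.51.100.7) are constructed, and the rule semantics are reduced to the fields the thread uses.

```python
from dataclasses import dataclass
from typing import Optional

SERVER = "192.168.0.99"  # the internal http-server from the thread


@dataclass
class Packet:
    in_interface: str  # "ether1-gateway" (WAN side) or "ether2-master-local" (LAN side)
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class DstNatRule:
    to_address: str
    dst_port: int
    proto: str = "tcp"
    in_interface: Optional[str] = None  # None models the posted rule: no in-interface, matches on every interface

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dst_port != self.dst_port:
            return False
        return self.in_interface is None or pkt.in_interface == self.in_interface


def apply_dstnat(rule: DstNatRule, pkt: Packet) -> str:
    """Return the destination address the packet carries after the dstnat chain."""
    return rule.to_address if rule.matches(pkt) else pkt.dst


# Constructed sample traffic: an inbound request to the published server, and a LAN browser going out.
INBOUND = Packet("ether1-gateway", "203.0.113.5", "198.51.100.7", 80)      # WAN client -> router's public IP
OUTBOUND = Packet("ether2-master-local", "192.168.0.10", "192.0.2.80", 80)  # LAN browser -> external web site

BROKEN = DstNatRule(SERVER, 80)                                 # the rule as posted
FIXED = DstNatRule(SERVER, 80, in_interface="ether1-gateway")  # the rule with the suggested fix


def outbound_hijacked(rule: DstNatRule) -> bool:
    """True when the LAN browser's request to the outside world is redirected to the internal server."""
    return apply_dstnat(rule, OUTBOUND) == SERVER


if __name__ == "__main__":
    for name, rule in (("posted rule", BROKEN), ("with in-interface", FIXED)):
        print(f"{name}: inbound -> {apply_dstnat(rule, INBOUND)}, outbound -> {apply_dstnat(rule, OUTBOUND)}")
```

Both rules still forward the real inbound request to the server; only the restricted one leaves LAN-originated port-80 traffic untouched, which is exactly the symptom the first post describes.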

Thanks, that fixed it :sunglasses:

/bwa