when requesting the web form different browsers i can see the log with the time and the specifics of the browser.
i even telne’d port 80 and requested… GET / H… that was registered ok too.
no response on the browsers though.
just for the records, this is 9xx router. i have another location with a 7xx with a similar setup, with several ports nated with no issues so far. as you may guessed i have cloned the setup with the same results.
If your server is seeing the traffic “hit it” in the logs then you need to focus on your server and the return communication. I would pull a packet capture on the server to see what you can find in the headers.
/ip services is where you disable that.
However, I can tell you that this is not the issue - dstnat happens in the “pre-routing” stage of things, so by the time the router decides where to send the packet, the destination has been changed to the internal server.
More than likely, your problem is in the configuration of the virtualhost - if it constructs URLs based on its private IP address (for instance), then the browser might be getting sent to 192.168.x.x for the remainder of the transaction, which will obviously not work from across the Internet.
If you can telnet to port 80 and get a connection on the web server, and you can see the results come back to your telnet->port80 test, then the router’s pretty much done all that it can do.
Thanks Zerobyte. I have disabled the service port 80 and got the same result.
But…
My feeling is that this is due to Telfonica modifiying the line, if that is possible, for whatever reason, like for instance discourage you to set your own personal web server.
The reason why I installed mikrotik is because the telefonica-provided router (in my case an integrated one with the ONT FTTH) blocked my pptp conections and tunnels I had to connect to the office or to my hosting. Just the very moment I replaced the router (and ONT) everything came back to life.
I know very little on the low level layers of the transport. (And for that matter on the higher layers, too). The truth, right now, what can be verified is that if you try uploads.jabber80.com on and ISP which IS NOT Telefonica FTTH (Spain) the web can be seen (the Debian web welcome). However if you try from any FTTH originated on Telefonica, then no answear from the server. The request is lost in the way from the server to the requester. And answearing to Zerobyte, when I telnet port 80 from within Telefonica I got the same behaviour than from the web: the request arrive to the server, but never go back to the requester. As said, doing the request from outside Telefonica FTTH, then everything works as expected. Even from telefonica 4G.
Know nothing on the “ins” of this. It is just what I verify: my portable conected to the wife do not work; connected through the mobile, does work. The mobile, through the wifi does not work, from the 4G does. From my bothers house (Telefonica) no answear; from this workplace, (non Telfonica) does.
I have read somewhere about mangle, but that is far beyond I can handle. I have a couple of copy-pasted rules to prioritize the voip traffic over the rest. That is all.
If you want to be certain, then disable NAT rule for port 80 and enable http service on the Mikrotik itself.
Also allow winbox from the WAN for this experiment.
If you can connect to it using Winbox from the Internet, but cannot connect to it using HTTP, then Telefonica is blocking packets from customers when the source port is 80. If they’re doing that, then your only recourse is to run the site on a non-standard port number and let users know which port to use, or perhaps if you have access to a server outside of Telefonica, it could redirect www.yourdomain.com → host-at-home.yourdomain.com:9999
Ok - so it sounds like Telefonica is not blocking port 80 traffic.
I’m going to go re-read the earlier parts of this thread to refresh my memory, and if I see anything I need to add about your configuration, then I’ll edit them into this post.
EDIT:
This is unclear to me - do you mean that if the router maps public:80 → private:23150 and then the server is listening on 23150 which it then maps back to local:80 ?
Or do you mean that no matter if you map public:80 → private:23150 / public:23150 → private:80 / public:23150 → private:2315 – all 3 cases do not give results?
Perhaps you should export your filter rules and post them here (sanitize any appearances of public IP address)
/ip firewall filter export
The forward chain rules are the ones which would apply, and only one rule drops anything (connection-state=invalid)
All else is accepted either explicitly (connection-state=established,related) or implicitly (reaches end of chain with no drops)
I’ve lost track in my mind as to what’s working/not working. I agree with you that the port number is irrelevant, so let’s just stick to port 80:
A) from other LAN hosts to LAN IP of server: yes/no ? (I think yes)
B) from other LAN hosts to WAN IP of server: yes/no? (I think no)
C) from other Telefonica customers to WAN IP of server: yes/no?
D) from elsewhere on Internet to WAN IP of server: yes/no?
Configuring hairpin NAT rules will fix B.
If C & D are both NO, then I suspect something in the server’s configuration is not quite right (it may be giving its private IP to the remote user whose browser is trying to connect to the wrong site for additional items)
If Just C is NO, then it could be that The other Telefonica IP is a neighbor, and Telefonica has client isolation enabled between neighbors.
