Simple Port Forwarding

I am running RouterOS 6.45.7 on an RB750GL. For some reason port forwarding has stopped working. It was working sometime in the past. I am only trying to allow traffic to the PC running my web server. The web server is running on port 80. The router is at 192.168.1.1. There are no VLANs or anything else of an advanced nature. The router is running a DHCP server and that is working fine.

I have two firewall NAT entries:

  1. Chain=srcnat; Out Interface=ether1-gateway; Action=Masquerade ;
  2. Chain=dstnat; Protocol=6 (tcp); Dst. Port=80; Action=dst-nat; To Address=192.168.1.207; To Ports=80;

I can access all the sites on the Internet with no issues. If I give a browser on my LAN the address 192.168.1.207 it finds the page with no problem.
If I give a browser (either on or off my LAN) my URL it is never able to connect.
My ISP does not block port 80 (or so they claim).

Everything looks correct to me, but it is not working. Any help greatly appreciated. I would really like to understand what is going on.

Lookup hairpin NAT.

Without the 3rd rule it could never have worked from the outside.

  1. Chain=srcnat; Out Interface=ether1-gateway; Action=Masquerade ;
  2. Chain=dstnat; Protocol=6 (tcp); Dst. Port=80; Action=dst-nat; To Address=192.168.1.207; To Ports=80;
  3. Chain=forward; Protocol=6 (tcp); Dst Port=80; Action=Accept; To Address=192.168.1.207; To Ports=80;

(Of course you could make rule 3 more "generic" so it will work for all future other port-mappings)

Testing from INSIDE your LAN pointing to either the public-IP of your router or some URL-service requires the setup of hairpin as mentioned before.

  1. I will look into hairpin NAT

  2. I am using WinBox version 3.20. It does not offer the option for Chain=forward. If I just enter it, it accepts it. When I go to action it does offer Action=accept, but there are no options to do anything except log. It does not present fields for To Address nor for To Port.

I am confused.

WinBox is fine. Forward chain is a normal chain in the firewall rules - not on the NAT tab (which will normally be srcnat and dstnat).

Hairpin NAT config, short and sweet...
We need the usual Source NAT rule and a second Source NAT rule (hairpin) for tracking purposes:
- traffic going out the router;
- traffic from within the LAN going to the LAN but directed through the router interface, instead of LAN IP directly to LAN IP.

/ip firewall nat
add action=masquerade chain=srcnat comment="HairpinNAT" src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="NAT" out-interface=WAN

The usual Destination NAT rule
add action=dst-nat chain=dstnat comment="PF- From WAN" dst-port=80 protocol=tcp in-interface=ether1 to-addresses=192.168.1.207

is modified to permit both LAN to WAN and LAN to LAN traffic that are both aimed at the ROUTER interface. One should note that in-interface=eth1 cannot be used as it does not apply to any LAN initiated traffic to the server (via wanip). This example covers the harder case of a dynamic WANIP!
add action=dst-nat chain=dstnat comment="PF-Lan&Wan" dst-port=80 protocol=tcp dst-address=!192.168.1.1 dst-address-type=local to-addresses=192.168.1.207

In other words, one is stating, for any destination NAT request targeting port 80, protocol tcp:
a. that is destined for any IP address except the LAN gateway;
b. that destination IP described at a. HAS TO BE assigned to one of the router's interfaces (which includes the WAN).

This is how we get around the problem of a dynamic WANIP. If we knew the static WANIP, then it would be easier…
add action=dst-nat chain=dstnat comment="PF-Lan&Wan" dst-port=80 protocol=tcp dst-address=staticwanip to-addresses=192.168.1.207

Small note: If the destination port does not change (no port translation before hitting the fw) then to-ports is implied and the entry is not required.
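The pieces above are spread across several replies (the dst-nat rule, the hairpin src-nat rule, and the forward-chain accept rule). The following is an added, consolidated RouterOS configuration that is not taken from any post in this thread: it ties the three together for the web server at 192.168.1.207 on the 192.168.1.0/24 LAN behind ether1-gateway (values from the original post), narrows the hairpin masquerade to just the server instead of the whole LAN, and restricts the forward-chain accept to connections that were actually dst-nat'ed. The rule comments and the `print stats` checks at the end are assumptions added here for readability and verification.

```routeros
# Added example (not the poster's config): complete port forward with
# hairpin NAT and a matching forward-chain accept rule.
# Assumed: WAN port is ether1-gateway, LAN is 192.168.1.0/24,
# router LAN address is 192.168.1.1, web server is 192.168.1.207.

/ip firewall nat
# Ordinary source NAT for everything leaving via the WAN port
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="NAT"
# Hairpin: LAN clients that reach the server through the public address
# must also be masqueraded, otherwise the server answers the client
# directly and the client drops the reply (it never spoke to 192.168.1.207)
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.207 \
    protocol=tcp dst-port=80 action=masquerade comment="HairpinNAT"
# Destination NAT: port 80 on any router-owned address except the LAN
# gateway, so it works with a dynamic WAN address from both LAN and WAN
add chain=dstnat protocol=tcp dst-port=80 dst-address-type=local \
    dst-address=!192.168.1.1 action=dst-nat to-addresses=192.168.1.207 \
    comment="PF-Lan&Wan"

/ip firewall filter
# Forward chain: accept only connections the dst-nat rule translated.
# This must sit above any generic forward drop rule; move it with
# "/ip firewall filter move" if the router already has drop rules.
add chain=forward protocol=tcp dst-address=192.168.1.207 dst-port=80 \
    connection-nat-state=dstnat action=accept comment="Allow web server"

# Verification: packet/byte counters on the rules should increase when a
# browser on the LAN or on the Internet opens the public address
/ip firewall nat print stats
/ip firewall filter print stats
```

Keeping the accept rule tied to `connection-nat-state=dstnat` means the filter only opens port 80 for traffic that the NAT rule deliberately redirected, rather than for any packet that happens to name the server; if the counters on the dstnat rule stay at zero while testing from outside, the traffic is being stopped before the router (ISP or modem), not by the firewall.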