I just bought a Mikrotik hAP AC Lite and I am trying to port forward incoming connections to the ports 80 and 443 to address 192.168.0.254 - the network is set as 192.168.0.0/24.
On this address I have a website running which is found by a domain pointing to my public address (not fixed IP). This website is accessed internally and externally using that domain (public address).
I tried to create a port forward following the wiki:
Does not worked. If I add just the port 443, when I access the website it brings me to WebFig, but if I add the port 80 the network hang in a way I have to reset the router.
So, I tried to block external access to the router:
How can I properly set up the Port Forward from ANY to 192.168.0.254, ports 80 and 443? EDIT: Or, I mean, everyone bind to external address to find the server at 192.168.0.254.
PS. Tried on v6.36.4 and v.6.37.x-current.
PS.2 Due to problems with my ISP I do not have incoming connection from WAM temporally.
I think the cause of the problem is the WebFig listening and accepting connections on Ports 80 and 443 everywhere by default, while it would need to listen just from who bind on its private address, or hostname. In my case 192.168.0.1.
If I am correct, for some, reason all connections to Port 80 and 443 are being forwarded to WebFig by default, what is not a good measure IMHO security-wise (I do not think most people want the administration service exposed to everyone). Thus, when I created the port forward to my server it began to conflict with the WebFig port forward rule. This is why the router hanged, and I personally think this behavior is a bug.
As I correct or not, I do not know how to make the port forward work on ports 80 and 443.
EDIT:
After trying to access the server using 192.168.0.254:443 and it working, I correct my past thinking: instead of WebFig is listening everywhere, it is certainly listening on external address and private address by default.
So, the correct behavior, IMO, would be:
Listen to its private address only by default, with the possibility to also listen to external address too, but the rules added later (not the default rules) should have precedence over the hard-coded rule for listening to the external address. So, on this way would not have this port-forward conflict.
Your dstnats have no filter other than port 80 and 443, so they are going to forward all traffic to those ports to ip 192.168.0.254.
Is that ip on a mikrotik router?
Add a dst-address or something else to the filter to limit it.
This is exactly what I want, all incoming tcp traffic from external address going to ports 80 and 443 on 192.168.0.254, but in practice I get the WebFig or the device hang, never the server.
The 192.168.0.254 is a FreeBSD Jail running Nginx.
Normally either a dst-address or in-interface or dst-address-type=local will do. All depends on your situation, if you’re going to set up a hairpin nat, etc.
I think the problem here was because the source address (my desktop) has an internal IP connecting to the external address to be forwarded to another internal address. Probably it should worked if the source was someone external instead.
First of all you should change default WebFig ports ( 80, 443 ) and Winbox port as well; this could be done from menu IP → Services, either from Winbox or WebFig.
Then, supposing that ether1 is your WAN and ports 2-4 are in bridge, or are making part of your internal lan in which is connected your BSD box, rules below should achive what you want ( accesing your bsd box from internet/outside on ports 80,443) :
dstnat to bsd box
/ip firewall nat
add action=dst-nat chain=dstnat comment="dstnat port 80 to bsd box" dst-port=80 in-interface=ether1 log=yes protocol=tcp to-addresses=\
192.168.0.254 to-ports=80
add action=dst-nat chain=dstnat comment="dstnat port 443 to bsd box" dst-port=443 in-interface=ether1 log=yes protocol=tcp to-addresses=\
192.168.0.254 to-ports=443
forward to bsd box
/ip firewall filter
add action=accept chain=forward dst-port=80 comment="Accept connections from outside to port 80" in-interface=ether1 log=yes protocol=tcp
add action=accept chain=forward dst-port=443 comment="Accept connections from outside to port 443" in-interface=ether1 log=yes protocol=tcp
Be sure to move this rules above any “drop” rules you have in filer,nat chains, if any. Hope it helps.
I understood that he wants that anyone who is trying to connect on either 80 or 443 ports on his public ip, which is not fixed, to be forwarded into inside local lan BSD box 9 192.168.0.254) that is running a nginx instance ( probable his website ); that was my rules about.
Regarding accesing WebFig from outside if he change default web service ( www ) from port 80 to 8000 ( an example) and disable www-ssl service from IP → Service List then he could accesing WebFig from WAn, outside, if he adds an accept rule in filter - > input chain regarding acces on port 8000, i guess
First, I reseted the device so everything is default again. Also, just to point out, the BSD box have about 12 IPs (all firewalled by PF), due to I have several Jails running there, but the only one which need to be exposed (at least for now) to the internet is the one running Nginx (Nextcloud), what is accessed by domain name.
ether1 - WAM bridge - I do not know what is the default configuration but I am assuming it is 2-5, plus WLAN.
Looking on the options above and also the Hairpin NAT on the wiki, is this?.
/ip firewall nat
add action=dst-nat chain=dstnat comment="dstnat port 80 to bsd box" dst-port=80 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.0.254 \
to-ports=80
add action=dst-nat chain=dstnat comment="dstnat port 443 to bsd box" dst-port=443 in-interface=ether1 log=yes protocol=tcp \
to-addresses=192.168.0.254 to-ports=443
add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter
add action=accept chain=forward dst-port=80 comment="Accept connections from outside to port 80" in-interface=ether1 log=yes protocol=tcp
add action=accept chain=forward dst-port=443 comment="Accept connections from outside to port 443" in-interface=ether1 log=yes protocol=tcp
add action=masquerade chain=srcnat comment="Hairpin local nets to Servers" out-interface=bridge protocol=tcp \
src-address=192.168.0.0/24
You won’t be able to access WebFig from the WAN that way, but the LAN IP should still get you in.
I am indeed willing to have the WAM access blocked to WebFig.
One side effect of the hairpin is that the server will see all local traffic as coming from the LAN router IP. WAN traffic will show as the actual IP.
Thank you to poit out, but what is important there (Nginx) is the registered “trusted domain”. The firewall is configured to accept tcp connections from ANY.
The main problem here is the ether1 filter on the dstnats. This needs to work for the hairpin too. Since that traffic comes in from the bridge it won’t work and has to be opened back up. Either by a dst-address= or dst-address-type=local.
The problem with dst-address = IP is it’s dynamic or unkown at this point. (can use address list and dns entry maybe)
The problem with dst-address-type=local is that you lose access to webfig unless you change its port.
Just configure the forward for connections coming from WAM/Internet/External.
The DNS of the domain is handled by the DNS servers of the register, but I have NSD running here for local domain resolution. I can set the server private access (192.168.0.254) on NSD with the exactly same domain.
Local users will receive the private address of the server from Unbound, what IIRC first look on local names, but the external ones will receive the public IP.
I need to test it to see if it will bring any resolution problem in practice.
