I’ve setup a dstnat to access a webserver behind the router from the internet. Something is wrong.
Layout is:
internet
|
ISP router
Port forwarding setup for port 80, 1194 to mikrotik’s ‘WAN’ IP.
|
192.168.0.0 subnet
|
mikrotik router, WAN: 192.168.0.27
|
internal subnets, see attached rsc
webserver running at 10.1.111.2
The webserver is accessible from a 10.1.0.0 client.
The webserver can access the internet fine. Generally internet access works fine.
The webserver is INaccessible from a 192.168.0.0 client. Requesting http://192.168.0.27.
Of course then the webserver is INaccessible from the internet.
openvpn access from the internet works fine.
When trying to access the ISP routers WAN IP, port 80, the mikrotik NAT “HTTP serving” rule counter increases, so the router gets the packet.
The LOG has an entry:
Message dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac ****, proto TCP (SYN), 45.134.144.212:47012->192.168.0.27:80, len 40
mkx beat me to it while I was typing…
Unless I missed something (certainly possible), you have a firewall rule to allow the server LAN to access the internet, but nothing to allow the Internet to access the server LAN. The common way to accomplish that is something like this:
/ip firewall filter
add action=accept chain=forward comment="Accept all that is DST NATed" \
connection-nat-state=dstnat connection-state=new
This will allow destination NAT traffic through the firewall.
If desired, you can specify interfaces or interface lists.
The easy rule which is specifically for dstnat is better, don’t listen to the two previous clowns ( said affectionately of course ) that want to try and stick two rules in one default rule whereas its simpler to understand
and cleaner to separate them.
One has to be careful also when talking about how the server is accessed.
Your dstnat rule is fine ( assuming added firewall rule ) for most cases.
a. LAN users accessing server via the local server LANIP
b. External users coming in from the WAN side, using the WANIP and if dynamic, then some domain dyndns URL type name ( such as the Mikrotik IP cloud name for example ).
Where your setup falls short is for LOOPBACK, in MT vernacular hairpin nat.
For local LAN users to use the server via the URL, dyndns name, we have other considerations to account for.
Best that you read this before tackling… https://forum.mikrotik.com/viewtopic.php?t=179343
Which two rules are “sticked together” in the rule both @k6ccc and myself posted? As far as I understand (not far enough obviously) it’s only one rule but with very narrowly selected packets on which it is effective.
The new avatar has depleted the # of brain cells at your disposal.
A. block all traffic from WAN
B. allow dst traffic from WAN
Great for newbie using default rules but should be modified once the config starts changing…
Because the default rules imply allow everything except what one states should be blocked, it works for someone not making changes or for someone that doesnt yet understand rules.
However its much better to then change the firewall concept to block everything by deafult and ONLY allow traffic needed. Much easier to define.
Hence remove the default rule and replace with
Needed traffic rule 1
Needed traffic rule 2
Needed traffic rule 3
Drop all else.
Needed rules are typically
lan to wan
admin to all subnets
port forwarding
+++++++++++++++++
Drop all else.
////////////////////////////////////////////////////////////
I hope I have replenished/stimulated the empty brain cells.
Next time, and its much safer to respond with; "Brilliant, couldn’t agree more!
PS. Llama’s eat cats for brekfast, except Italian cats, they give me indigestion!
Oh, common, try harder. Disect the rule, posted by @k6ccc and me and show which part of this rule contains traces of case A from your list above. And don’t bring up default rule … not after you called us “clowns” in post #5 above.
