srcnat

I know exactly what you are trying to accomplish. The posts up until I posted have been solving a different situation. No one knows what this is called so it’s very hard to find in the forums, although it’s asked about once a month. “NAT ON A STICK” is what I’m going to call it because I think that’s what Cisco calls it.

Think about this. Your server is 192.168.1.100. Your router is 192.168.1.1, and it also has the public IP address on the WAN interface. You are 192.168.1.200.

If you dst-nat PU.BL.IC.IP → 192.168.1.100, it will send the traffic to your server. First step has been accomplished. Now, the server gets the request and sees the reply address is 192.168.1.200. Ah ha, the server sent the traffic back DIRECTLY to your browser (not through the router) because you are on the same subnet. Oh, but your workstation says “I didn’t ask for anything from 192.168.1.100” so it rejects it.

You need to add a src-nat rule also that masquerades the traffic coming in your private interface destined for port 80. Masquerade that traffic with your router’s IP address. Now the traffic going to the server will have the router’s source IP, and traffic will come back to the router. Now the router can use the connection table and send it back to the original workstation.

The only caveat is that every request to that web server will look like it’s coming from the router. If you are relying on internal DNS and this is only a failover that’s probably acceptable.

PSSSST - Change the www service port on Mikrotik from 80 to 800 or 8080 or something else.

Sam
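The two NAT rules Sam describes, written out as RouterOS CLI commands. This is an added example, not part of Sam's post; it assumes the LAN is 192.168.1.0/24 behind the router's LAN address 192.168.1.1, the server is 192.168.1.100, and PU.BL.IC.IP stands in for the router's real WAN address.

```routeros
# Added example (not from the post): hairpin / "NAT on a stick" on RouterOS.
# Assumptions: LAN is 192.168.1.0/24, router LAN address is 192.168.1.1,
# web server is 192.168.1.100, PU.BL.IC.IP is a placeholder for the WAN address.
/ip firewall nat

# Step 1: dst-nat. Anything arriving for PU.BL.IC.IP:80, whether from the Internet
# or from the LAN, is forwarded to the web server. The dstnat chain runs before the
# routing decision, so it also catches LAN clients that use the public address.
add chain=dstnat action=dst-nat dst-address=PU.BL.IC.IP protocol=tcp dst-port=80 to-addresses=192.168.1.100 to-ports=80 comment="web server, all clients"

# Step 2: src-nat (the hairpin fix). Matches only connections that come from the
# LAN and, after step 1, are headed to the server. Masquerade rewrites the source
# to the router's LAN address (192.168.1.1), so the server's reply goes back to the
# router, which looks up the connection-tracking entry and de-NATs it to the client.
# Limiting src-address to the LAN keeps Internet clients' real addresses in the
# server logs; only hairpinned LAN clients appear as 192.168.1.1.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.100 protocol=tcp dst-port=80 comment="hairpin: LAN clients reaching the server via the public IP"

# The "PSSSST" tip: move the router's own web management service off port 80 so it
# cannot be confused with, or shadow, the forwarded web server.
/ip service set www port=8080
```

Verify with /ip firewall connection print while a LAN client loads the site: the hairpinned entry should show the client's address as the original source and 192.168.1.1 as the reply destination.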