Traffic routed to internal server not to external domain

Hi there, I have the situation here below:

My local machine needs to reach an external server on port 54320, which is a trigger for port 80.

I have an internal server in my network which has a service listening on the same port 54320, and I also have a NAT rule on my MikroTik which redirects incoming traffic on port 54320 to its .51 IP.

I don’t understand why, when I browse to mydomain.com:54320 from my local machine, the traffic is routed to the internal server and not to the external one as intended.

Please help! Thanks!

You forgot to include the configuration of your router.

Does your dstnat rule match against requests to the public facing IP address? (Or a particular incoming interface?)

Here you have:

[dllfpp@MikroTik] > export
# sep/29/2017 22:28:08 by RouterOS 6.40.3
# software id = DMCP-DAAY
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 71B1060C2CCC
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=POOL-FD ranges=192.168.10.100-192.168.10.125
/ip dhcp-server
add address-pool=POOL-FD disabled=no interface=BR-LAN name=DHCP
/queue simple
add disabled=yes max-limit=0/5M name=Gaming target=192.168.10.201/32
/system logging action
set 3 bsd-syslog=yes remote=192.168.10.45
/user group
add name=SnifferService policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!pol\
    icy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp\
    "
/interface bridge port
add bridge=BR-LAN interface=ether2
add bridge=BR-LAN interface=ether3
add bridge=BR-LAN interface=ether4
add bridge=BR-LAN interface=ether5
add bridge=BR-LAN interface=wlan1
add bridge=BR-LAN interface=wlan2
/ip settings
set accept-redirects=yes
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes address=192.168.10.51/32
/ip address
add address=192.168.10.1/24 interface=BR-LAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.2 gateway=192.168.10.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Permit PING" protocol=icmp
add action=accept chain=input comment="Permit HTTP+WINBOX" dst-port=1080 \
    protocol=tcp
add action=accept chain=input dst-port=18291 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=54321 protocol=tcp
add action=accept chain=input comment="Permit estabilished and related" \
    connection-state=established,related disabled=yes
add action=drop chain=input comment="DROP all packet IN" disabled=yes \
    in-interface=BR-LAN
add action=accept chain=forward comment="Permit estabilished and related" \
    connection-state=established,related
add action=drop chain=forward comment="DROP forward invalid traffic" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to WAN internet" out-interface=\
    ether1
add action=dst-nat chain=dstnat comment="SSH trigger 54321->22" dst-port=54321 \
    protocol=tcp to-addresses=192.168.10.1 to-ports=22
add action=dst-nat chain=dstnat comment="MASTER WinBox" dst-port=34001 \
    protocol=tcp to-addresses=192.168.10.1 to-ports=18291
add action=dst-nat chain=dstnat comment="MASTER Webui" dst-port=34002 protocol=\
    tcp to-addresses=192.168.10.1 to-ports=1080
add action=dst-nat chain=dstnat comment=PiHole dst-port=8086 protocol=tcp \
    to-addresses=192.168.10.2 to-ports=80
add action=dst-nat chain=dstnat comment=Antifurto dst-port=5004 protocol=tcp \
    to-addresses=192.168.10.225 to-ports=5004
add action=dst-nat chain=dstnat comment="Caldaia - Centralina - WEB" dst-port=\
    7901 protocol=tcp to-addresses=192.168.10.41 to-ports=80
add action=dst-nat chain=dstnat comment="Caldaia - Centralina - FTP" dst-port=\
    7902 protocol=tcp to-addresses=192.168.10.41 to-ports=21
add action=dst-nat chain=dstnat comment="Caldaia - PompaDiCalore - WEB" \
    dst-port=7903 protocol=tcp to-addresses=192.168.10.42 to-ports=80
add action=dst-nat chain=dstnat comment="Caldaia - PompaDiCalore - FTP" \
    dst-port=7904 protocol=tcp to-addresses=192.168.10.42 to-ports=21
add action=dst-nat chain=dstnat comment=SnifferService dst-port=54320 protocol=\
    tcp to-addresses=192.168.10.51 to-ports=54320
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=BR-LAN \
    protocol=tcp src-address=192.168.10.0/24
/system clock
set time-zone-name=Europe/Rome
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote

Cheers!

I suspect you need to add more matching rules against your dstnat entries, or make sure those rules only get tested for traffic entering from your external interface.

Correct. To rules like this:

add action=dst-nat chain=dstnat comment=SnifferService dst-port=54320 protocol=\
    tcp to-addresses=192.168.10.51 to-ports=54320

you need to add the incoming interface on which they should be applied (ether1 in this case).

Rule has now been modified like this:

add action=dst-nat chain=dstnat comment=SnifferService dst-port=54320 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.10.51 to-ports=54320

…and it works!

Thanks to all for your fast replies!

Uhm…no.
I just realized that with the “in-interface” I am now able to correctly reach the external server on port 54320, but I can no longer reach my internal server when requesting it via the DDNS name provided by MikroTik.
I have seen this Hairpin NAT page https://wiki.mikrotik.com/wiki/Hairpin_NAT and tried to set it up correctly (you can find the hairpin NAT rule in my /export above), but it doesn’t work very well…

Can you still help?
Thanks!

You got your internal server and that was not good; then I explained how to get the external server, and that works,
and now you complain that you don’t get the internal server anymore?
I’m afraid I don’t understand it at all…

Let me clarify the situation.

Internal Server’s ip: 192.168.10.51
Internal Mikrotik Router’s ip: 192.168.10.1
External Server’s ip: 0.0.0.0 (example)

At first:
When browsing to address 0.0.0.0:54320 I am forwarded to 192.168.10.51:54320.

After your advice (adding ether1 as in-interface on NAT rule):
When browsing to address 0.0.0.0:54320 I am correctly forwarded to 0.0.0.0:54320, but when browsing to 192.168.10.51:54320 my browser just hangs until I get the no_response error.

Basically, if I add the in-interface I can reach the external server but I am no longer routed to the internal server. If I take away the in-interface I can reach my internal server (via direct IP or DDNS), but whatever domain I browse with :54320 at the end, my router directs me to my 192.168.10.51 server.

Is it a little bit clearer?
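The root cause visible in the /export is that the SnifferService dst-nat rule matches only on protocol and port, so every packet to port 54320 that crosses the router, including a LAN client's connection to some unrelated public host, is rewritten to 192.168.10.51. Adding in-interface=ether1 stops that, but it also excludes the hairpin case (a LAN client connecting to the router's own WAN address via the DDNS name), which arrives on BR-LAN. The usual fix, following the linked Hairpin NAT page, is to match the destination address instead of the interface and to add a narrow srcnat rule for the hairpinned flow. The snippet below is an added example, not from the thread or from MikroTik; it uses the thread's addresses (LAN 192.168.10.0/24, router 192.168.10.1, server 192.168.10.51, WAN on ether1) and assumes, because the export shows a DHCP client on ether1 plus /ip cloud DDNS, that the public IP is dynamic, so it matches dst-address-type=local (any address the router itself holds) instead of a hard-coded public IP.

```routeros
# Added example (not from the thread): port forward for 54320 that works both
# from the internet and from the LAN via the DDNS name, without catching
# connections to other public hosts on the same port.
# Assumptions: LAN 192.168.10.0/24 on BR-LAN, router 192.168.10.1,
# server 192.168.10.51, dynamic WAN IP on ether1.

/ip firewall nat

# 1. dst-nat only when the packet is addressed to one of the router's own IPs
#    (its WAN address, whatever DHCP assigned, or 192.168.10.1).
#    - LAN client -> mydomain.com:54320 (foreign public IP): no match, goes out normally.
#    - Internet or LAN client -> <ddns-name>:54320 (router's WAN IP): forwarded to .51.
#    No in-interface here, otherwise the LAN (hairpin) case is excluded.
add chain=dstnat action=dst-nat comment="SnifferService (WAN + hairpin)" \
    dst-address-type=local protocol=tcp dst-port=54320 \
    to-addresses=192.168.10.51 to-ports=54320

# 2. Hairpin srcnat: a LAN client that was dst-natted to the LAN server must also
#    be source-natted, otherwise the server answers the client directly on the
#    LAN, the client sees a reply from 192.168.10.51 instead of the public IP it
#    connected to, and the TCP handshake never completes. Matching on the
#    rewritten destination keeps this narrower than "masquerade all LAN->LAN tcp".
add chain=srcnat action=masquerade comment="Hairpin NAT for SnifferService" \
    src-address=192.168.10.0/24 dst-address=192.168.10.51 \
    protocol=tcp dst-port=54320 out-interface=BR-LAN

# 3. Normal internet masquerade, unchanged from the export.
add chain=srcnat action=masquerade comment="LAN to WAN internet" out-interface=ether1

# Check: after a LAN client connects to <ddns-name>:54320, rule 1 and rule 2
# counters should both increase and the tracked connection should show the
# rewritten destination.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"54320"
```

Two caveats. With dst-address-type=local a LAN client connecting to 192.168.10.1:54320 (e.g. router.lan) is forwarded to the server as well, which is harmless here because nothing on the router listens on 54320. And a LAN client that connects to 192.168.10.51 directly, by IP, never passes through the router at all when it sits in the same /24, so no NAT rule can be the reason such a connection hangs; that symptom has to be looked for on the client or server side.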

Just want to let you know that I have the same problem and am looking for a solution!