Error
just joined
Topic Author
Posts: 4
Joined: Fri Feb 10, 2017 4:17 am

Problem with port forward

Fri Feb 10, 2017 4:47 am

I recently bought a Mikrotik RouterBoard hEX for my home network. First mission was to get an old router to work as an AP and after some tries I got that to work. After that it was on to getting my server online. What I need to do is a standard port forward of port 80 and port 443. But I just seem to fail. Internally my server is up and my web application shows. So the problem is not in the server. But after a lot of googling I'm still confused. From my experience what I should do is something along this guide: http://www.icafemenu.com/how-to-port-fo ... router.htm

That I've tried, it does not work. Port 80 is shut as ever. I've also found threads that suggest building firewall rules in combination with the above mentioned. That didn't work either.

Now I'm a bit out of ideas. My router is for now in standard configuration with the exception of the firewall-->NAT change in the guide.

Firewall:

[admin@MikroTik] /ip firewall filter> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1

Change to NAT:

[admin@MikroTik] /ip firewall filter> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=192.168.10.110 dst-port=80 log=no


What am I doing wrong? Why doesn't this work? Any ideas? Thankful for any help!

Cheers,
Error
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Problem with port forward

Fri Feb 10, 2017 11:15 am

Go to IP > Services, most probably webfig (the web based management UI) is enabled. Select www and disable it so that that port isn't used.

Do you get your WAN IP from your ISP using PPPoE?
 
Error
just joined
Topic Author
Posts: 4
Joined: Fri Feb 10, 2017 4:17 am

Re: Problem with port forward

Fri Feb 10, 2017 1:12 pm

I've disabled www in IP->Services. I get my public IP address from my ISP via DHCP. It's still not working though.
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Problem with port forward

Fri Feb 10, 2017 5:13 pm

There is a mistake in your NAT rule:

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=192.168.10.110 dst-port=80 log=no

Should be

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=xxx.xxx.xxx.xxx dst-port=80 log=no

Where xxx.xxx.xxx.xxx is your WAN IP. Or if you have a dynamic IP, you can use in-interface instead.

Regards,
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with port forward

Fri Feb 10, 2017 8:46 pm

Select www and disable it so that that port isn't used.
For the record, this is not necessary. You can have both service on router and port forwarding using same port and they can exist together. Where "exist together" means that dstnat will "steal" packets before they can reach service on router, i.e. dstnat will win. :) But you can do dstnat selectively, e.g. only from WAN, so connections to port 80 from LAN can go to WebFig on router and connections to port 80 from internet can be forwarded to some internal webserver.
 
Error
just joined
Topic Author
Posts: 4
Joined: Fri Feb 10, 2017 4:17 am

Re: Problem with port forward

Sat Feb 11, 2017 7:53 am

There is a mistake in your NAT rule:

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=192.168.10.110 dst-port=80 log=no

Should be

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=xxx.xxx.xxx.xxx dst-port=80 log=no

Where xxx.xxx.xxx.xxx is your WAN IP. Or if you have a dynamic IP, you can use in-interface instead.

Regards,

Thanks a lot! Now the port is open! But it's still not working though. For some reason I can access the server via 192.168.10.110 but not through my public IP address. Any ideas as to what is still configured wrong?

Fixed config:
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 protocol=tcp dst-address=85.230.11.34 dst-port=80 log=no log-prefix=""

Select www and disable it so that that port isn't used.
For the record, this is not necessary. You can have both service on router and port forwarding using same port and they can exist together. Where "exist together" means that dstnat will "steal" packets before they can reach service on router, i.e. dstnat will win. :) But you can do dstnat selectively, e.g. only from WAN, so connections to port 80 from LAN can go to WebFig on router and connections to port 80 from internet can be forwarded to some internal webserver.
Thanks! Good to know!
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Problem with port forward

Sat Feb 11, 2017 2:51 pm

Hello, your webserver is now reachable, I can display it. If you want to open it from your local network, you will need HAIRPIN NAT: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Regards,
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Problem with port forward

Sun Feb 12, 2017 11:20 am

Also try adding
dst-address-type=local
to your dst-nat rule. What srcnat rule do you have in place?
 
Error
just joined
Topic Author
Posts: 4
Joined: Fri Feb 10, 2017 4:17 am

Re: Problem with port forward

Mon Feb 13, 2017 12:52 am

Hello, your webserver is now reachable, I can display it. If you want to open it from your local network, you will need HAIRPIN NAT: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Regards,
Thanks a lot! I'll look into HAIRPIN NAT!

Also try adding
dst-address-type=local
to your dst-nat rule. What srcnat rule do you have in place?
What does this do? And do I need srcnat? As of now the only srcnat rule is the one that is configured by default.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with port forward

Mon Feb 13, 2017 3:59 am

dst-address-type (unicast | local | broadcast | multicast; Default: )

Matches destination address type:

unicast - IP address used for point to point transmission
local - if dst-address is assigned to one of router's interfaces
broadcast - packet is sent to all devices in subnet
multicast - packet is forwarded to defined group of devices
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Problem with port forward

Mon Feb 13, 2017 7:58 am

Are you trying to access your public IP on port 80 from within the LAN that the router is controlling?
You still need srcnat for devices on your LAN to access the internet.
My understanding is that with dst-address-type=local, if the server is connected to a local port you should have this in.
To test your dstnat from the same network you should use something like TunnelBear to appear that you're not on your network.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with port forward

Tue Feb 14, 2017 1:07 am

My understanding is that with dst-address-type=local, if the server is connected to a local port you should have this in.
No, it doesn't have anything to do with the server being connected to a local port. It does what the name says: it matches the target address if it's an address assigned to any interface on the router.

Normally, when you want to forward port from public address 1.2.3.4 to some internal address, and the public address is static, you simply add dstnat rule with dst-address=1.2.3.4. That's the best way, because it catches what it should and only that, nothing more.

But you can't do this when your public address is dynamic (from DHCP, PPPoE, ...). Well, you could, with a script that would update the address in the dstnat rule, but that's not very practical. You need to match something else. A popular way is to use in-interface=WAN. It works, but it's not entirely correct, because it matches anything that happens to come via the WAN interface, no matter what the target address is. If you have only one address anyway, you'll probably never notice. But if you for example had a public subnet routed to you (e.g. 2.3.4.0/24), such a rule would catch traffic to all addresses. In reality, the combination of a DHCP address and a routed subnet is unlikely, but I don't have a better example now.

Better way is dst-address-type=local. It will match 1.2.3.4 (because it's local), but it won't match any of 2.3.4.0/24 (except the one that you'll probably assign to internal interface as gateway for others).

But there can be a different problem: forwarding e.g. port 80 from the public address and also having web administration on 192.168.88.1:80 won't work together. That's because 192.168.88.1 is also local and will also forward all connections to the internal server. The way to solve this is to use dst-address-type=local together with the exception dst-address=!192.168.88.1.
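As an added example (not posted by anyone in this thread), here is what Sob's advice for a dynamic WAN address looks like as RouterOS commands, together with the hairpin NAT rule evince pointed to so the server is also reachable via the public address from the LAN. Assumed values: WAN is ether1, the LAN is 192.168.10.0/24 with the router's own LAN address 192.168.10.1, and the web server is 192.168.10.110 as in the thread.

```routeros
# Added example, not the thread author's configuration.
# Assumptions: WAN=ether1, LAN=192.168.10.0/24, router LAN address=192.168.10.1,
# web server=192.168.10.110 (only the server address comes from the thread).

/ip firewall nat

# Forward port 80 for any address owned by the router (the dynamic public
# address included), but NOT the router's LAN address, so WebFig on
# 192.168.10.1:80 keeps working from inside while internet traffic is
# forwarded. This replaces matching on dst-address=<static public IP>.
add chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=80 \
    protocol=tcp dst-port=80 dst-address-type=local \
    dst-address=!192.168.10.1 comment="HTTP -> web server"

# Same for HTTPS, which the thread also needs.
add chain=dstnat action=dst-nat to-addresses=192.168.10.110 to-ports=443 \
    protocol=tcp dst-port=443 dst-address-type=local \
    dst-address=!192.168.10.1 comment="HTTPS -> web server"

# Hairpin NAT: a LAN client that connects to the public address is dst-natted
# to the server by the rules above, but the server would then reply straight
# to the client's LAN address, and the client drops that reply because it
# expects an answer from the public address. Masquerading these connections
# makes the server reply via the router, which undoes both translations.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.110 protocol=tcp dst-port=80,443 \
    comment="hairpin NAT for web server"

# The default rule 0 (chain=srcnat action=masquerade out-interface=ether1)
# stays in place for ordinary internet access from the LAN.

# Check: packet/byte counters on the dst-nat rules should increase when a
# client connects; the default filter rule "drop all from WAN not DSTNATed"
# only passes new WAN connections that matched one of these dstnat rules.
/ip firewall nat print stats
```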
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Problem with port forward

Tue Feb 14, 2017 2:52 pm

Hey Sob,
Thanks for the heads up. Sometimes the wikis do not explain it as well as you have.
