
Port forwarding

Posted: Sat Oct 28, 2017 10:26 am
by letnab
Hi all.
I am trying to forward port 80 to an internal server.
To start, I tried this command:
ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80
but it doesn't work.
After that I tried to add the rule using WinBox,
but that doesn't work either.

Firewall rules:
[admin@MikroTik] > /ip firewall export
# oct/28/2017 10:01:44 by RouterOS 6.35
# software id = 356A-NAW9
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.1.0/24
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp to-addresses=192.168.1.12 to-ports=3389
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.12 to-ports=3389
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80
For interface version:
 [admin@MikroTik] > /ip firewall export
# oct/28/2017 10:01:44 by RouterOS 6.35
# software id = 356A-NAW9
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.1.0/24
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp to-addresses=192.168.1.12 to-ports=3389
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.12 to-ports=3389
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=netmap chain=dstnat in-interface=beeline dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80
RDP is working fine. HTTP is not working.
Why is this happening? What am I doing wrong?

Re: Port forwarding

Posted: Mon Oct 30, 2017 11:58 am
by evince
Hello, check if an HTTP server is not running on your board: /ip service

Re: Port forwarding

Posted: Thu Nov 02, 2017 11:12 am
by Falklan
I presume this is what you are attempting.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Re: Port forwarding

Posted: Fri Nov 03, 2017 9:16 am
by Anumrak
If in this rule ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80, the xx.xx.xx.xx is the global IP and you want to access the server from outside, then you are doing everything right. If you want to access this server from the inside, then you need to manage Hairpin NAT.
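
An added example, not part of the thread and not MikroTik code: a first-match simulation of the NAT rules from the export above, showing which source address the web server sees when a LAN client browses to the public address, with and without a hairpin masquerade rule. The public IP 203.0.113.10, the interface name bridge-local, the client 192.168.1.50 and the router LAN address 192.168.1.1 are assumptions.

```python
import ipaddress
import shlex

ROUTER_LAN_IP = "192.168.1.1"  # assumption: router's LAN address, used by masquerade
ADDR_KEYS = {"src-address", "dst-address"}
MATCHERS = ADDR_KEYS | {"protocol", "dst-port", "in-interface", "out-interface"}
# NAT rules from the export above (RDP netmap rules omitted); 203.0.113.10 replaces the masked IP.
PAGE_NAT = """\
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.1.0/24
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80
"""
# Constructed hairpin rule; "bridge-local" is an assumed LAN interface name.
HAIRPIN = ("add action=masquerade chain=srcnat src-address=192.168.1.0/24 "
           "dst-address=192.168.1.29 protocol=tcp dst-port=80 out-interface=bridge-local")
# Constructed packet: a LAN client browsing to the router's public address.
LAN_CLIENT = {"src-address": "192.168.1.50", "dst-address": "203.0.113.10", "protocol": "tcp",
              "dst-port": "80", "in-interface": "bridge-local", "out-interface": "bridge-local"}

def parse(export):
    """Parse 'add key=value ...' lines; a rule without action= defaults to accept."""
    rules = [dict(w.split("=", 1) for w in shlex.split(l)[1:]) for l in export.splitlines() if l.startswith("add ")]
    return [{"action": "accept", **r} for r in rules]

def matches(rule, pkt):
    for key in MATCHERS & rule.keys():
        if key in ADDR_KEYS:
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(rule[key], strict=False)
        else:
            ok = pkt.get(key) == rule[key]
        if not ok:
            return False
    return True

def first_match(rules, chain, pkt):
    """NAT chains stop at the first matching rule."""
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def seen_source(rules, pkt):
    """Source address the web server sees after dstnat, then srcnat."""
    dn = first_match(rules, "dstnat", pkt)
    fwd = {**pkt, "dst-address": dn["to-addresses"]} if dn else pkt
    sn = first_match(rules, "srcnat", fwd)
    if sn and sn["action"] in ("masquerade", "src-nat"):
        return sn.get("to-addresses", ROUTER_LAN_IP)
    return fwd["src-address"]
```

When the server sees the client's own LAN address it replies directly instead of through the router, so the client never gets an answer from the public address it contacted. Placed after the bare `add chain=srcnat` rule, the same hairpin rule is never evaluated, because that rule accepts every packet first.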

Re: Port forwarding

Posted: Mon Nov 06, 2017 4:53 pm
by krunical
If in this rule ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80, the xx.xx.xx.xx is the global IP and you want to access the server from outside, then you are doing everything right. If you want to access this server from the inside, then you need to manage Hairpin NAT.
Agreed with Anumrak

If it has been overlooked, I'd also confirm the IP you are trying to access on the WAN side is publicly routable.

Re: Port forwarding

Posted: Wed Nov 08, 2017 7:32 pm
by giorgiop
Wouldn't something like the following work?
add chain=dstnat action=dst-nat to-addresses=192.168.1.29 to-ports=80 protocol=tcp dst-port=80 in-interface=beeline ?

A while ago I tried redirecting the requests to my MT (testing some FW rules) and managed to see the login, although I asked for a different page.