cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Port forward for https and http

Thu Dec 21, 2017 11:03 pm

Hi
This is my first post here :)
I have bought a MikroTik RouterBoard and, with the help of a friend, have made it work in my home network.
I have even got port forwarding for http to work to one of my web servers,

so when I write http://domain.se it goes to 192.168.1.5, which runs an Apache server on Linux.
I use
Chain=dstnat, Protocol=tcp, Dst-Port=80, Action=dst-nat, To-Addresses=192.168.1.5, To-Ports=80
but now I have two problems

Problem 1)
When I try to connect to a subdomain, http://subdomain.domain.se, it was going to the same IP address, but I have configured the Apache server with ProxyPass to another web server.
It worked with my old router, so I don't know why it is not working now.

Problem 2)
I have made the same settings for https
Chain=dstnat, Protocol=tcp, Dst-Port=443, Action=dst-nat, To-Addresses=192.168.1.8, To-Ports=443
but I can't connect to that apache2 server

Like I said, I got it to work with the old router (an old Netgear) but have problems getting it to work with my new router.

I must have done something wrong or forgotten something, but I'm not sure what.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Port forward for https and http

Fri Dec 22, 2017 3:14 pm

Are you trying to connect to the servers from outside or from inside the LAN?
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Fri Dec 22, 2017 5:17 pm

Thanks for the reply

Well, I found out today when I was not at home that it works great when I'm not inside my LAN.
So when I'm not trying to connect from my computer that is connected to my home LAN, everything works fine.
But when I try to connect from inside the LAN I get an error.

Strange??
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Thu Dec 28, 2017 9:43 pm

More strangeness here
With a friend of mine I got a static DNS set in my MikroTik so that http://domain.se goes to 192.168.1.5
But I use Nextcloud and it does work with https://domain.se, and I get an error when I try to connect to Nextcloud from my LAN, but it is OK when I go outside my network.
So https://domain.se from LAN = ERROR
https://domain.se from outside my LAN = OK
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: Port forward for https and http

Thu Dec 28, 2017 10:50 pm

Port 80 is reserved by the MikroTik WebFig web admin. Change your server port 80 to 81.
 
insane
just joined
Posts: 10
Joined: Thu May 25, 2017 3:18 am

Re: Port forward for https and http

Thu Dec 28, 2017 10:53 pm

 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Fri Dec 29, 2017 12:27 am

I have disabled the MikroTik web admin
Hmm, thanks

It is a little strange that I have to NAT myself inside my own LAN :)
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Fri Dec 29, 2017 1:35 am

A little update
I don't know how, but I got it to work with my domain.se (still not https).
I guess it has something to do with the static DNS I have set.

But I can't connect to a subdomain like subdomain.domain.se
The subdomain goes to the same server but is then proxied to another web server that I have in my LAN.

As always, I have no problem connecting from outside my LAN.

Going to see what more I can do; it is a funny but strange problem :)
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: Port forward for https and http

Fri Dec 29, 2017 2:44 pm

Hairpin NAT is what you need.
Delete/disable all rules regarding port 80 and 443 from your Firewall, and add these:
/ip firewall nat
add action=dst-nat chain=dstnat comment="WWW server http" dst-address=YOUR_PUBLIC(ISP)_IP_HERE dst-port=80 protocol=tcp to-addresses=192.168.1.5
add action=masquerade chain=srcnat dst-address=192.168.1.5 dst-port=80 out-interface=YOUR_LOCAL_INTERFACE_HERE(bridge?) protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.5 to-ports=80

add action=dst-nat chain=dstnat comment="WWW server https" dst-address=YOUR_PUBLIC(ISP)_IP_HERE dst-port=443 protocol=tcp to-addresses=192.168.1.5
add action=masquerade chain=srcnat dst-address=192.168.1.5 dst-port=443 out-interface=YOUR_LOCAL_INTERFACE_HERE(bridge?) protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.5 to-ports=443
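
Why the dst-nat rule alone works from the WAN but fails from the LAN, and what the extra masquerade rule changes, shown as a simplified packet trace (an added example, not part of the original post). The addresses 203.0.113.10, 198.51.100.7, 192.168.1.1 and 192.168.1.50 are constructed, and the model ignores ports and TCP state.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: 203.0.113.10 stands in for YOUR_PUBLIC(ISP)_IP_HERE and
# 192.168.1.1 is an assumed router LAN address; 192.168.1.5 is the thread's server.
PUBLIC_IP, ROUTER_LAN_IP, SERVER_IP = "203.0.113.10", "192.168.1.1", "192.168.1.5"
LAN = ip_network("192.168.1.0/24")


def on_lan(ip):
    return ip_address(ip) in LAN


def trace_connection(client_ip, hairpin_rule):
    """Follow a SYN to PUBLIC_IP:80 and the SYN-ACK back; return (accepted, hops)."""
    hops = []
    src, dst = client_ip, PUBLIC_IP
    hops.append(("client -> router", src, dst))

    # chain=dstnat dst-address=PUBLIC_IP dst-port=80 action=dst-nat
    if dst == PUBLIC_IP:
        dst = SERVER_IP
    # chain=srcnat src-address=LAN dst-address=SERVER_IP action=masquerade
    if hairpin_rule and on_lan(src) and dst == SERVER_IP:
        src = ROUTER_LAN_IP
    hops.append(("router -> server", src, dst))

    # The server replies to the source address it saw on the SYN.
    reply_src, reply_dst = dst, src
    if on_lan(reply_dst) and reply_dst != ROUTER_LAN_IP:
        # Same subnet: the reply is switched straight to the client and never
        # reaches the router, so connection tracking cannot undo the dst-nat.
        hops.append(("server -> client (direct)", reply_src, reply_dst))
    else:
        # The reply passes through the router, which reverses the translations.
        hops.append(("server -> router", reply_src, reply_dst))
        reply_src, reply_dst = PUBLIC_IP, client_ip
        hops.append(("router -> client", reply_src, reply_dst))

    # The client only accepts a SYN-ACK from the address it connected to.
    accepted = reply_src == PUBLIC_IP and reply_dst == client_ip
    return accepted, hops


if __name__ == "__main__":
    for label, ip, rule in [("WAN client", "198.51.100.7", False),
                            ("LAN client, dst-nat only", "192.168.1.50", False),
                            ("LAN client, hairpin rule", "192.168.1.50", True)]:
        accepted, hops = trace_connection(ip, rule)
        print(f"{label}: {'OK' if accepted else 'FAIL'}")
        for hop in hops:
            print("   %-26s src=%-14s dst=%s" % hop)
```

With the masquerade rule in place the server sees every LAN connection as coming from the router's LAN address, so its access log no longer records the real internal client IP.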
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Fri Dec 29, 2017 3:30 pm

Thanks, got LAN and WAN to work with HTTP now :)

But now I have no access to HTTPS from WAN or LAN??

Going to try something more, but I have one question about the config

if I pick
action=masquerade
then I can't write any
to-addresses or to-ports

I had to see if the other web server is still working, and it is, at 192.168.1.8 (I did change 192.168.1.5 to 192.168.1.8 for HTTPS in the config)


/UPDATE
I have tried a little and found something strange.
I also have a CSGO server that runs on 27015, and I copied both configs for HTTP and just changed the IP and port to 192.168.1.12 and 27015
When I now try to connect to the server from the CSGO console
connect domain.se
it tries to connect to 192.168.1.5
even if I try with domain.se:27015


/UPDATE 2
I have noticed that if I ping my domain from my LAN it goes to 192.168.1.5 even though I have disabled forwarding and removed it from static DNS.
I have also looked inside my hosts file, but that looks fine, so something is not right.
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Sat Dec 30, 2017 8:44 pm

Hi again
I found this thread about the same problem and I got it to work with DNS Proxy
viewtopic.php?t=95152
I only did this (but changed it to my router's IP address)
Finally, assign the Mikrotik's LAN IP as the DNS server in your internal DHCP (IP > DHCP-Server > Networks > 192.168.2.0/24 > DNS Servers: 192.168.2.1
Is that a good way to go?
Or is that some kind of security risk?
 
cazz
just joined
Topic Author
Posts: 19
Joined: Thu Dec 21, 2017 10:45 pm

Re: Port forward for https and http

Sun Dec 31, 2017 2:24 am

OK, I think I have found the problem
When I added the name and address in the static DNS everything worked fine.
But I was just testing, and now that I am going to run it for real I changed the IP of the server to the right one. I went to static DNS and changed the IP to the right one, but still when I ping it goes to the old IP address??
Even when I flush the cache it still goes to the old IP??


/UPDATE
Did use
ipconfig /flushdns
