brox
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2019 8:17 pm

NAT newbie help

Sat Mar 16, 2019 12:07 am

Hi,
I have a 951Ui-2HnD router with RouterOS v6.44.1.
The router has LAN address 192.168.1.254 and its external (static) address is xx.xx.xx.xx.
Also there is a web server on 192.168.1.129
So I need to redirect port 80 to 192.168.1.129 and I still want to access my router's WebFig via port 8080.
Also I need ssh to webserver via port 22.
What I tried (IP->NAT content is attached) does not work. When I try http://xx.xx.xx.xx, I see router's WebFig instead of my site.
Please help!
 
gkk
newbie
Posts: 25
Joined: Sat Dec 24, 2016 1:17 pm

Re: NAT newbie help

Sat Mar 16, 2019 12:06 pm

 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT newbie help

Sat Mar 16, 2019 1:06 pm

Don't post screenshots, post text exports; screenshots don't show everything. And at first sight, this is not how you forward ports; it should be:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=80 to-addresses=192.168.1.129
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT newbie help

Sat Mar 16, 2019 1:39 pm

So you want to be able to access the router from your WANIP (remote locations) simply by forwarding port 8080?
 
brox
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2019 8:17 pm

Re: NAT newbie help

Sat Mar 16, 2019 11:19 pm

Hmm, thanks guys, I found my mistake (actually I messed up the Dst-* and To-* terms), and now the router's WebFig is accessible from WAN by forwarding port 8080 to 80.
Very strange, though, that it required setting my WAN address in the dst-address field. Why is it needed in the first place? What if it was dynamic (and tied to a domain name)?
Also, with similar settings I was unable to make my web server work (forwarding x.x.x.x:80->192.168.1.129:80 didn't work).
@gkk - you mean I don't need forwarding at all and just change the IP->Services www record from 80 to 8080? (Yes, I tried and it works!)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT newbie help

Sun Mar 17, 2019 4:42 pm

It's not strange at all: you want packets coming to your public address forwarded to an internal address, so that's exactly what this rule tells the router to do.

For dynamic address, you have three choices:
a) "dst-address-type=local dst-address=!192.168.1.254", which matches any local address except the router's LAN address.
b) A lot of people like "in-interface=<WAN>", which I'm not a fan of, because it's not correct: you don't want to forward anything that reaches your router regardless of destination address (although in practice it's usually not a problem).
c) "dst-address-list=mypublicip" with:
/ip firewall address-list
add address=dynamic.hostname.tld list=mypublicip
But it will have small outages when the address changes, before the list is refreshed (depends on the record's TTL).

If you test the forwarded port to the webserver from the same LAN, you also need this:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
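The full rule set that the answer above implies, written out as an added example (not posted in the thread): the static-address forward from the first reply, the dynamic-address variant from option a), and the hairpin srcnat rule the linked wiki page describes for clients on the same LAN. Assumed names: the LAN bridge is called "bridge", the public address stays the placeholder x.x.x.x used in the thread, and the LAN subnet is 192.168.1.0/24 (inferred from the addresses in the first post).

```routeros
# Added example, not from the thread. Assumed: LAN bridge "bridge",
# LAN subnet 192.168.1.0/24, public address x.x.x.x (placeholder).
/ip firewall nat

# 1. The port forward, static public address (as in Sob's first reply).
#    No in-interface match, so it also catches LAN clients that connect
#    to the public address, which is what hairpin NAT needs.
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=tcp \
    dst-port=80 to-addresses=192.168.1.129 \
    comment="forward tcp/80 to webserver"

# 1b. Same forward for a dynamic public address (option a): match any
#     address the router itself owns except the LAN address, so the
#     rule keeps working after the WAN address changes. Use instead of
#     rule 1, not in addition to it.
# add chain=dstnat action=dst-nat dst-address-type=local \
#     dst-address=!192.168.1.254 protocol=tcp dst-port=80 \
#     to-addresses=192.168.1.129 comment="forward tcp/80 (dynamic WAN)"

# 2. Hairpin NAT. A LAN client that connects to x.x.x.x is dst-natted
#    to the server, but the server would reply straight to the client's
#    LAN address; the client then sees a reply from 192.168.1.129 for a
#    connection it opened to x.x.x.x and discards it. Masquerading the
#    client side forces the reply back through the router, which undoes
#    both translations. The default masquerade rule does not cover this
#    because it matches out-interface-list=WAN only.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.129 protocol=tcp dst-port=80 \
    out-interface=bridge comment="hairpin NAT for webserver"
```

The quick check for "is the forward even hit" is the rule counter: /ip firewall nat print stats shows packets/bytes per rule, and if the dstnat rule counts nothing while you test from the LAN, the hairpin rule cannot help because the traffic never reached the router (for example, the client resolved the name to the LAN address directly).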
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT newbie help

Sun Mar 17, 2019 5:01 pm

Other advice.
Access your router (webconfig, winbox) externally via secure methods.
1. Recommended is via VPN.
2. SSH (not sure, but it's probably better than nothing, but DO CHANGE THE DEFAULT PORT, like 33022 for example!!)
3. Port Knocking is another method.
4. ***source address list (add to all of the above if the external WAN IPs are known)

**** This is very valid for port forwarding to any servers behind the LAN. Without a source address list your server ports are visible on scans (appear as closed). With a source address list, the ports are not visible on scans.
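How the source-address-list advice above looks in RouterOS terms, as an added example that is not part of the post: a list of known admin addresses gates both the ssh forward to the web server and WebFig on port 8080, so a connection from any other source never matches the dstnat rule and falls through to the default "drop all from WAN not DSTNATed" forward rule from the thread's export. Assumed values: the list name admin_src, the documentation address 203.0.113.10 standing in for a known remote admin IP, and the placeholder public address x.x.x.x from the thread.

```routeros
# Added example, not from the thread. Assumed: list name "admin_src",
# 203.0.113.10 as a placeholder admin address, public address x.x.x.x.
/ip firewall address-list
add list=admin_src address=203.0.113.10 comment="known remote admin IP"

# ssh to the web server, only for sources on the list. Anything else
# is not dst-natted and is dropped by the defconf forward rule
# "drop all from WAN not DSTNATed", so the port does not answer scans.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=tcp \
    dst-port=22 src-address-list=admin_src \
    to-addresses=192.168.1.129 to-ports=22 \
    comment="ssh to webserver, known sources only"

# WebFig on 8080 without a forward (the /ip service change from the
# thread), restricted in two places: the service's own allowed-address
# list, and an input rule placed before the defconf drop of non-LAN
# input traffic, which would otherwise block it.
/ip service
set www port=8080 address=203.0.113.10/32

/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8080 \
    src-address-list=admin_src comment="WebFig from known admin IPs" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

Keeping the restriction in both the service and the firewall is deliberate: the firewall rule keeps the port invisible to everyone else, and the service-level address filter still holds if someone later loosens the input chain.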
 
brox
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2019 8:17 pm

Re: NAT newbie help

Sun Mar 17, 2019 8:24 pm

Thanks for the advice, but first I need to fight a very basic thing... The web server still doesn't work.
/ip firewall> export 
# mar/17/2019 20:13:43 by RouterOS 6.44.1
# software id = XC6V-SSRX
#
# model = 951Ui-2HnD
# serial number = 8A73095505C9
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1_wan
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.129
Something is extremely wrong. I'm sad, because on my previous router (TP-Link with DD-WRT firmware) configuring NAT was a matter of a minute...
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT newbie help

Sun Mar 17, 2019 8:36 pm

Hmm, a quick glance seems to show the setup is okay.
You do have two masquerade rules; consider getting rid of the non-default one for now.
(assuming you only have one WAN?)

Also try using in-interface=WAN and not the destination address for the destination NAT rule.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT newbie help  [SOLVED]

Sun Mar 17, 2019 8:47 pm

@anav: Go away, demon! :) If it's static, dst-address is the right choice.

But I don't see anything clearly wrong either. Except if access to webserver would be tested from same LAN, in that case see end of my previous post. If not, do you see the counter on dstnat rule increasing?
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT newbie help

Sun Mar 17, 2019 8:53 pm

@anav: Go away, demon! :) If it's static, dst-address is the right choice.

But I don't see anything clearly wrong either. Except if access to webserver would be tested from same LAN, in that case see end of my previous post. If not, do you see the counter on dstnat rule increasing?
ME?? No, @Sob, go away, anti-christ! LOL.
If it was static then the source NAT rule should be:
add action=src-nat chain=srcnat out-interface=WAN

and then that would line up with the dst address for the destination nat rule!!
 
brox
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2019 8:17 pm

Re: NAT newbie help

Sun Mar 17, 2019 10:24 pm

Except if access to webserver would be tested from same LAN, in that case see end of my previous post.
You are my hero and I feel lame)
/gone reading about Hairpin...
