Hello, everyone!
The issue is in the title, and it drives me mad. I've searched all over the internet and tried every solution I could find with no success.
I originally needed to open port 80 for a small web-app I have been trying to set up. Through numerous attempts to do that I tried 8080, 8888, etc., and now I have ended up with a dst-nat rule on port 49999. It does work for my local clients, due to Hairpin NAT, but remote machines are getting timeouts.
192.168.88.100 is where my http-server is hosted.
Things I've tried so far:
dst-nat on 192.168.88.100 port 49999 with my public IP as dst-address
dst-nat on 192.168.88.100 port 49999 with my PPPoE as in-interface
dst-nat on 192.168.88.100 port 49999 with my WAN as in-interface
netmap on 192.168.88.100 port 49999 with all aforementioned combinations
and numerous other tricks and tweaks
Please, I need help.
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 bridge_local
1 D 100.64.68.8/32 94.229.236.4 mts-pppoe
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; WAN
ether1 ether 1500 1598 2028 CC:2D:E0:17:BC:CC
1 RS ether2-master ether 1500 1598 2028 CC:2D:E0:17:BC:CD
2 S ether3 ether 1500 1598 2028 CC:2D:E0:17:BC:CE
3 RS wlan1 wlan 1500 1600 2290 CC:2D:E0:17:BC:D0
4 R ;;; defconf
bridge_local bridge 1500 1598 CC:2D:E0:17:BC:CD
5 R mts-pppoe pppoe-out 1480
[admin@MikroTik] >> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
3 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
4 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
5 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
7 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
10 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
[admin@MikroTik] >> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=mts-pppoe log=no log-prefix="" ipsec-policy=out,none
1 chain=dstnat action=netmap to-addresses=192.168.88.100 to-ports=49999 protocol=tcp dst-port=49999 log=yes log-prefix=""
2 chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.100 out-interface=bridge_local dst-port=49999 log=no
log-prefix=""
3 chain=srcnat action=src-nat to-addresses=192.168.88.1 protocol=tcp src-address=!192.168.88.0/24 dst-address=192.168.88.100 dst-port=49999 log=no
log-prefix=""
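A diagnostic for the symptom described in this post (forward works from the LAN, times out from outside), added here as an example and not part of the original post: it reads pasted `ip address print` output and reports whether the WAN address is publicly routable. The function names are hypothetical; the range list assumes RFC 1918 and the RFC 6598 shared address space (100.64.0.0/10) that carriers use for carrier-grade NAT.

```python
import ipaddress
import re

# Ranges that are not routed on the public internet. A WAN address inside
# one of them means another NAT sits between this router and the internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared (carrier-grade NAT)": ["100.64.0.0/10"],
}

# Matches the ADDRESS, NETWORK and INTERFACE columns of `ip address print`.
ROW = re.compile(r"(\d+(?:\.\d+){3})/(\d+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$")

def parse_addresses(print_output):
    """Return {interface: IPv4Address} from pasted `ip address print` text."""
    found = {}
    for line in print_output.splitlines():
        m = ROW.search(line)
        if m:
            found[m.group(4)] = ipaddress.ip_address(m.group(1))
    return found

def classify(addr):
    """Return the label of the non-public range holding addr, or None."""
    addr = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return None

def check_wan(print_output, wan_interface):
    """Say whether a dst-nat on wan_interface can be reached from outside."""
    addr = parse_addresses(print_output)[wan_interface]
    label = classify(addr)
    if label is None:
        return f"{addr} is publicly routable: inbound dst-nat can work"
    return (f"{addr} is in {label} space: inbound connections only arrive "
            "if the upstream NAT forwards the port")

# The address rows from the `ip address print` output in the post above.
SAMPLE = """\
 0   ;;; defconf
     192.168.88.1/24 192.168.88.0 bridge_local
 1 D 100.64.68.8/32 94.229.236.4 mts-pppoe
"""

if __name__ == "__main__":
    print(check_wan(SAMPLE, "mts-pppoe"))
```
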