tunga
just joined
Topic Author
Posts: 4
Joined: Wed Sep 23, 2020 5:34 am

how to configure https for my websites

Thu Oct 15, 2020 10:06 am

Hello,

I installed SSL for my webserver. When I use the https protocol, it throws an error, "Unable to connect to server". The SSL server test from ssllabs.com says "If failed to connect to the server, it usually happens due to firewall restrictions." I added the following 2 NAT rules for SSL, which uses port 443.


nat.png
Obviously, something goes wrong here. Please help me.
 
erlinden
Long time Member
Posts: 537
Joined: Wed Jun 12, 2013 1:59 pm

Re: how to configure https for my websites

Thu Oct 15, 2020 10:33 am

I would expect something like this:

add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.10.X to-ports=443

Can you explain the meaning of your rules?
First the problem, then the solution
 
Sob
Forum Guru
Posts: 6116
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to configure https for my websites

Thu Oct 15, 2020 2:50 pm

You can see that the rule has some hits. So if it's just a copy of rule for port 80 (which I assume works) and only the number is different, then this one must work too and the problem is probably elsewhere (server's own firewall for example).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
anav
Forum Guru
Posts: 5413
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: how to configure https for my websites

Thu Oct 15, 2020 2:57 pm

/export hide-sensitive file=anynameyouwish

A full view of the config is best to determine what may be blocking the traffic.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
tunga
just joined
Topic Author
Posts: 4
Joined: Wed Sep 23, 2020 5:34 am

Re: how to configure https for my websites

Sat Oct 17, 2020 9:00 am

to erlinden
I added the last two rules (3 and 4) for port 443. The third rule is exactly what you wrote, and the fourth rule is for the local connection to the server.

to Sob
Yes, I copied rules for port 80, only changed port number to 443. My web server's firewall is open for port 443.
ports.png
to Anav
I exported the configuration of the router as you suggested. Here it is.
problem443.rsc
 
Sob
Forum Guru
Posts: 6116
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to configure https for my websites

Sat Oct 17, 2020 8:24 pm

Do you test it from LAN? Rule for port 80 has in-interface-list=all (which is useless, because it always matches, so you don't need to add it at all), but for 443 you have in-interface-list=WAN, so it will work only from internet.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
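
An added example, not part of the thread or of the poster's configuration: a small Python check over a RouterOS export that reports, for each dst-nat rule, which ingress interfaces it can match. This is the difference pointed out above between the port 80 rule (in-interface-list=all) and the port 443 rule (in-interface-list=WAN). The export text is constructed for illustration and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample in RouterOS export style (not the poster's attachment).
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=all \
    protocol=tcp to-addresses=192.168.100.4 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN \
    log=yes protocol=tcp to-addresses=192.168.100.4 to-ports=443
/ip firewall filter
add action=accept chain=input protocol=icmp
'''

def parse_nat_rules(export_text):
    """Return one dict of key=value pairs per 'add' line under /ip firewall nat."""
    text = re.sub(r'\\\r?\n\s*', '', export_text)  # join '\' line continuations
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            in_nat = (line == '/ip firewall nat')
        elif in_nat and line.startswith('add '):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split('=', 1) for t in tokens if '=' in t))
    return rules

def dstnat_scope(rule):
    """Classify which ingress interfaces a dst-nat rule can match."""
    if 'in-interface' in rule:
        return 'only via interface ' + rule['in-interface']
    lst = rule.get('in-interface-list', 'all')  # no matcher behaves like "all"
    return 'any interface' if lst == 'all' else 'only via list ' + lst

def audit(export_text):
    """Map each forwarded dst-port to the ingress scope of its dst-nat rule."""
    return {r.get('dst-port', 'any'): dstnat_scope(r)
            for r in parse_nat_rules(export_text)
            if r.get('chain') == 'dstnat' and r.get('action') == 'dst-nat'}

if __name__ == '__main__':
    for port, scope in audit(SAMPLE_EXPORT).items():
        print(f'dst-port {port}: matches {scope}')
```

A port whose rule is limited to the WAN list will not be translated for a client testing from the LAN side, even though the same port works from the internet.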
 
anav
Forum Guru
Posts: 5413
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: how to configure https for my websites

Sat Oct 17, 2020 8:31 pm

(1) /ip address
add address=192.168.100.1/24 comment=defconf interface=ether2 network=\
192.168.100.0

should be
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0

(2) I don't understand your destination NAT rules.
Do you have a fixed WAN IP (static)? If so, the dstnat rules are normally in the format

add action=dst-nat chain=dstnat dst-address=fixedWANIPaddress dst-port=80 \
protocol=tcp to-addresses=192.168.100.4 to-ports=80
(note: you don't need to-ports if it is the same as dst-port)

If you have a dynamic IP, the usual setup is as follows:
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=80 \
protocol=tcp to-addresses=192.168.100.4

(3) In terms of source NAT rules, did you want to be able to reach servers from users on the same LAN as the server but via your WAN IP address (loopback) vice simply using the LAN IP of the server?
In the meantime, keep this rule at its default and you can't go wrong.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

However, the other two source NAT rules make no sense to me, and you should describe what you are trying to accomplish with them.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
