Trisc
Member Candidate
Topic Author
Posts: 242
Joined: Sat May 29, 2004 11:24 pm
Location: Glos, UK

NAT problem

Thu Mar 25, 2010 12:52 pm

Hi

I have the following rules in my firewall to allow Outlook Web Access to an Exchange Server inside the network:

1 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443
protocol=tcp src-address=!10.5.50.0/24 dst-port=443

2 ;;; RWW
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=4125
protocol=tcp dst-port=4125

The trouble is that other computers on 192.168.0/24 network cannot connect to secure websites using HTTPS.

Can anyone suggest a fix?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: NAT problem

Thu Mar 25, 2010 1:19 pm

The quick fix is an entry in "/ip dns static" for the secure site, using the 192.168.1.10 address. Local net users will use this DNS, and WAN users will use the normal DNS server resolution.
 
Trisc
Topic Author

Re: NAT problem

Thu Mar 25, 2010 2:29 pm

Not sure how this would work! The client is also using a Small Biz server which handles local DNS requests.
 
SurferTim

Re: NAT problem

Thu Mar 25, 2010 2:37 pm

OK. Then the not-so-quick. You will need to remove the "src-address" setting in the HTTPS dstnat and add a local masquerade.

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24

Works for me. This is called a "hairpin nat" on the forum if you want to search for other posts.
 
Trisc
Topic Author

Re: NAT problem

Thu Mar 25, 2010 3:49 pm

If I delete HTTPS rule how will port 443 forward to the correct internal destination?
 
SurferTim

Re: NAT problem

Thu Mar 25, 2010 4:01 pm

1 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443
protocol=tcp src-address=!10.5.50.0/24 dst-port=443

I use something like this:

1 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443
protocol=tcp dst-port=443

Is there a reason you exclude the 10.5.50.0/24 net?
 
Trisc
Topic Author

Re: NAT problem

Thu Mar 25, 2010 4:24 pm

I've changed the original port forwarding rule to:

1
chain=dstnat action=dst-nat to-addresses=192.168.1.99 to-ports=21
protocol=tcp dst-address=!192.168.1.3 dst-address-type=local
dst-port=21

192.168.1.3 being the router address. It seems to work on my testing setup.

The reason for excluding 10.5.50.0/24 is that there is a hotspot network on another interface and port 443 wasn't working there either.

With the new rule it seems to work.

I already have a masquerade rule on the router.
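For reference, here is the complete hairpin NAT ruleset the thread converges on, written out as an added example. It was not posted by Trisc or SurferTim and is not taken from MikroTik documentation. It assumes the LAN is 192.168.1.0/24 with the router at 192.168.1.3, the WAN interface is named ether1-wan, the hotspot gateway address is 10.5.50.1, and the address list router-self is created here; all of those names and addresses are assumptions, not values from the thread. The two points it makes explicit are (1) the dst-nat rule must match only traffic addressed to the router's own addresses, otherwise it also catches LAN clients' outbound HTTPS to every Internet site (the symptom in the first post), and (2) the hairpin masquerade should be limited to LAN-to-server traffic so the server still sees real client addresses for everything else.

```routeros
# Added example, not from the thread or MikroTik docs. Assumed names/addresses:
# LAN 192.168.1.0/24, router LAN address 192.168.1.3, hotspot gateway 10.5.50.1,
# WAN interface ether1-wan, Exchange/OWA server 192.168.1.10.

# Router's own addresses that must NOT be port-forwarded (webfig/hotspot login).
/ip firewall address-list
add list=router-self address=192.168.1.3 comment="router LAN address (assumed)"
add list=router-self address=10.5.50.1 comment="hotspot gateway (assumed)"

/ip firewall nat
# 1. Forward only packets addressed to one of the router's local addresses
#    (i.e. the WAN address), excluding the LAN/hotspot addresses above.
#    Without dst-address-type=local this rule would also rewrite LAN clients'
#    outbound HTTPS to any site and send it to the Exchange server.
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443 \
    protocol=tcp dst-port=443 dst-address-type=local \
    dst-address-list=!router-self comment="HTTPS -> Exchange (OWA)"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=4125 \
    protocol=tcp dst-port=4125 dst-address-type=local \
    dst-address-list=!router-self comment="RWW -> Exchange"

# 2. Hairpin: a LAN client that connects to the WAN address gets its source
#    rewritten to the router, so the server's reply returns via the router
#    and is un-NATed there. Without this the server answers the client
#    directly from 192.168.1.10, the client expects the WAN address, and
#    the TCP session is reset. Scoped to the server only, so other
#    LAN-to-LAN traffic keeps its real source addresses.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.10 protocol=tcp dst-port=443,4125 \
    comment="hairpin NAT for OWA/RWW"

# 3. Ordinary outbound masquerade for Internet access (usually present already).
add chain=srcnat action=masquerade out-interface=ether1-wan \
    comment="default masquerade"
```

To confirm the hairpin path is in use, open OWA from a LAN client via the public name and check "/ip firewall connection print detail" for that connection: both the destination (dst-nat to 192.168.1.10) and the reply source (masqueraded to the router's LAN address) should show as translated. If a local DNS server can carry a static record for the public name pointing at 192.168.1.10, as SurferTim first suggested, that split-DNS approach avoids the hairpin entirely and leaves client addresses visible in the Exchange logs.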
