Community discussions

MikroTik App
 
MrEastwood
just joined
Topic Author
Posts: 7
Joined: Thu Mar 28, 2019 6:10 pm

HELP: access external web page:port

Wed Apr 07, 2021 9:37 pm

I'm getting "This site can't be reached, ERR_CONNECTION_TIMED_OUT" when trying to access a web page located at an external address www.site.com:2222
I cannot ping www.site.com from my PC or the router which is an RB750 firmware v6.48.1
If I check downforeveryoneorjustme, the site is up and running.

I'm not so good with the terminal so Winbox instructions would be appreciated. I've read dozens upon dozens of tutorials and the Mikrotik manual on port forwarding and I don't seem to be able to get anywhere. I have set up Firewall, NAT, General: Chain dstnat, protocol 6 tcp, dst port 2222, in interface ether1-gateway. Under Action I have Action= dst-nat, To addresses my local workstation static IP 192.168.xx.xx, To ports 2222

EDIT: I've also attempted everything with local PC firewall turned off just to make sure it isn't that.

Does not work, get error as above in 1st line.
Help would be appreciated, I have a customer waiting on me of course...
 
2frogs
Long time Member
Long time Member
Posts: 640
Joined: Fri Dec 03, 2010 1:38 am

Re: HELP: access external web page:port

Wed Apr 07, 2021 11:06 pm

Reading your post, it seems you are actually attempting to reach an internal server using the external address. Using an in-interface in this situation will not work. You need to use dst-address=external-ip (best practice with static ip) or dst-type=local dst-address=!router-ip (works with dynamic ip). You also need the hair-pin nat you tried.
 
User avatar
jvanhambelgium
Member
Member
Posts: 427
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: HELP: access external web page:port

Wed Apr 07, 2021 11:34 pm

If you indeed are testing from the internal LAN trying to connect to the public FQDN AND this server has the same internal IP as your test-machine I think the hairpin should be put in place :
In the NAT-section, put this in the SRC-NAT section

add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=x.x.x.x/24 log=yes log-prefix=IPV4-HAIRPIN protocol=tcp src-address=x.x.x.x/24
(x.x.x.x being your internal LAN-range on which webserver + testing-server reside, eg. 192.168.1.0)

Then you proably need to cleanup the DNAT entry, because you cannot specify the INPUT interface.
Put something like this. I assume here that "the Internet" connects on TCP/2222 but your actual internal server is running on TCP/80 ?? If it is internally running on the same port, you can leave the "to-port" field off
Not too sure if you have static fixed public IP on the router ?

add action=dst-nat chain=dstnat comment="DNAT TCP-2222 " dst-address=WAN_IP dst-port=2222 log=yes log-prefix=IP4-DNAT-TCP2222 protocol=tcp to-addresses=172.29.45.251 to-port=80

And offcourse make sure the FORWARD chain also has a that that it allowed DNAT packets coming in from the "LAN" of "Bridge" side.
So something like

add action=accept chain=forward comment="HAIRPIN : Accept any packet with valid DNAT entry" connection-nat-state=dstnat connection-state=established,related,new in-interface=Bridge log-prefix=IPV4-FORWARD-BRIDGE-DNAT

With these you should be good I guess.Logging is for you to decide ; at least enable it until it works, then you can disable logging.
 
msatter
Forum Guru
Forum Guru
Posts: 2085
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: HELP: access external web page:port

Thu Apr 08, 2021 1:20 am

I am a bit puzzled by the dst-nat. You write that an external test-site can connect so it must be a external server somewhere on the internet.

Then you you use src-nat or masquerade

simplest is in nat add the line:
add action=masquerade chain=srcnat dst-port=2222 protocol=tcp
You want to replace your local source address with the external address of your router and so use src-nat. If you run a server in your local network and want to grant access to that server from the outside then use dst-nat. So source is traffic going away from you and destination is traffic coming to you. Connection tracking takes care of the returning or leaving traffic so you don't have to think about that.

As jvanhambelgium is describing. You can run a internal server and you want also access to that then you use a hairpin to grant also you access to that server.

Not all sites answer to ping attempts so could be the cause you get no replies.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
MrEastwood
just joined
Topic Author
Posts: 7
Joined: Thu Mar 28, 2019 6:10 pm

Re: HELP: access external web page:port

Thu Apr 08, 2021 6:39 pm

Issue resolved, thanks for your help.

Who is online

Users browsing this forum: No registered users and 49 guests