So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to the public address of my network. When I try to access it by hostname while I'm connected by cable or LAN inside my network, I can reach it, but when I'm on some other network (mobile), I cannot.
I have set up nat rule with:
chain: dstnat
protocol: tcp
Dst Port: 80
Action: dst-nat
ToAddresses: 192.168.1.145
To Ports: 80
How can I troubleshoot this?
Your dnat entry looks good, but you might also need an entry in the FORWARD chain.
How can you troubleshoot this ?
1) For the dstnat rules, enable LOGGING and see if you hit it
2) In general in the LOGS see if you have any drops.
3) IF the remote server is a Linux box, with a simple "tcpdump" you at least can see IF something arrives!
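4) Post your complete config (others will suggest this too), using something like
export compact hide-sensitive
(hide-sensitive strips secrets such as passwords, but IP and MAC addresses stay in the output, so read it through before posting).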
You might be hitting other rules or something, impossible to help you without some piece of config.
Upon inspecting the logs: when I hit it from my local network, I see log entries and it works as expected, so the website loads. The firewall on the Apache server is also configured to allow incoming connections on port 80.
This is my dump:
# Interfaces, bridging, addressing, DHCP and DNS, as exported.
# Two bridges are defined: "bridge - lan" (192.168.1.1/24) and "bridge - nvr" (192.168.2.1/24).
/interface bridge
add admin-mac=74:4D:28:04:80:65 auto-mac=no name="bridge - lan"
add fast-forward=no name="bridge - nvr"
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - gw" speed=100Mbps
set [ find default-name=ether2 ] name="ether2 - lan" speed=100Mbps
set [ find default-name=ether3 ] name="ether3 - lan - nvr" speed=100Mbps
set [ find default-name=ether4 ] name="ether4 - lan - cam" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 - lan" speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# NOTE(review): this pool spans .10-.254, which contains the port-forward target
# address. No static lease appears in this export, so confirm the server's address
# is fixed; otherwise the dst-nat rule can end up pointing at a different host.
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface="bridge - lan" lease-time=4w2d name="dhcp - lan"
/interface bridge port
add bridge="bridge - lan" interface="ether2 - lan"
add bridge="bridge - nvr" interface="ether3 - lan - nvr"
add bridge="bridge - nvr" interface="ether4 - lan - cam"
add bridge="bridge - lan" interface="ether5 - lan"
add bridge="bridge - lan" comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): accepting ICMP redirects is rarely needed on a router; confirm this is intentional.
/ip settings
set accept-redirects=yes
# Only "bridge - lan" is in LAN and "ether1 - gw" in WAN. "bridge - nvr" is in neither
# list, so any rule matching in-interface-list=LAN or !LAN treats it as non-LAN.
/interface list member
add comment=defconf interface="bridge - lan" list=LAN
add comment=defconf interface="ether1 - gw" list=WAN
/ip address
add address=192.168.1.1/24 comment="local network" interface="bridge - lan" network=192.168.1.0
add address=192.168.2.1/24 comment="local network \"nvr, cam\"" interface="bridge - nvr" network=192.168.2.0
# The WAN address is leased by DHCP on "ether1 - gw" and is not visible in this export.
# NOTE(review): if the leased address is private or carrier-NAT rather than the public
# address the DNS record points to, connections from the internet end at the upstream
# device and never reach this router's dstnat rule - compare /ip address print with the DNS record.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="ether1 - gw"
/ip dhcp-server network
add address=192.168.1.0/24 comment="local network" dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
# NOTE(review): router.lan resolves to 192.168.88.1, but no 192.168.88.0/24 address is
# configured anywhere in this export - looks like a leftover entry; confirm.
/ip dns static
add address=192.168.88.1 name=router.lan
# Firewall filter table. Every rule below carries disabled=yes, so none is evaluated.
# With no active rule, the input and forward chains accept everything (there is no implicit drop).
# What that means here:
#  - The filter table is not blocking forwarded traffic, so a missing forward "accept"
#    rule is not the reason the port-80 test from outside fails.
#  - Nothing filters connections addressed to the router itself that arrive on
#    "ether1 - gw". /ip service is not part of this export, so whichever management
#    services are enabled there are reachable from the WAN side - confirm, and re-enable
#    the input rules (accept established/related, drop invalid, drop everything not from LAN).
#  - The last forward rule, once enabled, drops new WAN connections that were not dst-natted,
#    which still lets the port forward through while closing everything else.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# NAT table: one port forward (dstnat) and two masquerade (srcnat) rules.
#
# The dst-nat rule matches on protocol=tcp and dst-port=80 only; it has no
# in-interface, in-interface-list or dst-address matcher. It therefore rewrites every
# TCP/80 connection passing through the router, including LAN clients browsing any
# external HTTP site, and sends them all to 192.168.1.243. That is also why a test
# from inside the LAN hits the rule and "works": it does not show that traffic
# arriving on the WAN interface reaches the rule.
# Restricting the rule to inbound WAN traffic (for example in-interface-list=WAN, or
# dst-address set to the public address) limits it to the intended port forward.
# NOTE(review): to-addresses here is 192.168.1.243, while the text of the post names
# 192.168.1.145 as the server - confirm which host actually runs the web server.
#
# Neither masquerade rule names an out-interface, so both match by source subnet on
# whatever interface the packet leaves through, not just "ether1 - gw".
/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=masquerade chain=srcnat comment="masquerade nvr network" ipsec-policy=out,none src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade local network" ipsec-policy=out,none src-address=192.168.1.0/24
# System and tool settings: time zone, watchdog, graphing and MAC-level management access.
/system clock
set time-zone-name=Europe/Belgrade
/system watchdog
set automatic-supout=no watchdog-timer=no
# Each bare "add" below creates a graphing entry with every parameter left at its default.
# NOTE(review): if the default allow-address is unrestricted, the graphs can be viewed by
# anyone able to reach the router's web service - confirm, given that the input chain
# has no active filter rule in this export.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-server and MAC-WinBox access are limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN