vulovicv
just joined
Topic Author
Posts: 5
Joined: Thu Apr 30, 2020 3:01 pm

Accessing my server outside of the LAN network

Thu Apr 30, 2020 3:04 pm

So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to the public address of my network. When trying to access it by hostname while I'm connected by cable or LAN inside my network, I can access it, but when I'm on some other network (mobile), I cannot access it.

I have set up nat rule with:
chain: dstnat
protocol: tcp
Dst Port: 80
Action: dst-nat
ToAddresses: 192.168.1.145
To Ports: 80

How can I troubleshoot this?
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Accessing my server outside of the LAN network

Sat May 02, 2020 2:39 pm

You are attempting to do it via the firewall.
But normally there is already a special functionality available on routers called port-forwarding, i.e. forward the destinationPort to a localIP:destinationPort.
Forwarding a range of ports is possible too.
What router do you use?
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Accessing my server outside of the LAN network

Sat May 02, 2020 2:56 pm

> So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to the public address of my network. When trying to access it by hostname while I'm connected by cable or LAN inside my network, I can access it, but when I'm on some other network (mobile), I cannot access it.
>
> I have set up nat rule with:
> chain: dstnat
> protocol: tcp
> Dst Port: 80
> Action: dst-nat
> ToAddresses: 192.168.1.145
> To Ports: 80
>
> How can I troubleshoot this?

Your dnat entry looks good, but you might also need an entry in the FORWARD chain.
How can you troubleshoot this?
1) For the dstnat rules, enable LOGGING and see if you hit it.
2) In general, in the LOGS see if you have any drops.
3) IF the remote server is a Linux box, with a simple "tcpdump" you at least can see IF something arrives!
4) Post your complete config (others will suggest this too) using something like "export compact hide-sensitive".

You might be hitting other rules or something, impossible to help you without some piece of config.
 
jero111
just joined
Posts: 3
Joined: Wed Apr 04, 2012 12:34 am

Re: Accessing my server outside of the LAN network

Sun May 03, 2020 10:42 pm

Hello.

I have the same issue with my Mikrotik.
I'm trying with no luck to forward port TCP 80 to my local apache server; from my local network everything works fine but I can't connect from the internet.
When I change the Dst. port to something else, e.g. 81, then it starts to work fine.
I ran tcpdump on my server and saw that my server is receiving the SYN packet but the SYN ACK from my server is not returning.
I have the latest version 6.46.6 (x86). I tried also on a blank new routerboard with clean software; I also tried to disable the www service and open all ports on the firewall, but nothing helps.
Can it be some simple bug?
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 5:43 am

@jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests.
In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened.
And on the router, port 80/tcp to both directions must be opened.
And obviously: you must of course connect to your public IP from the WAN. See for example https://whatismyipaddress.com/
 
vulovicv
just joined
Topic Author
Posts: 5
Joined: Thu Apr 30, 2020 3:01 pm

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 7:35 am

>> So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to the public address of my network. When trying to access it by hostname while I'm connected by cable or LAN inside my network, I can access it, but when I'm on some other network (mobile), I cannot access it.
>>
>> I have set up nat rule with:
>> chain: dstnat
>> protocol: tcp
>> Dst Port: 80
>> Action: dst-nat
>> ToAddresses: 192.168.1.145
>> To Ports: 80
>>
>> How can I troubleshoot this?
>
> Your dnat entry looks good, but you might also need an entry in the FORWARD chain.
> How can you troubleshoot this?
> 1) For the dstnat rules, enable LOGGING and see if you hit it.
> 2) In general, in the LOGS see if you have any drops.
> 3) IF the remote server is a Linux box, with a simple "tcpdump" you at least can see IF something arrives!
> 4) Post your complete config (others will suggest this too) using something like "export compact hide-sensitive".
>
> You might be hitting other rules or something, impossible to help you without some piece of config.

Upon inspection of the logs, if I hit it from my local network, I see loggings, and I see that it is working as expected, so, website loads. Apache firewall is configured to allow port 80 to listen for incoming connections as well.

This is my dump:

/interface bridge
add admin-mac=74:4D:28:04:80:65 auto-mac=no name="bridge - lan"
add fast-forward=no name="bridge - nvr"
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - gw" speed=100Mbps
set [ find default-name=ether2 ] name="ether2 - lan" speed=100Mbps
set [ find default-name=ether3 ] name="ether3 - lan - nvr" speed=100Mbps
set [ find default-name=ether4 ] name="ether4 - lan - cam" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 - lan" speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface="bridge - lan" lease-time=4w2d name="dhcp - lan"
/interface bridge port
add bridge="bridge - lan" interface="ether2 - lan"
add bridge="bridge - nvr" interface="ether3 - lan - nvr"
add bridge="bridge - nvr" interface="ether4 - lan - cam"
add bridge="bridge - lan" interface="ether5 - lan"
add bridge="bridge - lan" comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-redirects=yes
/interface list member
add comment=defconf interface="bridge - lan" list=LAN
add comment=defconf interface="ether1 - gw" list=WAN
/ip address
add address=192.168.1.1/24 comment="local network" interface="bridge - lan" network=192.168.1.0
add address=192.168.2.1/24 comment="local network \"nvr, cam\"" interface="bridge - nvr" network=192.168.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="ether1 - gw"
/ip dhcp-server network
add address=192.168.1.0/24 comment="local network" dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=masquerade chain=srcnat comment="masquerade nvr network" ipsec-policy=out,none src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade local network" ipsec-policy=out,none src-address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Belgrade
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 8:21 am

For sure you need at least 1 rule in the FORWARD chain for the traffic returning from the webserver back out to the Internet.
In your config ... I see this rule but DISABLED ??

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes

Can you enable this rule and try again ?
 
vulovicv
just joined
Topic Author
Posts: 5
Joined: Thu Apr 30, 2020 3:01 pm

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 8:24 am

> For sure you need at least 1 rule in the FORWARD chain for the traffic returning from the webserver back out to the Internet.
> In your config ... I see this rule but DISABLED ??
>
> add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
> add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
>
> Can you enable this rule and try again ?

I did, but same thing, from local it works, from outside it doesn't.
 
vulovicv
just joined
Topic Author
Posts: 5
Joined: Thu Apr 30, 2020 3:01 pm

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 9:34 am

> For sure you need at least 1 rule in the FORWARD chain for the traffic returning from the webserver back out to the Internet.
> In your config ... I see this rule but DISABLED ??
>
> add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
> add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
>
> Can you enable this rule and try again ?

Tried also the input and output, but same thing still persists
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 1:07 pm

I think your device does HW-offloading. In this case not all packets reach the "/ip firewall filter" rules (actually it seems only packets destined to or sourced from that device itself are handled by that firewall, not any packets from and to other devices in your LAN or WAN).
I recently experienced the same problem with a CRS3xx device. It's not a bug; rather it is so by design. One has to study the HW capabilities/features and the internals of the device.
Deactivating HW-offloading would help, but this makes the device very slow, as then the packets get processed by the CPU, no longer by the fast ASIC chip...
See also the postings under this recent discussion viewtopic.php?f=13&t=160576#p790285 . There are also some further links to docs/wiki pages in the postings.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 1:53 pm

You know what's interesting? This rule:
/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80
takes all tcp connections to port 80, no matter what the destination address is, and forwards them to 192.168.1.243. So if you have public address on the router and someone connects to it from outside, it will forward connection to internal server, i.e. it should work (nothing is stopping it, if you have everything in "/ip firewall filter" disabled). But it will also break all outgoing tcp/80 connections from LAN to internet. Something I'd expect you'd notice and mention. And yes, it can work from inside, because you created (probably unintentionally) hairpin NAT with your srcnat rule.
 
jero111
just joined
Posts: 3
Joined: Wed Apr 04, 2012 12:34 am

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 3:17 pm

> @jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests.
> In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened.
> And on the router, port 80/tcp to both directions must be opened.
> And obviously: you must of course connect to your public IP from the WAN. See for example https://whatismyipaddress.com/

Of course I have disabled the firewall and also tried on another machine; nothing works.
I still wonder why every other port is working perfectly?
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 4:45 pm

>> @jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests.
>> In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened.
>> And on the router, port 80/tcp to both directions must be opened.
>> And obviously: you must of course connect to your public IP from the WAN. See for example https://whatismyipaddress.com/
> Of course I have disabled the firewall and also tried on another machine; nothing works.
> I still wonder why every other port is working perfectly?

Another possibility could be that maybe your ISP does not allow port 80 to inside :-) But this is very unrealistic.
Try port-forwarding another port, for example port 12345/tcp to localwebserver:80/tcp .
And from a web browser in the WAN give http://your_public_IP:12345/

And: if you are connected to the WAN via VPN, then maybe there lies the error.
If you post your public IP then we can test it for you via regular web.

Btw, recently I read that some web browsers no longer allow http, so try also another web browser; Firefox should be ok...
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Accessing my server outside of the LAN network

Mon May 04, 2020 5:11 pm

>> @jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests.
>> In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened.
>> And on the router, port 80/tcp to both directions must be opened.
>> And obviously: you must of course connect to your public IP from the WAN. See for example https://whatismyipaddress.com/
> Of course I have disabled the firewall and also tried on another machine; nothing works.
> I still wonder why every other port is working perfectly?

Very stupid question, but you mentioned the SYN packet arrived at your server but you never saw any SYN-ACK leaving the Apache webserver back to the client??

"I ran tcpdump on my server and saw that my server is receiving the SYN packet but the SYN ACK from my server is not returning"

Do you see this SYN-ACK packet leave the server back to the client when you test on, let's say, TCP/81? It must, because you say it works on TCP/81.

Can you adapt your DNAT rule and include the INTERFACE on which you expect the packet to arrive? Below is an example of one of my NAT rules.
I also filter based on src-address -> not accessible for the whole internet.

;;; NGINX-Portal-HTTP
chain=dstnat action=dst-nat to-addresses=192.168.1.243 to-ports=80 protocol=tcp src-address-list=Portal dst-address-list=WAN_IP dst-port=80 log=yes log-prefix="80_TO_NGINX"
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Accessing my server outside of the LAN network

Tue May 05, 2020 5:33 am

Besides the fact that you are missing many components of your nvr network (ip pool, ip dhcp-server, ip dhcp-server network),
the issue may be your dstnat rule...
/ip firewall nat
from
add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80
to
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp in-interface="ether1 - gw" log=yes log-prefix=task.dire to-addresses=192.168.1.243

Also not sure why your sourcenat rule is set up like this.
add action=masquerade chain=srcnat comment="masquerade nvr network" ipsec-policy=out,none src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade local network" ipsec-policy=out,none src-address=192.168.1.0/24

Should work just fine with one rule!
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface="ether1 - gw"

Also you should get rid of this; it's part of the default config that hides well ;-)
/ip dns static
add address=192.168.88.1 name=router.lan
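The two config problems raised in this thread (Sob's point that the dstnat rule matches every tcp/80 connection the router sees, including LAN clients' outbound ones, and the accidental hairpin from a masquerade rule with no out-interface; anav's point that the rule should be pinned to the WAN interface) can be checked mechanically against an "/export compact" dump. The script below is an added example, my own code and not anything from the posters or from MikroTik; the finding codes it emits are names I chose. It parses the "add ..." lines of an export into key/value maps and flags the patterns discussed above, using the relevant lines of the config posted earlier in this thread as a constructed sample.

```python
"""Static check of a RouterOS '/export compact' dump for the NAT and filter
problems discussed in this thread. Added example; not the posters' or
MikroTik's code. Finding codes are labels chosen for this example."""
import shlex

# Constructed sample: the relevant lines from the config posted in this thread.
SAMPLE_EXPORT = """\
/interface list member
add comment=defconf interface="ether1 - gw" list=WAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=masquerade chain=srcnat comment="masquerade local network" ipsec-policy=out,none src-address=192.168.1.0/24
"""

# Any of these properties pins a dstnat rule to traffic that really arrives
# from outside, instead of matching every tcp/<port> connection the router sees.
DSTNAT_SCOPE_KEYS = ("dst-address", "dst-address-list", "dst-address-type",
                     "in-interface", "in-interface-list")


def parse_export(text):
    """Yield (section, properties) for each add/set line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line              # e.g. '/ip firewall nat'
            continue
        words = shlex.split(line)       # shlex keeps comment="a b c" as one token
        if words[0] not in ("add", "set"):
            continue
        props = {}
        for word in words[1:]:
            if "=" in word:
                key, value = word.split("=", 1)
                props[key] = value
        yield section, props


def lint_export(text):
    """Return a sorted list of finding codes for the export text."""
    findings = set()
    filter_rules = []
    for section, rule in parse_export(text):
        if section == "/ip firewall filter":
            filter_rules.append(rule)
        elif section == "/ip firewall nat":
            if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat":
                if not any(k in rule for k in DSTNAT_SCOPE_KEYS):
                    # Also redirects LAN clients' outbound tcp/<dst-port>.
                    findings.add("dstnat-unscoped")
            if rule.get("chain") == "srcnat" and rule.get("action") == "masquerade":
                if "out-interface" not in rule and "out-interface-list" not in rule:
                    # Masquerades LAN->LAN after dst-nat too: accidental hairpin NAT.
                    findings.add("srcnat-no-out-interface")
    # With every filter rule disabled the router forwards anything from WAN.
    active = [r for r in filter_rules if r.get("disabled") != "yes"]
    wan_drop = [r for r in active if r.get("chain") == "forward"
                and r.get("action") == "drop"
                and r.get("in-interface-list") == "WAN"]
    if filter_rules and not active:
        findings.add("filter-all-disabled")
    if not wan_drop:
        findings.add("no-wan-forward-drop")
    return sorted(findings)


if __name__ == "__main__":
    for code in lint_export(SAMPLE_EXPORT):
        print(code)
```

Run against the sample it reports all four findings; against a config with the WAN-scoped dstnat rule, a single masquerade rule with out-interface set, and the default forward drop rule enabled, it reports nothing. Interface names containing spaces must be quoted in the export ("ether1 - gw"), which is also why the unquoted form in a hand-typed rule will not parse on the router.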
 
vulovicv
just joined
Topic Author
Posts: 5
Joined: Thu Apr 30, 2020 3:01 pm

Re: Accessing my server outside of the LAN network

Wed May 06, 2020 8:32 am

Tried what all of you guys were saying, and exhausted most of the internet, still cannot get it to work...
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Accessing my server outside of the LAN network

Wed May 06, 2020 9:43 am

> Tried what all of you guys were saying, and exhausted most of the internet, still cannot get it to work...

But again,

"I ran tcpdump on my server and saw that my server is receiving the SYN packet but the SYN ACK from my server is not returning"

Do you see this SYN-ACK packet leave the server back to the client when you test on, let's say, TCP/81? It must, because you say it works on TCP/81.

Using tcpdump, if you do not see the SYN-ACK leave the Apache server back to the client, your problem for sure is not Mikrotik related...
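The SYN / SYN-ACK check jvanhambelgium asks for here and in his earlier reply can be automated over the text output of tcpdump on the server. This is an added example, my own code rather than anything posted in the thread: it parses lines of the form produced by "tcpdump -n tcp", pairs inbound SYNs with the SYN-ACKs the server sends back, and classifies each port the way the thread reasons about it (no SYN: look upstream at the router or ISP; SYN but no SYN-ACK: the host itself; SYN-ACK sent: the return path). The capture lines are constructed for the example, with a TEST-NET client address and the server address 192.168.1.145 from the thread.

```python
"""Pair TCP SYNs with SYN-ACKs in tcpdump text output to tell a host-side
problem from an upstream one. Added example, not the posters' code.
The capture below is constructed (TEST-NET client 203.0.113.7)."""
import re
from collections import defaultdict

# Constructed sample of 'tcpdump -n tcp' output as seen on the web server:
# two tcp/80 SYNs are never answered, while tcp/81 completes its handshake.
SAMPLE_CAPTURE = """\
14:02:11.100001 IP 203.0.113.7.51234 > 192.168.1.145.80: Flags [S], seq 100, win 64240, length 0
14:02:12.100002 IP 203.0.113.7.51234 > 192.168.1.145.80: Flags [S], seq 100, win 64240, length 0
14:02:20.200001 IP 203.0.113.7.51240 > 192.168.1.145.81: Flags [S], seq 200, win 64240, length 0
14:02:20.200150 IP 192.168.1.145.81 > 203.0.113.7.51240: Flags [S.], seq 900, ack 201, win 65160, length 0
14:02:20.230000 IP 203.0.113.7.51240 > 192.168.1.145.81: Flags [.], ack 901, win 64240, length 0
"""

# tcpdump prints "src.port > dst.port: Flags [..]"; [S] is SYN, [S.] is SYN-ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for each parsable tcpdump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def handshake_report(text, server_ip):
    """Count inbound SYNs and outbound SYN-ACKs per server port."""
    report = defaultdict(lambda: {"syn": 0, "synack": 0})
    for src, sport, dst, dport, flags in parse_capture(text):
        if dst == server_ip and flags == "S":        # SYN arriving at the server
            report[dport]["syn"] += 1
        elif src == server_ip and flags == "S.":     # SYN-ACK leaving the server
            report[sport]["synack"] += 1
    return dict(report)


def diagnose(report, port):
    """Say what the capture implies for one port, following the thread's logic."""
    counts = report.get(port)
    if counts is None or counts["syn"] == 0:
        return "no SYN reaches the server: look upstream (router NAT/filter, ISP)"
    if counts["synack"] == 0:
        return "SYN arrives but no SYN-ACK leaves: host-side (listener, host firewall)"
    return "handshake answered by the server: if the client still fails, the return path is the suspect"


if __name__ == "__main__":
    report = handshake_report(SAMPLE_CAPTURE, "192.168.1.145")
    for port in sorted(report):
        print(port, report[port], diagnose(report, port))
```

Feed it a real capture with `tcpdump -n -l tcp | python3 this_script.py` style piping only after adapting the `__main__` block to read stdin; as written it runs on the embedded sample. The three outcomes map onto the thread: jero111's symptom on tcp/80 is the second case, and his working tcp/81 is the third.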
 
jero111
just joined
Posts: 3
Joined: Wed Apr 04, 2012 12:34 am

Re: Accessing my server outside of the LAN network

Wed May 06, 2020 4:19 pm

>>> @jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests.
>>> In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened.
>>> And on the router, port 80/tcp to both directions must be opened.
>>> And obviously: you must of course connect to your public IP from the WAN. See for example https://whatismyipaddress.com/
>> Of course I have disabled the firewall and also tried on another machine; nothing works.
>> I still wonder why every other port is working perfectly?
> Another possibility could be that maybe your ISP does not allow port 80 to inside :-) But this is very unrealistic.
> Try port-forwarding another port, for example port 12345/tcp to localwebserver:80/tcp .
> And from a web browser in the WAN give http://your_public_IP:12345/
>
> And: if you are connected to the WAN via VPN, then maybe there lies the error.
> If you post your public IP then we can test it for you via regular web.
>
> Btw, recently I read that some web browsers no longer allow http, so try also another web browser; Firefox should be ok...

It was as you suggested @mutluit, my ISP was blocking port 80 (due to security reasons??), thanks for the suggestion.
I'm very frustrated that I haven't checked this, but it was, as you said, so unrealistic.
Now everything works fine.
@Vulovicv try calling your ISP also and ask them if they aren't blocking port 80.
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Accessing my server outside of the LAN network

Wed May 06, 2020 4:40 pm

> It was as you suggested @mutluit, my ISP was blocking port 80 (due to security reasons??), thanks for the suggestion.
> I'm very frustrated that I haven't checked this, but it was, as you said, so unrealistic.
> Now everything works fine.
> @Vulovicv try calling your ISP also and ask them if they aren't blocking port 80.

Bad ISP :-)
Did your ISP now open port 80, or are you forced to use another port?
Glad to see it finally works for you.
You should mark this issue as "solved" by clicking the button "Accept this answer".
