MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

NAT WebFig access

Tue Dec 29, 2015 9:40 pm

I tried to get access to my WebFig on port 2443.
;;; Router HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.10.101 to-ports=2443 protocol=tcp dst-port=2443 log=yes log-prefix="WebFig" 
but this is not working
20:37:18 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52
20:37:21 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52
20:37:27 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 48
20:37:34 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 52
20:37:37 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 52
20:37:42 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.101:2443, len 48
Inside the network (LAN) I have access to WebFig at https://192.168.10.101:2443

Please help me find the reason and get access to WebFig from outside my network.
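
Added example, not part of the original post: a log viewer can wrap each firewall entry in the middle of the destination address, so this Python snippet rejoins wrapped lines, parses each entry, and groups bare SYNs per flow. The same source port repeating a few seconds apart is a client retransmitting a SYN that nothing answered. The function names are hypothetical; the sample reuses the values from the log excerpt in the post above, in wrapped form.

```python
import re
from collections import defaultdict

# Constructed sample: the six entries from the post above, wrapped mid-address.
SAMPLE = """\
20:37:18 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.10
1:2443, len 52
20:37:21 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.10
1:2443, len 52
20:37:27 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:1344->192.168.10.10
1:2443, len 48
20:37:34 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.1
01:2443, len 52
20:37:37 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.1
01:2443, len 52
20:37:42 firewall,info WebFig dstnat: in:ether1-gateway out:(none), src-mac 00:d0:cb:00:00:05, proto TCP (SYN), 31.61.141.158:19354->192.168.10.1
01:2443, len 48
"""
STARTS = re.compile(r"^\d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>[^,]+), .*proto TCP \((?P<flags>[^)]+)\), "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+), len (?P<len>\d+)")

def unwrap(text):
    """A line without a leading timestamp continues the previous entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STARTS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line  # no separator: the wrap fell inside a token
    return entries

def parse(text):
    """Return one dict per TCP firewall log entry that matches ENTRY."""
    return [m.groupdict() for m in map(ENTRY.match, unwrap(text)) if m]

def unanswered_syns(records, min_repeats=3):
    """Map (src, dst) -> gaps in seconds between repeated bare SYNs."""
    flows = defaultdict(list)
    for r in records:
        if r["flags"] == "SYN":
            h, m, s = map(int, r["time"].split(":"))
            flows[(r["src"], r["dst"])].append(h * 3600 + m * 60 + s)
    return {k: [b - a for a, b in zip(t, t[1:])]
            for k, t in flows.items() if len(t) >= min_repeats}

if __name__ == "__main__":
    for flow, gaps in unanswered_syns(parse(SAMPLE)).items():
        print(flow, gaps)
```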
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: NAT WebFig access

Tue Dec 29, 2015 10:15 pm

Why not just set the port in IP services instead of running it on a standard port but doing dstnat to bend the connections into that port? It seems to be a bit over-complicated.

Then you just put an input chain rule that allows dst-port=2443 from in-interface=wan

EDIT: Your log excerpt leads me to believe that you've got that same port mapped to 192.168.10.10 earlier in your dstnat chain....
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: NAT WebFig access

Tue Dec 29, 2015 10:35 pm

I have followed your suggestions and changed the WebFig port in services to just 443.
I have checked from the LAN and everything works fine on port 443.
I have disabled the NAT rule and added a new one in the firewall input filter:
;;; WinFig
chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=2443 log=yes log-prefix="WebFig-Firewall" 
but from outside, same result ;-( I can't get this service.

After that I can't see any logs with the prefix "WebFig-Firewall".

Regarding 192.168.10.10, please look at the logs and you will see not ...10.10, just 192.168.10.101; this address is first after my cable router with DMZ to all ports to the second MikroTik.

proto TCP (SYN), 31.61.141.158:1344->192.168.10.101:2443, len 52
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: NAT WebFig access

Tue Dec 29, 2015 11:12 pm

I didn't mean that you had to change to port 443......

In services, you can set the server to run on whatever port you like, even 2443.
/ip service set [ find where name=www-ssl ] port=2443
If you do that, then the ssl service is now running directly on 2443 without needing any NAT rules.
(disable any dstnat rules about the webfig port 2443 or 443)

Then your input rule that you posted should work properly. (note that it's still showing port 2443 in your reply)
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: NAT WebFig access

Tue Dec 29, 2015 11:56 pm

Thanks, I got your point ;-)

Now it is working ;-)
