Hello all,

I know that this port forwarding questions have been asked over and over again, but in 2 days I could not find the right answer nor managed to solve my issue. Here is the problem:
1. ether1 ( WAN ) has IP 192.168.0.20 and is connected to another router and goes to internet.
2. ether2 ( LAN ) has IP 192.168.1.1 and is connected to my PC that has IP 192.168.1.2

On my PC I am running web server with IP and port 192.168.1.2:8000. I need to access this web server from outside on port 81 like this 192.168.0.20:81 -> 192.168.2.2:8000.
All forwarding has been done as written in the wiki but is seems if the WAN port is different from the internal port the web server is not accessible. If I change the WAN port to be the same as the LAN, 8000, all works just fine and you can access the web server. I have no idea why and it seems I could not find any such problem that has been answered with a clear solution. Bellow is my full config and some other information. Any help is welcome because I kind of given up...
Using torch tool I can see that the 192.168.1.2:8000 send packets to 192.168.1.1:XXXX but in the browser when opening url http://192.168.0.20:81 I get the message "192.168.0.20 didn't send any data - ERR_EMPTY_RESPONSE"

And these entries in the log Best regards,
Koki

Please excuse my persistence as I did not get any replay I am just bumping this up. I just can't believe that any cheep home router can forward to different ports and mikrotik with all its millions options can not. Maybe there is a bug..?

Regards,
Koki

Forwarding ports to different ones is nothing, RouterOS can do that and much more. And your config looks ok, it should work.

You're testing from same LAN where server is, so normally I'd say you need hairpin NAT, but you effectively done that by your unconditional masquerade rule (which is generally wrong, because when you do it with remote internet clients, server won't be able to see their original addresses; but for your testing it helps). And if you really see something coming from 192.168.1.2:8000 to 192.168.1.1:XXXX, it means that dstnat was successful and communication works in both ways.

So it's probably something on web server, it may not like different port number or address than it's configured for (client sends request with header "Host: 192.168.0.20:81").

Thank you for your replay Sob. I was starting to think I will never get someones attention
Actually I am trying to access from different LAN. The WWW server is on 192.168.1.2:8000, and I am trying to access from subnet 192.168.0.X. , where the RB750 WAN is.
Here is a setup I tried.
- ROUTER ASUS RT-AC66U - WAN: PUBLIC IP > LAN : 192.168.0.0/24
- RB750 WAN port is connected to ASUS and has IP 192.168.0.20
- RB750 LAN is 192.168.1.0/24
- PC with WWW is on 192.168.1.2:8000 - no problems to access it directly from Chrome on the same PC or any other PC connected to 192.168.1.0/24 network
- Another PC connected directly to ASUS router network 192.168.0.0/24 . That PC has IP 192.168.0.208. It will not connect, no matter what settings I use on the DSTNAT rule. DST_IP, Interface no matter what....
I have reset the RB750 maybe 10 times for the last 3 days and reconfigured it. I have connected it directly to my ISP and tried all this but with my public IP. I have upgraded to the OS V6.43rc. It will not work, as long as the external port is different form the internal port. The moment I change the ext port to be the same as the inter. port ( 8000 ) it opens the WWW index without problems.
Maybe is some bug? It should work as per all the tutorials, but it does not. I will try another www server based on apache, lets see if it will wok with it...I am totally lost here...

Re.
Koki

I think your unconditional masquerade is doing it's job, it is masquerading the server output and changing the header to router IP, meaning the browser error is very clear as it did not get data from (..).20.

I have just tested with another web server ( apache ) and it worked just fine. It seems as Sob said my Abyss Web server is the reason. I cant believe I've just wasted 3 days of my life and did not tried another web server!?!?! Now I have to discover why Abyss is not working. Anyway, thanks for the help Sob, was your idea that tipped me that the server might be the problem.

Best regards,
Koki

@BRMateus2: It doesn't work like that. Any NAT doesn't just change all packets, it works with connections and for reply packets, source and destination addresses are correctly changed back to what was originally used. So when dstnat changes destination from WAN to LAN address, reply packet will have LAN address as source, but router will rewrite it back to WAN address when it sends it out to internet. Same for srcnat, outgoing connection from internal device will have it's LAN address as source, srcnat changes it to WAN address, but replies from internet servers coming to WAN address will be redirected back to internal device's LAN address.

@koki: Ooops, sorry, I mixed up the addresses. But in that case, you can fix your masquerade rule without any harm. Add out-interface=ether1 and it will only masquerade outgoing connections. Web server will then see original client addresses (now all clients look as if they come from 192.168.1.1).

@Sob, Yes I fixed that already and as per some mikrotik security experts is always good to set the src-address to your LAN network so the SRCNAT rules will look like this
Re.
Koki

It depends.

For srcnat, if it's supposed to be protection against bouncing spoofed packets from WAN back to internet, with your router as new source, it's not the best one. Such packets can easily have 192.168.1.x as source. It doesn't hurt, but I'd rather block them in "/ip firewall filter". Not that it would concern you much, when the router is behind NAT.

For dstnat, src-address=192.168.1.0/24 won't work well for connections from internet, unless your Asus router also has such broad masquerade as you had, which it most likely doesn't. And in-interface=WAN generally also isn't the best, because it breaks connections to public address from LAN (hairpin NAT). But again, not a problem in your case with router behind NAT. If you'd need that, either the Asus would do what's needed, or you'd need another dstnat rule anyway.

Many thanks for the information, I will not mishap next time as I didn't understand fully what was going on in an unconditional masquerade - I only use with configured out-interface-list, so thinking without that generated that big error of mine.

Good day @Sob!