sarantoo
just joined
Topic Author

[SOLVED] Unable to dstnat from port 80

Sun Nov 11, 2018 5:33 pm

Hi,

I can dstnat external traffic from ports other than port 80 to my Exchange Server, but I never succeed with port 80. I also tried setting MikroTik's webfig port to a port other than 80 so it won't conflict with this dstnat rule, but still without success.

My settings below do not work unless dst-port != 80:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=internet-gateway
add action=dst-nat chain=dstnat dst-port=80 in-interface=internet-gateway protocol=tcp to-addresses=192.168.52.194 to-ports=80

/ip service
set www disabled=yes

I'm using an RB850Gx2 and RouterOS 6.43.4.

Please advise.
Last edited by sarantoo on Tue Nov 13, 2018 9:26 am, edited 1 time in total.
 
evince
Member

Re: Unable to dstnat from port 80

Mon Nov 12, 2018 12:25 pm

Hello,

Be sure you do not have any firewall rule that drops forward traffic.
 
Jotne
Forum Guru

Re: Unable to dstnat from port 80

Mon Nov 12, 2018 2:44 pm

You have the wrong setup for the action. This should do:
/ip firewall nat
add action=netmap chain=dstnat dst-port=80 in-interface=internet-gateway protocol=tcp to-addresses=192.168.52.194 to-ports=80
 
anav
Forum Guru

Re: Unable to dstnat from port 80

Mon Nov 12, 2018 5:31 pm

Interesting suggestion. Let's look at the definitions:

Action to take if the packet is matched by the rule:
dst-nat - replaces the destination address and/or port of an IP packet with the values specified by the to-addresses and to-ports parameters
masquerade - replaces the source port of an IP packet with the one specified by the to-ports parameter and replaces the source address of an IP packet with the IP determined by the routing facility. It was designed for specific use in situations when the public IP can randomly change (AKA dynamic WAN IP)
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
src-nat - replaces the source address of an IP packet with the values specified by the to-addresses and to-ports parameters

I think dst-nat is the one that most closely applies to the OP's question.

Quick advice on optimal security: try to limit access to your port 80 server.
Do you know who requires access (by that I mean, do you have a list of external WAN IPs that need access)? If so, create a firewall address list and then reference the list in your DSTNAT rule under Advanced, Source Address List.

Another possibility would be to change the actual server port (for example choose 8181) and then write your rule like this:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface=internet-gateway action=dst-nat to-addresses=192.168.52.194 to-ports=8181

Another possibility, if you cannot change your server port, is to change your incoming port:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=8181 in-interface=internet-gateway action=dst-nat to-addresses=192.168.52.194 to-ports=80
In this case simply tell all external users to use port 8181 in their traffic.

I concur with the previous poster who indicated to look at your firewall rules.
One could also post their config for review.
 
Jotne
Forum Guru

Re: Unable to dstnat from port 80

Mon Nov 12, 2018 7:08 pm

@anav

You are 100% correct. My config did work and was just copied from some other working solution without investigating it.
Now that I read what you write and what others write, I do see that my setup was wrong, but it did work :)
Updated my setup....
 
sarantoo
just joined
Topic Author

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 6:21 am

Hi,

Many thanks for the input. Progress update after 2 days of searching:

* Tried action=netmap as per Jotne's suggestion but still got the same result.
* Tried enabling webfig on port 81 while also dstnatting on the same port 81; everything worked fine. This proves that the webfig port has nothing to do with dstnat.
* Set up a two-network lab test using a Tomato-based router. Every port, including port 80, can be forwarded from one network to the other as expected.
* Swapped out the MikroTik and replaced it with the Tomato router. Got the same result, i.e. every other port can be forwarded except port 80. This may prove that something is going on at the ISP side. However, their initial answer states that there are no port-blocking rules at their end.
* Will swap the MikroTik in for a lab test this evening and will post the result.

PS. The ISP vDSL modem is configured as a bridge with a static IP set on the MikroTik/Tomato.
 
sarantoo
just joined
Topic Author

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 6:40 am

@anav

The actual requirement for this is that we're going to use Letsencrypt for our Exchange Server's certificate, and by default letsencrypt-win-simple uses the http-01 validation method, called via standard port 80, to validate our domain ownership. There's another validation method that uses DNS (dns-01), but it still makes me wonder why I can't just forward port 80.
 
vecernik87
Forum Veteran

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 7:25 am

You can easily detect whether it is your ISP or not: set up the packet sniffer and filter on your WAN interface and port 80. Then try to reach it from the WAN. If you don't see incoming packets, most likely it really is the ISP. If you do see incoming packets, there are many possibilities for what could be wrong.

Generally, with the packet sniffer you can detect and solve almost any issue step by step, as long as you know how the packets are supposed to behave.

edit:
/tool sniffer quick ip-address=YOUR_PUBLIC_IP port=80
This is probably the fastest way for a first try.
 
Jotne
Forum Guru

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 7:56 am

This is fine to use to see if your port is open from the internet.
http://www.canyouseeme.org/
 
vecernik87
Forum Veteran

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 9:01 am

This is fine to use to see if you port is open from internet.
http://www.canyouseeme.org/
This has very limited use because it just attempts to establish a TCP connection and, unless it sees a response, it will show "port blocked". The thing is that it will not tell you (and it can't) why there was no response or what happened. The ISP may block it. The router may block it. The router may NAT it incorrectly. The router may forward it but the target device does not respond. The response may be blocked by the router. The response may be incorrectly NATted. The response may be blocked by the ISP. Etc., etc.

Packet sniffing directly on the router has the advantage that you can instantly see the packet as it flows through all interfaces and bridges. You can see every occurrence where it was received or transmitted. In the forwarding case, it commonly looks like this:
(packet comes to WAN) Eth1 RX -> Bridge-Lan TX -> Eth2 TX -> (then response comes back) -> Eth2 RX -> Bridge-Lan RX -> Eth1 TX
This example is obviously for a config where Eth1 is the WAN interface, Bridge-Lan is the LAN interface and Eth2 is a slave of Bridge-Lan.
If one or more steps are not visible, it clearly points to the step where the error occurred.
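An added example, not from this thread, that applies the packet-path check described here (and the sniffer approach from the earlier post) to a capture: given the records the router's sniffer reports for a TCP/80 flow, it finds the first expected hop that is missing and names what that gap usually means. Interface names (ether1 as WAN, bridge-lan, ether2 as the server port), the addresses and the capture records are all constructed for the example.

```python
from dataclasses import dataclass

# One forwarded TCP flow as laid out above, in order: interface, direction,
# which leg of the flow (request or reply), the address expected on that leg
# (dst for the request, src for the reply) and what its absence most likely
# means. Interface names (ether1 = WAN, bridge-lan, ether2 = server port) are assumed.
EXPECTED_PATH = [
    ("ether1", "rx", "req", "public", "nothing arrives on the WAN: upstream/ISP filtering or wrong public IP"),
    ("bridge-lan", "tx", "req", "server", "received but not forwarded: dst-nat rule not matched or forward-chain drop"),
    ("ether2", "tx", "req", "server", "bridge does not hand it to the server port: port membership or ARP problem"),
    ("ether2", "rx", "rep", "server", "server never answers: service down, host firewall or wrong server gateway"),
    ("bridge-lan", "rx", "rep", "server", "reply not accepted by the bridge"),
    ("ether1", "tx", "rep", "public", "reply not sent upstream: srcnat/masquerade or return route missing"),
]

@dataclass(frozen=True)
class Seen:  # one sniffer line: where the packet was seen and how it was addressed
    interface: str
    direction: str  # "rx" or "tx"
    src: str
    src_port: int
    dst: str
    dst_port: int

def first_missing_step(records, public_ip, server_ip, port=80):
    """Return (step_index, diagnosis) for the first expected step absent from the
    capture, or None when the whole round trip was observed."""
    want = {"public": public_ip, "server": server_ip}
    for i, (iface, direction, leg, which, why) in enumerate(EXPECTED_PATH):
        addr_of = (lambda r: r.dst) if leg == "req" else (lambda r: r.src)
        on_leg = [r for r in records if r.interface == iface and r.direction == direction
                  and (r.dst_port if leg == "req" else r.src_port) == port]
        if any(addr_of(r) == want[which] for r in on_leg):
            continue
        if on_leg:  # packet is there but carries the wrong address: NAT misapplied
            why = f"seen on {iface} {direction} but addressed {addr_of(on_leg[0])}, expected {want[which]}: NAT translation wrong"
        return i, why
    return None

# Constructed captures (not real sniffer output) for three outcomes.
PUBLIC, SERVER, CLIENT = "203.0.113.10", "192.168.52.194", "198.51.100.7"
ISP_BLOCKED = []  # what sarantoo finally saw: no TCP/80 packet on the WAN at all
NO_FORWARD = [Seen("ether1", "rx", CLIENT, 51000, PUBLIC, 80)]  # arrives, never forwarded
FULL_FLOW = NO_FORWARD + [
    Seen("bridge-lan", "tx", CLIENT, 51000, SERVER, 80),
    Seen("ether2", "tx", CLIENT, 51000, SERVER, 80),
    Seen("ether2", "rx", SERVER, 80, CLIENT, 51000),
    Seen("bridge-lan", "rx", SERVER, 80, CLIENT, 51000),
    Seen("ether1", "tx", PUBLIC, 80, CLIENT, 51000),
]
```

Running first_missing_step over ISP_BLOCKED returns step 0 (the ISP case), over NO_FORWARD step 1 (the router itself), and over FULL_FLOW None.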
 
sarantoo
just joined
Topic Author

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 9:12 am

Finally, case is closed.

After several hours of investigation, including a change of modem, they finally found the rule in their core network that blocks port 80 if the traffic does not originate from their own network. They said it had been there a long time for remote management of their routers. They removed the rule and everything is working as it should now.

Thanks for all your inputs!
 
sarantoo
just joined
Topic Author

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 9:25 am

@vecernik87

Yes, after using the packet sniffer as per your suggestion, it revealed there are no packets hitting the router on port 80 at all.
 
Jotne
Forum Guru

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 10:32 am

This has very limited use because ...
I do know this, but it's a quick test to see if your rule is OK or not.
You can try to open another port than 80, e.g. 22 to a Linux server.
If 22 is OK and 80 does not work, then you know there is some error on the outside.
Finally, case is closed.
Nice to see you found the problem, and that they fixed it.
Often you get to a big organisation and they do not know what you are asking about.
 
sarantoo
just joined
Topic Author

Re: Unable to dstnat from port 80

Tue Nov 13, 2018 11:28 am

Often you do get to a big organisation and they do not know what you are asking about.
Before they found the cause, the network engineer called me to confirm the appearance of our website, as he could access it from their network. At that moment I knew my setup had been OK all along. And that made them investigate further up with their core network team.
 
anav
Forum Guru

Re: [SOLVED] Unable to dstnat from port 80

Tue Nov 13, 2018 3:05 pm

Glad to hear it worked out.
 
JaZzSuperman
just joined

Re: [SOLVED] Unable to dstnat from port 80

Mon Feb 04, 2019 8:39 am

Hi

Is anyone having an issue with netmap on the new RouterOS 6.43.8?

I'm doing a dst-nat with netmap to 8.8.8.8, which worked fine in 6.43.4 and up, but has stopped working in 6.43.8 for some reason; traffic just seems to go past the rule and does not even hit it now.
