
Port Forwarding to Web on LAN of RB2011

Posted: Tue May 14, 2019 10:33 pm
by rghkeys
I have been using Mikrotik Routers for several years and have not experienced this issue yet.
Running 6.44.3
I have an embedded device that uses a web page for configuration and uses the standard Port 80.
Inside the LAN, I am able to enter the internal IP address and the login page appears.
I normally would use an alternate port outside on the WAN to access this webpage, i.e., Port 81 on the WAN side maps to Port 80 on the inside.
When I experienced the issue of the page not being accessed, I did a simple port forward Port 80 to Port 80 - it still could not be accessed.
I also tried different external Ports to be mapped back to the internal port 80 just for testing, still will not work.

I have several other devices that have port forwarding on this router and they work great. I have followed the same steps for this device and it will not work.

If this internal embedded device only has the correct IP address, but has an erroneous Gateway IP address, would that explain the device not connecting through the Router, while it does connect on the LAN? Not sure if this is the case yet.

If this is the case, is there a workaround to properly make this available on the WAN side, even temporarily?

The Mfg of the equipment needs to have direct access to this device for remote changes, after that happens, the port forward will be disabled.

Any other ideas?

Re: Port Forwarding to Web on LAN of RB2011

Posted: Wed May 15, 2019 2:19 pm
by mkx
If the device has an incorrect gateway, then it's quite understandable that communication with clients from other networks (including the internet) doesn't work.
Another possibility is that the device has some kind of firewall blocking access from clients outside its own subnet (less likely).

Both problems can be worked around by constructing another src-nat rule:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=<LAN IP of the gadget> \
    comment="masquerade connections towards misconfigured device"

The rule above will change src-address to its own so the device will see connections as if originating from the router itself ... which should work around both above-mentioned issues. I'm using action=masquerade, but action=src-nat to-addresses=<router's LAN IP address> would do the same (some would prefer it so).

The rule above will masquerade src-address for all connections going through the router (either from WAN or from some other LAN subnet), including connections that might get initiated from devices in the same subnet but connecting to the router's WAN address (and mapped port) - the so-called hair-pin NAT.
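
A narrower variant of the workaround above, as an added example that is not part of the original thread: the port forward and the masquerade are limited to the manufacturer's source address and to the web port, logged, and tagged so they can be disabled together afterwards. The interface name and all three IP addresses are constructed placeholders; port 81 is the example mapping from the first post.

```routeros
# Constructed values (assumptions, not taken from the thread):
#   ether1         = WAN interface of the router
#   192.168.88.50  = LAN IP of the embedded device
#   203.0.113.10   = public source address the manufacturer connects from
/ip firewall nat

# 1) Port forward: WAN tcp/81 -> device tcp/80, accepted only from the
#    manufacturer's address. Every new connection that matches is logged.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=81 \
    src-address=203.0.113.10 to-addresses=192.168.88.50 to-ports=80 \
    log=yes log-prefix="vendor-web" \
    comment="TEMP: vendor access to embedded device"

# 2) Source NAT towards the device, scoped to the forwarded traffic only.
#    srcnat is evaluated after dstnat, so dst-address/dst-port are already
#    the device's LAN IP and port 80 here, while src-address is still the
#    manufacturer's original address.
add chain=srcnat action=masquerade protocol=tcp src-address=203.0.113.10 \
    dst-address=192.168.88.50 dst-port=80 \
    comment="TEMP: masquerade towards misconfigured device"

# 3) When the manufacturer has finished, disable both rules in one step.
/ip firewall nat disable [find comment~"^TEMP:"]
```

With the source address rewritten, the device's own access log shows the router's LAN address for every remote session, so the router log (prefix `vendor-web`) is the record of who actually connected.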

Re: Port Forwarding to Web on LAN of RB2011

Posted: Fri May 24, 2019 1:17 am
by rghkeys
Just a follow up, I tried to reply shortly after your answer was posted, but the Forum was down.
Your answer did work!