fbitterlich
just joined
Topic Author
Posts: 7
Joined: Wed Apr 27, 2022 7:21 pm

NAT (dstnat) for port 443 - port changing?

Wed Apr 27, 2022 7:33 pm

I'm using my hAP (RouterOS 6.49.6) to protect a single web server, using dstnat forwarding only traffic on ports 80 and 443. Port 80 works as expected, however connections over https (port 443) fail on the client side (curl says "SSL23_GET_SERVER_HELLO:unknown protocol"). Some quick research shows that this can happen if the incoming connection at the webserver is on a port other than 443. So I suspect that somehow the connection to x.x.x.x:443 is landing at a different port on the webserver.

My NAT rules are pretty simple:
/ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=80 protocol=tcp dst-address=x.x.x.x dst-port=80 log=no 
      log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=443 protocol=tcp dst-address=x.x.x.x dst-port=443 log=no 
      log-prefix="" 
(x.x.x.x is the public WAN address of the hAP, and y.y.y.y the internal address of the webserver on the LAN interface.)

Unfortunately, the Torch tool does not show anything about how the traffic is "translated" by dstnat, what the final destination port is and such.

Any ideas what could be going on here or how to debug this?
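As an added example (not part of the thread or of RouterOS), the following Python script parses the `/ip firewall nat print` output shown above and checks every dstnat rule for the thing the post suspects: a `dst-port` that does not match `to-ports`, or a rule that is disabled (flag `X`) and therefore never matches. The sample input reuses the two rules from the post (with `x.x.x.x` and `y.y.y.y` left as placeholders) plus a constructed third rule that is disabled and translates 8443 to 443, so the check has something to report. The script relies on RouterOS behaviour that a dst-nat rule without `to-ports` leaves the port unchanged.

```python
"""Parse RouterOS '/ip firewall nat print' output and check dstnat port translation."""
import re
from dataclasses import dataclass

# Constructed sample: the two rules from the post, plus a constructed third rule
# (disabled, translating 8443 -> 443) to exercise the checks.
SAMPLE = """\
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=80 protocol=tcp dst-address=x.x.x.x dst-port=80 log=no
      log-prefix=""

 2    chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=443 protocol=tcp dst-address=x.x.x.x dst-port=443 log=no
      log-prefix=""

 3 X  chain=dstnat action=dst-nat to-addresses=y.y.y.y to-ports=443 protocol=tcp dst-address=x.x.x.x dst-port=8443 log=no
      log-prefix=""
"""


@dataclass
class NatRule:
    index: int
    flags: str          # e.g. "X" for a disabled rule, "" when none
    comment: str        # text after ';;;', "" when absent
    attrs: dict         # key=value pairs from the rule and its continuation lines


# A rule header line: index, optional flag letters, then a comment or attributes.
RULE_RE = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")
# key=value tokens; values are either double-quoted or a run of non-space characters.
ATTR_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_attrs(text):
    """Turn 'chain=dstnat to-ports=443 log-prefix=""' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in ATTR_RE.findall(text)}


def parse_nat_print(output):
    """Parse the print output, joining continuation lines onto the rule they belong to."""
    rules = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("/") or line.startswith("Flags:"):
            continue
        m = RULE_RE.match(line)
        if m and not line.startswith(" " * 6):      # header lines start with the index
            index, flags, rest = int(m.group(1)), m.group(2), m.group(3)
            rule = NatRule(index=index, flags=flags, comment="", attrs={})
            if rest.startswith(";;;"):
                rule.comment = rest[3:].strip()
            else:
                rule.attrs.update(parse_attrs(rest))
            rules.append(rule)
        elif rules:                                  # continuation line of the current rule
            rules[-1].attrs.update(parse_attrs(line))
    return rules


def check_dstnat(rules):
    """Report dstnat rules that are disabled or that change the port during translation."""
    findings = []
    for r in rules:
        if r.attrs.get("chain") != "dstnat":
            continue
        if "X" in r.flags:
            findings.append(f"rule {r.index}: disabled (flag X), it never matches")
        dst_port = r.attrs.get("dst-port")
        # RouterOS leaves the port unchanged when to-ports is not set.
        to_ports = r.attrs.get("to-ports", dst_port)
        if dst_port and to_ports != dst_port:
            findings.append(f"rule {r.index}: port changes in translation: {dst_port} -> {to_ports}")
    return findings


if __name__ == "__main__":
    parsed = parse_nat_print(SAMPLE)
    for r in parsed:
        if r.attrs.get("chain") == "dstnat":
            print(f"rule {r.index}: {r.attrs.get('dst-address')}:{r.attrs.get('dst-port')}"
                  f" -> {r.attrs.get('to-addresses')}:{r.attrs.get('to-ports', r.attrs.get('dst-port'))}")
    for f in check_dstnat(parsed):
        print("WARNING:", f)
```

For the two rules in the post the check reports nothing, which is consistent with the rules themselves mapping 443 to 443; a port change would then have to come from somewhere other than these dstnat entries.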
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT (dstnat) for port 443 - port changing?

Wed Apr 27, 2022 7:46 pm

Result of
/ip service export
?
