Warrentyexpired
just joined
Topic Author
Posts: 4
Joined: Tue Feb 28, 2023 10:51 pm

Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Wed Mar 01, 2023 4:49 pm

Here is my setup. I have a Netgear cable modem connected to ethernet port 1 of my MikroTik hAP ac2 router. That then goes from ethernet port 2 to a Netgear unmanaged switch. From the switch it branches off to my AP, my TV, and my home server. Here is my hAP ac2 config. It's basically just the default config.
# feb/28/2023 14:26:05 by RouterOS 6.49.7
# software id = TPJJ-GKHK
#
# model = RBD52G-5HacD2HnD
# serial number = HD20xxxxx
/interface bridge
add admin-mac=18:FD:74:8F:0F:EF auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=NachoWifiSucker \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=NachoWifiSucker5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=<PASSWORD>
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=\
    ff:d4:f5:37:c5:0:1:0:1:2b:26:27:0:fc:4d:d4:f5:37:c5 mac-address=\
    FC:4D:D4:F5:37:C5 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
My server is running various services like Proxmox, Nextcloud, PhotoPrism, and an Nginx reverse proxy. I would like to be able to access Nextcloud and PhotoPrism from the internet. I have my own Google domain that is pointing to my public IP address. I can ping my domain and it's resolving to my public IP address. Now I need help forwarding traffic to the Nginx reverse proxy, which I'm assuming means I need to forward ports 80 and 443 to the machine running the reverse proxy. I had this all set up and running properly on a DigitalOcean droplet VPS to test setting it up outside my home network.

I need some guidance on what to do next. I've done port forwarding before, but not on a router this sophisticated.
Last edited by BartoszP on Wed Mar 01, 2023 7:19 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
baragoon
Member
Posts: 306
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Wed Mar 01, 2023 8:54 pm

/ip firewall nat add action=dst-nat chain=dstnat dst-address=WAN_IP dst-port=80,443 protocol=tcp to-addresses=LAN_SERVER_IP
 
Warrentyexpired
just joined
Topic Author
Posts: 4
Joined: Tue Feb 28, 2023 10:51 pm

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Wed Mar 01, 2023 9:26 pm

I don't have a static public IP address though. It changes every once in a while (months sometimes). Will I need to re-run the command every time it changes? Also, will forwarding 80 and 443 interfere with any other devices on my network? I don't think it should, I just wanna make sure it's not gonna mess with my wife's work laptop and their VPN.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Wed Mar 01, 2023 9:41 pm

It is fine to have DST NAT set up like this:
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=80,443 protocol=tcp to-addresses=LAN_SERVER_IP
WAN interface list is already used in firewall and NAT rules.

This setup has a gotcha: it doesn't work if you want to connect to the WAN IP address (and have DST NAT working) from within the LAN. Neither does the rule by @baragoon on its own (it needs another SRC-NAT rule), but the rule in my post can't be used in this case.

If the DST-NAT rule is done properly (i.e. it's not greedy, thanks to properly set dst-address, in-interface or other selector properties), then it won't interfere with other traffic (e.g. access to web pages on the internet from the LAN).
 
Warrentyexpired
just joined
Topic Author
Posts: 4
Joined: Tue Feb 28, 2023 10:51 pm

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Thu Mar 02, 2023 2:12 pm

> This setup has a gotcha: it doesn't work if you want to connect to WAN IP address (and have DST NAT working) from within LAN. Neither does the rule by @baragoon on its own (it needs another SRC-NAT rule), but the rule in my post can't be used in this case.

I'm gonna assume this is when to use a hairpin NAT? I followed a YouTube video that had me make an address list for LAN and WAN, then set up port forwarding and a hairpin NAT, and that worked with opening a test port 9000. I can access it via the internet and the internal network.

> If DST-NAT rule is done properly (i.e. it's not greedy due to properly set dst-address or in-interface or some other selector properties), then it won't interfere with other traffic (e.g. access to web pages on internet from LAN).

If you wouldn't mind, could you explain what you mean by "not greedy"?

This is what I did and got working for port 9000. I have it disabled at the moment because it was just for testing.
add action=dst-nat chain=dstnat comment="Open Port 9000" disabled=yes \
    dst-address-list=WAN dst-port=9000 protocol=tcp to-addresses=\
    192.168.88.102 to-ports=9000
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Thu Mar 02, 2023 4:37 pm

> This setup has a gotcha: it doesn't work if you want to connect to WAN IP address (and have DST NAT working) from within LAN. Neither does the rule by @baragoon on its own (it needs another SRC-NAT rule), but the rule in my post can't be used in this case.
> I'm gonna assume this is when to use a hairpin nat? I followed a youtube video that had me make an address list for LAN and WAN then set up port forwarding and a hairpin nat and that worked with opening a test 9000 port. I can access it via internet and internal network.

I was commenting on my own config example ... which avoids setting the WAN IP address (you're saying it's dynamic, albeit with a low rate of change) but comes with the mentioned gotcha, which indeed is about hairpin NAT.

> If DST-NAT rule is done properly (i.e. it's not greedy due to properly set dst-address or in-interface or some other selector properties), then it won't interfere with other traffic (e.g. access to web pages on internet from LAN).
> If you wouldn't mind could you explain what you mean by "not greedy"

Taking your rule and making it greedy ... I also changed the port to a very well known one to make the point:
add action=dst-nat chain=dstnat comment="Open Port 443" dst-port=443 protocol=tcp to-addresses=192.168.88.102
It will affect every connection which targets port 443 (HTTPS) regardless of the DST IP address ... which means all internet servers as well. And that's what I call a "greedy" rule.
You may get away with a greedy rule for a non-standard port (e.g. 9000) because LAN users normally won't try to access that port on the WAN side. But if they do, they'll have problems with that particular WAN server, and it would not be trivial to pinpoint the problem as being caused by the DST NAT rule ...

So yes, your example is "not greedy" ... but it has the problem that you have to maintain the "WAN" address list. If you can do it automatically (e.g. a script run by the scheduler every 2 minutes which takes the actual WAN IP address and adds it to the WAN address list with a timeout of, say, 10 minutes so that obsolete entries get removed automatically) that's fine; it would get stale if you had to update it manually. So if you update the WAN address list automatically, this is IMO a fine solution and makes it pretty easy to implement hairpin NAT.
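One way to put together what mkx describes here and in the earlier post (the scheduled WAN-list refresh, the non-greedy DST-NAT keyed on that list, and the extra SRC-NAT rule for hairpin access) as an added example; this is not code from the thread, and the script name, the 2 m / 10 m timers, and the use of the ether1 DHCP client as the source of the WAN address are assumptions:

```routeros
# Script body: save as /system script name=update-wan-list (name is an assumption).
# It reads the address the DHCP client obtained on ether1 and keeps it in the
# "WAN" address list with a 10 minute timeout, so a stale entry expires on its own.
:local wanIf "ether1"
:local wanIp [/ip dhcp-client get [find interface=$wanIf] address]
:if ([:len $wanIp] = 0) do={ :error "no DHCP lease on $wanIf" }
# the DHCP client reports "a.b.c.d/len"; strip the prefix length to get a host entry
:set wanIp [:pick $wanIp 0 [:find $wanIp "/"]]
:if ([:len [/ip firewall address-list find list="WAN" address=$wanIp]] = 0) do={
    /ip firewall address-list add list="WAN" address=$wanIp timeout=10m comment="auto"
} else={
    # entry already present: refresh its timeout so it does not expire
    /ip firewall address-list set [/ip firewall address-list find list="WAN" \
        address=$wanIp] timeout=10m
}

# Scheduler: run the script every 2 minutes, well inside the 10 minute timeout,
# so the list only ever holds the current WAN address.
/system scheduler add name=update-wan-list interval=2m on-event=update-wan-list

# Firewall NAT: the non-greedy DST-NAT (only traffic addressed to our own WAN IP
# is redirected, so LAN clients reaching other HTTPS servers are untouched),
# plus the hairpin SRC-NAT so LAN clients connecting via the WAN IP get replies
# back through the router instead of directly from the server.
/ip firewall nat
add action=dst-nat chain=dstnat comment="proxy: 80/443 to Nginx" \
    dst-address-list=WAN dst-port=80,443 protocol=tcp to-addresses=192.168.88.102
add action=masquerade chain=srcnat comment="hairpin NAT for LAN clients" \
    src-address=192.168.88.0/24 dst-address=192.168.88.102 dst-port=80,443 \
    protocol=tcp
```

Check the result with /ip firewall address-list print (the entry should show a shrinking timeout that resets every 2 minutes) and /ip firewall nat print stats to confirm only the intended connections hit the DST-NAT rule.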
 
Warrentyexpired
just joined
Topic Author
Posts: 4
Joined: Tue Feb 28, 2023 10:51 pm

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Sat Mar 04, 2023 6:50 pm

Thanks for the help mkx! I have forwarding working and my reverse proxy is doing its thing. It's been running for 2 days with no issues with any other device on my network. Next step is to figure out how to script adding the WAN address to the address list when it eventually changes. Thanks again!
 
baragoon
Member
Posts: 306
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Fairly fresh setup. Need help forwarding ports to a reverse proxy.

Sat Mar 04, 2023 7:53 pm

Enable IP Cloud and add your xxxxxxx.sn.mynetname.net name to the address list.
