letnab
just joined
Topic Author
Posts: 1
Joined: Sat Oct 28, 2017 10:13 am

Port forwarding

Sat Oct 28, 2017 10:26 am

Hi all.
I am trying to forward port 80 to an internal server.
To start, I tried this command:
ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80
but it does not work.
After that I tried to add the rule using WinBox, but it does not work either.

Firewall rules:
[admin@MikroTik] > /ip firewall export
# oct/28/2017 10:01:44 by RouterOS 6.35
# software id = 356A-NAW9
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.1.0/24
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp to-addresses=192.168.1.12 to-ports=3389
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.12 to-ports=3389
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80

For the interface version:
[admin@MikroTik] > /ip firewall export
# oct/28/2017 10:01:44 by RouterOS 6.35
# software id = 356A-NAW9
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.1.0/24
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp to-addresses=192.168.1.12 to-ports=3389
add action=netmap chain=dstnat dst-port=3389 in-interface=beeline protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.12 to-ports=3389
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=netmap chain=dstnat in-interface=beeline dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80

RDP is working fine. HTTP is not working.
Why is this happening? What am I doing wrong?
 
evince
Member
Posts: 331
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg

Re: Port forwarding

Mon Oct 30, 2017 11:58 am

Hello, check if HTTP server is not running on your board: /ip service
 
Falklan
newbie
Posts: 25
Joined: Tue Aug 08, 2017 3:15 pm
Location: Louisiana

Re: Port forwarding

Thu Nov 02, 2017 11:12 am

I presume this is what you are attempting.

https://wiki.mikrotik.com/wiki/Hairpin_NAT
 
Anumrak
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Port forwarding

Fri Nov 03, 2017 9:16 am

If in this rule ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80, the xx.xx.xx.xx is the global IP and you want to access the server from outside, then you are doing all right. If you want to access this server from the inside, then you need to manage Hairpin NAT.
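
The difference between outside and inside access can be traced against the NAT rules from the first post. The following is an added example, not code from any poster or from MikroTik: a simplified first-match model of the dstnat and srcnat chains. The public address `203.0.113.10`, the client addresses, and the LAN interface name `bridge-local` are constructed assumptions.

```python
import ipaddress

# NAT rules from the first post's export (subset); 203.0.113.10 is a constructed stand-in for xx.xx.xx.xx.
EXPORT = """\
add action=masquerade chain=srcnat out-interface=beeline src-address=192.168.1.0/24
add chain=srcnat
add action=src-nat chain=srcnat dst-address=192.168.1.12 dst-port=3389 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80 protocol=tcp to-addresses=192.168.1.29 to-ports=80
"""
LAN = ipaddress.ip_network("192.168.1.0/24")

def parse(export):
    rules = [dict(tok.split("=", 1) for tok in line.split()[1:]) for line in export.splitlines()]
    for rule in rules:
        rule.setdefault("action", "accept")  # export omits the default action
    return rules

def matches(rule, pkt):
    for key in ("in-interface", "out-interface", "protocol", "dst-port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src-address", "dst-address"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return True

def first_match(rules, chain, pkt):
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def trace(rules, pkt):
    """Return (destination after dstnat, action of the first matching srcnat rule)."""
    pkt = dict(pkt)
    hit = first_match(rules, "dstnat", pkt)
    if hit and hit["action"] in ("dst-nat", "netmap"):
        pkt["dst-address"] = hit["to-addresses"]
    # assumed routing: LAN destinations leave via the bridge, the rest via beeline
    pkt["out-interface"] = "bridge-local" if ipaddress.ip_address(pkt["dst-address"]) in LAN else "beeline"
    hit = first_match(rules, "srcnat", pkt)
    return pkt["dst-address"], hit["action"] if hit else "none"

def hairpin_ok(rules, pkt):
    """False when client and server share the LAN but the source is not rewritten."""
    dst, snat = trace(rules, pkt)
    same_lan = all(ipaddress.ip_address(a) in LAN for a in (pkt["src-address"], dst))
    return not same_lan or snat in ("masquerade", "src-nat")

RULES = parse(EXPORT)
WAN_CLIENT = {"in-interface": "beeline", "src-address": "198.51.100.7", "dst-address": "203.0.113.10", "protocol": "tcp", "dst-port": "80"}
LAN_CLIENT = dict(WAN_CLIENT, **{"in-interface": "bridge-local", "src-address": "192.168.1.50"})
```

`hairpin_ok(RULES, WAN_CLIENT)` is true, while `hairpin_ok(RULES, LAN_CLIENT)` is false: the LAN client's source address is left untouched, so the server answers it directly and the reply does not come from the address the client connected to. The matcher-less `add chain=srcnat` rule also matches first for LAN traffic to 192.168.1.12:3389, so the `src-nat` rule exported after it is never reached.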
 
krunical
just joined
Posts: 8
Joined: Thu Nov 06, 2014 10:57 am
Location: South Africa

Re: Port forwarding

Mon Nov 06, 2017 4:53 pm

If in this rule ip firewall nat add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.29 to-ports=80, the xx.xx.xx.xx is the global IP and you want to access the server from outside, then you are doing all right. If you want to access this server from the inside, then you need to manage Hairpin NAT.
Agreed with Anumrak

If it has been overlooked, I'd also confirm the IP you are trying to access on the WAN side is publicly routable.
There's no place like 127.0.0.1
 
giorgiop
newbie
Posts: 25
Joined: Tue Oct 17, 2017 8:58 pm
Location: Chania, Crete, Greece

Re: Port forwarding

Wed Nov 08, 2017 7:32 pm

Wouldn't something like the following work?
add chain=dstnat action=dst-nat to-addresses=192.168.1.29 to-ports=80 protocol=tcp dst-port=80 in-interface=beeline ?

I tried a while ago redirecting the requests to my MT (testing some FW rules) and managed to see the login although I asked for a different page.
