dabardabar (topic author)

Accessing a server from outside network

Wed Sep 29, 2021 2:09 pm

Hello, I am stuck with something that I assume is trivial and has been asked and done a million times, but I just have no luck doing it.

I would like to access my server at 192.168.88.200 from external networks - i.e. enable traffic on port 80.

I keep trying various combinations, but I have no idea what I am doing wrong.

The port 80 is not blocked by the ISP.

I have (temporarily, for testing purposes) disabled Firewall on the server.

I keep messing around with NAT rules, but none show any progress, and occasionally I lock myself out of the router and can't access 192.168.88.1 anymore, for example after this command:
/ip firewall nat add protocol=tcp dst-port=80 chain=dstnat action=dst-nat to-addresses=192.168.88.200 to-ports=80
Out of curiosity, what happens after configuring it like that, why can't I access the interface anymore? I am assuming that it's because it runs on port 80, and I am redirecting that traffic away from it to my server, but there is no return information coming from the server, so I don't see anything in my browser?

I have checked a dozen forum topics, some saying that they can access their servers from external networks, but not from internal (so they need a NAT hairpin).
Others are saying that they can enter their public IP from external network, but it's taking them to router login (which is fine too, at least some progress, but I can't even accomplish that).

What I have currently tried is also disabling any firewall rule with "drop" action, just to let all packets in (for testing purposes only), and also adding a NAT entry, but no joy, whatever I do.

FWIW, when I try and access 192.168.88.200 (the server) from the local network, it works, so I don't think it to be the culprit.

Any guidance, what should be my next step? I am guessing it's something rather trivial, but I have no idea what?

Here is the firewall configuration log:
[admin@MikroTik] > /ip firewall 
[admin@MikroTik] /ip firewall> filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2 X  ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

 5 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack 
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

10 X  ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

11 X  ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
      
      
[admin@MikroTik] /ip firewall> nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=dstnat action=accept protocol=tcp dst-address=192.168.88.200 dst-port=80 log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 2:13 pm

/export hide-sensitive file=anynameyouwish
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 2:26 pm

Here it is :)
[admin@MikroTik] > /export hide-sensitive 
# sep/29/2021 13:25:39 by RouterOS 6.48.4
# software id = D2TR-90EF
#
# model = RB2011UiAS-2HnD
# serial number = D5AB0C82D46C
/interface bridge
add admin-mac=48:8F:5A:9C:A5:BC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=NetworkProfil supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=NetworkProfil ssid=".: Network 2.4 GHz :." wireless-protocol=\
    802.11
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=accept chain=dstnat dst-address=192.168.88.200 dst-port=80 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 2:37 pm

(1) Why are these two rules disabled??
Especially the second rule, which prevents anyone from the internet accessing your LAN. TURN IT ON!!!!! DANGER!!!!

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

(2) Your destination NAT rule is in the totally wrong format. The action is dst-nat, NOT accept (accept is used in firewall filter rules); further, the rule requires identifying the incoming interface, either by in-interface (dynamic WAN IP) or by the dst-address (if you have a static WAN IP). The to-addresses portion is for the server IP on the LAN.
/ip firewall nat
add action=accept chain=dstnat dst-address=192.168.88.200 dst-port=80 protocol=tcp

TO
/ip firewall nat
add action=dst-nat chain=dstnat comment="port forward for server" dst-port=80 protocol=tcp \
    in-interface-list=WAN to-addresses=192.168.88.200
(note: to-ports is not needed if it is the same as dst-port)
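As an added example (this is not from anav's post or anywhere else in the thread), here is that port forward together with the forward-chain filter rules that limit what the forward actually exposes. It assumes the default configuration exported in the thread (interface lists WAN = ether1 and LAN = bridge, the defconf forward rules with their original comments) and the web server at 192.168.88.200:80. The in-interface-list=WAN match is also what avoids the lockout described in the first post: a dstnat rule that matches only on dst-port=80 rewrites LAN clients' connections to the router's own WebFig at 192.168.88.1:80 as well.

```routeros
# Added example, not from the thread. Assumes the defconf interface lists
# (WAN = ether1, LAN = bridge) and the web server at 192.168.88.200:80.

/ip firewall nat
# Only traffic arriving on an interface in the WAN list is rewritten. Without
# in-interface-list the rule also catches LAN clients talking to the router's
# own WebFig on 192.168.88.1:80, which is how the first post locked itself out.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface-list=WAN to-addresses=192.168.88.200 \
    comment="port forward for server"

/ip firewall filter
# defconf only drops new WAN connections that were NOT dst-natted; anything that
# was dst-natted falls through to the implicit accept at the end of the forward
# chain. Accept exactly the forwarded flow, then drop every other new
# connection from WAN, so a dstnat rule added by mistake later cannot open
# more than intended.
add chain=forward action=accept comment="allow forwarded http to server" \
    connection-state=new connection-nat-state=dstnat in-interface-list=WAN \
    protocol=tcp dst-address=192.168.88.200 dst-port=80 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop comment="drop every other new connection from WAN" \
    connection-state=new in-interface-list=WAN

# Check the result and watch the counters while testing from outside:
/ip firewall nat print stats where comment="port forward for server"
/ip firewall filter print stats where chain=forward
```

The explicit drop at the end of the forward chain is the part the default configuration lacks: with it, the only thing a new connection from the internet can ever reach is the one address and port named in the accept rule, whatever the NAT table says.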
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 3:35 pm

Thanks for the warnings. As I said, I only tried turning them off as part of testing to see if it would change anything; they are now back on.

About the destination rule, I took that command from somewhere on the forums.

I removed that rule now.

I have now tried entering your command, but still have no luck accessing anything:

The command I used is:
/ip firewall nat add action=dst-nat chain=dstnat comment="port forward for server" dst-port=80 protocol=tcp in-interface-list=WAN to-addresses=192.168.88.200 
Btw, I have a dynamic IP, but I don't think it matters as I am trying with my current ip (from what's my ip)?

Current configuration is:
# sep/29/2021 14:33:54 by RouterOS 6.48.4
# software id = D2TR-90EF
#
# model = RB2011UiAS-2HnD
# serial number = D5AB0C82D46C
/interface bridge
add admin-mac=48:8F:5A:9C:A5:BC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=NetworkProfil supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=NetworkProfil ssid=".: Network 2.4 GHz :." wireless-protocol=\
    802.11
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="port forward for server" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.200
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1
 
erlinden (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 3:38 pm

If you don't have NAT loopback configured, port forwarding will be only testable from outside of your network.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 3:41 pm

Yeah, I thought that might be an issue. I am testing it from my cellphone using mobile data, but still no joy, unfortunately.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 3:43 pm

Btw to add, is there a way to check if the Mikrotik router even receives the request?

There is an ISP's bridged router in between, maybe it is the one causing the issue?

Although, if it is bridged, then it should pass all data through, correct?
 
erlinden (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 3:43 pm

If you activate logging on that rule, does it get hit?

Make sure your ISP is not blocking any TCP traffic to port 80. Are you sure that a service is running (can you browse to http://192.168.88.200)?
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 4:05 pm

Yes, bridge mode usually means it's transparent and only acting as a modem.
Just to be sure check your WANIP in the IP DHCP Client settings and compare to your IP CLOUD address ( or whats my IP in the browser).
If they are the same, then its a good bridge setup.

If not, perhaps you are getting a private IP and not a bridge, and then you have double NAT and have to access the ISP router to do the port forwarding to your router.
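As an added example (not from the thread), the commands that turn erlinden's "does the rule get hit?" and anav's "compare the WAN IP with the public IP" into something you can run on the router. It assumes the port forward rule commented "port forward for server" from the thread, ether1 as the WAN interface and the server at 192.168.88.200:80; the log prefix pf80: is an arbitrary choice.

```routeros
# Added example, not from the thread. Assumes the nat rule commented
# "port forward for server", ether1 as WAN and the server at 192.168.88.200:80.

# 1. Log every hit on the port forward, then connect from a phone on mobile
#    data and look for the prefix.
/ip firewall nat set [find comment="port forward for server"] log=yes log-prefix="pf80:"
/log print where message~"pf80:"
# A logged line showing in:ether1 and proto TCP (SYN) proves the packet reached
# this router. No line at all means it was dropped before it got here (ISP
# router, CGNAT, ISP filtering), so changing rules on this router cannot help.
# Turn the logging off again afterwards:
/ip firewall nat set [find comment="port forward for server"] log=no

# 2. Does the address on ether1 match the address the internet sees?
/ip dhcp-client print detail where interface=ether1
/ip cloud print
# (/ip cloud only reports public-address when ddns-enabled=yes; a what-is-my-IP
# page opened from a LAN browser shows the same thing.)
# RFC 1918 space on ether1 (10/8, 172.16/12, 192.168/16) means the ISP router
# is doing NAT in front of this one: double NAT, so the ISP router has to
# forward port 80 to the address shown here, not to the server.
# 100.64.0.0/10 on ether1 means carrier-grade NAT: no port forward on any
# router you control will help until the ISP gives you a public address.

# 3. Once it works, confirm the translation end to end:
/ip firewall connection print where dst-address~"192.168.88.200:80"
# reply-dst-address in that entry is the address the client actually hit.
```

Step 1 is the one to do first: it tells you within a minute whether the problem is on this router at all, which is exactly what this thread spent most of its posts finding out.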
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 4:10 pm

Anav I think you are onto something here, I think I am getting a private IP.
[attachment: Screenshot 2021-09-29 at 15.08.06.png]
The ISP router (gateway) is at 192.168.178.1

So, what are the next steps to get a public IP there? :D

Does it maybe mean that the ISP router is not in bridge mode correctly?

Btw, I also had a call with the ISP customer support 2 days ago and told them to remove me from CG NAT in case that matters, having read in a lot of places that it could also be one of the culprits.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 4:12 pm

If you activate logging on that rule, does it get hit?

Make sure your ISP is not blocking any TCP traffic to port 80. Are you sure that a service is running (can you browse to http://192.168.88.200)?
I am not too competent with any logging but I will try to find out :)

About the ISP, I have checked with them and they said all ports are open.

About the service, yes, http://192.168.88.200 is accessible from LAN
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 4:43 pm

Okay, so you need to do this:
go to the port forward part of the ISP router,
forward the port required and use the WAN IP of your router as the IP that the ISP router is going to forward that traffic to.
Then the settings on your router will work.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 6:07 pm

Ding ding ding, we have a winner! :D

You did it again, thank you!

I have an option in port forwarding section of the router to choose a connected device and define enabled ports for it (or expose it entirely).

Now I did that, and it works.

I must admit I had thought of that, but I had also thought that it would apply only when the router is not in bridged mode, so when the computers are connected directly to it.

Is it normal that it still blocks ports while in bridge mode until explicitly allowed, or is it maybe specific to my ISP router model?

Btw another question, when I try accessing the public IP from the LAN, it also works as expected (shows the server).

I had a feeling that it would be showing the Mikrotik's login page and that I would have to also follow some tutorial to create hairpin NAT.

In what scenario would that be required then and why did most of the people have to do it, whereas I do not (or so it seems at least)?

(I hope you don't mind me asking, it's just I'd love to know more about all this :) )
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 6:14 pm

Just to be clear, you use the WAN IP to access the server and the server responds appropriately, or is it just visible??
Yes, I am surprised that it would work, if you can.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 6:50 pm

Yeah, exactly.

So, I go to What's My IP and get the public IP value.

If I enter that IP in browser on cellphone on another network (mobile network), it opens the homepage on the server and everything works (I can use it)

Also, if I enter that public IP in the browser of a computer on LAN, it again opens the homepage on the server, just as if I had entered 192.168.88.200.
-> I was expecting this scenario to open the mikrotik login page, but it opens the homepage as well for some reason

So, what does that all mean? :D
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 6:56 pm

Very strange. I'm sure there is a viable explanation, but it escapes me at the moment.
Probably something to do with the fact that the public IP is not on the MT router but on the ISP router...........

In other words, the external WANIP of the router is not the same WANIP the lan user is trying to reach.
(both the WAN interface and LAN interface are not on the same router so to speak)
 
dabardabar (topic author)

Re: Accessing a server from outside network

Wed Sep 29, 2021 8:18 pm

Yeah, unfortunately I know even less :)

Anyway, I will try and use it and see how it behaves, I hope everything will be fine from now on :)

I assume this strange behaviour is no cause for alarm?
 
anav (Forum Guru)

Re: Accessing a server from outside network

Wed Sep 29, 2021 10:52 pm

Yeah, unfortunately I know even less :)

Anyway, I will try and use it and see how it behaves, I hope everything will be fine from now on :)

I assume this strange behaviour is no cause for alarm?
Nope, your rules look good from here.
 
dabardabar (topic author)

Re: Accessing a server from outside network

Thu Oct 07, 2021 12:19 pm

Just to post an update, everything has been working fine since configured, but there is a but :)

Suddenly, the network started behaving like we had expected it to - now when accessing the public IP from the LAN, we are presented with the RouterOS login screen, not with the website on the server.

I can't pinpoint exactly when it started happening, maybe a day or two ago, but there have been no changes made to the router and everything else is still working as expected - for example when testing from an outside connection, the server is accessed correctly.

No idea what caused this change, maybe the power ran out at some point and it rebooted and started acting like this or something like that?

And about the solution regarding this problem, what should I do to have it behave like it did earlier - so that my external IP opens the server homepage, even when used within the LAN?

Is this the moment when I have to create a hairpin NAT, for example like in this video? : https://www.youtube.com/watch?v=c0K-bXImxUY
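As an added example (not part of the thread), the two usual ways to let LAN clients reach the server by its public name. It assumes the port forward from the thread, the server at 192.168.88.200:80, the router's LAN address 192.168.88.1, and a hypothetical hostname server.example.com. One caveat specific to this setup: the public address lives on the ISP router, not on the MikroTik, so a hairpin rule on the MikroTik can only hairpin the MikroTik's own WAN address (the 192.168.178.x one). Whether "public IP from inside the LAN" works therefore depends on the ISP router hairpinning as well, which is consistent with it working for a while and then stopping without any change on the MikroTik. Split DNS does not depend on either router.

```routeros
# Added example, not from the thread. Assumes the port forward from the thread,
# the server at 192.168.88.200:80, the router's LAN address 192.168.88.1 and a
# hypothetical hostname server.example.com.

# Option A: hairpin NAT on this router. dst-address-type=local matches any
# address the router itself owns, so it keeps working when the WAN address
# changes; the LAN address is excluded so WebFig on 192.168.88.1 stays reachable.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface-list=LAN dst-address-type=local dst-address=!192.168.88.1 \
    to-addresses=192.168.88.200 comment="hairpin: LAN client -> own WAN address"
# Without the srcnat below the server answers the LAN client directly from
# 192.168.88.200, the client expected the answer from the address it connected
# to, and the TCP handshake fails. Masquerading makes the reply come back
# through the router, at the cost of the server seeing 192.168.88.1 as client.
add chain=srcnat action=masquerade protocol=tcp dst-port=80 \
    src-address=192.168.88.0/24 dst-address=192.168.88.200 \
    comment="hairpin: replies must return via the router"

# Option B: split DNS. LAN clients already use this router as resolver
# (allow-remote-requests=yes in the export), so answer the public name with the
# LAN address. No hairpin, no dependence on the ISP router, and the server's
# logs keep the real LAN client addresses.
/ip dns static
add name=server.example.com address=192.168.88.200 comment="split-horizon for LAN"
/ip dns static print
```

Option B only works for clients that resolve the name through the router; a LAN client pointed at a public resolver, or one that uses the bare public IP, still needs option A (and, in this double-NAT setup, the ISP router's cooperation).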
