Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 4:59 pm

Hello.
I'm trying to open ports 80 and 443 to my small web server, yet if I do it in the NAT section, I am unable to browse sites in my LAN.
What could be causing this issue?
 /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1 X  ;;; Web Server .50:80
      chain=dstnat action=dst-nat to-addresses=192.168.0.50 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix="WEB SERVER >" 

 2 X  ;;; Web Server .50:443
      chain=dstnat action=dst-nat to-addresses=192.168.0.50 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix="WEB SERVER 443" 
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?  [SOLVED]

Sun Jun 19, 2022 5:14 pm

"opening ports" isn't the same thing as DST-NAT, and you're doing it wrong.
Your rules are accurate with the topic.
Since any request to port 80 or 443 from anywhere to anywhere will be dst-natted to your little webserver.
Fix your rules.
Add dst-address=your.public.ip to both of them.
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 5:51 pm

I think the IP services WWW and WWW-SSL should be disabled too.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 5:54 pm

Having them enabled doesn't stop the dst-nat rules from working.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 5:57 pm

I think the IP services WWW and WWW-SSL should be disabled too.
It's not necessary, dst-nat rules act before the packet reaches the point in routing where its destination address is compared to the router's own ones. So you can keep www and www-ssl of the router itself accessible for clients in the LAN, and still port-forward what arrives at ports 80 and 443 somewhere else for clients on the internet.
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:17 pm

@sindy
Thank you for your clarification. However, once I wanted to issue a certificate for the web server behind the MT hosted via VM, WWW prevented the verification of the certificate.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:20 pm

Unrelated.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:29 pm

once I wanted to issue a certificate for the web server behind the MT hosted via VM, WWW prevented the verification of the certificate.
But that did not depend on whether the www and www-ssl services were enabled or disabled on the router itself, did it?

The server certificate must be issued for the IP address or FQDN to which the client is connecting, because that's what the client verifies.

If you use Let's Encrypt to obtain a server certificate and periodically renew it, port 80 must be forwarded to the same server as port 443, because Let's Encrypt verifies the applicant's address by communicating with a daemon listening on port 80. So I can theoretically imagine that Let's Encrypt attempts to use port 443 if it fails to establish a session to port 80, but it sounds unlikely to me. Never tried that, though.
 
Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:50 pm

As a noob I am confused now. :|
To have my server inside the LAN exposed on ports 80 and 443, what shall I do?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:53 pm

What I've said in the first reply above.
To each of your two dst-nat rules, add dst-address=your.public.ip.here
AS EXPLAINED IN THE MANUAL https://help.mikrotik.com/docs/display/ ... inationNAT
K.
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 6:57 pm

@sindy
I had this problem when the Let's Encrypt was introduced to RouterOS. I issued a certificate for my router.
Yes, I disabled the www on the MT router, and the VM certificate was verified immediately.
 
mkx
Forum Guru
Posts: 11592
Joined: Thu Mar 03, 2016 10:23 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:02 pm

The subtitles to post #2 by @znevna: your dst-nat rules are too greedy as shown in the post. Keep in mind that for the router no interface is special and it doesn't have a clue that you only want to dst-nat traffic originating from the internet but not traffic originating from your LAN. You have to tell it explicitly ... either as @znevna recommends in the last line of the mentioned post, or add in-interface-list=WAN as it seems your firewall is still in line with the defaults. This way has a drawback because it doesn't allow LAN hosts to work with the server via the public IP (the suggestion by @znevna is a step in that direction but misses another src-nat rule to be complete). If your WAN IP address is not static, then my suggestion might be better.
Last edited by mkx on Sun Jun 19, 2022 7:05 pm, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11592
Joined: Thu Mar 03, 2016 10:23 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:04 pm

@sindy
I had this problem when the Let's Encrypt was introduced to RouterOS. I issued a certificate for my router.
Yes, I disabled the www on the MT router, and the VM certificate was verified immediately.

If you wanted to get a certificate for the router, then, yes, letsencrypt needs to access the http service on your router. But it doesn't have anything to do with the dst-nat we're discussing in this topic ...
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:15 pm

@mkx
I apologize if it is out of this topic. On the other hand, I think you didn't read all the posts on this topic. #3
 
Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:17 pm

Thank You guys for having patience with noobs like me. :D
I think it is working, but I think I need "hairpin NAT" in order to see my domain from inside the network.
Am I correct?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:20 pm

Yes, but it may be a better option to put the server to a dedicated subnet.
 
Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:22 pm

Yes, but it may be a better option to put the server to a dedicated subnet.
:O ok.. if it is.. but now I have no idea.. could you give me short instructions or something, so I don't mess something up?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:23 pm

Yes, documentation: https://help.mikrotik.com/docs/display/ ... HairpinNAT
And a somewhat harder to read one because anav doesn't know how to use code blocks viewtopic.php?t=179343
But you probably just need
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 dst-address-type=!local src-address=192.168.0.0/24 src-address-type=!local
Last edited by Znevna on Sun Jun 19, 2022 7:58 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:31 pm

could you give me short instructions or something..
If the server is connected directly to an Ethernet interface of the 2011, you'd remove that interface from the bridge, assign an IP address like 192.168.37.1/24 to it, and change the address of the server to 192.168.37.2/24, gateway 192.168.37.1 (or set up the full DHCP server suite - /ip pool, /ip dhcp-server network, /ip dhcp-server on the 2011 and let the server act as a DHCP client if you want to do all the network configuration on the Mikrotik side). Then, you would change the to-address of the dst-nat rule to 192.168.37.2.
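The dedicated-subnet layout sindy describes, written out as an added RouterOS example (these are not sindy's commands and not from MikroTik's documentation). The interface name ether5 is an assumption standing in for whichever port of the 2011 the server is plugged into; the 192.168.37.0/24 addresses are the ones from sindy's post; the final filter rule is my addition and not something the thread discusses.

```routeros
# Take the server port out of the LAN bridge and give it its own /24.
# ether5 is an assumed port name; use the one the server is actually connected to.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.37.1/24 interface=ether5 comment="web server segment"

# Optional: the DHCP suite sindy mentions, so the server can stay a DHCP client.
# The pool holds a single address so the server always gets 192.168.37.2.
/ip pool add name=srv-pool ranges=192.168.37.2-192.168.37.2
/ip dhcp-server network add address=192.168.37.0/24 gateway=192.168.37.1 dns-server=192.168.37.1
/ip dhcp-server add name=srv-dhcp interface=ether5 address-pool=srv-pool disabled=no

# Repoint the two existing dst-nat rules (commented "Web Server .50:80" / ".50:443"
# in the original print output) at the server's new address.
/ip firewall nat set [find comment~"Web Server"] to-addresses=192.168.37.2

# Added here, not in the thread: an exposed server should not be able to open new
# connections into the client LAN. Replies to LAN-initiated connections still pass,
# because they match the defconf "accept established,related" rule earlier in the chain.
/ip firewall filter add chain=forward action=drop connection-state=new \
    src-address=192.168.37.0/24 dst-address=192.168.0.0/24 \
    comment="web server segment may not initiate into LAN"
```

One consequence of this layout is worth spelling out: once the server no longer shares a subnet with the LAN clients, a LAN client reaching the public address is dst-natted to 192.168.37.2 and the server's reply has to come back through the router anyway, so no hairpin src-nat rule is needed. Check with /ip firewall nat print that the repointed rules are enabled (no X flag), since both were disabled in the original output.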
 
Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 7:38 pm

Yes, documentation: https://help.mikrotik.com/docs/display/ ... HairpinNAT
And a somewhat harder to read one because anav doesn't know how to use code blocks viewtopic.php?t=179343
But you probably just need
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 dst-address-type=!local src-address=192.168.0.0/24 src-address-type=!local
Done it.. seems like it does work.. yet I am not understanding how, since I don't see my server address involved (192.168.0.50)..
Aside - Thank You very much Znevna! <3
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 8:01 pm

It's a subnet-wide rule in case you need more ports forwarded and have them hairpinned too.
You could complicate your life and use something like this instead:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.50 dst-port=80 protocol=tcp src-address=192.168.0.0/24 src-address-type=!local
add action=masquerade chain=srcnat dst-address=192.168.0.50 dst-port=443 protocol=tcp src-address=192.168.0.0/24 src-address-type=!local
And then add rules for every other port forwarded and for every other IP
Or you could use just one rule without specifying the ports, or the protocol ....whatever fits your needs.
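The NAT section the thread converges on, assembled here as an added example (not Znevna's, mkx's or MikroTik's own configuration): the defconf masquerade from the original print output, the dst-nat rules narrowed with dst-address as Znevna recommends, mkx's in-interface-list=WAN alternative for a dynamic public address, and Znevna's hairpin rule. 203.0.113.10 is a placeholder for the public IP; the interface list name WAN and the 192.168.0.0/24 LAN come from the thread.

```routeros
/ip firewall nat
# defconf masquerade, unchanged from the original print output.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"

# Option A (static public IP, Znevna's fix): only rewrite packets addressed to the
# router's public IP. Without dst-address, every TCP/80 and TCP/443 packet the router
# forwards, including LAN clients going to internet sites, is sent to 192.168.0.50,
# which is exactly the "cannot browse" symptom. 203.0.113.10 is a placeholder.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 dst-address=203.0.113.10 \
    to-addresses=192.168.0.50 to-ports=80 comment="Web Server .50:80"
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 dst-address=203.0.113.10 \
    to-addresses=192.168.0.50 to-ports=443 comment="Web Server .50:443"

# Option B (dynamic public IP, mkx's alternative): match on the ingress interface list.
# LAN-originated packets never enter through a WAN interface, so they are left alone.
# Drawback noted by mkx: this rule never matches LAN clients, so they cannot reach the
# server through the public name even with the hairpin rule below.
# add chain=dstnat action=dst-nat protocol=tcp dst-port=80 in-interface-list=WAN \
#     to-addresses=192.168.0.50 to-ports=80
# add chain=dstnat action=dst-nat protocol=tcp dst-port=443 in-interface-list=WAN \
#     to-addresses=192.168.0.50 to-ports=443

# Hairpin (Znevna's per-port variant, both ports in one rule): when a LAN client hits the
# public IP and is dst-natted back into its own subnet, also rewrite the source to the
# router's address. Otherwise the server would answer the client directly, the client
# would see a reply from 192.168.0.50 instead of 203.0.113.10, and the connection breaks.
# src-address-type=!local keeps the router's own traffic out of the rule.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 src-address-type=!local \
    dst-address=192.168.0.50 protocol=tcp dst-port=80,443 comment="hairpin NAT"
```

Two checks after pasting: the original print output shows both dst-nat rules with the X flag, so enable them (/ip firewall nat enable [find comment~"Web Server"]) or nothing is forwarded at all; and the dst-nat rules must sit above any other dstnat rule that could match the same ports, since RouterOS stops at the first match in a chain. With the defconf filter rules still in place, forwarded connections are allowed by the "drop all from WAN not DSTNATed" logic only because they are dst-natted, so no extra forward rule is needed for the two ports.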
 
Yordan1
newbie
Topic Author
Posts: 28
Joined: Fri Aug 04, 2017 9:38 am

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 8:24 pm

Oh lords. Thank You very much Znevna !!!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 8:33 pm

But to understand WHY it works, read the links I've mentioned above. I'm not good at explaining.
 
mkx
Forum Guru
Posts: 11592
Joined: Thu Mar 03, 2016 10:23 pm

Re: Opening port 80 and 443 prevent me from browsing sites ?

Sun Jun 19, 2022 8:33 pm

@mkx
I apologize if it is out of this topic. On the other hand, I think you didn't read all the posts on this topic. #3

I've read all the posts (including your #3) and I fully agree with post #4 (which mirrors my own experience).
