kamil119
just joined
Topic Author
Posts: 5
Joined: Sun Feb 04, 2024 12:45 am

Apache on public IP ( Forwarding )

Sun Feb 04, 2024 1:02 am

Hi, I have a problem.

I am trying to run apache2 on a public ip address. I set it to router forwarding. However, I still have a problem and I can't see apache on the public IP. It works on the internal without any problems. The port scan shows me that it is filtered and closed.
I have both antivirus and firewall defender suspended on my computer. What more can I do?
I also tried port mapping and it gave me an error. I am attaching the pictures.

https://imgur.com/a/DgFTBnt
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Apache on public IP ( Forwarding )

Sun Feb 04, 2024 10:03 am

First, please post the images here instead of on an external site.
The rule states an inbound interface whose name is "all wire..." - is that your internal (LAN) or external (WAN) interface? Given that the masquerade rule has an outgoing interface of "pppoe-...", I suspect the in-interface you set in that rule is your internal interface and not the external, in which case you have to change it (See below).

Also, what default route does your server have? I see you have two interfaces, which one is used for the return packets? The firewall and NAT are stateful and expect things to come back the same way they were sent.

Stupid question, but do you have a firewall rule that allows the traffic to your internal server (note: using the real IP, not the external)?

Lastly, if you try from the inside using the external IP, you will need to set up a hairpin NAT, which I do not see in your configuration.

Regarding the source NAT: the in-interface describes the interface which receives the packet prior to translation. In the case of a source-nat to present stuff to the Internet, the in-interface is the Internet side.

Can you send the output of the following commands, and please put that between "code" tags.
/ip firewall filter export
/ip firewall nat export
/interface list export
 
kamil119
just joined
Topic Author
Posts: 5
Joined: Sun Feb 04, 2024 12:45 am

Re: Apache on public IP ( Forwarding )

Sun Feb 04, 2024 11:52 pm

First of all, I want to thank you for your time.

The thing is that I have a linux apache2 on my machine. On Windows and on Kali Linux, I am connected to the same WiFi network with an external WiFi adapter. I am adding more pictures to give you information.

The ip/firewall/nat table is changed from the internet provider and a static ip address is added.

It still doesn't work.

Sorry, I can't control some things.
I will send more information if necessary.

Here are images and exports:
/ip firewall nat export
# 2024-02-04 22:31:43 by RouterOS 7.11.2
# software id = **ELIDED**
#
# model = RBD52G-
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-address=**ELIDED** dst-port=80 protocol=\
    tcp src-port="" to-addresses=192.168.0.125 to-ports=80
add action=dst-nat chain=dstnat dst-address= **ELIDED** dst-port=8080 \
    protocol=tcp to-addresses=192.168.0.125 to-ports=8080
add action=dst-nat chain=dstnat dst-address= **ELIDED** dst-port=3000 \
    protocol=tcp to-addresses=192.168.0.125 to-ports=3000




Last edited by tangent on Mon Feb 05, 2024 12:32 am, edited 1 time in total.
Reason: Elided PII
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 12:32 pm

Thanks for posting here.

Note that you haven't posted all I asked.

Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT.

For all to work correctly, your NAT rule should look like this. Replace <PUBLIC IP> with your actual public IP.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.125
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=80 protocol=tcp \
    to-addresses=192.168.0.125 to-ports=80
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=8080 \
    protocol=tcp to-addresses=192.168.0.125 to-ports=8080
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=3000 \
    protocol=tcp to-addresses=192.168.0.125 to-ports=3000
On the server, make sure port 80 is listening (ss -atn)
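
Why a LAN client fails against the public IP without the hairpin rule, as an added example that is not part of the original post: a small model of the router's dst-nat and the optional srcnat masquerade. It assumes the server's default route points at the router; 203.0.113.10 (standing in for <PUBLIC IP>), the router LAN address 192.168.0.1 and the client addresses are constructed.

```python
# Added illustration: a toy model of dst-nat plus optional hairpin masquerade.
PUBLIC_IP = "203.0.113.10"     # constructed stand-in for <PUBLIC IP>
ROUTER_LAN = "192.168.0.1"     # assumed router LAN address
SERVER = "192.168.0.125"       # server address from the thread
LAN_PREFIX = "192.168.0."      # 192.168.0.0/24


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def router_forward(src, dst, hairpin):
    """Return the (src, dst) pair the server sees after the router's NAT."""
    if dst == PUBLIC_IP:
        dst = SERVER                      # chain=dstnat action=dst-nat
    if hairpin and on_lan(src) and on_lan(dst):
        src = ROUTER_LAN                  # chain=srcnat action=masquerade
    return src, dst


def connect(client, hairpin):
    """Return True if the client accepts the server's reply."""
    seen_src, seen_dst = router_forward(client, PUBLIC_IP, hairpin)
    reply_src, reply_dst = seen_dst, seen_src
    if on_lan(reply_dst) and reply_dst != ROUTER_LAN:
        # Same subnet: the server answers the client directly, bypassing
        # the router, so the dst-nat is never reversed.
        arrives_from = reply_src
    else:
        # The reply passes through the router, whose connection tracking
        # restores the public address as source and the client as target.
        arrives_from = PUBLIC_IP
        reply_dst = client
    # The client connected to PUBLIC_IP and only accepts replies from it.
    return reply_dst == client and arrives_from == PUBLIC_IP


def scenarios():
    """Outcome for the three cases discussed in the thread."""
    return {
        "internet client": connect("198.51.100.7", hairpin=False),
        "lan client, no hairpin": connect("192.168.0.50", hairpin=False),
        "lan client, hairpin": connect("192.168.0.50", hairpin=True),
    }
```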
 
kamil119
just joined
Topic Author
Posts: 5
Joined: Sun Feb 04, 2024 12:45 am

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 12:42 pm

I'm sorry, but the admin edited and deleted the things you requested from me.
I don't know how else to give you that information.

I had a given public ip address there
80.87.200.xxx

I checked the apache server on another public ip address (97.120.95.XXX).
 
kamil119
just joined
Topic Author
Posts: 5
Joined: Sun Feb 04, 2024 12:45 am

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 12:50 pm

Image
 
kamil119
just joined
Topic Author
Posts: 5
Joined: Sun Feb 04, 2024 12:45 am

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 1:02 pm

Shouldn't port 80 be enabled and started in the IP service list? In the photo I sent you, only port 8291 is open.

Image
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 2:40 pm

> Shouldn't port 80 be enabled and started in the IP service list? In the photo I sent you, only port 8291 is open.

No, this is the list of services provided by the router (port 80 is used for WebFig ... since you're using WinBox, you probably don't need WebFig). NAT has no relation with the list on this screenshot.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 5:21 pm

I noted that your WAN type is pppoe. Typically that is a dynamic IP, not static.
Please confirm if your IP indeed does not change.
If it is indeed static, vingjfg's dst-nat rules are correct. I personally prefer a wider hairpin NAT rule, to account for potentially more servers and users involved. To-ports are not required if same as dst-ports.
Finally, if static, then a more accurate sourcenat rule is also provided, although the other works fine as well, and some would say the masquerade approach is better in multiple-WAN scenarios, as if one WAN fails, the old connections are cleared faster with sourcenat.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=WANIP-static
add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 comment="hairpin nat rule"
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=80 protocol=tcp \
    to-addresses=192.168.0.125
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=8080 \
    protocol=tcp to-addresses=192.168.0.125
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=3000 \
    protocol=tcp to-addresses=192.168.0.125
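
A way to review a `/ip firewall nat export` for what it exposes and whether a hairpin rule is present, as an added example that is not part of the original post and not a MikroTik tool. The sample export is constructed (203.0.113.10 stands in for <PUBLIC IP>, and the port-3000 rule is deliberately left without a dst-address to trigger the check); the audit criteria and function names are assumptions of this example.

```python
import ipaddress
import re
import shlex

# Constructed sample shaped like this thread's rules; 203.0.113.10 is a
# documentation address standing in for <PUBLIC IP>.
SAMPLE = r'''/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.125
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80 protocol=\
    tcp to-addresses=192.168.0.125 to-ports=80
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp \
    to-addresses=192.168.0.125
'''
SCOPE_KEYS = ("dst-address", "dst-address-list", "in-interface", "in-interface-list")


def parse_nat(export):
    """Return one dict per 'add' line after joining backslash continuations."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", export)
    rules = []
    for line in joined.splitlines():
        if line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def audit(rules, lan="192.168.0.0/24"):
    """Return (forwards, hairpin_present, findings) for a NAT rule list."""
    net = ipaddress.ip_network(lan)

    def inside(value):
        try:
            return ipaddress.ip_network(value, strict=False).subnet_of(net)
        except (ValueError, TypeError):
            return False

    forwards, findings = [], []
    for r in rules:
        if r.get("chain") == "dstnat" and r.get("action") == "dst-nat":
            port = r.get("dst-port", "any")
            # to-ports defaults to the matched dst-port when omitted
            forwards.append((port, r.get("to-addresses"), r.get("to-ports", port)))
            if not any(r.get(k) for k in SCOPE_KEYS):
                findings.append(f"dst-port {port}: rule is not limited to the WAN side")
    hairpin = any(r.get("chain") == "srcnat" and inside(r.get("src-address", ""))
                  and inside(r.get("dst-address", "")) for r in rules)
    if forwards and not hairpin:
        findings.append("no hairpin srcnat rule for LAN clients using the public IP")
    return forwards, hairpin, findings
```

The `forwards` list is the set of internal services reachable from the Internet, which is what the forward chain of the firewall filter then has to allow or restrict.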
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Apache on public IP ( Forwarding )

Mon Feb 05, 2024 9:02 pm

As @mesquite and @mkx said plus:

Let's check from the server out.

On the server, can you get the output of the following?
ip addr
ip route list
