network hardware
MadDeee, 2021-04-07 14:50:06

How to forward Mikrotik ports?

There is a MikroTik rb2011UiAS-2HnD router. It was unpacked just today and we started setting it up. The Internet now works across the entire organization and everything is OK, but it's impossible to forward the port to our server where the site is installed (port 80).
There is an external IP 94.24.253.22 (Eth 1).
A hub with many connections, including the site, is connected to Eth 2.
And the internal IP (where the site is located) is 10.102.10.32.
I searched the Internet and did everything according to the instructions. I don't understand what I'm doing wrong. I did everything as it should be done. At first, access via the external IP led to the web interface of the router, but I fixed it and changed the port. It seems that everything was done correctly, but the site does not open. Help, I don't know where to dig anymore... I'm ready to provide any screenshots from the sections.

6 answer(s)
Dmitry, 2021-04-07
@dtmse

Usually, this requires two rules to be written (at least with settings generated via Quick Set). You did one of them (the port forwarding itself, in IP -> Firewall -> NAT). The second rule must be written in IP -> Firewall -> Filter, in the forward chain. It must allow traffic from the external interface to the server's internal IP address on the desired port, and it must be placed above the default rule that prohibits traffic from the external interface to internal interfaces or IP addresses.

Gregory, 2021-04-09
@Maxlinus

Is the gateway specified on the server?

CityCat4, 2021-04-07
@CityCat4

/ip firewall nat
add action=dst-nat chain=dstnat comment="Allow any to our webserver" dst-address=1.2.3.4 dst-port=\
    80,443 in-interface=ether1 protocol=tcp to-addresses=10.4.1.1

Something like that.
It reads like this - "if the packet came to IP 1.2.3.4, to port 80 or 443 via the ether1 interface, then forward it to the address 10.4.1.1 on the same port"

MadDeee, 2021-04-08
@MadDeee

Here's another extra screenshot.

Alexey, 2021-04-08
@Protosuv

As already written above, in addition to the port forwarding rule you need to add a rule in the forward chain so that the system passes traffic that satisfies these conditions:
- incoming address / port on the external interface
- destination = your server
I advise you to temporarily (!) add logging to each rule (the log checkbox in Winbox, or the log and log-prefix parameters in the console) and add a prefix so that you can see the traffic in the log and track the execution of the rule. You can also reset the traffic counters to see how specific rules work as their counters increase.

graf_Alibert, 2021-04-15
@graf_Alibert

Port 80 on MikroTik is occupied by the web interface by default, therefore:
# Change the port of the web interface and turn it off altogether
# (the service is addressed by name; a numeric index only works after a print)
/ip service set www port=8080 disabled=yes

# Filter rule allowing connections from outside to the web server
/ip firewall filter
add action=accept chain=forward comment=WEB dst-address=10.102.10.32 \
    dst-port=80,443 protocol=tcp

# And move it higher, to the top of the filter list
/ip firewall filter move [find comment="WEB"] 0

# NAT rule
/ip firewall nat
add action=netmap chain=dstnat comment=WEB dst-port=80,443 \
    in-interface=ether1 protocol=tcp to-addresses=10.102.10.32
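
An added example, not part of any answer above: a small Python model of the rule ordering the answers describe, showing that the same dst-nat rule works or fails depending on whether the accept rule sits above the WAN drop rule in the forward chain. The rule sets, the external address 203.0.113.10 and the plain `in-interface=ether1` drop rule are constructed for illustration; only the matchers used on this page are modelled, and each rule must be on one line.

```python
# Added example: minimal first-match model of dst-nat + forward filtering.
# Rule sets below are constructed; they are not taken from the asker's router.

def parse(export):
    """Turn the 'add k=v ...' lines of an export into a list of dicts."""
    rules = []
    for line in export.strip().splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(kv.split("=", 1) for kv in line.split()[1:]))
    return rules

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    for key in ("in-interface", "protocol", "dst-address"):
        if key in rule and rule[key] != pkt[key]:
            return False
    ports = rule.get("dst-port")
    return ports is None or str(pkt["dst-port"]) in ports.split(",")

def forward_verdict(nat, flt, pkt):
    """dstnat rewrites the destination first; the forward chain is then
    walked top to bottom and the first matching rule decides."""
    pkt = dict(pkt)
    for r in nat:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst-address"] = r["to-addresses"]
            break
    else:
        return ("not-forwarded", None)  # no dst-nat hit: packet is for the router itself
    for i, rule in enumerate(f for f in flt if f["chain"] == "forward"):
        if matches(rule, pkt):
            return (rule["action"], i)
    return ("accept", None)  # nothing matched: RouterOS accepts by default

NAT = parse("""
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80,443 in-interface=ether1 protocol=tcp to-addresses=10.102.10.32
""")
DROP = "add action=drop chain=forward in-interface=ether1"
ACCEPT = "add action=accept chain=forward dst-address=10.102.10.32 dst-port=80,443 protocol=tcp"
BROKEN = parse(DROP + "\n" + ACCEPT)  # accept sits below the drop rule
FIXED = parse(ACCEPT + "\n" + DROP)   # accept moved above it
PKT = {"in-interface": "ether1", "protocol": "tcp", "dst-address": "203.0.113.10", "dst-port": 80}

if __name__ == "__main__":
    print("broken order:", forward_verdict(NAT, BROKEN, PKT))
    print("fixed order: ", forward_verdict(NAT, FIXED, PKT))
```

The accept rule matches on the server's internal address because the forward chain sees the packet after dst-nat has rewritten its destination.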
