DST-NAT for port tcp/80 on Mikrotik router

I am trying to redirect the incoming traffic to tcp/80 of the public IP interface of Mikrotik router to the internal server with reverse proxy.

No matter what I do, the NAT rule does not work with tcp/80 as dst-port. If I change it to the tcp/8080 or any other port, it starts working.

With tcp/80 as dst-port, it seems like the packet can reach the target machine but the replies won't make it back.

/ip firewall filter print

Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1 X  ;;; vacuum-logging
      chain=forward action=log src-address= log=yes log-prefix="VACUUM"

 2    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194

 3    ;;; Allow HTTP
      chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="IN_HTTP_ALLOW"

 4    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 6    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 7    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface=pppoe-out1 log=no log-prefix="DROP"

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses= to-ports=8080 protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="NAT_HTTP"

The original post on NetworkEngineering that redirected me to here...

Nikita Kipriyanov: What is the firewall on the server? How "it seems"? Did you try capturing packets on the server?
djdomi: Welcome. Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers. Please read this step by step and also see [ask].

I found out the root cause - the ISP was blocking traffic on TCP 80 and 443.

The reason I did not find out right away is that they were not blocking it in a way that all incoming packets would be dropped. I could reach the router and packets were "dstnatted" to the destination, then the reply packets left the router... but those were dropped by the ISP.
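The answer above describes a failure that only shows up when you trace the handshake hop by hop: the SYN is dst-nat'ed and answered, the SYN-ACK leaves the WAN interface, and the client's ACK never arrives. As an added illustration (not code from the thread or from RouterOS), the function below applies that reasoning to constructed capture records; interface names, addresses and record layout are assumptions, not the asker's setup.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One captured packet: interface it was seen on, endpoints and TCP flags."""
    iface: str   # "wan" or "lan" (constructed names, not the router's real interfaces)
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

def seen(pkts, iface, src, dst, flags):
    return any(p.iface == iface and p.src == src and p.dst == dst and p.flags == flags
               for p in pkts)

def classify(pkts, client, router_pub, server):
    """Walk the dst-nat'ed handshake step by step and report the first missing step."""
    # 1. client SYN arrives on the WAN side, addressed to the router's public IP
    if not seen(pkts, "wan", client, router_pub, "S"):
        return "no SYN on WAN: traffic never reached the router"
    # 2. dst-nat rewrote the destination and the forward chain let it through
    if not seen(pkts, "lan", client, server, "S"):
        return "SYN not forwarded: dst-nat rule or forward chain not matching"
    # 3. the server answered
    if not seen(pkts, "lan", server, client, "SA"):
        return "no SYN-ACK from server: check the server's firewall/service"
    # 4. the router un-NATed the reply and sent it out (src is the public IP again)
    if not seen(pkts, "wan", router_pub, client, "SA"):
        return "reply not sent out: check filter rules / connection tracking"
    # 5. the client acknowledged, i.e. the reply actually arrived
    if not seen(pkts, "wan", client, router_pub, "A"):
        return "SYN-ACK left the router but was never acknowledged: dropped upstream"
    return "handshake completed"

# Constructed capture (RFC 5737 / private addresses) reproducing the thread's symptom:
# everything works up to the reply leaving the router, then silence.
CLIENT, PUBLIC, SERVER = "203.0.113.10", "198.51.100.1", "192.168.88.10"
ISP_FILTERED = [
    Pkt("wan", CLIENT, PUBLIC, "S"),
    Pkt("lan", CLIENT, SERVER, "S"),
    Pkt("lan", SERVER, CLIENT, "SA"),
    Pkt("wan", PUBLIC, CLIENT, "SA"),
]
# Same flow on a port the ISP does not filter: the client's ACK comes back.
WORKING = ISP_FILTERED + [Pkt("wan", CLIENT, PUBLIC, "A")]

if __name__ == "__main__":
    print(classify(ISP_FILTERED, CLIENT, PUBLIC, SERVER))
    print(classify(WORKING, CLIENT, PUBLIC, SERVER))
```

On a real router the records would come from a sniffer run on both the WAN and LAN interfaces; the point is that a NAT rule whose counters increment and whose reply leaves the router is not the component at fault.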

I sit in a Tesla and translated this thread with AI:

