 
paul
newbie
Topic Author
Posts: 36
Joined: Wed Oct 27, 2004 9:46 pm

Cannot access Apache server from the internet, only get as far as the routeros www server.

Sun Apr 21, 2024 11:56 pm

Small home network, 1 routeros v6.49.14 on an RB751G-2HnD, 1 PC and 1 24/7 server, both Windows 10 Pro, currently Windows Firewall is off on the server. I’ve installed Apache 2.4 VS17 on it and can access it from both PCs via http://localhost on the server and IP address on the PC - As I’ve not specified a port here, I assume the www server is on port 80.

Have added two Firewall>NAT dstnat rules for tcp and udp. I added the udp rule early on when trying to get it to work, made no difference and WinBox shows no traffic through it, but there is for the tcp rule. I have put both these rules above the masquerade (srcnat) rule while trying to get this to work.

The ‘Dst Address’ I added after reading my third how-to guide for V6, and that got it working for internet connections as far as the routeros www server; until then no www site could be found.

After that I added the ‘Src Address’ but it made no difference.

During my reading of how-to’s, one said to set the ‘In Interface’ to wan, I only have a wan1, I set it to that and when I did this WinBox complained it is “linked and I should use master instead (bridge local)”, which I have done.

See attached pix for current settings.

Any ideas on what I need to do to get to the Apache server on the server from the internet?

Am happy to turn off the routeros www server, but I don’t know how to do that, if that will cause no intranet problems as I use WinBox.

I have used the binaries from https://www.apachelounge.com/download/ as they are binaries, I believe (Am I wrong BTW?), I would have to compile from the source if I wish to change the Apache settings, which is a bit hard for me.

WinBox orientated suggestions are preferred.

Thanks.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Mon Apr 22, 2024 6:55 am

Hi there. Can you share your current config minus the sensitive parts?
 
paul
newbie
Topic Author
Posts: 36
Joined: Wed Oct 27, 2004 9:46 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Mon Apr 22, 2024 5:49 pm

Hi there. Can you share your current config minus the sensitive parts?
Yes, I could, but I'm not fully sure what you mean by config and probably how to get it.

Could you say how, please, pref via WinBox.

Thanks
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Mon Apr 22, 2024 8:48 pm

Yes, I could, but I'm not fully sure what you mean by config and probably how to get it.

Could you say how, please, pref via WinBox.

Thanks
In Winbox, click on the button "New Terminal". There, type the command
/export file=myExportedConfig
In the files section, you will have a new file called myExportedConfig. Download it and copy-paste it here, using the code tags.
 
paul
newbie
Topic Author
Posts: 36
Joined: Wed Oct 27, 2004 9:46 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Tue Apr 23, 2024 1:12 pm

Yes, I could, but I'm not fully sure what you mean by config and probably how to get it.

Could you say how, please, pref via WinBox.

Thanks
In Winbox, click on the button "New Terminal". There, type the command
/export file=myExportedConfig
In the files section, you will have a new file called myExportedConfig. Download it and copy-paste it here, using the code tags.
I knew the 'Terminal' word was going to get mentioned :lol:

I forgot I also have 2 echos, 1 phone and a hue hub, also there is one other person on the network with a laptop but I don't think they are relevant to this.


I think the problem might be in the Firewall->Filter Rules. The reason it looks such a mess is that it's from a newbie and has evolved over 20 years of changing requirements from someone with limited knowledge.

I've not had to play with the filter rules for say 10 years.
# apr/23/2024 11:04:35 by RouterOS 6.49.14
# software id = **ELIDED**
#
# model = 751G-2HnD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no fast-forward=no mtu=1500 name=\
    bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway \
    keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 \
    use-peer-dns=yes user=**ELIDED**
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=**ELIDED** \
    wpa2-pre-shared-key=**ELIDED**
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set \
    disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower \
    mode=ap-bridge security-profile=profile1 ssid=**ELIDED** station-roaming=\
    enabled wireless-protocol=802.11
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool1 ranges=0.0.0.2-255.255.255.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local lease-time=3d name=default
/queue simple
add disabled=yes max-limit=0/256k name=mor target=192.168.0.112/32
/system logging action
set 0 memory-lines=100
set 1 memory-lines=100 target=memory
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=pppoe-out1 list=WAN
/interface wireless sniffer
set multiple-channels=yes
/ip address
add address=192.168.1.253/24 interface=bridge-local network=192.168.1.0
/ip dhcp-client
add comment="default configuration" interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.1.1 **ELIDED**
add address=192.168.1.2 **ELIDED**
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.1.0/24 comment="default configuration" dns-server=\
    192.168.1.253 gateway=192.168.1.253 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=**ELIDED**
/ip dns static
add address=192.168.1.254 name=router
/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.2
add action=accept chain=forward src-address=192.168.1.2
add action=accept chain=forward comment=->PC1 src-address=192.168.1.1
add action=accept chain=forward comment=11 dst-address=192.168.1.1
add action=accept chain=forward src-address=192.168.1.2
add action=accept chain=forward disabled=yes src-address=192.168.1.191
add action=accept chain=forward comment=Down dst-address=192.168.1.0/24 \
    src-address=0.0.0.0/0
add action=accept chain=output dst-address=192.168.1.0/24 src-address=\
    0.0.0.0/0
add action=accept chain=forward comment="Forward up & down"
add action=accept chain=output comment=Output
add action=accept chain=forward comment=PC2 dst-address=0.0.0.0/0 \
    src-address=192.168.1.2
add action=accept chain=forward dst-address=192.168.1.2 src-address=0.0.0.0/0
add action=log chain=forward comment="Forward bbbb" log-prefix=bbbb
add action=accept chain=forward
add action=passthrough chain=forward connection-state=established
add action=log chain=forward in-interface=pppoe-out1
add action=log chain=forward out-interface=pppoe-out1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface-list=!mactel log=yes \
    log-prefix=1
add action=accept chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \
    in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \
    to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
    bridge-local protocol=udp to-addresses=192.168.1.2 to-ports=80
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1 out-interface-list=WAN to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=yes dst-port=21 protocol=tcp \
    to-addresses=192.168.0.22 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-address=**ELIDED** \
    dst-port=21 protocol=tcp to-addresses=192.168.0.22
add action=dst-nat chain=dstnat disabled=yes dst-address=**ELIDED** \
    dst-port=2402 protocol=tcp to-addresses=192.168.0.22
add action=dst-nat chain=dstnat disabled=yes dst-address=**ELIDED** \
    dst-port=2402 protocol=udp to-addresses=192.168.0.22
/ip proxy
set cache-path=web-proxy1
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
add comment=Modem distance=1 dst-address=192.168.1.0/24 gateway=pppoe-out1 \
    pref-src=192.168.1.254
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=4k
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=**ELIDED**
/system identity
set name=HAL
/system leds
set 0 interface=wlan1
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
/system ntp client
set enabled=yes primary-ntp=212.23.8.6 secondary-ntp=130.88.200.4
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
/tool sniffer
set filter-stream=yes only-headers=yes
Last edited by tangent on Tue Apr 23, 2024 2:11 pm, edited 1 time in total.
Reason: elided PII, PSKs, user names…*someone* didn't tell OP to add hide-sensitive for v6 export!
 
tangent
Forum Guru
Posts: 1422
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Tue Apr 23, 2024 2:08 pm

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \
    in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \
    to-addresses=192.168.1.2 to-ports=80

Drop the src-address bit. It's simply wrong. The packets' source addresses will be unpredictable, being that of the remote clients, not the address of the bridge.

The in-interface bit is also wrong. That says "restrict this rule to packets coming from the LAN". Based on your configuration, you likely want "in-interface=pppoe-out1" instead.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Tue Apr 23, 2024 2:20 pm

Yo

So, this rule -
/ip firewall nat
	add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \
	    in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \
	    to-addresses=192.168.1.2 to-ports=80
It reads "When a packet comes from 192.168.1.253 to original IP address 192.168.1.2 on port 80 in interface bridge-local, translate the destination to 192.168.1.2, port 80." This means, in essence "no change". And given that 192.168.1.2 is not routed on the internet,

If you want to present your server to the world, try something like
/ip firewall nat
	add action=dst-nat chain=dstnat dst-port=80 \
	    in-interface-list=WAN protocol=tcp \
	    to-addresses=192.168.1.2

Note that the firewall filter rules are pretty large, so consider tightening things there.
 
paul
newbie
Topic Author
Posts: 36
Joined: Wed Oct 27, 2004 9:46 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Tue Apr 23, 2024 7:31 pm

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \
    in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \
    to-addresses=192.168.1.2 to-ports=80

Drop the src-address bit. It's simply wrong. The packets' source addresses will be unpredictable, being that of the remote clients, not the address of the bridge.

The in-interface bit is also wrong. That says "restrict this rule to packets coming from the LAN". Based on your configuration, you likely want "in-interface=pppoe-out1" instead.
DOH1: I was using my mobile to test this and did not think to turn the Wi-Fi off.
DOH2: The Headless server had rebooted, for Windows update, so had to start the Apache server - Will implement it as a service later.

The solution proposed by vingjfg also works, any idea which is best?

Also, should I put it before or after the masquerade, have experimented, and it seems to make no difference.

THANK YOU, to the pair of you, I've got a real personal shit-hitting-the-fan situation going on personally, ghosting, bullying including getting physical with me and weaponizing the impending death of a very very near relative, this will help so much with me getting my story out there, it might even turn the tide, thank you so very, very much.

They are not computer experts, but they may know some, which could range in intelligence from below average to PhD level, not saying they have a PhD computer expert(s) to hand, but they could have.

vingjfg said my firewall rules are rather open, I really don't know off the top of my head how to tighten them up, not played with them for 10 years.

Any chance of a few suggestions that will tighten them up, please? As I really need to concentrate on the person who is trying to convince me I'm mad and stuff around that!
 
paul
newbie
Topic Author
Posts: 36
Joined: Wed Oct 27, 2004 9:46 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Tue Apr 23, 2024 7:33 pm

Yo

So, this rule -
/ip firewall nat
	add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \
	    in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \
	    to-addresses=192.168.1.2 to-ports=80
It reads "When a packet comes from 192.168.1.253 to original IP address 192.168.1.2 on port 80 in interface bridge-local, translate the destination to 192.168.1.2, port 80." This means, in essence "no change". And given that 192.168.1.2 is not routed on the internet,

If you want to present your server to the world, try something like
/ip firewall nat
	add action=dst-nat chain=dstnat dst-port=80 \
	    in-interface-list=WAN protocol=tcp \
	    to-addresses=192.168.1.2

Note that the firewall filter rules are pretty large, so consider tightening things there.
Thank you so much, could you please also have a look at my reply to tangent above?
 
tangent
Forum Guru
Posts: 1422
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Wed Apr 24, 2024 5:59 am

any idea which is best?

Mine, unconditionally, always. 😜

The only material difference is "in-interface=pppoe-out1" vs "in-interface-list=WAN". Since the WAN list has exactly one interface in it, pppoe-out1, the two rules mean the same thing. Which you choose is more a matter of style, plus the tiny chance that the WAN list will eventually contain another interface, and you want this rule to apply to it, too.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Thu Apr 25, 2024 11:00 pm

As tangent says, there is no better solution here, just pick the one you feel is the most manageable for you and stick to it.

I tend to use the interface name to describe the type of connection (ether, pppoe, wifi), and the list name to describe the role (WAN, LAN-Trusted, LAN-IOT, LAN-PRINTERS). As I do have a few MT, this helps me remember what each rule does, and catch errors early on.

Regarding the rules clean-up, reorganize them to have the usual defaults on top (established, fasttrack, related, invalid and so forth), then the ones that accept the new connections. And for these, be specific. For example, the following rule allows everything to your webserver. If you make a typo in the NAT, you can end up with the whole server being exposed to the Internet.
/ip firewall filter
   add action=accept chain=forward dst-address=192.168.1.2
Would be best rewritten as
/ip firewall filter
   add action=accept chain=forward dst-address=192.168.1.2 dst-port=80,443 in-interface-list=WAN comment="Expose WWW server to the Internet"
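Putting tangent's and vingjfg's corrections to the dst-nat rule together with vingjfg's filter-ordering advice above, as an added example that is not from any poster in this thread; it assumes the names from paul's export (the WAN list holding pppoe-out1, bridge-local as the LAN, the web server at 192.168.1.2) and introduces a LAN interface list that the export does not have.

```routeros
# Added example, not from the thread. Names assumed from paul's export:
# WAN list containing pppoe-out1, bridge-local for the LAN, web server 192.168.1.2.
# A LAN interface list is added here; the export does not have one.
/interface list
add name=LAN
/interface list member
add interface=bridge-local list=LAN

/ip firewall nat
# Match only what arrives from the WAN list. No src-address (the clients' addresses
# are unpredictable) and no in-interface=bridge-local (that limited the rule to LAN packets).
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80 \
    to-addresses=192.168.1.2 to-ports=80 comment="Expose WWW server to the Internet"
# dstnat and srcnat are separate chains, so where this sits relative to the rule above is irrelevant.
add chain=srcnat action=masquerade out-interface-list=WAN comment="default configuration"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="LAN may reach WinBox, DNS, DHCP"
# Also keeps the router's own www service and its DNS (allow-remote-requests=yes) off the Internet.
add chain=input action=drop in-interface-list=WAN comment="Nothing from the Internet reaches the router"
# forward chain: transit traffic, the usual defaults first
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Then the specific new connections: only port 80 on 192.168.1.2, only via the dst-nat above
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN protocol=tcp \
    dst-address=192.168.1.2 dst-port=80 comment="Expose WWW server to the Internet"
add chain=forward action=accept in-interface-list=LAN comment="LAN to anywhere"
add chain=forward action=drop comment="Everything else"
```

The export also shows /ip upnp enabled=yes, which lets LAN devices open further port forwards on their own; disable it unless something on the LAN needs it. Future exports can be shared with /export hide-sensitive file=..., as tangent's edit note points out.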
