Setup:
Mikrotik Routerboard 2011UiAS-2HnD
static public IP
LAN
wireless
LAN and wireless are bridged; the router is the DHCP server.
After introducing a server and forwarding 25, 80, 443, 1723 and 3389 to it, I can no longer surf the internet from clients on the network:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
1 chain=dstnat action=dst-nat to-addresses=10.31.37.202 to-ports=3389 protocol=tcp dst-port=3389 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=25 protocol=tcp dst-port=25 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix=""
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface=ether1
What am I missing here? Do I need a filter? Is it that the router forwards traffic originating from clients and destined to 80 outside to 80 of 10.31.37.11?
Do I need a filter or should I add !10.31.37.0/24 to nat rules?
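
Added example, not part of the original post: the dst-nat rules printed above have no in-interface or dst-address matcher, so RouterOS applies them to any TCP packet with that destination port, whichever side it arrives from. This Python sketch parses that print output, flags dst-nat rules with no WAN scoping, and models a LAN client's request before and after adding in-interface=ether1; the interface name `bridge` and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, and matching is simplified to exact string comparison.

```python
import re

# Rules as printed by `ip firewall nat print` in the post above.
NAT_PRINT = '''\
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
1 chain=dstnat action=dst-nat to-addresses=10.31.37.202 to-ports=3389 protocol=tcp dst-port=3389 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=25 protocol=tcp dst-port=25 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=10.31.37.11 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix=""
'''
SCOPE_KEYS = ("in-interface", "dst-address")  # matchers that tie a rule to the WAN side
MATCH_KEYS = ("protocol", "dst-port") + SCOPE_KEYS

def parse_rules(text):
    """Turn print output into one {key: value} dict per rule."""
    rules = []
    for line in text.splitlines():
        pairs = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        if "chain" in pairs:
            rules.append(pairs)
        elif pairs and rules:
            rules[-1].update(pairs)  # wrapped continuation line of the previous rule
    return rules

def unscoped(rules):
    """dst-nat rules that match traffic from every interface to every address."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and not any(k in r for k in SCOPE_KEYS)]

def first_dstnat(rules, pkt):
    """Address the first matching dstnat rule rewrites pkt to, or None (simplified model)."""
    for r in rules:
        if r["chain"] == "dstnat" and all(r[k] == pkt[k] for k in MATCH_KEYS if k in r):
            return r["to-addresses"]
    return None

def scope_to_wan(rules, wan="ether1"):
    """Copy of rules with in-interface=<wan> added to every dst-nat rule."""
    return [dict(r, **{"in-interface": wan}) if r.get("action") == "dst-nat" else r
            for r in rules]

RULES = parse_rules(NAT_PRINT)
FIXED = scope_to_wan(RULES)
# Constructed packets: a LAN client browsing out, and an outside host reaching the public IP.
LAN_PKT = {"in-interface": "bridge", "dst-address": "203.0.113.80", "protocol": "tcp", "dst-port": "80"}
WAN_PKT = {"in-interface": "ether1", "dst-address": "198.51.100.10", "protocol": "tcp", "dst-port": "80"}

if __name__ == "__main__":
    print("unscoped dst-nat rules:", [r["dst-port"] for r in unscoped(RULES)])
    print("LAN client, rules as posted:", first_dstnat(RULES, LAN_PKT))
    print("LAN client, scoped to ether1:", first_dstnat(FIXED, LAN_PKT))
    print("WAN client, scoped to ether1:", first_dstnat(FIXED, WAN_PKT))
```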