
I exposed a web service on my local machine on the external IP via MikroTik and can access it at MY_EXTERNAL_IP:5000.

But my nginx server can't access MY_EXTERNAL_IP:5000. Logs:

14:09:53 firewall,info dstnat: in:bridge out:(none), src-mac 60:03:08:8c:a7:30, proto TCP (SYN), 192.168.1.19:50135->MY_EXTERNAL_IP:5000, len 64 
14:09:55 firewall,info input: in:ether1 out:(none), src-mac 04:62:73:a2:55:49, proto TCP (SYN), 188.196.62.73:47850->MY_EXTERNAL_IP:5000, len 60 

Nginx error log:

[error] 2048#0: *434 connect() failed (111: Connection refused) while connecting to upstream, client: MY_EXTERNAL_IP, server: MY_DOMAIN.com, request: "GET / HTTP/1.1", upstream: "http://MY_EXTERNAL_IP:5000/", host: "MY_DOMAIN.com"

Why can't the nginx server access MY_EXTERNAL_IP:5000 (it causes a 502 error), while I can from a browser?

I suppose I need an additional Firewall Filter rule. Which one?

Serhii C.

2 Answers


You also need to add an allow rule into the FORWARD chain:

/ip firewall filter add chain=forward action=accept protocol=tcp dst-address=INTERNAL_IP dst-port=5000 log=no log-prefix=""

The rule should be above any generic blocking rules affecting the FORWARD chain.

Daniel
  • Should `INTERNAL_IP` be the IP of my router (192.168.1.1) or of my machine with the web service (192.168.1.10)? – Serhii C. May 03 '18 at 11:48
  • Your machine with the web service: 192.168.1.10 – Daniel May 03 '18 at 11:49
  • No luck. Nginx said "110: Connection timeout". Without the FORWARD rule I had "111: Connection refused". – Serhii C. May 03 '18 at 11:57
  • I believe that it's passing through the router fw but for some reason cannot reach 192.168.1.10. Can you give more details about your network: are the nginx system and 1.10 in the same subnet? Is the nginx server behind the same router? If you allow ping (ICMP) between those systems, are they reachable? – Daniel May 03 '18 at 12:42
  • The nginx server is placed on another network (DigitalOcean). ICMP ping was allowed by default. I have added some filter rules for debugging: `input` chain (dst-address=EXTERNAL_IP, dst-port=5000), `forward` chain (dst-address=192.168.1.10, dst-port=80; my web service is running on port 80 on this machine), `output` chain (dst-port=5000). The logs say that the `input` chain is passing, and the `forward` logs contain more than 15 log entries. The `output` chain hasn't any logs. – Serhii C. May 03 '18 at 12:55
  • Can you post the debug logs from the `forward` chain and also the NAT rule that you have configured? – Daniel May 03 '18 at 13:13

The problem was in the NAT settings: I had In. Interface set to "bridge" instead of "ether1" (the right one).

Serhii C.
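The two answers together describe a complete MikroTik port-forward: a dst-nat rule whose `in-interface` must be the WAN side, a FORWARD accept rule placed above the generic drops, and (because the LAN browser test in the first log line arrived `in:bridge`) a hairpin-NAT rule for LAN clients. The following RouterOS configuration is an added example, not the asker's or Daniel's own config; it assumes `ether1` is the WAN interface, `bridge` is the LAN bridge, the web service listens on `192.168.1.10:80` (as stated in the comments) and the LAN is `192.168.1.0/24`. The mistaken rule is shown beside the corrected one so the symptom in the question's logs can be traced to it.

```routeros
# Added example (not from the question or either answer). Assumed values:
# ether1 = WAN interface, bridge = LAN bridge, 192.168.1.10:80 = web service,
# 192.168.1.0/24 = LAN. MY_EXTERNAL_IP is the address on ether1.

# --- Mistaken dst-nat rule: matches only traffic that arrives from the LAN ---
# With in-interface=bridge only LAN-originated SYNs are translated (the
# "dstnat: in:bridge" log line from the browser test). A SYN from the internet
# arrives on ether1, is NOT translated, falls through to the INPUT chain
# ("input: in:ether1" log line) and the router itself, which has no listener
# on 5000, answers with RST: nginx reports "111: Connection refused".
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp \
    dst-port=5000 action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="WRONG: only LAN clients are forwarded"

# --- Corrected dst-nat rule: matches traffic arriving on the WAN interface ---
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=5000 action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="port-forward MY_EXTERNAL_IP:5000 -> 192.168.1.10:80"

# --- FORWARD accept, inserted at position 0 so it sits above generic drops ---
# Narrowed to the translated host/port, to new connections, and to packets
# that were actually dst-nat'ed, so nothing else behind the router becomes
# reachable through this rule. log=yes is useful while debugging; turn it off
# afterwards to keep the firewall log readable.
/ip firewall filter add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.10 dst-port=80 log=yes log-prefix="fwd-web" \
    place-before=0 comment="allow forwarded web traffic"

# --- Hairpin NAT so LAN clients can also use MY_EXTERNAL_IP:5000 ---
# Without it a LAN client's SYN is dst-nat'ed to 192.168.1.10, which replies
# directly to the LAN client, bypassing the router's NAT state; masquerading
# the source makes the reply go back through the router.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=192.168.1.10 protocol=tcp dst-port=80 action=masquerade \
    comment="hairpin NAT for LAN clients"

# --- Checks from the router terminal ---
# Confirm the dstnat rule counters increase when an external client connects,
# and that a tracked connection to 192.168.1.10:80 appears.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where dst-address~"192.168.1.10:80"
/log print where topics~"firewall"
```

With the corrected `in-interface=ether1` the external SYN shows up in the log as `dstnat: in:ether1` followed by a `forward` entry, instead of the `input: in:ether1` entry in the question; if the forward log line appears but nginx then reports "110: Connection timeout", the packet left the router and the host at 192.168.1.10 (its own firewall or the service binding) is the next place to look.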