Which command sets a DST NAT rule to forward TCP port 80 from WAN to internal host 192.168.10.10:80?

• A. /ip firewall nat add chain=srcnat dst-address=<WAN_IP> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.10 to-ports=80
• B. /ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.10 to-ports=80
• C. /ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=80
• D. /ip firewall nat add chain=dstnat dst-address=192.168.10.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=<WAN_IP> to-ports=80

Answer: (B)

Forwarding external HTTP traffic to an internal server uses destination NAT. The router watches for packets arriving at the WAN IP on TCP port 80 and rewrites the destination to the internal host 192.168.10.10 on port 80 so the internal server handles the request.

The correct rule uses the dstnat chain, which is designed for inbound traffic redirection. It matches the destination address as the WAN IP, filters for TCP traffic on port 80, and performs a dst-nat to the internal address 192.168.10.10 with the internal port 80. This combination ensures that only external requests to the router’s external address on port 80 are forwarded to the internal web server.

Why the other approaches don’t fit: using srcnat would alter the source address for outbound traffic, not forward inbound requests. Using a destination address of the internal IP would apply to traffic already inside the network, not to external WAN traffic. Forwarding port 443 would handle HTTPS, not HTTP, and pointing the NAT to the WAN IP would send traffic back out rather than to the internal host.