Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Forward secondary IP to web server

Post Reply
 
kdmytro
just joined
Topic Author
Posts: 2
Joined: Sat Jul 15, 2023 1:55 pm

Forward secondary IP to web server

Sat Jul 15, 2023 8:34 pm

Disclaimer: All IP addresses appearing in this post are fictitious. Any resemblance to real IP addresses is purely coincidental.

I have 2 IP addresses assigned by my ISP via DHCP. 1.1.1.225 is the original IP address of my router. The second IP address 1.1.2.85 was added recently. When I added the second IP address I removed ether2 from bridge and created a new DHCP client, and now I can see both IP addresses here:
Code: Select all
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                         
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                                                                                            
 1 D 1.1.1.225/24       1.1.1.0         ether1                                                                                                                            
 2 D 1.1.2.85/24        1.1.2.0         ether2
I have a web server running on 192.168.88.71 which I want to make available externally via the second IP address. I added netmap rules to NAT configurations (the two at the bottom):
Code: Select all
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    ;;; Terraria
      chain=dstnat action=dst-nat to-addresses=192.168.88.24 to-ports=7777 protocol=tcp dst-port=7777 log=no log-prefix="" 

 2    ;;; Terraria
      chain=dstnat action=dst-nat to-addresses=192.168.88.24 to-ports=7778 protocol=tcp src-port="" dst-port=7778 log=no log-prefix="" 

 3 X  ;;; Jupyterhub
      chain=dstnat action=dst-nat to-addresses=192.168.88.32 to-ports=80 protocol=tcp dst-port=5384 log=no log-prefix="" 

 4    ;;; VRising
      chain=srcnat action=masquerade protocol=udp dst-address=192.168.88.64 out-interface=bridge log=no log-prefix="" 

 5    ;;; VRising
      chain=dstnat action=dst-nat to-addresses=192.168.88.64 to-ports=9876 protocol=udp dst-port=9876 log=no log-prefix="" 

 6    ;;; VRising
      chain=dstnat action=dst-nat to-addresses=192.168.88.64 to-ports=9877 protocol=udp dst-port=9877 log=no log-prefix="" 

 7    chain=dstnat action=netmap to-addresses=192.168.88.71 dst-address=1.1.2.85 in-interface=ether2 log=no log-prefix="" 

 8    chain=srcnat action=netmap to-addresses=1.1.2.85 src-address=192.168.88.71 out-interface=ether2 log=no log-prefix=""
When I attempt to connect to this IP from my local network I get this error straight away:
Code: Select all
❯ curl 1.1.2.85
curl: (7) Failed to connect to 1.1.2.85 port 80: Connection refused
But when I attempt to connect to this IP from an external network the connection times out, which feels like a firewall misconfiguration:
Code: Select all
$ curl 1.1.2.85
curl: (28) Failed to connect to 1.1.2.85 port 80: Connection timed out
Here is my firewall configuration:
Code: Select all
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; allow IPsec NAT
      chain=input action=accept protocol=udp dst-port=4500 

 3    ;;; allow IKE
      chain=input action=accept protocol=udp dst-port=500 

 4    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=1701 

 5    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723 

 6    ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443 

 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 9    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

13    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix="" 

14    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

16    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward
What should I change in order to make the web server on 192.168.88.71 accessible by IP 1.1.2.85?
Top
 
wiseroute
Member
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Forward secondary IP to web server

Sun Jul 16, 2023 4:14 am

hello,
Code: Select all
7    chain=dstnat action=netmap to-addresses=192.168.88.71 dst-address=1.1.2.85 in-interface=ether2 log=no log-prefix="" 

 8    chain=srcnat action=netmap to-addresses=1.1.2.85 src-address=192.168.88.71 out-interface=ether2 log=no log-prefix=""
please note that netmap is 1 to 1 ip translation, so you need to be very careful with it.

and I don't see any fw rules for your netmap - allowing the internet to contact your server?
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Forward secondary IP to web server

Sun Jul 16, 2023 11:26 am

Thanks for the disclaimer. ;-)

Try with line 8 in NAT disabled.
Top
 
kdmytro
just joined
Topic Author
Posts: 2
Joined: Sat Jul 15, 2023 1:55 pm

Re: Forward secondary IP to web server

Sun Jul 16, 2023 2:27 pm

I added the following firewall rule, but it did not change anything:
Code: Select all
/ip firewall filter add chain=input protocol=tcp dst-port=80,443 dst-address=1.1.2.85 action=accept
I noticed that dstnat rule packet counters go up when I run `curl` with or without the firewall rule. srcnat packet counter never goes up, it is still at 0. Disabling rule 8 (netmap scrnat) has no effect.

I also tried disabling both netmap rules and adding this instead:
Code: Select all
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443 dst-address=1.1.2.85 action=dst-nat to-addresses=192.168.88.71
But the behavior remains the same: incoming packets are counted, but they do not reach the web server.

Any more ideas?
Top
 
tdw
Forum Guru
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: Forward secondary IP to web server

Sun Jul 16, 2023 3:58 pm

If the WAN connections have different gateways you have to use mangle rules and additional routing tables or VRFs to ensure return traffic uses the same WAN as the inbound traffic arrived on.
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 30 guests
  4. RouterOS
  5. Beginner Basics