rudjuk
just joined
Topic Author
Posts: 2
Joined: Thu Sep 21, 2023 5:40 pm

The web server does not show the client IP

Thu Sep 21, 2023 5:59 pm

Recently I noticed that the web server, which is located inside the network, does not see the client's IP. Instead, it displays the MikroTik's IP.

# sep/21/2023 17:53:41 by RouterOS 6.47.10
# software id = 8USD-L3ZM
#
# model = CRS109-8G-1S-2HnD
# serial number = HD6088Q2G2X
/ip firewall filter
add action=accept chain=forward protocol=icmp
add action=accept chain=output protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment=VPN connection-state=new protocol=gre
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP dst-address=185.46.151.62 \
dst-port=210 protocol=tcp to-addresses=192.168.20.215 to-ports=21
add action=src-nat chain=srcnat dst-address=192.168.20.215 dst-port=21 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="FTP Web" dst-address=185.46.151.62 \
dst-port=21 protocol=tcp to-addresses=192.168.20.10 to-ports=21
add action=src-nat chain=srcnat dst-address=192.168.20.10 dst-port=21 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="Git SSH" dst-address=185.46.151.62 \
dst-port=22 protocol=tcp to-addresses=192.168.20.197 to-ports=22
add action=src-nat chain=srcnat comment="Git SSH" dst-address=192.168.20.197 \
dst-port=22 protocol=tcp to-addresses=192.168.20.205
add action=src-nat chain=srcnat comment="SSH ProxMox" dst-address=\
192.168.20.169 dst-port=22 protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="SSH ProxMox" dst-address=\
185.46.151.62 dst-port=169 protocol=tcp to-addresses=192.168.20.169 \
to-ports=22
add action=dst-nat chain=dstnat comment=Web dst-address=185.46.151.62 \
dst-port=80 log=yes protocol=tcp to-addresses=192.168.20.225 to-ports=80
add action=src-nat chain=srcnat dst-address=192.168.20.225 dst-port=80 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="Web HTTPS" dst-address=185.46.151.62 \
dst-port=443 protocol=tcp to-addresses=192.168.20.225 to-ports=443
add action=src-nat chain=srcnat dst-address=192.168.20.225 dst-port=443 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="1C Test" dst-address=185.46.151.62 \
dst-port=54061 protocol=tcp to-addresses=192.168.20.191 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.191 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="AM RDP" dst-address=185.46.151.62 \
dst-port=54041 protocol=tcp to-addresses=192.168.20.189 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.189 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="K2 RDP" dst-address=185.46.151.62 \
dst-port=54001 protocol=tcp to-addresses=192.168.20.185 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.185 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="DP2 RDP" dst-address=185.46.151.62 \
dst-port=54021 protocol=tcp to-addresses=192.168.20.187 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.187 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="FD RDP" dst-address=185.46.151.62 \
dst-port=54031 protocol=tcp to-addresses=192.168.20.188 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.188 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="Small-Cli RDP" dst-address=\
185.46.151.62 dst-port=54051 protocol=tcp to-addresses=192.168.20.190 \
to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.190 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="Tea RDP" dst-address=185.46.151.62 \
dst-port=54071 protocol=tcp to-addresses=192.168.20.194 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.194 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="Net RDP" dst-address=185.46.151.62 \
dst-port=54081 protocol=tcp to-addresses=192.168.20.214 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.214 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="DP RDP" dst-address=185.46.151.62 \
dst-port=54011 protocol=tcp to-addresses=192.168.20.186 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.186 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205
add action=dst-nat chain=dstnat comment="DP Buh RDP" dst-address=\
185.46.151.62 dst-port=14152 protocol=tcp to-addresses=192.168.20.196 \
to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.20.196 dst-port=3389 \
protocol=tcp to-addresses=192.168.20.205

On the server, when I output:
echo 'HTTP_CLIENT_IP='.$_SERVER['HTTP_CLIENT_IP'].'<br>';
echo 'HTTP_X_FORWARDED_FOR='.$_SERVER['HTTP_X_FORWARDED_FOR'].'<br>';
echo 'REMOTE_ADDR='.$_SERVER['REMOTE_ADDR'].'<br>';
// Note: 'HOST' and 'X-Real-IP' are not $_SERVER keys; request headers appear
// as HTTP_HOST and HTTP_X_REAL_IP, so these two always print empty.
echo 'HOST='.$_SERVER['HOST'].'<br>';
echo 'X-Real-IP='.$_SERVER['X-Real-IP'].'<br>';
echo 'Date='.date("d.m.Y H:i:s").'<br>';
echo 'HTTP_HOST='.$_SERVER['HTTP_HOST'].'<br>';


I receive:
HTTP_CLIENT_IP=
HTTP_X_FORWARDED_FOR=
REMOTE_ADDR=192.168.20.200
HOST=
X-Real-IP=
Date=21.09.2023 17:24:51
HTTP_HOST=debug2.corp2.net

What am I doing wrong? How can I make sure that the client's IP address is passed through to the web server? I tried disabling masquerading, but it didn't help. I've been struggling with this for several days now and haven't found a solution.
 
mkx
Forum Guru
Posts: 13278
Joined: Thu Mar 03, 2016 10:23 pm

Re: The web server does not show the client IP

Thu Sep 21, 2023 7:52 pm

I'm wondering why you have so many src-nat rules? I'm not saying that they're not necessary, but I'd like to know what kind of use case requires so many of them. If they're intended for hairpin NAT, they can most of the time be replaced by a single rule.

Like these:
add action=src-nat chain=srcnat dst-address=192.168.20.225 dst-port=80 \
protocol=tcp to-addresses=192.168.20.205

add action=src-nat chain=srcnat dst-address=192.168.20.225 dst-port=443 \
protocol=tcp to-addresses=192.168.20.205

Is that your web server residing at 192.168.20.225 by any chance? The to-addresses doesn't match the address shown in the server's response.
 
rudjuk
just joined
Topic Author
Posts: 2
Joined: Thu Sep 21, 2023 5:40 pm

Re: The web server does not show the client IP

Fri Sep 22, 2023 12:11 am

Yes, 192.168.20.225 is the server address.
I made two rules for each service because rule 1 works for packets from the external network and rule 2 for packets from the internal network. With this setup, the site loads both from the external network and from the internal network.


Disabling the rules does not help: the web server still shows the router's address, not the address of the client from the Internet.
 
IlKa
newbie
Posts: 38
Joined: Sun Jan 03, 2021 11:42 pm

Re: The web server does not show the client IP

Fri Sep 22, 2023 5:50 pm

I still believe the problem is `src-nat`.

See:

`dst-nat` literally means "change the DESTINATION address": it forwards the packet to the web server.
`src-nat` means "change the SOURCE address", and `REMOTE_ADDR` is the source address.
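To make the two replies above concrete, here is an added example that is not from any poster and not the OP's configuration. It parses the OP's "Web" dst-nat/src-nat pair straight from the export syntax, alongside the kind of single hairpin-NAT rule mkx alludes to, and simulates which source address the server at 192.168.20.225 ends up seeing (which is what PHP reports as REMOTE_ADDR). Assumptions: 192.168.20.205 is the router's LAN address (it is the to-addresses in the OP's src-nat rules, but the export never says so), the two client addresses are constructed, and the simulator models only the matchers those rules use (no interface lists, no connection tracking). It does not explain why the OP's server reports 192.168.20.200 rather than .205, the mismatch mkx pointed out.

```python
"""Added example: simulate RouterOS dstnat/srcnat matching for the forum's Web rules.

A srcnat rule that matches only on dst-address/dst-port rewrites the source of
*every* connection to the web server, including ones from the Internet, so the
server sees the router's address.  Restricting the hairpin rule with
src-address=<LAN subnet> leaves Internet clients' addresses intact.
"""
import ipaddress
import shlex

# Assumption: the router's LAN address is 192.168.20.205 (the to-addresses used by
# the thread's src-nat rules); the export itself does not state it.
ROUTER_LAN_IP = "192.168.20.205"

# The OP's Web pair, copied from the export with the line continuations joined.
ORIGINAL_RULES = """
add action=dst-nat chain=dstnat comment=Web dst-address=185.46.151.62 dst-port=80 protocol=tcp to-addresses=192.168.20.225 to-ports=80
add action=src-nat chain=srcnat dst-address=192.168.20.225 dst-port=80 protocol=tcp to-addresses=192.168.20.205
"""

# Same dst-nat, plus one hairpin-NAT rule that only touches LAN-to-LAN traffic.
HAIRPIN_RULES = """
add action=dst-nat chain=dstnat comment=Web dst-address=185.46.151.62 dst-port=80 protocol=tcp to-addresses=192.168.20.225 to-ports=80
add action=masquerade chain=srcnat comment="hairpin NAT" src-address=192.168.20.0/24 dst-address=192.168.20.0/24
"""


def parse_rules(text):
    """Turn 'add key=value ...' export lines into dicts (quoted comments via shlex)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def _addr_matches(addr, spec):
    # A bare address such as 185.46.151.62 parses as a /32 network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule, pkt):
    """Only the matchers used by the rules above are modelled; interface lists,
    connection-state and connection-nat-state are ignored."""
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "src-address" in rule and not _addr_matches(pkt["src"], rule["src-address"]):
        return False
    if "dst-address" in rule and not _addr_matches(pkt["dst"], rule["dst-address"]):
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt["dport"]:
        return False
    return True


def apply_nat(rules, pkt):
    """dstnat runs first (pre-routing), then srcnat (post-routing); first match wins."""
    pkt = dict(pkt)
    for rule in rules:
        if rule["chain"] == "dstnat" and _matches(rule, pkt):
            pkt["dst"] = rule["to-addresses"]
            if "to-ports" in rule:
                pkt["dport"] = int(rule["to-ports"])
            break
    for rule in rules:
        if rule["chain"] == "srcnat" and _matches(rule, pkt):
            if rule["action"] == "src-nat":
                pkt["src"] = rule["to-addresses"]
            elif rule["action"] == "masquerade":
                # masquerade uses the egress interface's address; for a packet
                # delivered into the LAN that is the router's LAN address.
                pkt["src"] = ROUTER_LAN_IP
            break
    return pkt


def remote_addr_seen_by_server(rules_text, client_ip):
    """Source address the web server (PHP's REMOTE_ADDR) sees for a client that
    connects to the public address 185.46.151.62 on port 80."""
    pkt = {"proto": "tcp", "src": client_ip, "dst": "185.46.151.62", "dport": 80}
    return apply_nat(parse_rules(rules_text), pkt)["src"]


if __name__ == "__main__":
    # Constructed client addresses: one from the Internet, one from the LAN.
    for label, rules in (("OP's src-nat pair", ORIGINAL_RULES), ("single hairpin rule", HAIRPIN_RULES)):
        for client in ("203.0.113.5", "192.168.20.50"):
            seen = remote_addr_seen_by_server(rules, client)
            print(f"{label:20s} client {client:15s} -> REMOTE_ADDR {seen}")
```

With the OP's pair, both the Internet client and the LAN client arrive at the server as 192.168.20.205, which is exactly the symptom in the first post. With the hairpin rule restricted by src-address, only the LAN client is rewritten (that rewrite is what makes hairpin access work at all, since the server's reply must come back through the router), while the Internet client keeps its own address. On a real router the existing `masquerade ... out-interface-list=WAN` rule never matches LAN-bound traffic, so the hairpin rule has to be a separate rule, and the per-service src-nat rules become unnecessary.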