Hello!
I have a Mikrotik G750 GR3 and I would like to ask a question.
Imagine the following scenario:
I have a web server at the IP address 10.0.0.100 with port 80 open.
I have a Windows host with the IP address 10.0.0.150.
On this Windows host, I open the browser and type the URL http://10.0.0.100/8888 and I would like it to be redirected to port 80 of the web server located at IP 10.0.0.100.
Please note that I want this redirection to occur within the internal network. I was able to set up the redirection from the INTERNET link to an internal IP.
If my explanation is not clear, I will try to explain it in another way.
-
-
guilhermecatini
just joined
- Posts: 3
- Joined:
- Location: Brasil
Re: Port Fowarding on Internal Network
Until we see the config, cannot comment on what you may have setup incorrectly
Re: Port Fowarding on Internal Network
For the most part, if you have multiple devices on the same LAN segment (which sounds like your situation), traffic between them never goes through your router, and therefore the router can't modify the traffic.
If that is not the case please provide a network description (or better yet a network drawing) to go along with the configuration that Anav asked for.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
If that is not the case please provide a network description (or better yet a network drawing) to go along with the configuration that Anav asked for.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
-
-
guilhermecatini
just joined
- Posts: 3
- Joined:
- Location: Brasil
Re: Port Fowarding on Internal Network
For the most part, if you have multiple devices on the same LAN segment (which sounds like your situation), traffic between them never goes through your router, and therefore the router can't modify the traffic.
Yes, this is the case. This information is new to me.
Even so, I will send the equipment configuration.
Code: Select all
# aug/07/2024 09:38:36 by RouterOS 6.49.15
# software id = *******
#
# model = RB750Gr3
# serial number = HFM09MEMDCC
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes disabled=no interface=\
ether1 name=pppoe-out1 user=***********@netfibrajundiai.com
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.0.2-172.16.0.149
add name=L2TP ranges=10.1.1.2-10.1.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=10.1.1.1 name=L2TP remote-address=L2TP \
use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=L2TP enabled=yes \
max-sessions=20 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=172.16.0.250
/ip dns static
add address=172.16.0.249 name=api-sandbox.catini.org
add address=172.16.0.249 name=vw.catini.org
/ip firewall filter
add action=fasttrack-connection chain=forward in-interface=pppoe-out1 \
out-interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat comment="Rotear Internet para Rede" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment="BPR - Web Server Mods" dst-port=2933 \
protocol=tcp to-addresses=172.16.0.153 to-ports=2933
add action=dst-nat chain=dstnat comment="BPR - Servidor Rifles" dst-port=\
28960 protocol=udp to-addresses=172.16.0.154 to-ports=28960
add action=dst-nat chain=dstnat comment="BPR - Servidor PAM" dst-port=28961 \
protocol=udp to-addresses=172.16.0.154 to-ports=28961
add action=dst-nat chain=dstnat comment="BPR - Servidor Teste" dst-port=28962 \
protocol=udp to-addresses=172.16.0.154 to-ports=28962
add action=dst-nat chain=dstnat comment=MariaDB dst-port=3306 protocol=tcp \
to-addresses=172.16.0.252 to-ports=3306
add action=dst-nat chain=dstnat comment="Nginx Proxy Manager" dst-port=4443 \
protocol=tcp to-addresses=172.16.0.249 to-ports=443
/ip service
set www disabled=yes
set www-ssl certificate=CA disabled=no port=2323
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=guilhermecatini profile=L2TP
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name="Catini Corporation"
What is your suggestion to solve this case?
Re: Port Fowarding on Internal Network
Id say
a. your very confused, you have a bridge assigned to handle dhcp then you assign the address to ether2,
b. you have no bridge port defined
c. you have no firewall rules to speak,
aka, a copy and paste hack job from some crappy youtube videos etc.
no point in even looking at port forwarding until you put back the default firewall rules and clean up the config so it resembles something that is workable.
a. your very confused, you have a bridge assigned to handle dhcp then you assign the address to ether2,
b. you have no bridge port defined
c. you have no firewall rules to speak,
aka, a copy and paste hack job from some crappy youtube videos etc.
no point in even looking at port forwarding until you put back the default firewall rules and clean up the config so it resembles something that is workable.
-
-
jvanhambelgium
Forum Guru
- Posts: 1120
- Joined:
- Location: Belgium
Re: Port Fowarding on Internal Network
Simple make the webserver perform the redirect 
It can sent a HTTP 302 code to tell your Windows client that.
It can sent a HTTP 302 code to tell your Windows client that.
-
-
guilhermecatini
just joined
- Posts: 3
- Joined:
- Location: Brasil
Re: Port Fowarding on Internal Network
Id say
a. your very confused, you have a bridge assigned to handle dhcp then you assign the address to ether2,
b. you have no bridge port defined
c. you have no firewall rules to speak,
aka, a copy and paste hack job from some crappy youtube videos etc.
no point in even looking at port forwarding until you put back the default firewall rules and clean up the config so it resembles something that is workable.
a.No, I'm not very confused. I actually made a mistake, and since I'm a new Mikrotik user, the error went unnoticed.
Code: Select all
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1b. Wouldn't the Bridge Port be the combination of ETHER2, ETHER3, ETHER4, and ETHER5?
c.I really don't have it. As I said, I only have inbound rules, where I redirect the incoming ports from the internet to specific internal IP addresses.
Re: Port Fowarding on Internal Network
Can you use a dummy address ?
I try to explain better:
1 - Windows Host -> Open Browser -> Digit ip 99.99.99.99:99 (an ip that you know will never be used or you make take it will never be taken by another device, and random port if you want)
2 - The query goes to the RB to search for a route because no device will be found in the lan with the address
3 - In the RB -> Firewall -> Nat :
Whitout Port
With Port
4 - Now when you input that address in the Browser it will redirect to the webserver
In theory this should work, in reality i hope so for you!
I try to explain better:
1 - Windows Host -> Open Browser -> Digit ip 99.99.99.99:99 (an ip that you know will never be used or you make take it will never be taken by another device, and random port if you want)
2 - The query goes to the RB to search for a route because no device will be found in the lan with the address
3 - In the RB -> Firewall -> Nat :
Whitout Port
Code: Select all
ip/firewall/nat
add chain=dstnat dst-address=99.99.99.99 in-interface = LAN action=dst-nat to-addresses=10.0.0.100 to-ports=80
Code: Select all
ip/firewall/nat
add chain=dstnat dst-address=99.99.99.99 protcol=tcp/udp (your choice here) dst-port=99(the one that you choice) in-interface = LAN action=dst-nat to-addresses=10.0.0.100 to-ports=80
4 - Now when you input that address in the Browser it will redirect to the webserver
In theory this should work, in reality i hope so for you!
Re: Port Fowarding on Internal Network
Greetings. You can give the below a try. BTW, the proper way to reach an address with a specific port in browser is http://10.0.0.100:8888
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect port 8888_to_80" dst-port=8888 in-interface-list=LAN protocol=tcp to-ports=80 src-address=10.0.0.150 dst-address=10.0.0.100
If this works for you, you can eliminate "src-address=10.0.0.150" to have all devices in the LAN redirect port 8888 to 80.
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect port 8888_to_80" dst-port=8888 in-interface-list=LAN protocol=tcp to-ports=80 src-address=10.0.0.150 dst-address=10.0.0.100
If this works for you, you can eliminate "src-address=10.0.0.150" to have all devices in the LAN redirect port 8888 to 80.