How to access DMZ from LAN with its public IP?

Uqbar · Thu Nov 19, 2015 4:53 pm

I have a server on my LAN that I have exposed in DMZ with a couple of src-nat/dst-nat.
Its public IP address is different from the mikrotik WAN IP.
I added a NAT rule like this (sorry, I use winbox):

Chain: dst-nat
Dst-address: DMZ public IP
In.Interface: LAN
Action: dst-nat
to address: LAN private IP for the server

What happens is that I get to the mikrotik instead of being redirected to the server.
The logs have been useless, to me at least.
Any hint?
Thanks.

docmarius · Thu Nov 19, 2015 5:09 pm

Try rebooting, since tracked connection will interfere with dst-nat....

Uqbar · Mon Nov 23, 2015 12:13 pm

That's not working yet.
I want to be able to access the local DMZ server by means of its public IP...

vixxant · Mon Nov 23, 2015 12:20 pm

Can you try without "In.Interface: LAN"

ip firewall nat add chain=dstnat dst-address=public-ip action=dst-nat to-addresses=local-ip

Uqbar · Mon Nov 23, 2015 12:39 pm

That works.
But it's interfering with the filtering dst-nat rule that comes before.
I have a first dst-nat rule to allow the access from internet to the DMZ server only with a few protocols.
While the second one that you suggested (and works) allows all protocols, as it should be.
What happens is that the second rule "overrules" the first one, allowing all protocols to the DMZ server...
I actually need a "limited" dst-nat when coming from the Internet and an "unlimited" dst-nat from LAN.

vixxant · Mon Nov 23, 2015 12:57 pm

i did not understand well what you said . but you can only forward the ports you need to dmz. like

ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip

if you want you can define "to-ports=80,443,3128" so that it will only forward those ports to dmz.

Uqbar · Mon Nov 23, 2015 1:09 pm

i did not understand well what you said . but you can only forward the ports you need to dmz. like
Code: Select all
ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip 
if you want you can define "to-ports=80,443,3128" so that it will only forward those ports to dmz.

You cannot use port list in "to-ports" but only port ranges.

vixxant · Mon Nov 23, 2015 1:14 pm

my mistake . then you can leave it blank.

Uqbar · Mon Nov 23, 2015 3:25 pm

We are back to the original point.
1. I have a dst-nat rule with a few TCP ports available from internet
2. I have a dst-nat rule with all TCP ports available from LAN

But it doesn't work.

Uqbar · Fri Nov 27, 2015 12:26 pm

I made it (almost) working with these two rules in NAT:

  0   chain=dstnat action=dst-nat to-addresses=10.74.1.222 to-ports=80 protocol=tcp dst-address-type=local in-interface=ether2-LAN dst-port=80

 1    chain=srcnat action=masquerade protocol=tcp src-address=10.74.1.0/24 dst-address=10.74.1.222 out-interface=ether2-LAN dst-port=80

Where 10.74.1.222 is my DMZ server.
Now, if I point my browser to the second WAN IP address I get to the LAN server 10.74.1.222.
But two main problems remain:

1. I don't fully understand why and how it works (my bad!)
2. It works for all WAN IPs.

I was expecting a simple dst-nat rule to dst-NAT all traffic from LAN to the chosen public IP addresses on WAN to the LAN server itself.

But that's not working.
Any idea?

How to access DMZ from LAN with its public IP?

How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?

Re: How to access DMZ from LAN with its public IP?