k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Public IP display problem

Mon Mar 28, 2016 3:48 pm

Hello everyone,
I have a problem with the display of the public IP of people connected to my Synology server.
Before, when someone logged on to my server, I could see the public IP of the connected person.
Since I got my new CCR1009 router, I no longer see the public IP, only the IP of the router, which is 192.168.1.1.
Do you know why?
Thanks in advance for your help
Claude

Sorry for the English translation
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Mon Mar 28, 2016 10:33 pm

Hi,
It's about NAT, please send your router configuration.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 1:35 am

Hello,
Here are the rules that I set

add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.198
add chain=pinholes protocol=tcp dst-port=98,8443 action=dst-nat to-address=192.168.1.198
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Tue Mar 29, 2016 2:03 am

 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP display problem

Tue Mar 29, 2016 2:12 am

I'd say you're hiding something from us. ;) What about srcnat rules?
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 3:59 am

The problem is that I know nothing at all about this
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 4:00 am

I'd say you're hiding something from us. ;) What about srcnat rules?
No I have nothing to hide :D
Here are my 2 other rules

add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat out-interface=all-ethernet
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP display problem

Tue Mar 29, 2016 4:14 am

So, which one of those two rules do you think is the reason for your problem? You have two guesses.

...

Yes, it's number two. Why? Because out-interface=all-ethernet means any ethernet interface. So when packet from internet goes to your LAN and your LAN is connected to router's ethernet interface, ...
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 11:15 am

Hello,
At first I was given this line: add action = masquerade chain = srcnat out-interface = vlan832 orange-to-addresses = 0.0.0.0
But to-addresses = 0.0.0.0 does not pass
Regarding the content add action=masquerade chain=srcnat out-interface=all-ethernet
What do I do ?
A switch was made to the ports 1 to 4
Sorry, but I know nothing at all about this
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Tue Mar 29, 2016 11:45 am

At first I was given this line: add action = masquerade chain = srcnat out-interface = vlan832 orange-to-addresses = 0.0.0.0
But to-addresses = 0.0.0.0 does not pass
what is orange-to-addresses = 0.0.0.0 ?


We don't know how your Synology is connected to your network, or on which interface, but excluding that interface from NAT may solve the problem.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 12:27 pm

Sorry if my information is incomplete
The router interface: 192.168.1.1
The interface of the server 192.169.1.198
The server is connected to the port Ether3
I also try the little ether8 port ?
Access to the server from outside is via a domain name
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Tue Mar 29, 2016 2:39 pm

Disable this: add action=masquerade chain=srcnat out-interface=all-ethernet
Then check your Synology log and see what happens.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 3:12 pm

From the outside I reach the server, and the log shows me the same IP, the router's.
However, I do not have access to any site from my computer.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 3:57 pm

When I enter this line via Winbox: /ip firewall nat add chain=srcnat action=masquerade out-interface=Public
Here is the response from the router
 
mrz
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Public IP display problem

Tue Mar 29, 2016 4:01 pm

Because you do not have any interface named "Public" :D
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 4:17 pm

Because you do not have any interface named "Public" :D
Yeah, but how do I do this? :)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP display problem

Tue Mar 29, 2016 7:17 pm

For basic setup, you need only one srcnat rule:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<name of your WAN interface>
I thought your WAN interface was vlan832-orange, but perhaps it's not. If you look in IP->Routes, what is the name of interface with default route (the one with destination address 0.0.0.0/0)?

Or you can just post complete export (/export hide-sensitive) and let us look.
 
Pea
Member Candidate
Posts: 234
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Public IP display problem

Tue Mar 29, 2016 9:27 pm

Remove those 4 NAT rules:
add action=masquerade chain=srcnat out-interface=all-ethernet
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.198
add chain=pinholes protocol=tcp dst-port=98,8443 action=dst-nat to-address=192.168.1.198


Then add these 2 rules:
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80,98,443,8443 protocol=tcp to-addresses=192.168.1.198 comment="WAN pinhole to Synology"
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"
You will see in the Synology log the external IP addresses of users connected from the internet.
With this you can also connect from inside your LAN using your external IP or your domain name.
The only side effect is that all connections from your LAN will show as router address 192.168.1.1 :lol:
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Tue Mar 29, 2016 11:19 pm

As I suggested: http://wiki.mikrotik.com/wiki/Hairpin_NAT

But he's using internet too, so a NAT should be added for internet access.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Tue Mar 29, 2016 11:42 pm

For basic setup, you need only one srcnat rule:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<name of your WAN interface>
Error message
I thought your WAN interface was vlan832-orange, but perhaps it's not. If you look in IP->Routes, what is the name of interface with default route (the one with destination address 0.0.0.0/0)?

Or you can just post complete export (/export hide-sensitive) and let us look.
The road
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Wed Mar 30, 2016 12:51 am

I thought your WAN interface was vlan832-orange
That's right
An optical fiber line arrives at an ONT box, which is connected to port ether7 (vlan832-orange)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP display problem

Wed Mar 30, 2016 1:34 am

Then the only absolutely required srcnat rule is:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan832-orange
With this, your internet access must work and remote addresses on NAS must show correctly. If not, then it does not make sense.

With just this one rule, you won't be able to connect to your forwarded ports (80,98,443,8443) on your public address 90.12.x.x from your internal network. To be able to do that, you need the rule from Pea's post:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Wed Mar 30, 2016 8:16 am

It seems you have a bridge in your router, so what is that? In your routing table you have 192.168.1.0 reachable from bridge! I still recommend you post your router configuration with hide-sensitive; maybe it's not about NAT at all, because you are bridging some devices. Also, disabling your NAT didn't work.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Wed Mar 30, 2016 10:56 am

Hello
The problem is the same
How do I export my configuration?
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Wed Mar 30, 2016 6:07 pm

Hello
The problem is the same
How do I export my configuration?
In Winbox, go to New Terminal and type this command: export hide-sensitive

And don't forget to hide your router's sensitive information, such as public IPs.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Wed Mar 30, 2016 7:24 pm

Hello everyone,
Here are the topics that may interest you
Ask if you need
# mar/30/2016 16:57:52 by RouterOS 6.34.2
# software id = SPEA-6527
#
/interface bridge
add comment=Livebox mtu=1500 name=br-livebox
add name=bridge1

/interface ethernet
set [ find default-name=ether1 ] comment="PC Asus"
set [ find default-name=ether2 ] comment="Inoccupé"
set [ find default-name=ether3 ] comment=Serveur
set [ find default-name=ether4 ] comment="Inoccupé"
set [ find default-name=ether5 ] comment=Livebox
set [ find default-name=ether6 ] comment="Unifi Wifi"
set [ find default-name=ether7 ] comment="Boitier ONT (Optical Network Terminal)"
set [ find default-name=ether8 ] comment="Inoccupé"
set [ find default-name=sfp-sfpplus1 ] comment="Port SFP-Plus" disabled=yes name=sfp-plus
set [ find default-name=sfp1 ] comment="Port SFP" disabled=yes

/ip neighbor discovery
set ether1 comment="PC Asus"
set ether2 comment="Inoccupé"
set ether3 comment=Serveur
set ether4 comment="Inoccupé"
set ether5 comment=Livebox
set ether6 comment="Unifi Wifi"
set ether7 comment="Boitier ONT (Optical Network Terminal)"
set ether8 comment="Inoccupé"
set sfp-plus comment="Port SFP-Plus"
set sfp1 comment="Port SFP"
set br-livebox comment=Livebox

/interface vlan
add comment=vlan832-livebox interface=ether5 name=vlan832-livebox vlan-id=832
add comment=vlan832-orange interface=ether7 name=vlan832-orange vlan-id=832
add comment="VOD Livebox" disabled=yes interface=ether5 name=vlan838-livebox vlan-id=838
add comment="TV Livebox" disabled=yes interface=ether5 name=vlan840-livebox vlan-id=840
add comment="VoIP Livebox" disabled=yes interface=ether5 name=vlan851-livebox vlan-id=851
add comment="VoIP Orange" disabled=yes interface=ether7 name=vlan851-orange vlan-id=851

/ip neighbor discovery
set vlan832-livebox comment=vlan832-livebox
set vlan832-orange comment=vlan832-orange
set vlan838-livebox comment="VOD Livebox"
set vlan840-livebox comment="TV Livebox"
set vlan851-livebox comment="VoIP Livebox"
set vlan851-orange comment="VoIP Orange"

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=livebox ranges=192.168.2.20-192.168.2.200

/ip dhcp-server
add address-pool=dhcp authoritative=yes disabled=no interface=bridge1 lease-time=1w name=LAN
add address-pool=livebox authoritative=yes disabled=no interface=vlan832-livebox lease-time=1w name=Livebox

/interface bridge port
add bridge=br-livebox comment="Déactivé car pas nécessaire" disabled=yes interface=vlan851-livebox
add bridge=br-livebox interface=vlan838-livebox
add bridge=br-livebox interface=vlan840-livebox
add bridge=bridge1 comment="PC Asus" interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 comment=Serveur interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 comment=Livebox interface=ether5
add bridge=bridge1 comment="Wifi Ubiquity" interface=ether6
add bridge=bridge1 comment="Boitier ONT (Optical Network Terminal)" interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-plus

/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan832-livebox network=192.168.2.0

/ip arp
add address=192.168.1.198 comment=Serveur interface=ether3 mac-address=0000000000000000

/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,userclass,vendor-class-identifier disabled=no interface=vlan832-orange
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease
add address=192.168.2.21 comment=Livebox dhcp-option=authsend,SIP mac-address=0000000000000000 server=Livebox
add address=192.168.1.198 client-id=1:0:11:32:1b:ec:b7 comment=Serveur mac-address=0000000000000000 server=LAN
add address=192.168.1.194 client-id=1:44:d9:e7:f6:d3:22 comment=WiFi mac-address=0000000000000000 server=LAN
add address=192.168.1.200 client-id=1:14:da:e9:25:6e:c0 comment=Asus mac-address=000000000000000000000 server=LAN

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dhcp-option=authsend,SIP dns-server=81.253.149.1,80.10.246.130 gateway=192.168.2.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=192.168.2.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" disabled=yes list=bogons
	
/ip firewall nat
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=!vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Nat All Ethernet" log-prefix="Port Ethernet" out-interface=!all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=dst-nat chain=pinholes comment=Photo-Station dst-port=80,443 log=yes log-prefix="Port 80-443" protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=pinholes dst-port=98,8443 log=yes log-prefix="Port 98-8443" protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=dstnat dst-port=5000 log=yes log-prefix="Port 5000" protocol=tcp to-addresses=192.168.1.198 to-ports=5000

/ip route
add distance=1 gateway=192.168.1.1

/ip service
set telnet address=192.168.1.200/32 disabled=yes
set ftp address=192.168.1.200/32 disabled=yes
set ssh address=192.168.1.200/32 disabled=yes
set winbox address=192.168.1.200/32

/queue interface
set sfp-plus queue=ethernet-default
set sfp1 queue=ethernet-default
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set ether7 queue=ethernet-default
set ether8 queue=ethernet-default

/system logging
add disabled=yes topics=dhcp
add topics=firewall
add disabled=yes topics=interface
add disabled=yes topics=account
add prefix=Critique topics=critical

/system resource irq rps
set sfp-plus disabled=no
set sfp1 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no

/system routerboard settings
set cpu-frequency=1000MHz memory-frequency=1066DDR protected-routerboot=disabled
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Public IP display problem

Wed Mar 30, 2016 9:27 pm

Change your NAT rules' priority: make sure all NAT rules for the Synology come first in your Firewall NAT list; you can easily drag them to the top in Winbox.
You are masquerading your Synology interface, so of course the router will replace the real addresses with its own IP.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP display problem

Thu Mar 31, 2016 12:14 am

Translation to English:
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=!vlan832-orange to-addresses=0.0.0.0
Masquerade any traffic if outgoing interface is not vlan832-orange ("!" before interface name means "not"). This changes all incoming connections from internet to NAS to look like they are coming from 192.168.1.1, because this rule matches any outgoing interface except WAN.
add action=masquerade chain=srcnat comment="Nat All Ethernet" log-prefix="Port Ethernet" out-interface=!all-ethernet
Masquerade any traffic if outgoing interface is not ethernet. This currently makes your internet work, because your WAN is VLAN and not ethernet.

Instead of those two, you need only one:
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=vlan832-orange
Masquerade any traffic if outgoing interface is vlan832-orange.

-

I'm also not sure why ether5 is part of bridge with all other ports, I'd say it shouldn't be there, but it should not influence this.
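
Added example (not part of the thread and not MikroTik code): a small Python model of the srcnat chain that replays the three rule sets posted above and reports which source address the NAS ends up logging. Assumptions: the interface table, the placeholder addresses 203.0.113.1 (public address) and 198.51.100.7 (internet client), treating the NAS-side outgoing interface as ether3 while ignoring the bridge, and modelling all-ethernet as "any interface of type ethernet".

```python
import ipaddress
import shlex

# Constructed interface table: name -> (type, router address on that interface).
# 203.0.113.1 is a placeholder; the thread elides the real public address.
INTERFACES = {
    "vlan832-orange": ("vlan", "203.0.113.1"),  # WAN
    "ether3": ("ethernet", "192.168.1.1"),      # LAN port toward the NAS (assumed)
}
NAS = "192.168.1.198"
WAN_CLIENT = "198.51.100.7"   # constructed internet client
LAN_CLIENT = "192.168.1.200"

# srcnat rule sets copied from the thread.
ORIGINAL = '''
add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat out-interface=all-ethernet'''
EXPORTED = '''
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=!vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Nat All Ethernet" log-prefix="Port Ethernet" out-interface=!all-ethernet'''
FIXED = '''
add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"'''

def parse(text):
    """Parse 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.strip()]

def match_iface(spec, out_if):
    """out-interface matcher: '!' negates, all-ethernet means any ethernet port."""
    negate, name = spec.startswith("!"), spec.lstrip("!")
    if name == "all-ethernet":
        hit = INTERFACES[out_if][0] == "ethernet"
    else:
        hit = name == out_if
    return hit != negate

def match_addr(spec, addr):
    """Address matcher: accepts a host or a CIDR block, '!' negates."""
    negate, net = spec.startswith("!"), ipaddress.ip_network(spec.lstrip("!"))
    return (ipaddress.ip_address(addr) in net) != negate

def source_seen(rules, src, dst, out_if, proto="tcp"):
    """Source address the destination logs once the srcnat chain has run."""
    for r in rules:
        if r.get("chain") != "srcnat":
            continue
        if "out-interface" in r and not match_iface(r["out-interface"], out_if):
            continue
        if "src-address" in r and not match_addr(r["src-address"], src):
            continue
        if "dst-address" in r and not match_addr(r["dst-address"], dst):
            continue
        if "protocol" in r and r["protocol"] != proto:
            continue
        if r["action"] == "masquerade":   # first matching rule wins
            return INTERFACES[out_if][1]  # source becomes the router's address
    return src

def hides_clients(rules):
    """True if an internet client forwarded to the NAS is logged as the router."""
    return source_seen(rules, WAN_CLIENT, NAS, "ether3") != WAN_CLIENT

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("exported", EXPORTED), ("fixed", FIXED)):
        print(name, "hides internet clients from the NAS log:", hides_clients(parse(text)))
```

A rule set for which `hides_clients` returns True also breaks anything on the NAS that acts on source addresses, such as automatic IP blocking after failed logins, because every remote client appears as 192.168.1.1.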
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Public IP display problem

Thu Mar 31, 2016 2:18 am

Masquerade any traffic if outgoing interface is not vlan832-orange ("!" before interface name means "not").
Hello Sob
Well, I think you found the solution
This little checkbox next to the name was activated
So I disabled this checkbox and did some tests
And, miracle, in the server log I see the public IP of my tablet
I also did a test on Photo Station, same thing.
Tomorrow I'm going to do more in-depth tests
I want to thank you all for your help and for your patience
Claude

