rd228 (Frequent Visitor, Topic Author)

DMZ Routing question (Stuck)

Tue Aug 21, 2018 8:00 pm

Hello

I have just set up a DMZ on my MikroTik.

I have my LAN running from one port on my MikroTik and my DMZ connected to the other. There are firewall rules between them to stop them talking to each other; that's not the issue here. Just to also point out, both the DMZ and LAN are running on different subnets as well.

The problem I am facing is that when I try to go to my external domain name, which points at a web server in my DMZ, from outside of my network it's all fine and the page loads.

Now if I go to the same external URL inside my LAN, the page doesn't load. Checking the dropped traffic, it looks like it's trying to route to the DMZ internally but it can't because I have blocked all access between the 2 networks.

This is the bit I'm stuck on and can't work out: how do I force my LAN clients to go out to the internet to resolve the web server in the DMZ rather than doing it internally? Or is this approach even a stupid one, and would it make more sense for the LAN users to be able to get to it internally instead? I'm not using split DNS, so my DNS isn't resolving an internal address for the URL.

Help appreciated please!
 
bramwittendorp (Member Candidate, The Netherlands), Tue Aug 21, 2018 8:28 pm:

You'll need hairpin NAT; there are lots of good topics on this forum explaining it. Just do a search for Hairpin-NAT.

search.php?keywords=Hairpin+NAT
 
xvo (Forum Guru, Moscow, Russia), Tue Aug 21, 2018 9:35 pm:

> You'll need hairpin NAT; there are lots of good topics on this forum explaining it. Just do a search for Hairpin-NAT.
>
> search.php?keywords=Hairpin+NAT

Actually, there's no need for it: LAN and DMZ are different subnets.

And I don't really understand what this is all about; the only thing that needs to be done is opening access from LAN to DMZ in the firewall for these connections:
1) If dst-nat rule is limited to outside connections -> remove this limitation.
2) If there is no filter rule accepting packets for new connections with connection-nat-state=dstnat - create one.
 
rd228 (Frequent Visitor, Topic Author), Wed Aug 22, 2018 7:32 pm:

Hi all

I think I'm going to need a little more assistance on this one. I have tried a hairpin NAT based on the wiki documentation but it's not working.

This is what is showing up as the problem in my log when I try to access my external domain from inside my LAN.
[Attachment: Capture.PNG]
The bit I have scribbled out is my public IP address

DMZ Bridge is the bridge interface for my DMZ and Bridge1 is my LAN

My internal LAN is 172.28.0.0/20
PCs on the LAN get a DHCP address of 172.28.6.0
My DMZ Subnet is 172.28.20.0/24

The NGINX Proxy server is sat on the DMZ as 172.28.20.253 - This proxies requests to other web servers sat inside the DMZ
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 10:18 am:

Can anyone assist?
 
Sob (Forum Guru), Thu Aug 23, 2018 1:08 pm:

As was already pointed out, you don't need hairpin NAT for this. And if it's the reply packets getting blocked, as it looks from your screenshot, it really shouldn't happen with a regular firewall where replies are allowed by the very first rule. Try to share a few more details about your firewall. The output of "/ip firewall export" would probably help.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 3:10 pm:

Xvo pointed out above that I need to open up firewall access from my LAN to my DMZ. I don't want to do that; I want to keep them both completely isolated...

Here are the firewall/NAT rules. There are some bits in there I need to tidy up and remove but I haven't had the time to go through it yet.

The Jump to DMZ rule is triggered by anything coming IN to the DMZ interface. This is where I block access to and from my LAN:
/ip firewall filter
add action=jump chain=forward comment="Jump to DMZ Rules" in-interface=\
    "DMZ Bridge" jump-target=DMZ
add action=accept chain=forward comment="Allow Traffic from GRE Tunnel to LAN" \
    in-interface=gre-tunnel1 out-interface=bridge1
add action=accept chain=forward comment=\
    "Allow new connections through router coming in LAN interface" \
    connection-state=new in-interface=bridge1
add action=accept chain=forward comment=\
    "Allow established connections through router" connection-state=established
add action=accept chain=forward comment=\
    "Allow related connections through router" connection-state=related
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=\
    "Allow everything from the LAN interface to the router" in-interface=\
    bridge1
add action=accept chain=input comment="Allow established  connections to the rou\
    ter, these are OK because we aren't allowing new connections" \
    connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
    these are OK because we aren't allowing new connections" connection-state=\
    related
add action=accept chain=DMZ comment="Allow DMZ Clients out to Internet (WAN)" \
    in-interface="DMZ Bridge" out-interface=pppoe-out1
add action=accept chain=forward comment="Allow Plex" dst-port=32400 protocol=\
    tcp
add action=accept chain=forward comment="Tempoary for Lets Encrypt Renewal" \
    dst-port=80 protocol=tcp
add action=accept chain=forward comment="Tempoary for Lets Encrypt Renewal" \
    dst-port=443 protocol=tcp
add action=accept chain=DMZ comment="Allow LAN to DMZ" disabled=yes \
    in-interface="DMZ Bridge" out-interface=bridge1    
add action=drop chain=DMZ comment="Disable DMZ talking to LAN" in-interface=\
    "DMZ Bridge" log=yes out-interface=bridge1
add action=drop chain=input comment="Drop everything else to the router"
add action=drop chain=forward comment=\
    "Drop all other connections through the router" log=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="PUBLIC/PRIVATE NAT (Internet)" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat dst-address=172.28.0.0/16 out-interface=\
    bridge1 src-address=172.28.0.0/16
add action=dst-nat chain=dstnat comment="Plex Server" dst-port=32400 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=172.28.8.100 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="Port 80 Lets Encrypt (Tempoary)" \
    dst-address=!172.28.0.0/16 dst-address-type=local dst-port=80 log=yes \
    protocol=tcp to-addresses=172.28.20.253 to-ports=80
add action=dst-nat chain=dstnat comment="Port 443 Lets Encrypt (Tempoary)" \
    dst-address=!172.28.0.0/16 dst-address-type=local dst-port=443 log=yes \
    protocol=tcp to-addresses=172.28.20.253 to-ports=443
 
mkx (Forum Guru), Thu Aug 23, 2018 3:42 pm:

I guess you actually have a conceptual problem: you cannot push an IP packet out of the router's WAN interface just to get it bounced back so that the router's firewall can treat it as if it originated from the internet.

Example:
DNS www.some.domain points to 1.2.3.4
router's WAN IP address: 1.2.3.4
router's DMZ segment address: 192.168.1.1
router's LAN segment address: 10.10.1.1
server in DMZ address: 192.168.1.100
LAN PC address: 10.10.2.2
router's NAT config has ports 80,443 forwarded to the server in the DMZ

When a user on the LAN PC requests a web page with URL https://www.some.domain/mypage.html ...
  • the browser first resolves the FQDN to an IP address using whatever DNS service is configured. It gets 1.2.3.4.
  • Then it starts a TCP connection from 10.10.2.2 to 1.2.3.4. The LAN PC's IP stack knows it cannot reach the server directly (destination IP 1.2.3.4 is outside its own subnet), so it sends the packets to its gateway, which is the router's LAN segment address.
  • When the router receives this IP packet on its LAN interface, it consults its routing tables, sees that 1.2.3.4 is one of its own addresses, and so passes it on to ...
  • ... its NAT layer. The NAT configuration says 'rewrite dst-address with 192.168.1.100', which the router does. (If there were no matching NAT rule, the router would consult the firewall rules for chain=input instead.)
  • After that it consults the firewall rules for chain=forward. If action=accept (explicit or implicit) is found, it ...
  • ... consults its own routing tables (again), sees that the (new) dst-address is directly reachable via the router's DMZ segment interface, and passes the packet to the server in the DMZ.
  • In your case the router, while checking the firewall rules for chain=forward, finds action=deny based on the src-address being from your LAN, making the router drop the packet.
You could get around the last bullet by applying src-nat on those packets as well, but that would hide the user's IP address from the HTTP service running on the DMZ server, which normally is not wanted.

If you want to allow LAN users to connect to the server in the DMZ, you need to (selectively) allow connections. You can actually construct rules similar to those you have for access from the internet ... plus some form of generic hairpin NAT, combined with appropriate firewall filter rules.

You just can't get connectivity from LAN PCs to DMZ servers without allowing some (limited) communication between them.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 4:06 pm:

Hi @mkx

Thank you for the detailed explanation

So basically what you are saying is that I need to open up ports between my LAN and DMZ for this to work? Ideally something I wanted to avoid.

So for normal HTTP and HTTPS traffic I would need to open up port 80 and 443 between my LAN and DMZ?
 
Sob (Forum Guru), Thu Aug 23, 2018 4:41 pm:

You can't isolate LAN and DMZ completely, because when you try to connect from LAN to DMZ, it will be exactly that, no matter whether it uses the internal or the external address. But you don't need to make any compromises with security. First you need to make sure that the dstnat rules work for connections from LAN too (those LE ones do; the Plex rule with in-interface=pppoe-out1 won't). Then you need the magic rule:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
It will accept all dstnatted connections. But direct access is still prohibited. So if you try to connect from LAN to DMZ directly to the internal address, it won't work. But if you use the public address, dstnat will happen and the magic rule will allow it to pass. Your current rules allowing ports 80, 443 and 32400 in the forward chain won't be necessary any more either.

Also remember that the order of rules is important. You want to accept established & related before other rules, because that will match the vast majority of packets, so it will speed things up a little. And after you deal with established, related and invalid, the rest will be new connections, and that's where you decide by other rules whether you want them to pass or not.
 
xvo (Forum Guru, Moscow, Russia), Thu Aug 23, 2018 7:34 pm:

...one post to find what the problem is...
...one post to suggest a solution...
...ten posts to convince, that it is the only solution...
...sigh...

Nevermind, just grumbling :)
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 9:33 pm:

> ...one post to find what the problem is...
> ...one post to suggest a solution...
> ...ten posts to convince, that it is the only solution...
> ...sigh...
>
> Nevermind, just grumbling :)

Thanks, but as I'm sure you know, with any IT problem there is no "one solution", so whilst everyone including yourself above has posted what I would consider to all be viable solutions, and I appreciate them, it's about finding the best one for the goal you are trying to reach. So if that means someone has to ask a few more questions to help them work that out, or even to understand what someone else has explained to them because they aren't sure they understand it, then so be it.

Not to have a go at yourself here, but the whole point of a user forum is to help other people out, not criticise because they don't understand and are asking questions so that they can learn or further expand their knowledge.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 9:38 pm:

> You can't isolate LAN and DMZ completely, because when you try to connect from LAN to DMZ, it will be exactly that, no matter whether it uses the internal or the external address. But you don't need to make any compromises with security. First you need to make sure that the dstnat rules work for connections from LAN too (those LE ones do; the Plex rule with in-interface=pppoe-out1 won't). Then you need the magic rule:
> /ip firewall filter
> add chain=forward connection-nat-state=dstnat action=accept
> It will accept all dstnatted connections. But direct access is still prohibited. So if you try to connect from LAN to DMZ directly to the internal address, it won't work. But if you use the public address, dstnat will happen and the magic rule will allow it to pass. Your current rules allowing ports 80, 443 and 32400 in the forward chain won't be necessary any more either.
>
> Also remember that the order of rules is important. You want to accept established & related before other rules, because that will match the vast majority of packets, so it will speed things up a little. And after you deal with established, related and invalid, the rest will be new connections, and that's where you decide by other rules whether you want them to pass or not.

I have done as you said and disabled the forward rules for 80, 443 and 32400 and added the magic rule. I can still access from external.

I still can't access internally though :( The same error I posted before comes up in the logs.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 9:42 pm:

If I remove the drop rule that drops traffic from the DMZ to the LAN then I can access from internal. However, I don't think that's what I need to do? As if I do that I am now able to ping addresses on my DMZ from my LAN and vice versa.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 10:07 pm:

Ok, think I've sussed it!

Bear with me, I'm just tidying up some of my rules and I'll post what I have done, if you wouldn't mind confirming it's correct.
 
xvo (Forum Guru, Moscow, Russia), Thu Aug 23, 2018 10:24 pm:

> > ...one post to find what the problem is...
> > ...one post to suggest a solution...
> > ...ten posts to convince, that it is the only solution...
> > ...sigh...
> >
> > Nevermind, just grumbling :)
>
> Thanks, but as I'm sure you know, with any IT problem there is no "one solution", so whilst everyone including yourself above has posted what I would consider to all be viable solutions, and I appreciate them, it's about finding the best one for the goal you are trying to reach. So if that means someone has to ask a few more questions to help them work that out, or even to understand what someone else has explained to them because they aren't sure they understand it, then so be it.
>
> Not to have a go at yourself here, but the whole point of a user forum is to help other people out, not criticise because they don't understand and are asking questions so that they can learn or further expand their knowledge.

All true.
Still, a little bit of sarcasm will never hurt too ;)
 
Sob (Forum Guru), Thu Aug 23, 2018 10:54 pm:

Again, the order of rules is important. If you left your jump to the DMZ chain before everything else, it won't work well. But move it further down, after accepting forwarded ports (so that it will apply only to new connections), and it will work.
 
rd228 (Frequent Visitor, Topic Author), Thu Aug 23, 2018 11:17 pm:

Yes - It was the ordering that messed me up.

This is what I have now come up with

There are a couple of forward rules in my DMZ jump rules to allow the DMZ to talk to the LAN, but only over specific ports; this is because I have a couple of things in my LAN that can't be moved to the DMZ. The external connection to these servers on my LAN is proxied through my NGINX proxy server, which sits in my DMZ; the forward rule, as you will see, then allows the NGINX server to talk to the 2 devices in my LAN. The ports to my LAN are not open externally.

I also, by the looks of it, didn't need to delete the Plex NAT rule. I left that in and it's still working. I think this is because my Plex server sits in my LAN, not my DMZ, so I don't run into the NAT routing issues going from my LAN to the DMZ, as Plex doesn't sit in the DMZ.

Any other changes you would make to the below?
/ip firewall filter
add action=accept chain=forward comment="Allow Traffic from Tunnel to LAN" \
    in-interface=gre-tunnel1 out-interface=bridge1
add action=accept chain=forward comment="Allow Traffic from LAN to Tunnel" \
    in-interface=bridge1 out-interface=gre-tunnel1
add action=accept chain=forward comment=\
    "Allow new connections through router coming in LAN interface" \
    connection-state=new in-interface=bridge1 out-interface=pppoe-out1
add action=accept chain=forward comment=\
    "Allow established connections through router" connection-state=established
add action=accept chain=forward comment=\
    "Allow related connections through router" connection-state=related
add action=accept chain=forward comment="The Magic Rule" connection-nat-state=\
    dstnat
add action=jump chain=forward comment="Jump to DMZ Rules" in-interface=\
    "DMZ Bridge" jump-target=DMZ
add action=accept chain=forward comment="Allow Plex" dst-port=\
    32400 protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid

add action=accept chain=input comment=\
    "Allow everything from the LAN interface to the router" in-interface=\
    bridge1
add action=accept chain=input comment="Allow established  connections to the rou\
    ter, these are OK because we aren't allowing new connections" \
    connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
    these are OK because we aren't allowing new connections" connection-state=\
    related


add action=accept chain=DMZ comment="Allow DMZ Clients out to Internet (WAN)" \
    in-interface="DMZ Bridge" out-interface=pppoe-out1
add action=accept chain=DMZ comment="Home Assistant" dst-address=172.28.8.143 \
    dst-port=8123 in-interface="DMZ Bridge" out-interface=bridge1 protocol=tcp \
    src-address=172.28.20.253
add action=accept chain=DMZ comment="Plex Requests" dst-address=172.28.8.143 \
    dst-port=3579 in-interface="DMZ Bridge" out-interface=bridge1 protocol=tcp \
    src-address=172.28.20.253
add action=drop chain=DMZ comment="Disable DMZ talking to LAN" in-interface=\
    "DMZ Bridge" log=yes out-interface=bridge1

add action=drop chain=input comment="Drop everything else to the router"
add action=drop chain=forward comment=\
    "Drop all other connections through the router" log=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="PUBLIC/PRIVATE NAT (Internet)" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="Plex Server" dst-port=32400 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=172.28.8.100 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="Port 80 Lets Encrypt (Tempoary)" \
    dst-address=!172.28.0.0/16 dst-address-type=local dst-port=80 log=yes \
    protocol=tcp to-addresses=172.28.20.253 to-ports=80
add action=dst-nat chain=dstnat comment="Port 443 Lets Encrypt (Tempoary)" \
    dst-address=!172.28.0.0/16 dst-address-type=local dst-port=443 log=yes \
    protocol=tcp to-addresses=172.28.20.253 to-ports=443
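The packet path mkx walks through and the ordering point Sob makes can be checked mechanically against the rule sets posted in this thread. The Python below is an added example, not code from the thread or from MikroTik: it parses rules written in RouterOS export syntax (including the backslash-wrapped lines), applies the thread's port 80/443 dst-nat to new connections before anything else, picks the egress interface from the thread's subnets (172.28.20.0/24 DMZ, 172.28.0.0/20 LAN, else WAN), then walks the forward chain in order, following the jump into the DMZ chain and resuming if that chain falls through. The two rule sets are trimmed copies of the exports in the 3:10 pm and 11:17 pm posts (related/invalid, GRE and Plex rules left out); the public address 203.0.113.10 stands in for the scribbled-out WAN IP and the client addresses are constructed, and only the matchers these rules actually use are modelled.

```python
"""Toy RouterOS forward-chain walk for this thread's LAN -> DMZ case (added example,
not from the thread or MikroTik; rule sets trimmed from the 3:10 pm and 11:17 pm posts)."""
import ipaddress, shlex

PUBLIC_IP = "203.0.113.10"    # constructed stand-in for the scribbled-out WAN address
DMZ_PROXY = "172.28.20.253"   # NGINX proxy in the DMZ (from the thread)
LAN_CLIENT = "172.28.6.10"    # constructed LAN client inside 172.28.0.0/20

OLD_EXPORT = r"""
/ip firewall filter
add action=jump chain=forward in-interface="DMZ Bridge" jump-target=DMZ
add action=accept chain=forward connection-state=new in-interface=bridge1
add action=accept chain=forward connection-state=established
add action=accept chain=DMZ in-interface="DMZ Bridge" out-interface=pppoe-out1
add action=accept chain=forward dst-port=443 protocol=tcp
add action=drop chain=DMZ in-interface="DMZ Bridge" out-interface=bridge1
add action=drop chain=forward
"""

NEW_EXPORT = r"""
/ip firewall filter
add action=accept chain=forward connection-state=new in-interface=bridge1 \
    out-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward comment="The Magic Rule" connection-nat-state=\
    dstnat
add action=jump chain=forward in-interface="DMZ Bridge" jump-target=DMZ
add action=accept chain=DMZ in-interface="DMZ Bridge" out-interface=pppoe-out1
add action=accept chain=DMZ comment="Home Assistant" dst-address=172.28.8.143 \
    dst-port=8123 in-interface="DMZ Bridge" out-interface=bridge1 protocol=tcp \
    src-address=172.28.20.253
add action=drop chain=DMZ in-interface="DMZ Bridge" out-interface=bridge1
add action=drop chain=forward
"""

def parse_rules(export):
    """Join backslash continuations; turn each `add k=v ...` line into a dict."""
    rules, buf = [], ""
    for line in (l.strip() for l in export.splitlines()):
        if not line or line.startswith("/"):
            continue
        if line.endswith("\\"):            # RouterOS export wraps long rules
            buf += line[:-1]
            continue
        tokens, buf = shlex.split(buf + line), ""
        if tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, pkt):
    """All matchers on the rule must agree with the packet (addresses by prefix)."""
    for key, want in rule.items():
        if key in ("action", "chain", "jump-target", "comment", "log"):
            continue
        have = pkt.get(key)
        if key.endswith("-address"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif str(have) != want:       # ports, interfaces, connection-(nat-)state
            return False
    return True

def run_chain(rules, chain, pkt):
    """First matching rule wins; a jump whose target falls through resumes here."""
    for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
        if rule["action"] != "jump":
            return rule["action"]
        verdict = run_chain(rules, rule["jump-target"], pkt)
        if verdict is not None:
            return verdict
    return None

def egress(dst):
    """Routing decision from the thread's subnets: DMZ /24, LAN /20, else WAN."""
    for net, iface in (("172.28.20.0/24", "DMZ Bridge"), ("172.28.0.0/20", "bridge1")):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return iface
    return "pppoe-out1"

def forward_decision(rules, pkt):
    """dst-nat (new connections to the public 80/443) first, then route, then filter."""
    if (pkt["connection-state"] == "new" and pkt["dst-address"] == PUBLIC_IP
            and pkt["protocol"] == "tcp" and pkt["dst-port"] in (80, 443)):
        pkt = {**pkt, "dst-address": DMZ_PROXY, "connection-nat-state": "dstnat"}
    pkt = {**pkt, "out-interface": egress(pkt["dst-address"])}
    return run_chain(rules, "forward", pkt) or "accept"   # RouterOS default policy

def packet(src, dst, dport, in_if, state, nat_state=None):
    """connection-nat-state belongs to the connection, so replies of a dst-natted flow carry it."""
    return {"src-address": src, "dst-address": dst, "protocol": "tcp", "dst-port": dport,
            "in-interface": in_if, "connection-state": state, "connection-nat-state": nat_state}

def scenarios(export):
    """Verdicts for the flows discussed in the thread under one rule set."""
    rules, p = parse_rules(export), forward_decision
    return {
        "lan->public:443 request": p(rules, packet(LAN_CLIENT, PUBLIC_IP, 443, "bridge1", "new")),
        "dmz->lan reply": p(rules, packet(DMZ_PROXY, LAN_CLIENT, 51000, "DMZ Bridge", "established", "dstnat")),
        "lan->dmz:443 direct": p(rules, packet(LAN_CLIENT, DMZ_PROXY, 443, "bridge1", "new")),
        "proxy->lan:8123": p(rules, packet(DMZ_PROXY, "172.28.8.143", 8123, "DMZ Bridge", "new")),
        "other dmz->lan:8123": p(rules, packet("172.28.20.50", "172.28.8.143", 8123, "DMZ Bridge", "new")),
    }
```

Calling scenarios(OLD_EXPORT) reproduces the failure in the screenshot: the LAN request to the public address is dst-natted and accepted by the "new from bridge1" rule, but the reply from the DMZ proxy enters the forward chain on "DMZ Bridge", takes the jump first, and is dropped by the DMZ chain's drop to bridge1 before the established rule is ever reached. scenarios(NEW_EXPORT) shows the reordered set letting both halves through, still dropping a direct LAN connection to 172.28.20.253 (no dstnat, so the magic rule does not match and the final drop applies), and letting only the NGINX proxy, not another DMZ host, reach 172.28.8.143:8123.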