How to access DMZ from LAN with its public IP?

Posted: Thu Nov 19, 2015 4:53 pm
by Uqbar
I have a server on my LAN that I have exposed in DMZ with a couple of src-nat/dst-nat.
Its public IP address is different from the mikrotik WAN IP.
I added a NAT rule like this (sorry, I use winbox):

Chain: dst-nat
Dst-address: DMZ public IP
In.Interface: LAN
Action: dst-nat
to address: LAN private IP for the server

What happens is that I get to the mikrotik instead of being redirected to the server.
The logs have been useless, to me at least.
Any hint?
Thanks.

Re: How to access DMZ from LAN with its public IP?

Posted: Thu Nov 19, 2015 5:09 pm
by docmarius
Try rebooting, since tracked connections will interfere with dst-nat...

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 12:13 pm
by Uqbar
That's not working yet.
I want to be able to access the local DMZ server by means of its public IP...

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 12:20 pm
by vixxant
Can you try without "In.Interface: LAN"?
ip firewall nat add chain=dstnat dst-address=public-ip action=dst-nat to-addresses=local-ip

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 12:39 pm
by Uqbar
That works.
But it's interfering with the filtering dst-nat rule that comes before.
I have a first dst-nat rule to allow the access from internet to the DMZ server only with a few protocols.
While the second one that you suggested (and works) allows all protocols, as it should be.
What happens is that the second rule "overrules" the first one, allowing all protocols to the DMZ server...
I actually need a "limited" dst-nat when coming from the Internet and an "unlimited" dst-nat from LAN.

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 12:57 pm
by vixxant
I did not understand well what you said, but you can forward only the ports you need to the DMZ, like:

ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip

If you want, you can define "to-ports=80,443,3128" so that it will only forward those ports to the DMZ.

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 1:09 pm
by Uqbar
> I did not understand well what you said, but you can forward only the ports you need to the DMZ, like:
>
> ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip
>
> If you want, you can define "to-ports=80,443,3128" so that it will only forward those ports to the DMZ.

You cannot use port list in "to-ports" but only port ranges.

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 1:14 pm
by vixxant
My mistake. Then you can leave it blank.

Re: How to access DMZ from LAN with its public IP?

Posted: Mon Nov 23, 2015 3:25 pm
by Uqbar
We are back to the original point.
1. I have a dst-nat rule with a few TCP ports available from internet
2. I have a dst-nat rule with all TCP ports available from LAN

But it doesn't work.

Re: How to access DMZ from LAN with its public IP?

Posted: Fri Nov 27, 2015 12:26 pm
by Uqbar
I made it (almost) working with these two rules in NAT:
0 chain=dstnat action=dst-nat to-addresses=10.74.1.222 to-ports=80 protocol=tcp dst-address-type=local in-interface=ether2-LAN dst-port=80
1 chain=srcnat action=masquerade protocol=tcp src-address=10.74.1.0/24 dst-address=10.74.1.222 out-interface=ether2-LAN dst-port=80
Where 10.74.1.222 is my DMZ server.
Now, if I point my browser to the second WAN IP address I get to the LAN server 10.74.1.222.
But two main problems remain:

1. I don't fully understand why and how it works (my bad!)
2. It works for all WAN IPs.

I was expecting a simple dst-nat rule to dst-NAT all traffic from LAN to the chosen public IP addresses on WAN to the LAN server itself.

But that's not working.
Any idea?
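A hairpin NAT layout that keeps the Internet-facing rule restricted to a few ports, scopes the LAN rule to one public IP, and adds the masquerade rule that makes the return path work, as an added example rather than any configuration from the thread. The interface names ether1-WAN and ether2-LAN, the LAN subnet 10.74.1.0/24 and the DMZ public IP 203.0.113.10 are assumed placeholders; 10.74.1.222 is the server address given in the thread.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1-WAN,
# LAN interface ether2-LAN, LAN subnet 10.74.1.0/24, DMZ server 10.74.1.222,
# DMZ public IP 203.0.113.10 (a documentation address used as a placeholder).
/ip firewall nat
# 1) Internet -> DMZ: only the published ports, only on the WAN interface.
add chain=dstnat in-interface=ether1-WAN dst-address=203.0.113.10 \
    protocol=tcp dst-port=80,443 action=dst-nat to-addresses=10.74.1.222 \
    comment="DMZ from Internet: restricted ports"
# 2) LAN -> DMZ public IP: all protocols, but only for packets that arrive on
#    the LAN interface from the LAN subnet, and only for this one public IP.
#    Matching the explicit address instead of dst-address-type=local stops the
#    rule from catching every IP the router holds ("works for all WAN IPs").
#    Because in-interface differs, this rule never applies to Internet traffic,
#    so it cannot override rule 1 regardless of rule order.
add chain=dstnat in-interface=ether2-LAN src-address=10.74.1.0/24 \
    dst-address=203.0.113.10 action=dst-nat to-addresses=10.74.1.222 \
    comment="DMZ from LAN: hairpin, all protocols"
# 3) Hairpin return path. After rule 2 the client (10.74.1.x) and the server
#    sit on the same subnet, so the server would answer the client directly
#    from 10.74.1.222. The client expects a reply from 203.0.113.10 and drops
#    it. Masquerading LAN->server traffic makes the server reply to the router,
#    which un-NATs the source back to the public IP.
add chain=srcnat out-interface=ether2-LAN src-address=10.74.1.0/24 \
    dst-address=10.74.1.222 action=masquerade \
    comment="hairpin NAT: force replies back through the router"
```

Existing tracked connections keep the NAT decision they received when they were created, so after changing these rules clear the affected entries under /ip firewall connection (or let them time out) before retesting; that is the effect the reboot suggestion earlier in the thread relies on.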