MikroTik

Posted: **Sat Jul 24, 2021 10:00 pm**

Hii there,

Yea, the title may not really make any sense so let me explain.
I have a traefik proxy that proxies data to back-end applications.
let's say my router's WAN IP is 1.2.3.4 and its LAN IP is 10.0.0.1.
Now when I try to access something through the proxy, everything goes fine except one thing: My proxy thinks *everything* is 10.0.0.1 (even when I tell my machine to connect to 1.2.3.4).
This causes some apps behind the proxy to misbehave because they rely on the IP being the IP from the outside *not* the inside.
When I access it through my phones 4G (5.6.7.8), everything works perfectly fine.

So this is basically what I get:
- Phone connects through 4G: traefik sees as 5.6.7.8
- Desktop connects: traefik sees as 10.0.0.1
- Phone connects through wifi: traefik sees as 10.0.0.1

How can I make it so that if I access my proxy using the *external* IP, traefik sees the external IP, not the routers IP?

Posted: **Sat Jul 24, 2021 10:01 pm**

I would love to help but have no idea what a proxy is, what it looks like, its purpose, how it attaches to a router or switch or a pc etc..........

Posted: **Sat Jul 24, 2021 10:16 pm**

In this case, it's basically a webserver that forwards requests to a back-end.
How it's hooked up, how it functions etc. etc. is irrelevant otherwise.
Basically what the MikroTik router does is:
- See if request comes from LAN, destined for 1.2.3.4 (my WAN IP)
- Sends it to the proxy as 10.0.0.1 (the router's LAN IP)

This causes the proxy to think that the client IP is 10.0.0.1, but this causes things to break because some back-end apps rely on the publically accessible IPs to be the client IP.

That's all I know about it, I only know what I expect it to do, but not how to do it and why it misbehaves like this.
Again, this is what the proxy sees (because the router does something to interfere with the IPs):
- Phone + 4G: 5.6.7.8 (correct)
- Laptop from Starbucks or something: 9.1.2.3 (correct)
- Desktop in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)
- Phone in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)

Posted: **Sat Jul 24, 2021 10:19 pm**

Like I said, I dont understand the need for proxies............. or more fundamentally the requirements that you have for your users or devices.
For example why cannot they go out from their PC directly to the internet??

Posted: **Sat Jul 24, 2021 10:45 pm**

The proxy is there so that I can have multiple back-ends on 1 WAN IP (1.2.3.4) and port (443).
Basically the proxy matches from the HTTP headers like this (and forwards request accordingly):
- "test.finlaydag33k.nl" -> 10.0.1.123
- "www.finlaydag33k.nl" -> 10.0.1.133
- "something.finlaydag33k.nl" -> 10.1.234

So if, for example, a device would come in: "send me 1.2.3.4:443 with hostname www.finlaydag33k.nl", the router would take that and forward it as-is to the proxy, proxy then looks at the HTTP header and forwards it to the LAN IP "10.0.1.233".
Else, I would run out of ports really quickly (also, it's not very nice to have people remember and enter all kinds of ports).

Now if I instead wanted to access "test.finlaydag33k.nl", it would just forward the request to the required back-end.

However, if the client is located in the LAN, things get iffy and this becomes the scenario:

Here, the router starts interfering somehow (which is what I'm trying to fix) and the "client-ip" is my router's LAN IP instead of it's WAN IP.
That should be the WAN IP so that the back-end app can do it's thing properly.
I hope this makes more sense?

Posted: **Sat Jul 24, 2021 11:00 pm**

You're seeing the result of a hairpin-NAT-rule. This is explained here: https://help.mikrotik.com/docs/display/ ... HairpinNAT.
If you just need to change the address to the WAN IP address of the router instead of its LAN IP address, you can do that by changing the "to-addresses" in the src-nat rule. That's the address the source address is changed to. It defaults to the address that a new connection through the egress interface would get, e.g. the LAN address if the connection is routed through the LAN interface.

Posted: **Sat Jul 24, 2021 11:31 pm**

I now have the following two rules according to that wiki article:

[admin@Main Router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade src-address=10.0.0.0/8 dst-address=10.0.0.149 out-interface=bridge1 log=yes log-prefix="[LAN]" 

 1    ;;; Traefik Ingress (HTTPS)
      chain=dstnat action=dst-nat to-addresses=10.0.0.149 to-ports=443 protocol=tcp dst-address=213.93.110.189 dst-port=443 log=no 
      log-prefix=""

But this still results in the IP showing in my app as "10.0.0.1" (if I use my phone from 4G, it still shows the right external IP).
This is what I get in my logs, so it is doing something:

Posted: **Sat Jul 24, 2021 11:44 pm**

Yes, that's the hairpin-NAT rule. The "masquerade" target changes the source address to the address of the egress interface. Use the "src-nat" target instead and set the "to-addresses" in that rule to the WAN-address.

Posted: **Sat Jul 24, 2021 11:52 pm**

\o/ Victory!

For those that come by this later (read: "dear future self"):

[admin@Main Router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Traefik Ingress (HTTPS)
      chain=dstnat action=dst-nat to-addresses=10.0.0.149 to-ports=443 protocol=tcp dst-address=<WAN IP> dst-port=443 log=no log-prefix=""
 15    ;;; Hairpin (IMPORTANT)
      chain=srcnat action=src-nat to-addresses=<WAN IP> src-address=10.0.0.0/8 dst-address=10.0.0.149 log=no log-prefix=""

Thanks for all the help guys :)

MikroTik

Allow WAN IP to LAN Client within LAN

Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN

Re: Allow WAN IP to LAN Client within LAN