Redirect to external Public IP
How redirect incoming WAN TCP port 9999 connection to public ip 1.2.3.4 with port 9999 that accessible from WAN.
Re: Redirect to external Public IP
Please draw a diagram of what you speak as what you wrote makes little sense to me.
Also try not to speak of any solution config ideas for the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
Also try not to speak of any solution config ideas for the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
Re: Redirect to external Public IP
Trafic not big maybe some megs
Main goal that 128.128.128.128 got SSL signed and payed certificate but webhook service hosted at other machine with other gloabl ip i want to reroute trafic that comes with to 128.128.128.128 to port 9999 with domain name abcabc.com to other gloabal ip 8.8.8.8 that gonna router local server machine. Main proble that domain abcabc.com has other services that has be inplace that works now with reciving traffic from other ports as it is.
Main goal that 128.128.128.128 got SSL signed and payed certificate but webhook service hosted at other machine with other gloabl ip i want to reroute trafic that comes with to 128.128.128.128 to port 9999 with domain name abcabc.com to other gloabal ip 8.8.8.8 that gonna router local server machine. Main proble that domain abcabc.com has other services that has be inplace that works now with reciving traffic from other ports as it is.
You do not have the required permissions to view the files attached to this post.
Re: Redirect to external Public IP
The "red" traffic will likely only pass bi-directionally if you'll implement hairpin NAT for that "public to public" NAT. Without it, webserver 2 will try to reply to client (accessing abcabc.com:9999) directly, but client will reject this as it will try to talk to your router's WAN IP address.
Hairpin NAT means, that server doesn't see the real client's IP address, it sees the NAT device's IP address. In certain cases this is a deal breaker, in some cases it's a nuisance (lack of observability on server) and in most cases it's not a problem at all.
Hairpin NAT means, that server doesn't see the real client's IP address, it sees the NAT device's IP address. In certain cases this is a deal breaker, in some cases it's a nuisance (lack of observability on server) and in most cases it's not a problem at all.
Re: Redirect to external Public IP
can you give me solution to try i've tryed to add src-nat tcp port 9999 mascarade it doesnt help other remote router doesnt see any init connection to it
Re: Redirect to external Public IP
Glad you understand MKX can you explain what is going on.
It would appear that
a. the Router has a public IP and is the DHCP server etc..
b. Op has a dyndns URL that he uses for identifying the router ( not using Ip cloud )
c. He wants to reach a server on the LAN
d. The server requires port 8.8.8.8 but since there is some conflict somewhere it has to come into the router on port 9.9.9.9 ( simple port translation on dstnat rule ?)
Close???
It would appear that
a. the Router has a public IP and is the DHCP server etc..
b. Op has a dyndns URL that he uses for identifying the router ( not using Ip cloud )
c. He wants to reach a server on the LAN
d. The server requires port 8.8.8.8 but since there is some conflict somewhere it has to come into the router on port 9.9.9.9 ( simple port translation on dstnat rule ?)
Close???
Re: Redirect to external Public IP
@anav: you're pretty close to how I understand it. Just that @OP wants to forward connection (initially targeting his router port 9999) to some host on intetnet (same port 9999).
@RipperR: I'd try with this pair of NAT rules:
If your NAT rule list contains a default-like src-nat rule, then the second rule above is probably not even necessary.
It may be that the rules above are not entirely correct for your particular use case but this depends on the rest of your firewall config (e.g. there may be a rule which blocks what dst-nat rule above tries to do).
A side note: if the L5 protocol over TCP port 9999 includes telling server the FQDN (like in HTTP where client informs server about hostname part of URL), then server at 8.8.8.8:9999 has to know it's been referred to as abcabc.com
@RipperR: I'd try with this pair of NAT rules:
Code: Select all
/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8
If your NAT rule list contains a default-like src-nat rule, then the second rule above is probably not even necessary.
It may be that the rules above are not entirely correct for your particular use case but this depends on the rest of your firewall config (e.g. there may be a rule which blocks what dst-nat rule above tries to do).
A side note: if the L5 protocol over TCP port 9999 includes telling server the FQDN (like in HTTP where client informs server about hostname part of URL), then server at 8.8.8.8:9999 has to know it's been referred to as abcabc.com
Re: Redirect to external Public IP
Doesnt work
src has no trafic at all
Idea i got signed SSL cert for ip 128.128.128.128 for domain name abcabc.com i want redirect trafic for that domain https://abcabc.com:9999 to other "webServer" (its not actual web server itc TCP SSL SERVER that trying to look like HTTPS for Viber Web Hook) so i want when https://abcabc.com:9999 it looks like 128.128.128.128 replay but internaly all traffic goes to 8.8.8.8:9999 and 8.8.8.8 will use certificate belows to 128.128.128.128 to communication.
For example when client call 128.128.128.128:443 with domain name its actualy redirects to internal ip where webserver is located for exmaple dstnat to 192.168.0.128 ... so i want to do same but goes not to 192.168.0.128 but to 8.8.8.8
src has no trafic at all
Code: Select all
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
For example when client call 128.128.128.128:443 with domain name its actualy redirects to internal ip where webserver is located for exmaple dstnat to 192.168.0.128 ... so i want to do same but goes not to 192.168.0.128 but to 8.8.8.8
Last edited by RipperR on Fri Mar 15, 2024 3:49 pm, edited 4 times in total.
Re: Redirect to external Public IP
Still makes no sense....... Oh well, I will move on.
Re: Redirect to external Public IP
dstnat: in:ether1 out:(unknown 0), src-mac 06:5d:6d:d9:69:3d, proto TCP (SYN), 109.251.110.110:57905->128.128.128.128:9092, len 60 thats what i got in logs no trafice reaches srcnat rule (
So question is SRCNAT MASCARADE rule doesnt triggers ....
So question is SRCNAT MASCARADE rule doesnt triggers ....
Re: Redirect to external Public IP
I've made testing. I do same from second side and it successfully redirect to side one at that way but as I want from side one to side two doesnt work i can't figure why. Side one 6.48.6 side two 7.9.2.
At side on rule dstnat works src nat no trafic hit.
At side on rule dstnat works src nat no trafic hit.
Re: Redirect to external Public IP
No idea whether it could work, but what mkx posted:
is different from what you reported trying:/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
Re: Redirect to external Public IP
Code: Select all
19 ;;; ViberWebHook
chain=dstnat action=netmap to-addresses=8.8.8.8 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
20 chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix="" gloabl nat rule is
1 ;;; NAT
chain=srcnat action=src-nat to-addresses=public_ip src-address=192.168.1.0/24 out-interface=ether1 log=no log-prefix=""
Re: Redirect to external Public IP
What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
Re: Redirect to external Public IP
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thankyou MT.
Another waste of a chasing thread because there is no first post process....... thankyou MT.
Re: Redirect to external Public IP
I've add rules beforeWhat Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
forward chain hited no trafic on input.68 ;;; ViberWebHook
chain=input action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
69 ;;; ViberWebHook
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
Last edited by RipperR on Sat Mar 16, 2024 6:40 pm, edited 1 time in total.
Re: Redirect to external Public IP
its production config it has many rules on it i can't post it here so you can give advice what i can i check and what can be affected on that issue ...The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thankyou MT.
Last edited by RipperR on Sat Mar 16, 2024 7:16 pm, edited 3 times in total.
Re: Redirect to external Public IP
/export file=anynameyouwish ( minus PUBLIC IP information, KEYS, long dhcp lease lists, etc..)
There should be relatively little else to scrub ( possibly some names you give to things, comments etc..... )
Use code block to limit visible length and improved readability ( on same line as Bold and Underline, just to the left of the quotation marks!
There should be relatively little else to scrub ( possibly some names you give to things, comments etc..... )
Use code block to limit visible length and improved readability ( on same line as Bold and Underline, just to the left of the quotation marks!
Re: Redirect to external Public IP
I found the way to pocket goes to second router but no replay from server and no pocket reach server but direct acess to 8.8.8.8:9999 works
pocket log looks simular
pocket log looks simular
- works direct connectiondstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), somepublicip:50916->8.8.8.8:9999, len 60
doesnt work thrue remote server via mascaradedstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), 128.128.128.128:50926->8.8.8.8:9999, len 60
srcnat: in:(unknown 0) out:ether1, src-mac 06:yy:yy:yy:yy:3f, proto TCP (SYN), omepublicip:51394->8.8.8.8:9999, NAT omepublicip:51394->(128.128.128.128:9999->8.8.8.8:9999), len 60
Re: Redirect to external Public IP [SOLVED]
Complete solution in my case:
128.128.128.128 router (cert and domain bind for)
128.128.128.128 router (cert and domain bind for)
8.8.8.8 side with redirected web serverip firewall filter
chain=forward action=accept protocol=tcp src-address=8.8.8.8 in-interface=ether1 src-port=9999 log=no log-prefix=""
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
ip firewall nat
chain=dstnat action=netmap to-addresses=8.8.8.8 to-ports=9999 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix=""
And everething works with signed ssl certificate for ip 128.128.128.128 and domain abcabc.com for that ip but internaly i redirected to other web server with public ip 8.8.8.8 with internal redirection to local ipip firewall filter
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
ip firewall nat
chain=dstnat action=netmap to-addresses=10.10.0.254 to-ports=9999 protocol=tcp in-interface=ether1-gateway
dst-port=9999 log=no log-prefix=""