Redirect to external Public IP
Posted: Wed Mar 13, 2024 3:31 am
by RipperR
How do I redirect an incoming WAN TCP port 9999 connection to public IP 1.2.3.4 on port 9999, which is accessible from the WAN?
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 3:41 am
by anav
Please draw a diagram of what you speak as what you wrote makes little sense to me.
Also, try not to speak of any solution or config ideas for the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 1:16 pm
by RipperR
(attachment: trafic flow.png)
Traffic is not big, maybe some megs.
Main goal: 128.128.128.128 has a signed and paid SSL certificate, but the webhook service is hosted on another machine with another global IP. I want to reroute traffic that comes to 128.128.128.128 on port 9999 with the domain name abcabc.com to the other global IP 8.8.8.8, which will route it to a local server machine. The main problem is that the domain abcabc.com has other services that have to stay in place, which currently work receiving traffic on other ports as they are.
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 3:33 pm
by mkx
The "red" traffic will likely only pass bi-directionally if you implement hairpin NAT for that "public to public" NAT. Without it, webserver 2 will try to reply to the client (accessing abcabc.com:9999) directly, but the client will reject this, as it is trying to talk to your router's WAN IP address.
Hairpin NAT means that the server doesn't see the real client's IP address; it sees the NAT device's IP address. In certain cases this is a deal breaker, in some cases it's a nuisance (lack of observability on the server), and in most cases it's not a problem at all.
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 4:28 pm
by RipperR
Can you give me a solution to try? I've tried to add a src-nat TCP port 9999 masquerade rule; it doesn't help, the other remote router doesn't see any initial connection to it.
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 4:39 pm
by anav
Glad you understand, MKX. Can you explain what is going on?
It would appear that
a. the router has a public IP and is the DHCP server, etc.
b. OP has a DynDNS URL that he uses for identifying the router (not using IP Cloud)
c. He wants to reach a server on the LAN
d. The server requires port 8.8.8.8, but since there is some conflict somewhere it has to come into the router on port 9.9.9.9 (simple port translation on a dstnat rule?)
Close???
Re: Redirect to external Public IP
Posted: Wed Mar 13, 2024 7:42 pm
by mkx
@anav: you're pretty close to how I understand it. Just that @OP wants to forward connections (initially targeting his router port 9999) to some host on the internet (same port 9999).
@RipperR: I'd try this pair of NAT rules:
/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8
If your NAT rule list contains a default-like src-nat rule, then the second rule above is probably not even necessary.
It may be that the rules above are not entirely correct for your particular use case but this depends on the rest of your firewall config (e.g. there may be a rule which blocks what dst-nat rule above tries to do).
A side note: if the L5 protocol over TCP port 9999 includes telling the server the FQDN (as in HTTP, where the client informs the server about the hostname part of the URL), then the server at 8.8.8.8:9999 has to know it's being referred to as abcabc.com.
Re: Redirect to external Public IP
Posted: Fri Mar 15, 2024 3:30 pm
by RipperR
Doesn't work.
srcnat has no traffic at all:
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
The idea: I got a signed SSL certificate for IP 128.128.128.128 for domain name abcabc.com. I want to redirect traffic for that domain,
https://abcabc.com:9999, to the other "webServer" (it's not an actual web server, it's a TCP SSL server that tries to look like HTTPS for the Viber webhook), so I want that when
https://abcabc.com:9999 is called, it looks like 128.128.128.128 replies, but internally all traffic goes to 8.8.8.8:9999 and 8.8.8.8 will use the certificate that belongs to 128.128.128.128 for the communication.
For example, when a client calls 128.128.128.128:443 with the domain name, it is actually redirected to the internal IP where the web server is located, for example dst-nat to 192.168.0.128... so I want to do the same, but going not to 192.168.0.128 but to 8.8.8.8.
Re: Redirect to external Public IP
Posted: Fri Mar 15, 2024 3:39 pm
by anav
Still makes no sense....... Oh well, I will move on.
Re: Redirect to external Public IP
Posted: Fri Mar 15, 2024 4:02 pm
by RipperR
dstnat: in:ether1 out:(unknown 0), src-mac 06:5d:6d:d9:69:3d, proto TCP (SYN), 109.251.110.110:57905->128.128.128.128:9092, len 60
That's what I get in the logs; no traffic reaches the srcnat rule.
So the question is: why does the srcnat masquerade rule not trigger?
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 2:33 pm
by RipperR
I've done some testing. I did the same from the second side and it successfully redirects to side one that way, but the way I want it, from side one to side two, doesn't work, and I can't figure out why. Side one is 6.48.6, side two is 7.9.2.
On side one the dstnat rule works; src-nat gets no traffic hit.
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 3:08 pm
by jaclaz
No idea whether it could work, but what mkx posted:
/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8
is different from what you reported trying:
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 3:37 pm
by RipperR
19 ;;; ViberWebHook
chain=dstnat action=netmap to-addresses=8.8.8.8 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
20 chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix=""
It doesn't hit srcnat... dstnat gets traffic through, but srcnat gets no traffic... how do I track why?
The global NAT rule is:
1 ;;; NAT
chain=srcnat action=src-nat to-addresses=public_ip src-address=192.168.1.0/24 out-interface=ether1 log=no log-prefix=""
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 6:25 pm
by DeadStik
What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 6:29 pm
by anav
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thankyou MT.
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 6:37 pm
by RipperR
What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
I've already added these rules:
68 ;;; ViberWebHook
chain=input action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
69 ;;; ViberWebHook
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
The forward chain is hit; no traffic on input.
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 6:38 pm
by RipperR
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thankyou MT.
It's a production config, it has many rules in it, I can't post it here. So can you give advice on what I can check and what could be affecting this issue...
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 7:11 pm
by anav
/export file=anynameyouwish (minus PUBLIC IP information, KEYS, long DHCP lease lists, etc.)
There should be relatively little else to scrub (possibly some names you give to things, comments, etc.)
Use a code block to limit visible length and improve readability (on the same line as Bold and Underline, just to the left of the quotation marks!)
Re: Redirect to external Public IP
Posted: Sat Mar 16, 2024 7:17 pm
by RipperR
I found that the packet goes to the second router, but there is no reply from the server and no packet reaches the server, while direct access to 8.8.8.8:9999 works.
The packet log looks similar:
dstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), somepublicip:50916->8.8.8.8:9999, len 60
- works, direct connection
dstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), 128.128.128.128:50926->8.8.8.8:9999, len 60
- doesn't work, through the remote server via masquerade
srcnat: in:(unknown 0) out:ether1, src-mac 06:yy:yy:yy:yy:3f, proto TCP (SYN), omepublicip:51394->8.8.8.8:9999, NAT omepublicip:51394->(128.128.128.128:9999->8.8.8.8:9999), len 60
Re: Redirect to external Public IP [SOLVED]
Posted: Sun Mar 17, 2024 2:35 pm
by RipperR
Complete solution in my case:
128.128.128.128 router (the cert and domain are bound to it):
ip firewall filter
chain=forward action=accept protocol=tcp src-address=8.8.8.8 in-interface=ether1 src-port=9999 log=no log-prefix=""
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
ip firewall nat
chain=dstnat action=netmap to-addresses=8.8.8.8 to-ports=9999 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix=""
8.8.8.8 side, with the redirected web server:
ip firewall filter
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
ip firewall nat
chain=dstnat action=netmap to-addresses=10.10.0.254 to-ports=9999 protocol=tcp in-interface=ether1-gateway dst-port=9999 log=no log-prefix=""
And everything works with the signed SSL certificate for IP 128.128.128.128 and domain abcabc.com for that IP, but internally I redirect to another web server with public IP 8.8.8.8, with a further internal redirection to a local IP.
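The following is an added example, not configuration posted in the thread. It restates the two-router "public to public" forward from mkx's rule pair and RipperR's solved config in one place, but tightens it in the ways a practitioner would want: the forward-chain accept rules only match the dst-natted flow (connection-nat-state=dstnat) instead of any forwarded TCP/9999 packet, the backend router only accepts port 9999 from router A's address, and the hairpin src-nat rule is written explicitly so that it is clear why the existing LAN-only src-nat rule (src-address=192.168.1.0/24) never matched this flow. Interface names, addresses (128.128.128.128, 8.8.8.8, 10.10.0.254) and the comment text follow the thread; everything else (rule ordering, the established/related rules, the verification commands) is assumed and should be checked against the rest of a production ruleset before use.

```routeros
# ---- Router A (WAN ether1 = 128.128.128.128, holds the cert for abcabc.com) ----
/ip firewall nat
# Incoming WAN TCP/9999 -> router B's public address, same port.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=9999 \
    to-addresses=8.8.8.8 to-ports=9999 comment="ViberWebHook: forward to router B"
# Hairpin / double NAT: the client's source address is rewritten to router A's own
# WAN address, so router B replies back through A instead of directly to the client.
# The default LAN src-nat rule (src-address=192.168.1.0/24) does not match this flow,
# because the source here is the Internet client, hence a dedicated rule is required.
# Consequence (mkx's caveat): router B and the backend only ever see 128.128.128.128.
add chain=srcnat action=src-nat out-interface=ether1 protocol=tcp dst-address=8.8.8.8 \
    dst-port=9999 connection-nat-state=dstnat to-addresses=128.128.128.128 \
    comment="ViberWebHook: hairpin return path"

/ip firewall filter
# Return traffic (router B -> client) is covered by the usual established/related rule,
# so no separate "src-address=8.8.8.8 src-port=9999" accept rule is needed.
add chain=forward action=accept connection-state=established,related,untracked
# Accept only the NEW connections that the dst-nat rule above actually rewrote;
# a plain "dst-port=9999" accept would let any forwarded TCP/9999 packet through.
add chain=forward action=accept in-interface=ether1 protocol=tcp dst-address=8.8.8.8 \
    dst-port=9999 connection-state=new connection-nat-state=dstnat \
    comment="ViberWebHook: only the dst-natted flow"

# ---- Router B (WAN ether1-gateway = 8.8.8.8, backend 10.10.0.254 on the LAN) ----
/ip firewall nat
# Because of the hairpin on router A, every legitimate webhook packet arrives with
# src-address 128.128.128.128; restricting the dst-nat to it keeps the backend
# unreachable on 9999 from anywhere else.
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=9999 \
    src-address=128.128.128.128 to-addresses=10.10.0.254 to-ports=9999 \
    comment="ViberWebHook: accept only from router A"

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=accept in-interface=ether1-gateway protocol=tcp \
    dst-address=10.10.0.254 dst-port=9999 connection-state=new \
    connection-nat-state=dstnat comment="ViberWebHook: backend"

# ---- Verification on router A after one test connection to abcabc.com:9999 ----
# Both ViberWebHook NAT rules must show non-zero packet counters; if only the
# dstnat rule counts, the hairpin src-nat rule is not matching (the thread's symptom).
/ip firewall nat print stats where comment~"ViberWebHook"
# The tracked connection should show the rewritten reply address (128.128.128.128).
/ip firewall connection print where dst-address="8.8.8.8:9999"
```

Two design notes. First, the thread used action=masquerade for the hairpin rule, which is equivalent here and is the right choice if router A's WAN address is dynamic; src-nat with a fixed to-addresses is simply more explicit when the address is static. Second, because the backend only ever sees 128.128.128.128, any per-client logging, rate limiting or blocking has to be done on router A, where the real client address is still visible (that is the observability cost mkx described), and the backend must still present the certificate for abcabc.com, since TLS clients validate the name they connected to, not the address the packets were forwarded to.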