jaxx (Topic Author)

NAT/MASQ - Can't access LAN through Public IP from LAN

Sat Jun 27, 2009 5:28 pm

Hi,

This will probably seem dumb :? but I can't figure out how to get a little problem fixed:

My setup (much more complicated in fact, but that'll be a whole new and bigger topic):
RB450 acting as router (ISP-side interface eth1, IP by DHCP, though always static, but DNS could change).
The LAN side is eth2 (+eth3 as slave port). Eth4 (+eth5 as slave) will serve to collect 3 VLANs coming from one or more RB433s with multiple virtual APs, one pushed through hotspot.


here's a part of what's in the masquerading NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1 src-address=192.168.83.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.83.1 to-ports=80
[... etc ...]

The LAN can access the web,
and the web can access ports 80/22/21/etc. on the server in the LAN.

But stations from "inside", on the LAN, can't access port 80/etc. via the public interface (typically accessing http://hostname-resolving-to-the-public-ip/ in a browser): the connection is cut ("Connection reset").


What entry am I forgetting?

Thanks a lot :)

JB./.
mrz (MikroTik Support)

Re: NAT/MASQ - Can't access LAN through Public IP from LAN

Mon Jun 29, 2009 1:31 pm

Because you have specified in-interface=ether1 in the dst-nat rule. But ether1 is the public interface, so packets are not matched by that rule if the incoming interface is anything other than ether1.
jaxx (Topic Author)

Re: NAT/MASQ - Can't access LAN through Public IP from LAN

Mon Jun 29, 2009 3:17 pm

mrz wrote:
    Because you have specified in-interface=ether1 in the dst-nat rule. But ether1 is the public interface, so packets are not matched by that rule if the incoming interface is anything other than ether1.

Hi, thanks,

Well, in a way, it is more or less arriving on ether1, since I'm querying the public IP... :-)
I managed to get it working after all... hopefully it's mainly 80 that needs it, for convenience; all the rest can be done from the LAN anyway.
I "unmatched" ether1, but it looks like I barely have any choice to have one-liners without giving it the public IP (which hopefully never changes).

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.83.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=WW.XX.YY.ZZ dst-port=80 protocol=tcp to-addresses=192.168.83.1 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=WW.XX.YY.ZZ dst-port=22 protocol=tcp to-addresses=192.168.83.1 to-ports=22
[... etc ...]

:-)
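For reference, below is a complete hairpin-NAT rule set for the setup described in this thread. It is an added example, not taken from either post. It assumes ether1 is the WAN interface, 192.168.83.0/24 is the LAN, 192.168.83.1 is the server being published, and the router's own LAN address is some other host in that subnet. Two things have to hold for a LAN station to reach the server via the public IP: the dst-nat rule must match regardless of incoming interface (mrz's point), and the server's reply must travel back through the router, otherwise the server answers the client directly from 192.168.83.1, the client expects an answer from the public IP, and it resets the connection. The second srcnat rule takes care of that; jaxx's final config achieves the same effect implicitly by dropping out-interface=ether1 from the masquerade rule, which masquerades all LAN-sourced traffic on every interface, including the VLANs and hotspot on ether4. The dst-nat rules use dst-address-type=local instead of the literal public address so that a DHCP-assigned public IP does not have to be hard-coded.

```routeros
/ip firewall nat
# 1. Normal outbound masquerade, LAN to Internet (same as in the thread).
add chain=srcnat out-interface=ether1 src-address=192.168.83.0/24 action=masquerade comment="LAN -> WAN"

# 2. Hairpin masquerade. A LAN client connecting to the public IP is dst-nat'ed
#    by rule 3 to the server, and the packet leaves on the LAN interface again.
#    Masquerading it makes the server reply to the router, which undoes the
#    translation before the client sees it. Only traffic routed through the
#    router can match this rule, i.e. hairpinned traffic; ordinary same-subnet
#    traffic never reaches the router in the first place.
add chain=srcnat src-address=192.168.83.0/24 dst-address=192.168.83.0/24 action=masquerade comment="hairpin NAT"

# 3. Port forwards. No in-interface, so they match from WAN and LAN alike.
#    dst-address-type=local matches any address configured on the router, so a
#    DHCP-assigned public IP works without hard-coding it. The LAN subnet is
#    excluded so that the router's own LAN address (assumed, see lead-in) keeps
#    serving its own services (WebFig, SSH) instead of being redirected.
add chain=dstnat dst-address-type=local dst-address=!192.168.83.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.83.1 to-ports=80 comment="web -> server"
add chain=dstnat dst-address-type=local dst-address=!192.168.83.0/24 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.83.1 to-ports=22 comment="ssh -> server"
```

To verify, open http://public-ip/ from a LAN station and watch the counters with `/ip firewall nat print stats`: rule 3 and rule 2 should both increment, rule 1 should not. `/ip firewall connection print` shows the translated entry with the public IP as original destination and 192.168.83.1 as reply source. One consequence to keep in mind: hairpinned connections arrive at the server with the router's LAN address as source, so the server's logs and any IP-based access control on it cannot distinguish LAN clients that came in this way; rule 2 limits that loss of source information to hairpinned traffic only, whereas a masquerade rule with no out-interface (jaxx's final config) applies it to all traffic the router forwards from the LAN, including the hotspot and VLAN side.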
