NAT routing to internal webserver

rburke · Fri Oct 14, 2005 6:02 pm

Greetings all,
I am trying to route the pubic IP address of my Mikrotik router v2.9.5 to a webserver on the internal network. However unsuccessful as of yet. The Public IP given to me from my provider funily enough ends /24 and my internal network say 10.11.19.0/24.
I have tried to configure using the example in the 2.9 manual using my own IP addresses where applicable. without using the NAT rule when i load the webpage with the public IP i get the mikrotik webpage, however when i apply the NAT rule, no page will loads at all.

Also I should mention that i have my network mascaraded behind the public IP.

Am I doing something wrong.

thanks in advance,

regards,
rburke

Sun Oct 16, 2005 9:26 pm

you have to configure full nat for web-server, use src-nat instead of masquerade, here is configuration example:
http://www.mikrotik.com/docs/ros/2.8/ho ... ent#12.2.6
change syntax for 2.9

proxy · Sun Oct 16, 2005 11:38 pm

i have that problem too, i can't srcnat :S
what can the problem be?

changeip · Mon Oct 17, 2005 12:40 am

I have made this work when you have a separate LAN (DMZ) for your internet facing servers, but never really got it working right ... cisco calls this 'nat on a stick' - maybe something similiar needs to be configured on mt as well.. anyhow, putting those servers on a different subnet or interface should help.

Sam

jaytcsd · Mon Oct 17, 2005 10:59 am

I've been able to nat with both 2.8 and 2.9 running hotspots to a webcam on my private network.

2.9 rules

0 ;;; masquerade hotspot network
chain=srcnat src-address=10.20.7.0/24 action=masquerade

1 ;;; masquerade private network
chain=srcnat src-address=192.168.0.0/24 action=masquerade

2 chain=dstnat dst-address=xxx.yyy.194.57 action=dst-nat to-addresses=192.168.0.20 to-ports=80

3 chain=src-nat src-address=192.168.0.20 action=src-nat to-addresses=xxx.yyy.194.57 to-ports=80

ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P 80:80:66:7B:1F:A0 192.168.0.20 xxx.yyy.194.57 hs-hotspot

xxx.yyy.194.57 is my public IP.

If you're not running a hotspot I don't think you will need the ip-binding command

rburke · Mon Oct 17, 2005 9:48 pm

thanks jaytcsd that seemed to work this time round

proxy · Mon Oct 17, 2005 10:04 pm

i can't get this work ..
i want that all addresses to be natted to xx.xxx.xx.x and all ports but it doesn't work.. on 2.8 it worked.. but i don't know why on 2.9 it doesen't :S

jaytcsd · Tue Oct 18, 2005 3:52 am

[quote]i want that all addresses to be natted to xx.xxx.xx.x [/quote]

Are you trying to map a bunch of private IPs to one public IP for outbound traffic, or are you trying to map public IPs to private IPs so traffic can get inside your private network?

proxy · Tue Oct 18, 2005 12:31 pm

Hi , i will try to make it clearly ,
when i was using 2.8 i hat a src nat rule and in that rule i added this config

ip firewall src-nat> add action=nat to-src-address=x1.x23.x14.xx to-s
rc-port=0-65535 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

the problem is that in 2.9 it doesn't work..

jaytcsd · Tue Oct 18, 2005 7:37 pm

I'm not using src-nat / nat rules in my router, only masquerade rules, afraid I can't help much.

andrewluck · Tue Oct 18, 2005 8:14 pm

My rules to NAT an internal network and also an IP phone connected to a separate interface:

0 ;;; Internal LAN NAT
chain=srcnat out-interface=Internet src-address=192.168.1.0/24
action=src-nat to-addresses=82.xxx.xxx.205 to-ports=0-65535

1 ;;; Nat for IP phone
chain=srcnat out-interface=Internet src-address=192.168.2.10
action=src-nat to-addresses=82.xxx.xxx.201 to-ports=0-65535

2 ;;; IP Phone
chain=dstnat in-interface=Internet dst-address=82.xxx.xxx.201
action=dst-nat to-addresses=192.168.2.10 to-ports=0-65535

The syntax changed a little with 2.9.

Regards

Andrew

mengong · Mon Nov 07, 2005 2:26 pm

Hi , i will try to make it clearly ,
when i was using 2.8 i hat a src nat rule and in that rule i added this config
Code: Select all
ip firewall src-nat> add action=nat to-src-address=x1.x23.x14.xx to-s
rc-port=0-65535 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all
the problem is that in 2.9 it doesn't work..

at 2.9 u need to define the chain to srcnat and action to src-nat its work to me

proxy · Fri Nov 11, 2005 12:32 pm

i defined that , but still doesn't work , can u plz post a copy of your config..

jaytcsd · Sat Nov 12, 2005 9:15 am

when I goto whatismyip.com with any PC other than 192.168.0.47 I get xx.59.194.58 as my address, my WAN IP in the router. When I use the PC at 192.168.0.47 I get xx.59.194.57 as the response.

ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; WAN IP
xxx.59.194.58/24 xxx.59.194.0 xxx.59.194.255 public
1 ;;; ip for internal PC
xxx.59.194.57/24 xxx.59.194.0 xxx.59.194.255 public

ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.0.47 action=src-nat to-addresses=xxx.59.194.57 to-ports=0-65535

1 ;;; masquerade hotspot network
chain=srcnat src-address=10.20.7.0/24 action=masquerade

2 ;;; masquerade private network
chain=srcnat src-address=192.168.0.0/24 action=masquerade

ip route> pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.20.7.0/24 10.20.7.1 hotspot
1 ADC xx.59.194.0/24 xx.59.194.58 public
2 ADC 192.168.0.0/24 192.168.0.10 private
3 A S 0.0.0.0/0 r xxx.59.194.1 public

believewireless · Sat Nov 19, 2005 6:00 pm

I'm having similar problems and can't seem to figure out why. Here is what I have:

1 chain=srcnat out-interface=ether3 src-address=192.168.1.0/24
action=masquerade

10 chain=dstnat dst-address=65.XX.XX.203 protocol=tcp dst-port=8021
action=dst-nat to-addresses=192.168.1.21 to-ports=80

11 chain=srcnat src-address=192.168.1.21 protocol=tcp action=src-nat
to-addresses=65.XX.XX.203 to-ports=0-65535

When I go to http://65.XX.XX.203:8021/ I see the Bytes and Packets increase for the dst-nat rule but nothing for either src-nat rule. Connections shows a "syn sent" for the 65.XX.XX.203 address but nothing shows at all for 192.168.1.21.

I can ping the IP and even connect to port 80 from the router using telnet. But trying to reach the web server from an external address isn't working.

Any ideas on what I'm doing wrong?

Tonda · Sat Nov 19, 2005 7:05 pm

What about your firewall rules? In order to perform correct mapping it is not only necessary to use src-nat correctly, but also have appropriate firewall filter rules.

wildbill442 · Sat Nov 19, 2005 7:08 pm

What about foward chain firewall rules? In order to perform correct mapping it is not only necessary to use src-nat correctly, but also have appropriate rules in your forward chain..

There's no need to modify the forward chain, unless there's a rule blocking the port(s) you're trying to NAT.

Tonda · Sat Nov 19, 2005 7:23 pm

When I assume your forward rules allow only outgoing connections from internal network and established and related connections from internet to internal network, it is necessary to add appropriate rules.

believewireless · Sat Nov 19, 2005 7:32 pm

No filter rules have been defined. Didn't read about having to modify and filter rules in the manual for destination NAT. Masquerading works fine. Is there something else I have to add?

Tonda · Sat Nov 19, 2005 7:41 pm

Of course it depends on actual router configuration and this is why I asked for these rules..

believewireless · Sat Nov 19, 2005 10:03 pm

What else in the config is there to see? Just the IP addresses set on the two ethernet ports and default route. Other dst-nat rules have been set to other ports but they don't work either.

Tonda · Sat Nov 19, 2005 10:32 pm

2 believewireless:
I think rule number 11 in your config seen above is useless, because this srcnat is already handled by rule 1. What about other nat rules 2-9?

believewireless · Sat Nov 19, 2005 11:08 pm

The other rules just forward to other ports on other computers. (They don't work either.) I agree rule 11 is useless but tried it when nothing else worked. By the way, I'm using 2.9.8 on this router.

wifi · Sun Nov 20, 2005 12:21 pm

We had this problem for a while but finally got around it. You have to use a seperate dns server product. Most of the dns apps out there will only allow you to point you dns records at either a public ip or a private ip. (We ran it like this on 2 dns servers till about a week ago.). Simple DNS 4 allows you to do both. We now only use 1 dns server for both the outside network and the users on the internal wireless network. It has a section for NAT routers where you can specify that if someone on the internal network is looking for your self hosted website it will point them instead of to the public ip but to you internal web server.
Works perfect, reliable and fast. In the profiles section of the mikrotik (PPPOE) you will enter the IP address of the system running simple dns 4
Let me know if you need help with configuring it.

Tonda · Sun Nov 20, 2005 3:08 pm

Are your internal web servers correctly configured? I exactly mean default gateway..
Have you tried to log packets to your internal web server and especially packets from your internal web server to internet in Mikrotik? There must be some stupid error or misconfiguration...

believewireless · Sun Nov 20, 2005 3:37 pm

Has nothing to do with DNS since we are just going to the site with the IP address. It's possible it's something stupid but I just followed the example right out of the manual. The connection table shows "syn sent" but nothing on the internal IP address shows up.

So, Mikrotik sees the packet come in on the correct port and IP address but isn't forwarding it on to the private IP.

Tonda · Sun Nov 20, 2005 4:37 pm

How did you find it? Try to add two filter rules in forward chain: one logs everything with destination address of your internal web server and second that logs everything with source address of your internal server. Then you will be able to see packet exchange between Mikrotik and web server..

jaytcsd · Mon Nov 21, 2005 10:31 am

I lost track of where you were with your NAT problem, did you try moving rule 11 to the top of the list? What about just using port 8021 in your srcnat rule? Take out "out-interface=ether3", if you look at the rules I posted there is no interface specified.

believewireless · Tue Nov 22, 2005 2:34 pm

Removing the out-interface and moving the rule to the top didn't work. Here's what I have:

0 chain=dstnat dst-address=65.XX.XX.203 protocol=tcp dst-port=8021
action=dst-nat to-addresses=192.168.1.21 to-ports=80

1 chain=srcnat src-address=192.168.1.0/24 action=masquerade

I disabled all other rules.

Here's my route table:

0 ADC 65.XX.XX.128/25 65.XX.XX.203 ether3
1 ADC 172.16.1.0/24 172.16.1.2 ether1
2 ADC 192.168.1.0/24 192.168.1.254 ether1
3 A S 0.0.0.0/0 r 65.XX.XX.129 ether3
4 D 0.0.0.0/0 r 172.16.1.1 0 ether1

Here's my address table:

0 I 10.1.0.5/24 10.1.0.0 10.1.0.255 (unknown)
1 65.XX.XX.203/25 65.XX.XX.128 65.XX.XX.255 ether3
2 172.16.1.2/24 172.16.1.0 172.16.1.255 ether1
3 192.168.1.254/24 192.168.1.0 192.168.1.1 ether1
4 D 172.16.1.132/24 172.16.1.0 172.16.1.255 ether1

That's all that's configured in the router.

Tonda · Tue Nov 22, 2005 4:25 pm

Why do you have in your address table item 3 broadcast address set to 192.168.1.1? I think there should be 192.168.1.255...
Can you (only for testing purposes) disable all other addresses of interface ether1?

believewireless · Tue Nov 22, 2005 4:37 pm

Doh! How did I screw that up!

Thanks, that fixed the problem.