[SOLVED] Internet access webserver behind routeros
Posted: Wed Mar 20, 2013 11:28 pm
I know this topic has come up a lot in this forum; I've read about 10-15 different threads about it, and also the wiki pages.
However I need some guidance.
I have several servers behind the router, a RB2011UAS-2HnD-IN.
It is connected in the following way:
Public IP (DHCP from ISP) - ether 1
ether 2 - L2 Switch.
So what I want to do is to let users access my servers behind the router. In some of the forums they mention the WAN IP given by the ISP.
However, since I only get my IP from DHCP it could change any day, which won't be so nice as I would have to manually (or script something to) update the rules.
As I gathered, this is how such a port "opening" should look:
Code:
chain=dstnat action=dst-nat to-addresses=10.0.10.10 to-ports=80 protocol=tcp dst-port=80
But that only disabled my ability to access the web from my LAN.
Are there any firewall rules I need to set or anything?
This is the output from my router:
Code:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway to-addresses=0.0.0.0
I've not added any NAT here as they didn't work at all for me.
I have also heard about Hairpin NAT, but it looks as if it requires a static WAN IP as well.
Are there firewall rules I need to add / remove and / or NAT rules?
Thanks in advance.
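The dst-nat rule quoted in the post has no interface or destination match, which is why it also caught the LAN's outbound web traffic. The RouterOS fragment below is an added example, not part of the original post or its accepted answer: it shows the rule scoped so that it needs no WAN address. The interface name and server address come from the post's export; the LAN subnet 10.0.10.0/24 and router LAN address 10.0.10.1 are assumptions.

```routeros
# Added example. Assumed values: LAN subnet 10.0.10.0/24, router LAN IP 10.0.10.1.
/ip firewall nat

# As posted (left commented out): nothing limits where the packet came from or
# where it was going, so every TCP/80 connection crossing the router, including
# LAN clients browsing the internet, is rewritten to 10.0.10.10.
# add chain=dstnat action=dst-nat to-addresses=10.0.10.10 to-ports=80 protocol=tcp dst-port=80

# Scoped version: only connections arriving on the WAN port are forwarded.
# No WAN address is referenced, so a new DHCP lease needs no rule change.
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    to-addresses=10.0.10.10 to-ports=80 comment="web server: WAN only"

# Optional hairpin, for LAN clients that use the public address or name.
# dst-address-type=local matches any address the router itself holds, so the
# current DHCP-assigned WAN address is covered without naming it. The router's
# own LAN address is excluded so its management page on port 80 stays reachable.
add chain=dstnat action=dst-nat src-address=10.0.10.0/24 dst-address-type=local \
    dst-address=!10.0.10.1 protocol=tcp dst-port=80 \
    to-addresses=10.0.10.10 to-ports=80 comment="web server: hairpin from LAN"

# Hairpin return path: source-NAT LAN-to-server connections so the server
# replies through the router instead of directly to the client.
add chain=srcnat action=masquerade src-address=10.0.10.0/24 dst-address=10.0.10.10 \
    protocol=tcp dst-port=80 comment="web server: hairpin masquerade"
```

The export in the post has no forward-chain filter rules, so the scoped dst-nat rule is the only thing deciding which WAN traffic reaches the server; keep it limited to the ports actually served.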