RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Redirect to external Public IP

Wed Mar 13, 2024 3:31 am

How do I redirect an incoming WAN TCP port 9999 connection to public IP 1.2.3.4 on port 9999, which is accessible from the WAN?
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect to external Public IP

Wed Mar 13, 2024 3:41 am

Please draw a diagram of what you are describing, as what you wrote makes little sense to me.
Also, try not to speak of any solution/config ideas; instead do the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Wed Mar 13, 2024 1:16 pm

[attachment: traffic flow.png]
Traffic is not big, maybe some megs.

Main goal: 128.128.128.128 has a signed and paid SSL certificate, but the webhook service is hosted on another machine with another global IP. I want to reroute traffic that comes to 128.128.128.128 on port 9999 with domain name abcabc.com to the other global IP 8.8.8.8, which will route to the local server machine. The main problem is that domain abcabc.com has other services that have to stay in place and currently work receiving traffic on other ports as is.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Redirect to external Public IP

Wed Mar 13, 2024 3:33 pm

The "red" traffic will likely only pass bi-directionally if you implement hairpin NAT for that "public to public" NAT. Without it, webserver 2 will try to reply to the client (accessing abcabc.com:9999) directly, but the client will reject this as it will try to talk to your router's WAN IP address.

Hairpin NAT means that the server doesn't see the real client's IP address, it sees the NAT device's IP address. In certain cases this is a deal breaker, in some cases it's a nuisance (lack of observability on the server) and in most cases it's not a problem at all.
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Wed Mar 13, 2024 4:28 pm

Can you give me a solution to try? I've tried to add a src-nat TCP port 9999 masquerade; it doesn't help, the other remote router doesn't see any initial connection to it.
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect to external Public IP

Wed Mar 13, 2024 4:39 pm

Glad you understand, MKX; can you explain what is going on?

It would appear that
a. the router has a public IP and is the DHCP server etc.
b. OP has a dyndns URL that he uses for identifying the router (not using IP cloud)
c. he wants to reach a server on the LAN
d. the server requires port 8.8.8.8 but since there is some conflict somewhere it has to come into the router on port 9.9.9.9 (simple port translation on a dstnat rule?)

Close???
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Redirect to external Public IP

Wed Mar 13, 2024 7:42 pm

@anav: you're pretty close to how I understand it. Just that @OP wants to forward a connection (initially targeting his router port 9999) to some host on the internet (same port 9999).

@RipperR: I'd try with this pair of NAT rules:
/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8

If your NAT rule list contains a default-like src-nat rule, then the second rule above is probably not even necessary.

It may be that the rules above are not entirely correct for your particular use case but this depends on the rest of your firewall config (e.g. there may be a rule which blocks what dst-nat rule above tries to do).

A side note: if the L5 protocol over TCP port 9999 includes telling server the FQDN (like in HTTP where client informs server about hostname part of URL), then server at 8.8.8.8:9999 has to know it's been referred to as abcabc.com
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Fri Mar 15, 2024 3:30 pm

Doesn't work.
srcnat has no traffic at all.
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
Idea: I got a signed SSL cert for IP 128.128.128.128 for domain name abcabc.com. I want to redirect traffic for that domain, https://abcabc.com:9999, to the other "web server" (it's not an actual web server, it's a TCP SSL server that tries to look like HTTPS for the Viber webhook), so that when https://abcabc.com:9999 is called it looks like 128.128.128.128 replies, but internally all traffic goes to 8.8.8.8:9999, and 8.8.8.8 will use the certificate belonging to 128.128.128.128 for the communication.

For example, when a client calls 128.128.128.128:443 with the domain name, it actually redirects to the internal IP where the web server is located, for example dst-nat to 192.168.0.128 ... so I want to do the same, but going not to 192.168.0.128 but to 8.8.8.8.
Last edited by RipperR on Fri Mar 15, 2024 3:49 pm, edited 4 times in total.
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect to external Public IP

Fri Mar 15, 2024 3:39 pm

Still makes no sense....... Oh well, I will move on.
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Fri Mar 15, 2024 4:02 pm

dstnat: in:ether1 out:(unknown 0), src-mac 06:5d:6d:d9:69:3d, proto TCP (SYN), 109.251.110.110:57905->128.128.128.128:9092, len 60 -- that's what I get in the logs; no traffic reaches the srcnat rule.

So the question is: why doesn't the srcnat masquerade rule trigger ....
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 2:33 pm

I've done some testing. I did the same from the second side and that way it successfully redirects to side one, but from side one to side two, as I want it, it doesn't work and I can't figure out why. Side one is 6.48.6, side two 7.9.2.

On side one the dstnat rule works; the srcnat rule gets no traffic hits.
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 3:08 pm

No idea whether it could work, but what mkx posted:
/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=9999 to-addresses=8.8.8.8
add chain=srcnat action=masquerade protocol=tcp dst-port=9999 dst-address=8.8.8.8
is different from what you reported trying:
add action=dst-nat chain=dstnat comment=ViberWebHook dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
add action=masquerade chain=srcnat comment=ViberWebHook dst-address=8.8.8.8 dst-port=9999 log=yes protocol=tcp to-addresses=8.8.8.8
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 3:37 pm

19    ;;; ViberWebHook
      chain=dstnat action=netmap to-addresses=8.8.8.8 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix="" 

20    chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix="" 
It doesn't hit srcnat .... dstnat gets traffic through but srcnat gets no traffic ... how do I track why?

The global NAT rule is
1 ;;; NAT
chain=srcnat action=src-nat to-addresses=public_ip src-address=192.168.1.0/24 out-interface=ether1 log=no log-prefix=""
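To make mkx's hairpin explanation above concrete, and to show why a dstnat rule can count hits while the srcnat rule stays at zero, here is a small Python model of the router's packet path for a forwarded connection: dstnat, then the filter forward chain, then srcnat, with a connection-tracking table that reverses both translations on reply packets. This is an added example written for this thread; it is not MikroTik code and not anything posted by the participants. It uses the thread's placeholder addresses (router WAN 128.128.128.128, webhook host 8.8.8.8:9999) and the client 109.251.110.110:57905 from the SYN logged above; the `Router` class, its flags and the `attempt` helper are all assumptions made for the model. Three cases are covered: dst-nat plus masquerade (the handshake completes), dst-nat without masquerade (8.8.8.8 answers the client directly and the client rejects the SYN-ACK), and a forward-chain drop (srcnat is never evaluated).

```python
from dataclasses import dataclass

# Placeholders from the thread (not real hosts): router WAN IP and webhook host.
ROUTER_WAN = "128.128.128.128"
TARGET = "8.8.8.8"
PORT = 9999


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "SYN" or "SYN-ACK"


class Router:
    """Toy edge router (assumed model, not RouterOS code): dstnat -> filter forward
    -> srcnat for new connections, plus a conntrack table that reverses both
    translations on replies."""

    def __init__(self, dst_nat=True, masquerade=True, forward_accepts=True):
        self.dst_nat = dst_nat                  # chain=dstnat action=dst-nat to-addresses=8.8.8.8
        self.masquerade = masquerade            # chain=srcnat action=masquerade dst-address=8.8.8.8
        self.forward_accepts = forward_accepts  # does the filter forward chain let it through?
        self.conntrack = {}                     # reply-direction tuple -> client's original tuple
        self.hits = {"dstnat": 0, "forward": 0, "srcnat": 0}

    def handle(self, pkt):
        """Return the packet as it leaves the router, or None if it is dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply direction: conntrack undoes dst-nat and src-nat; NAT rules are not consulted.
            o_src, o_sport, o_dst, o_dport = self.conntrack[key]
            return Packet(o_dst, o_dport, o_src, o_sport, pkt.kind)

        # New connection from the WAN. Only the dst-nat case is modelled; anything
        # else would go to the input chain, which is out of scope here.
        if not (self.dst_nat and pkt.dst == ROUTER_WAN and pkt.dport == PORT):
            return None
        self.hits["dstnat"] += 1
        dst, dport = TARGET, PORT

        # filter forward runs after dstnat; a drop here means srcnat never sees the
        # packet, which is exactly "dstnat has hits, srcnat has none".
        if not self.forward_accepts:
            return None
        self.hits["forward"] += 1

        # srcnat (postrouting): masquerade swaps the source for the outgoing
        # interface's address and keeps the source port when it is free.
        src, sport = pkt.src, pkt.sport
        if self.masquerade:
            self.hits["srcnat"] += 1
            src = ROUTER_WAN

        # Remember the tuple the reply will carry so it can be mapped back to the client.
        self.conntrack[(dst, dport, src, sport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(src, sport, dst, dport, pkt.kind)


def server_reply(syn):
    """8.8.8.8:9999 answers whatever source address the SYN carried."""
    return Packet(syn.dst, syn.dport, syn.src, syn.sport, "SYN-ACK")


def attempt(router, client="109.251.110.110", cport=57905):
    """One handshake attempt through the router (client IP:port taken from the
    OP's logged SYN). Returns what each side observed."""
    syn = Packet(client, cport, ROUTER_WAN, PORT, "SYN")
    fwd = router.handle(syn)
    if fwd is None:
        return {"server_sees": None, "client_sees": None, "accepted": False}
    synack = server_reply(fwd)
    if synack.dst == ROUTER_WAN:
        synack = router.handle(synack)  # hairpins back through the router and is un-NATed
    # Otherwise the server answers the client directly and the router never sees it.
    # A client only accepts a SYN-ACK from the exact address:port it sent the SYN to.
    accepted = (synack.src, synack.sport, synack.dst, synack.dport) == (ROUTER_WAN, PORT, client, cport)
    return {
        "server_sees": f"{fwd.src}:{fwd.sport}",
        "client_sees": f"{synack.src}:{synack.sport}",
        "accepted": accepted,
    }


if __name__ == "__main__":
    for label, r in [("dst-nat + masquerade", Router()),
                     ("dst-nat only", Router(masquerade=False)),
                     ("forward chain drops", Router(forward_accepts=False))]:
        print(f"{label:22} {attempt(r)} hits={r.hits}")
```

On the real router the counters this models are `/ip firewall nat print stats` and `/ip firewall filter print stats`, and a connection that made it through both translations appears in `/ip firewall connection print` with 8.8.8.8:9999 as dst-address and the router's WAN address as reply-dst-address. Two things the model makes visible: the webhook host only ever sees the router's WAN address (mkx's observability point), and the dst-nat rule turns the router into a relay to 8.8.8.8:9999 for any source on the internet, so it is worth restricting the rule's src-address to the webhook provider's ranges if they are known.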
 
DeadStik
just joined
Posts: 18
Joined: Thu Jan 04, 2024 4:35 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 6:25 pm

What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect to external Public IP

Sat Mar 16, 2024 6:29 pm

The point being, the OP should have provided his complete config in the first post.
Another waste of a chasing thread because there is no first-post process. Thank you, MT.
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 6:37 pm

What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?
I've added the rules before:
68 ;;; ViberWebHook
chain=input action=accept protocol=tcp dst-port=9999 log=no log-prefix=""

69 ;;; ViberWebHook
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""
The forward chain is hit; no traffic on input.
Last edited by RipperR on Sat Mar 16, 2024 6:40 pm, edited 1 time in total.
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 6:38 pm

The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thankyou MT.
It's a production config, it has many rules in it, I can't post it here. So can you give advice on what I can check and what could affect that issue ...
Last edited by RipperR on Sat Mar 16, 2024 7:16 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect to external Public IP

Sat Mar 16, 2024 7:11 pm

/export file=anynameyouwish ( minus PUBLIC IP information, KEYS, long dhcp lease lists, etc..)
There should be relatively little else to scrub ( possibly some names you give to things, comments etc..... )

Use a code block to limit visible length and improve readability (on the same line as Bold and Underline, just to the left of the quotation marks).
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP

Sat Mar 16, 2024 7:17 pm

I found the way: the packet goes to the second router, but there is no reply from the server and no packet reaches the server, while direct access to 8.8.8.8:9999 works.

The packet log looks similar:
dstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), somepublicip:50916->8.8.8.8:9999, len 60
- works, direct connection
dstnat: in:ether1-gateway out:(unknown 0), src-mac 00:xx:xx:xx:xx:22, proto TCP (SYN), 128.128.128.128:50926->8.8.8.8:9999, len 60
- doesn't work through the remote server via masquerade
srcnat: in:(unknown 0) out:ether1, src-mac 06:yy:yy:yy:yy:3f, proto TCP (SYN), omepublicip:51394->8.8.8.8:9999, NAT omepublicip:51394->(128.128.128.128:9999->8.8.8.8:9999), len 60
 
RipperR
just joined
Topic Author
Posts: 12
Joined: Thu Oct 10, 2019 12:11 pm

Re: Redirect to external Public IP  [SOLVED]

Sun Mar 17, 2024 2:35 pm

Complete solution in my case:

128.128.128.128 router (cert and domain are bound to it)
ip firewall filter
chain=forward action=accept protocol=tcp src-address=8.8.8.8 in-interface=ether1 src-port=9999 log=no log-prefix=""
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""

ip firewall nat
chain=dstnat action=netmap to-addresses=8.8.8.8 to-ports=9999 protocol=tcp in-interface=ether1 dst-port=9999 log=no log-prefix=""
chain=srcnat action=masquerade protocol=tcp dst-address=8.8.8.8 dst-port=9999 log=no log-prefix=""

8.8.8.8 side with the redirected web server
ip firewall filter
chain=forward action=accept protocol=tcp dst-port=9999 log=no log-prefix=""

ip firewall nat
chain=dstnat action=netmap to-addresses=10.10.0.254 to-ports=9999 protocol=tcp in-interface=ether1-gateway dst-port=9999 log=no log-prefix=""

And everything works with the signed SSL certificate for IP 128.128.128.128 and domain abcabc.com for that IP, but internally I redirected to another web server with public IP 8.8.8.8, with an internal redirection there to a local IP.
