mannana93
just joined
Topic Author
Posts: 10
Joined: Fri Sep 27, 2013 4:31 pm

Forward to a local webserver

Fri May 02, 2014 7:21 pm

Hi, I need a rule that redirects a specified host (like 10.1.0.100 in the example) in my LAN to a webserver also in the LAN when the host tries to go to a specified pool of public IPs (y.y.y.y), but I don't want to use the RB as DNS server, so I tried the following way but it doesn't work.
chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 protocol=tcp src-address=10.1.0.100 dst-address=y.y.y.y
I have disabled all the firewall rules but it still doesn't work, so can the mangle have some problem? I have the mangle rule for PCC load balancing.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Forward to a local webserver

Fri May 02, 2014 7:31 pm

If you are DST NATing back to the same local LAN as the source you might be hitting a hairpin NAT issue:

http://wiki.mikrotik.com/wiki/Hairpin_NAT
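
A small model of the hairpin NAT problem referred to above, added here as an illustration; it is not code from any post in this thread or from MikroTik. It shows why a dst-nat rule alone fails when client and server share a subnet, and why an additional srcnat masquerade rule fixes it. The client and server addresses are the ones used elsewhere in this thread; the router LAN address and the public address are assumptions.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.1"   # assumed router address on the LAN
PUBLIC_IP = "203.0.113.10"      # constructed stand-in for y.y.y.y
CLIENT, SERVER = "192.168.0.64", "192.168.0.100"


def router_forward(src, dst, hairpin_masquerade):
    """Translate a request; return the forwarded packet and its conntrack entry."""
    orig = (src, dst)
    if dst == PUBLIC_IP:
        dst = SERVER                    # chain=dstnat action=dst-nat
    if hairpin_masquerade and ip_address(src) in LAN and dst == SERVER:
        src = ROUTER_LAN_IP             # chain=srcnat action=masquerade
    return (src, dst), {"orig": orig, "translated": (src, dst)}


def server_reply(request):
    """The server answers whoever the request appeared to come from."""
    src, dst = request
    return (dst, src)


def deliver_reply(reply, conntrack):
    """Return the packet the client finally receives.

    A reply addressed to the router is reverse-translated from conntrack.
    A reply addressed to a host in the same subnet is switched at layer 2
    and never crosses the router, so the dst-nat is never undone.
    """
    _, dst = reply
    if dst == ROUTER_LAN_IP:
        o_src, o_dst = conntrack["orig"]
        return (o_dst, o_src)
    return reply


def client_accepts(hairpin_masquerade):
    """True if the reply comes from the address the client connected to."""
    request, ct = router_forward(CLIENT, PUBLIC_IP, hairpin_masquerade)
    received = deliver_reply(server_reply(request), ct)
    return received == (PUBLIC_IP, CLIENT)


if __name__ == "__main__":
    print("dst-nat only:        ", client_accepts(False))
    print("dst-nat + masquerade:", client_accepts(True))
```

The model covers only the NAT step; it does not model mangle rules or PCC routing marks.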
 
mannana93
just joined
Topic Author
Posts: 10
Joined: Fri Sep 27, 2013 4:31 pm

Re: Forward to a local webserver

Sat May 03, 2014 12:21 pm

If you are DST NATing back to the same local LAN as the source you might be hitting a hairpin NAT issue:

http://wiki.mikrotik.com/wiki/Hairpin_NAT
I tried this solution but it doesn't work, there is no forwarding (192.168.0.100 is the webserver and .64 is the host that has to be forwarded there).
/ip firewall nat
add chain=srcnat src-address=192.168.0.64 \
  dst-address=192.168.0.100 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Forward to a local webserver

Sat May 03, 2014 1:38 pm

I think you also need a rule in the mangle placed before the PCC rules:
/ip firewall mangle
add chain=prerouting in-interface=LAN dst-address=192.168.1.0/24 action=accept
This might help to not process this traffic and force it through the specified gateways of your PCC
 
mannana93
just joined
Topic Author
Posts: 10
Joined: Fri Sep 27, 2013 4:31 pm

Re: Forward to a local webserver

Sat May 03, 2014 1:48 pm

I think you also need a rule in the mangle placed before the PCC rules:
/ip firewall mangle
add chain=prerouting in-interface=LAN dst-address=192.168.1.0/24 action=accept
This might help to not process this traffic and force it through the specified gateways of your PCC
I already have an accept rule in the mangle like that. Here you are (in the local address list there are all the subnets of my LAN):
chain=prerouting action=accept src-address-list=local dst-address-list=loca
 
mannana93
just joined
Topic Author
Posts: 10
Joined: Fri Sep 27, 2013 4:31 pm

Re: Forward to a local webserver

Sat May 03, 2014 3:36 pm

I also tried to force the use of local DNS with the following simple rule but it doesn't work.
I think the problem is in mangle.
chain=dstnat action=redirect to-ports=53 protocol=udp src-address=192.168.0.0/24 dst-port=53 
 
mannana93
just joined
Topic Author
Posts: 10
Joined: Fri Sep 27, 2013 4:31 pm

Re: Forward to a local webserver

Sat May 03, 2014 4:40 pm

This is my mangle. If I edit the first rule and delete the dst-address-list=local, all is OK, but the load balancing doesn't work anymore.

ros code

0   ;;; Accept local to local
     chain=prerouting action=accept src-address-list=local dst-address-list=local 

 1   chain=prerouting action=accept  src-address-list=local  dst-address=x.x.x.x/21 //(pool of the 2 public IPs)

 2   ;;; FROM HERE PCC
     chain=input action=mark-connection new-connection-mark=ether1_conn passthrough=yes in-interface=ether1 - WAN 1 connection-mark=no-mark 

 3   chain=input action=mark-connection new-connection-mark=ether2_conn passthrough=yes in-interface=ether2 - WAN 2 connection-mark=no-mark 

 4   chain=prerouting action=mark-connection new-connection-mark=ether1_conn passthrough=yes src-address-list=local per-connection-classifier=both-addresses:2/0 

 5   chain=prerouting action=mark-connection new-connection-mark=ether2_conn passthrough=yes dst-address-type=!local src-address-list=local connection-mark=no-mark 
     per-connection-classifier=both-addresses:2/1 

 6   chain=prerouting action=mark-routing new-routing-mark=to_ether1 passthrough=no src-address-list=local connection-mark=ether1_conn 

7   chain=prerouting action=mark-routing new-routing-mark=to_ether2 passthrough=no src-address-list=local connection-mark=ether2_conn 

8   chain=output action=mark-routing new-routing-mark=to_ether1 passthrough=no connection-mark=ether1_conn 

9   chain=output action=mark-routing new-routing-mark=to_ether2 passthrough=no connection-mark=ether2_conn
