Hello everybody.
I need access from a (public) Apache server with a PHP application to an internal LAN Routerboard (/ip neighbors).
The Border Router WAN IP is: 200.1.1.1
The routerboard LAN IP address is: 192.168.0.1
I tested using another port (8787) with dst-nat to the internal routerboard.
Example:
/ip firewall nat
add action=dst-nat chain=dstnat comment="acceso a routerboard API neighbords" disabled=no \
    dst-address=200.1.1.1 dst-port=8787 protocol=tcp to-addresses=192.168.0.1 \
    to-ports=8728
* I have a ping response from 192.168.0.1.
* The firewall and bridge filter accept these ports.
* Connection tracking is set to “ON” on both routerboards.
* The users have API policy and the /ip/service api is enabled.
But the PHP app doesn’t connect to the API, saying:
Connection attempt #1 to 200.1.1.1:8787… Connection attempt #2 to 200.1.1.1:8787… Error…
The same PHP code is working on another routerboard.
Any idea?
You shouldn’t need to do any natting. The API service should be available from all interfaces, and therefore from both IP addresses of the router.
What may be blocking the connection instead are mangle “prerouting” and filter rules. They get applied before the next hop (which in your case would be the final destination) is determined.
Another, MUCH more popular source of problems is the web server itself being unable to send packets because of its own firewall. Try to change the API port to “443” (which FYI is the port of the “HTTPS” protocol; most web servers are allowed to make outgoing requests to those), and connect on it. And remove that NAT rule anyway.
If you actually have control over the web server’s firewall, you can (and should!) instead adjust it to allow Apache (and/or PHP) to make outgoing connections.
Hello boen_robot, you don’t understand me.
I made a graph to better explain my situation.
Is this possible?
Best regards!

Oh. So the MikroTik you’re trying to access is a different one from the MikroTik doing the natting. That makes sense then.
The NAT rule itself seems OK. Given all other things you mentioned about your configuration, I guess there’s only one possible problem left:
Another, MUCH more popular source of problems is the web server itself being unable to send packets because of its own firewall.
Try to change the WAN port on the NAT rule from 8787 to 443, and connect on that.
If you actually have control over the web server’s firewall, you can (and should!) instead adjust it to allow Apache (and/or PHP) to make outgoing connections.
Connecting from PHP to port 443 had already been tested and does not work.
Example: in this example I need a dst-nat rule to redirect to the other Routerboard API.
$API->connect("200.1.1.1" , "usuario" , "contraseña", 443);
Then, if I enable the API service on the main MikroTik router (200.1.1.1), on the default port 8728, it runs perfectly. That says that outgoing connections from the Apache server are not blocked.
$API->connect("200.1.1.1" , "usuario" , "contraseña", 8728);
Connection attempt #1 to 200.1.1.1:8728… <<< [6] /login >>> [5/5 bytes read. >>> [5, 39] !done >>> [37/37 bytes read. >>> [37, 1] =ret=2d3a7578910aea5861359fd2ce76 <<< [6] /login <<< [15] =name=usuario<<< [44] =response=00614996719106430a16c9874a3d3 >>> [5/5 bytes read. >>> [5, 1] !done Connected… <<< [19] /ip/neighbor/getall <<< [22] ?address=192.168.0.19 >>> [5/5 bytes read. >>> [5, 1] !done Disconnected…
The problem may be with the dst-nat, or not?
Best regards.
Are you sure the API is enabled on the inner router (192.168.0.1)?
Can you make an API connection from within the 192.168.0.0/24 network to 192.168.0.1?
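To separate a TCP or NAT problem from an API service problem, the checks suggested in this thread can be scripted. The probe below is an added example, not code from any poster or from the PHP class used above. It sends the same bare `/login` sentence seen in the debug trace and assumes the peer answers with a word starting with `!`; the function names and result labels are invented for illustration.

```python
import socket

def encode_length(n):
    """RouterOS API length prefix: 1 to 5 bytes, tag bits in the first byte."""
    if n < 0x80:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")

def encode_sentence(words):
    """Length-prefix every word; a zero-length word ends the sentence."""
    data = [w.encode() for w in words]
    return b"".join(encode_length(len(d)) + d for d in data) + b"\x00"

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_sentence(sock):
    """Read words until the zero-length terminator."""
    words = []
    while True:
        first = read_exact(sock, 1)[0]
        if first == 0:
            return words
        extra = 0 if first < 0x80 else 1 if first < 0xC0 else 2 if first < 0xE0 else 3 if first < 0xF0 else 4
        mask = (0x7F, 0x3F, 0x1F, 0x0F, 0x00)[extra]
        length = int.from_bytes(bytes([first & mask]) + read_exact(sock, extra), "big")
        words.append(read_exact(sock, length).decode("latin-1"))

def probe(host, port, timeout=5.0):
    """Report whether the failure is at the TCP layer or the API layer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout"       # usually dropped packets: filter rule or dead NAT target
    except ConnectionRefusedError:
        return "tcp-refused"       # a host answered, but nothing listens on that port
    except OSError:
        return "tcp-error"
    with sock:
        try:
            sock.sendall(encode_sentence(["/login"]))
            reply = read_sentence(sock)
        except OSError:
            return "tcp-open-no-api"   # port is open but does not speak the API
    return "api-ok" if reply and reply[0].startswith("!") else "tcp-open-no-api"
```

Running `probe("200.1.1.1", 8787)` from the web server and `probe("192.168.0.1", 8728)` from a host inside 192.168.0.0/24 shows whether the break is in the dst-nat path or in the inner router's API service.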