access to webserver in the same subnet [solved]

RouterOS Beginner Basics
1

HI,
I do know topic was written here thousands time but I need help.

I have webserver behind microtick.

So I have forwarded port 80 to server inside my lan

PublicIP------------ 80 port-----Mikrotik ---- port forwarding 192.168.1.250:80.


Everythink works just great from internet perspective.

Unfortunatelly when I try reach website from the same subnet as www serwer 192.168.1.0/24 then it failed.


I have used hairpin nat:
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Unfortunately I did somethink wrong cause it doesn’t work :confused:

Could someone see my NAT config and tell me where is “wally” ?


      protocol=tcp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

46    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=udp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

47    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=30033 log=no 
      log-prefix="" 

48    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22222 log=no 
      log-prefix="" 

49    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=9987 log=no 
      log-prefix="" 

50    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8801 log=no 
      log-prefix="" 

51    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=2221 log=no 
      log-prefix="" 

52    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=2222 log=no 
      log-prefix="" 

53    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=22 
      protocol=tcp in-interface=ppp-out1 dst-port=2222 log=no log-prefix="" 

54    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=9091 
      protocol=tcp in-interface=ether1-gateway dst-port=9091 log=no 
      log-prefix="" 

55    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=22 protocol=tc>
      in-interface=ether1-gateway dst-port=22224 log=no log-prefix="" 

56    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=80 protocol=tc>
      in-interface=ether1-gateway dst-port=8804 log=no log-prefix="" 

57    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=21 protocol=tc>
      in-interface=ether1-gateway dst-port=22214 log=no log-prefix="" 

58    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=10090-1010>
      protocol=tcp in-interface=ether1-gateway dst-port=10090-10100 log=no 
      log-prefix="" 

59    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=41100-41110 
      protocol=tcp in-interface=ether1-gateway dst-port=41100-41110 log=no 
      log-prefix="" 

60    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=41100-41110 
      protocol=udp in-interface=ether1-gateway dst-port=41100-41110 log=no 
      log-prefix="" 

61 X  chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=79 
      protocol=udp in-interface=ether1-gateway dst-port=79 log=no log-prefix="" 

[admin@MikroTik] /ip firewall nat>
2

All of your rules use the in-interface=ether1-gateway selector.
I prefer this myself, because if the wan IP changes, then there’s no need to change the firewall rules.

However, for hairpin NAT, this won’t work because when LAN hosts attempt to reach the public IP address, the in-interface will be the LAN interface, not the ether1-gateway interface.

There are basically two ways to fix this:

  1. use dst-address=x.x.x.x (public IP address of the ether1-gateway interface) instead of in-interface=ether1-gateway
  2. use dst-address-type=local dst-address=!192.168.0.0/16

I prefer method 2 because it is more flexible and won’t need to be updated if your IP addressing changes. (of course, if your LAN uses 10.x.x.x then make the dst-address=!10.0.0.0/8 - etc)

I also have another suggestion - move the pinhole rules into their own chain.
This will make the firewall a little bit more efficient as well as making the rules easier to manage.

Step1 - insert this new rule just before the first pinhole dstnat rule:
dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes

Step2 - modify all of your NAT pinhole rules by changing the chain to pinholes, and removing the in-interface=ether1-gateway criteria.

Step3 - at the end of the pinholes chain, add a default return rule:
add chain=pinholes action=return

3

Hi ZeroByte,
Thank you for reply.

I’ve tried go with suggestion number 1 what seems to be more fast :slight_smile:

Unfortunatelly no luck:

Here is my NAT rules

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ppp-out1 log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/16 
      dst-address=public_IP dst-port=80 log=no log-prefix=""

I do telnet from network 192.168.1.0/24

telnet 192.168.1.250 80

Trying 192.168.1.250...
Connected to 192.168.1.250.
Escape character is '^]'.
Connection closed by foreign host.




telnet publicIP 80
Trying publicIP...
telnet: Unable to connect to remote host: Connection refused

Additionally I changed my rule to forward traffic from net to server www behind microtik. So I removed from in.interface ether1-gateway and left it blank. For dest address I put my public IP and I must admit it works. Still users from net are able to connect my websites. But anyway I still stuck in the same point, no access to websites for users in the same subnet as www-server.


18    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp dst-address=publicIP_addr dst-port=80 log=no log-prefix=""
4

Your rule #2 was a bit wrong:
2 chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/16
dst-address=public_IP dst-port=80 log=no log-prefix=“”

This is the hairpin rule - the reason it didn’t work for you is that by the time SRCNAT is being checked, the DSTNAT has already been completed, so at this point, the packet will have the web server’s private IP as the destination.

If you just have a single LAN interface, then change the above rule by removing the part highlighted in red and replacing it with out-interface=LAN


18 chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80
protocol=tcp dst-address=publicIP_addr dst-port=80 log=no log-prefix=“”

This rule is correct. If you have a dynamic public IP (or may change it from time to time for various reasons like changing your ISP) and you don’t want to have to remember to come fix this rule whenever the public IP changes, you can modify the rule like this:

18 chain=dstnat action=dst-nat to-addresses=192.168.1.250 protocol=tcp dst-address-type=local dst-address=!192.168.0.0/16 dst-port=80

(note that to-ports isn’t a required setting if the port isn’t being changed by your NAT rule)

5

Thank you Zerobyte, you are awesome !
Indeed , then I changed rule number 2 with your suggestion it started work as should.
Thank you very much for your help and lesson.

6

No problem. I think it helps more if people understand what’s going on when they fix something.
You may want to edit the thread’s subject to begin with [SOLVED]