Yea, the title may not really make any sense so let me explain.
I have a traefik proxy that proxies data to back-end applications.
let’s say my router’s WAN IP is 1.2.3.4 and its LAN IP is 10.0.0.1.
Now when I try to access something through the proxy, everything goes fine except one thing: My proxy thinks everything is 10.0.0.1 (even when I tell my machine to connect to 1.2.3.4).
This causes some apps behind the proxy to misbehave because they rely on the IP being the IP from the outside not the inside.
When I access it through my phones 4G (5.6.7.8), everything works perfectly fine.
So this is basically what I get:
Phone connects through 4G: traefik sees as 5.6.7.8
Desktop connects: traefik sees as 10.0.0.1
Phone connects through wifi: traefik sees as 10.0.0.1
How can I make it so that if I access my proxy using the external IP, traefik sees the external IP, not the routers IP?
In this case, it’s basically a webserver that forwards requests to a back-end.
How it’s hooked up, how it functions etc. etc. is irrelevant otherwise.
Basically what the MikroTik router does is:
See if request comes from LAN, destined for 1.2.3.4 (my WAN IP)
Sends it to the proxy as 10.0.0.1 (the router’s LAN IP)
This causes the proxy to think that the client IP is 10.0.0.1, but this causes things to break because some back-end apps rely on the publically accessible IPs to be the client IP.
That’s all I know about it, I only know what I expect it to do, but not how to do it and why it misbehaves like this.
Again, this is what the proxy sees (because the router does something to interfere with the IPs):
Phone + 4G: 5.6.7.8 (correct)
Laptop from Starbucks or something: 9.1.2.3 (correct)
Desktop in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)
Phone in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)
Like I said, I dont understand the need for proxies… or more fundamentally the requirements that you have for your users or devices.
For example why cannot they go out from their PC directly to the internet??
The proxy is there so that I can have multiple back-ends on 1 WAN IP (1.2.3.4) and port (443).
Basically the proxy matches from the HTTP headers like this (and forwards request accordingly):
So if, for example, a device would come in: “send me 1.2.3.4:443 with hostname www.finlaydag33k.nl”, the router would take that and forward it as-is to the proxy, proxy then looks at the HTTP header and forwards it to the LAN IP “10.0.1.233”.
Else, I would run out of ports really quickly (also, it’s not very nice to have people remember and enter all kinds of ports).
Now if I instead wanted to access “test.finlaydag33k.nl”, it would just forward the request to the required back-end.
However, if the client is located in the LAN, things get iffy and this becomes the scenario:
Here, the router starts interfering somehow (which is what I’m trying to fix) and the “client-ip” is my router’s LAN IP instead of it’s WAN IP.
That should be the WAN IP so that the back-end app can do it’s thing properly.
I hope this makes more sense?
You’re seeing the result of a hairpin-NAT-rule. This is explained here: https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT.
If you just need to change the address to the WAN IP address of the router instead of its LAN IP address, you can do that by changing the “to-addresses” in the src-nat rule. That’s the address the source address is changed to. It defaults to the address that a new connection through the egress interface would get, e.g. the LAN address if the connection is routed through the LAN interface.
But this still results in the IP showing in my app as “10.0.0.1” (if I use my phone from 4G, it still shows the right external IP).
This is what I get in my logs, so it is doing something:
Yes, that’s the hairpin-NAT rule. The “masquerade” target changes the source address to the address of the egress interface. Use the “src-nat” target instead and set the “to-addresses” in that rule to the WAN-address.
