DMZ with Dynamic IP

rd228 · February 29, 2016, 11:31am

Hi all,

Is this possible? If so how would I go about achieving this?

I’m already using a PPPoE connection with a dynamic ip address for my internet connection.

I’d like to be able to put a web server in a DMZ to keep it separate from my local LAN.

I’ve done some googling but no one seems to have definitively answered this question or how to go about doing it.

Could someone provide me with some guidance/assistance?

Regards

ShayanFiroozi · February 29, 2016, 2:06pm

Hi ,
Use dst-nat , which means destination NAT , just asking the router to NAT packets from your public IP address to an internal one which is your web server

ZeroByte · February 29, 2016, 2:38pm

When using NAT pinholes, there’s really very little difference between cases where the internal host is in the same LAN or in a DMZ lan.
DMZ network can be nice because you don’t need to use hairpin NAT rules when the LAN stations try to reach the DMZ host using its public IP.

Just pick an ethernet interface and remove it from hardware switching and/or from your LAN bridge. (port is standalone router port)

Then put a DMZ IP range on this interface. If you want multiple DMZ hosts, then you’ll need to create a DMZ bridge interface, and put the proper interfaces on the DMZ bridge…

Then just make your dstnat rule(s) point to the DMZ IP addresses of those hosts.

Since you’re using a DMZ interface, the dst-nat rule needs to match traffic in the WAN and in the LAN interface as well…
This is the easiest:
/ip firewall nat
add chain=dstnat dst-address=!192.168.0.0/16 protocol=tcp dst-port=80,443 to-addresses=192.168.100.80
(assuming that 192.168.100.x is the DMZ network and that your LAN is also using a 192.168.x.x address.)

For firewall filters, just make sure that you have a rule that blocks in-interface=dmz, out-interface=lan
of course make sure there’s a rule to accept “established,related” connection state, so that the LAN can connect to DMZ and the replies will be permitted.

rd228 · March 2, 2016, 9:51pm

Hi Zerobyte

I setup ether6 as my DMZ interface and set master port to none. The IP of the interface as 172.28.20.1

The webservers ip address is 172.28.20.254 and connected to ether6

I setup NAT as the following

Chain - DST-NAT
Protocol: tcp
dst.port : 80
in.interface: pppoe-out1 (This is my wan connection via ether1 which is connected to my modem)
action : dst-nat
To address: 172.28.20.254
To ports: 80

I tried to set it up DST-NAT as you said in your post but if I put in my LAN IP address as !172.28.8.0/24 in the src.address (This is my LAN) instead of using the in.interface as ive done it above. When I tried to navigate to say google from my network it would show my webserver intead of google.

Setting the NAT alone wouldn’t let me in to the webserver from outside my network so I also set a firewall rule to

in interface: pppoe-out1
out interface: ether6
protocol: tcp
port :80

I can now successfully connect to my webserver from OUTSIDE my network.

I then setup firewall rules as follows as you suggested

in : ether6
out: ether2-master-local (LAN)
action : DROP

This prevented me from being able to ping anything from within an SSH session on my webserver to my LAN! (Perfect)
But can still ping my webserver from my lan devices (Perfect!)

I then in the mikrotik log saw that the webserver was being blocked from being able to get out onto the internet. So i set up another firewall rule to allow this by

in interface: ether6
out interface: pppoe-out1
action: accept

I can now ping 8.8.8.8 from my webserver.

The only issue I have now is that if i try and go to my public domain name from WITHIN my LAN. The page wont load…
Any ideas why?

Can you also confirm that the way ive set all this up above in terms of firewalls/NAS is correct and secure? Just because I deviated slightly from how you said to set it up.

rd228 · March 4, 2016, 1:37pm

Anyone??

ZeroByte · March 4, 2016, 6:13pm

Okay - change the above rule to this:
Protocol: tcp
dst.port : 80
dst-address: ! 172.28.0.0/16
dst-address-type=local
action : dst-nat
To address: 172.28.20.254

(To-ports: is not required if you’re not modifying the port - in fact, you could also specify dst.port: 80,443 and also support SSL on your server)

That should fix it for you, as far as the problem you had where the entire world was being mapped to your internal server’s web page.
dst-address-type=local means “any IP address configured on the Mikrotik itself” (this includes the dynamic wan IP and all LAN IPs at once)
dst-address: ! 172.28.0.0/16 → exclude any of the LAN addresses of the Mikrotik from the above

Don’t specify in-interface because requests from the LAN to the wan IP will not be arriving via the pppoe interface, thus wouldn’t be matched.
Also note that if you request the DMZ server via its private IP, this will simply be forwarded and will work as you would normally expect it to.

I would say that it’s enough to just have one rule that says out interface: pppoe-out1
No need to specify the in-interface, as you want all of your LAN interfaces to be able to go out to the Internet anyway. This way it only takes one rule to allow both the LAN and the DMZ out to the world.

You were really close there, and good job on everything else you’d gotten working properly.