DNAT-U-Turn?

Hi, I have a problem using Port Forwarding.
I want to expose a webserver via dstnat rules, which works if I try to access it from the outside, but does not if I try to access it from the LAN:

LAN-IP → LAN-IP: works
WAN-IP → WAN-IP: works
LAN-IP → WAN-IP: doesn’t work; I see the webbox

These are my rules:

 0   ;;; Standard-NAT-Rule
     chain=srcnat action=masquerade out-interface=pppoe-telekom1 

 1   ;;; HTTP -> G5
     chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp in-interface=pppoe-telekom1 dst-port=80

I already read this post: http://forum.mikrotik.com/t/port-forwarding-problems/30728/16
But the solution does not work in my case because my WAN IP is dynamic, so I can only work with the interface (?).

My old Linksys router can do this - so how can I do this on RouterOS?

Best regards

Max

According to the post you are referring to, you have to add a rule like

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.26.4.15 \
dst-port=80 protocol=tcp src-address=local_network/netmask

I already read this post: viewtopic.php?f=13&t=34245&p=167859
But the solution does not work in my case because my WAN IP is dynamic, so I can only work with the interface (?).

Did you read the last two posts on that subject? To quote mrz: “guess not”.

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.26.4.15 \
dst-port=80 protocol=tcp src-address=10.26.4.0/24

I wish that would work, but it does not.

/ip firewall nat add chain=srcnat action=masquerade src-address=10.26.4.0/24 dst-port=80 protocol=tcp

Neither does this example by mrz.

Let me rephrase my first NAT rule:

 0   ;;; Standard-NAT-Rule
     chain=srcnat action=masquerade src-address=10.26.4.0/24

As far as I understand NAT this rule would already match the other two from above, but the result is unchanged.

I think the real problem here is that the only way I can do a dst-nat is by using “in-interface”.
The public IP is dynamic so I can’t use it, but on the other hand dst-natted traffic from the inside will never pass through the given interface…

So I would need a rule that matches the public IP regardless of the interface :open_mouth:
Something like:

1   ;;; HTTP -> G5
     chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp dst-address=[/ip addr find int="pppoe-telekom1"] dst-port=80

Best regards

Max

Is there a bridge somewhere in between?

I couldn’t see anything about your IP firewall filter, so this may potentially be totally beside the point. But just to be sure.

These rules work for me for the forward to my FTP. I am connected to the internet by a PPPoE connection, named “GTS” below.

rgs Pilgrim

In the IP/firewall/filter:
chain=forward action=accept protocol=tcp dst-port=20-21

In the IP/firewall/nat:
chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=20-21 protocol=tcp in-interface=GTS dst-port=20-21

Is there a bridge somewhere in between?

No, all LAN traffic comes from ether2 and all WAN traffic goes through pppoe-telekom1 (which is mounted on ether1)

In the IP/firewall/filter:
chain=forward action=accept protocol=tcp dst-port=20-21

In the IP/firewall/nat:
chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=20-21 protocol=tcp in-interface=GTS dst-port=20-21

I tried your first rule, but what it accounts for has always been working; also, the second rule is basically the same as mine.

These two rules would do exactly what I want:

 0   ;;; Standard-NAT-Rule
     chain=srcnat action=masquerade src-address=10.26.4.0/24 

 1   ;;; HTTP -> G5
     chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp 
     dst-address=84.138.122.xxx dst-port=80

BUT I can’t use the 84… address in the rule as it changes every 24h

Best regards

Max

You cannot route to an interface from which you came. In your case, you can’t route from the LAN interface right back to the LAN interface. It’s a Linux kernel problem.

You can solve this issue with DNS. As far as I know, there is no other solution.

This can be done. Search for hairpin NAT in the forums.

If you use the “public ip of the day” in the nat rules, does it work? I know it is not a fix, but might help with the debugging.

If you use the “public ip of the day” in the nat rules, does it work? I know it is not a fix, but might help with the debugging.

Yup, as said above this would work:

0   ;;; Standard-NAT-Rule
     chain=srcnat action=masquerade src-address=10.26.4.0/24

1   ;;; HTTP -> G5
     chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp
     dst-address=84.138.122.xxx dst-port=80

This can be done. Search for hairpin NAT in the forums.

http://forum.mikrotik.com/search.php?keywords=hairpin&terms=all&author=&sc=1&sf=all&sk=t&sd=d&sr=posts&st=0&ch=300&t=0&submit=Search

That wasn’t a too successful search :slight_smile:

So it does work if the ip address is correct?

How often does your public IP address change? I have static IPs, but many friends have DHCP connections and their IPs usually don’t change unless the power fails.

Maybe a script scheduled every few minutes (or a couple of minutes after startup) would take care of changing that IP in your NAT rule.

Would that be ok with you?

Possibly you can use interface and destination-address-type=local? You should not need to hard code any IPs in there for this to work.

So it does work if the ip address is correct?

Yeah.

How often does your public ip address change?

To help sell their leased lines, the owner of pretty much all German last miles, “Deutsche Telekom”, enforces a pretty silly limitation:
every DSL user is disconnected every 24 hours and receives a new IP upon reconnect.

Possibly you can use interface and destination-address-type=local? You should not need to hard code any IPs in there for this to work.

THANK YOU :smiley:
That did the trick:

 1   ;;; HTTP -> G5
     chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp 
     dst-address=!10.26.4.254 dst-address-type=local dst-port=80

(where 10.26.4.254 is the IP of the router)

Just out of curiosity: Is this the only way?

Best regards

Max
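An added example, not code from the thread or from MikroTik: a small Python model of the RouterOS/netfilter packet path (dstnat, then the routing decision, then srcnat, with the reply un-NATed by connection tracking) that replays the rule sets discussed above. It shows why the in-interface rule sends a LAN client to the webbox, why dst-address-type=local together with a masquerade on the LAN source range makes the U-turn work, and what breaks when that second masquerade rule is missing: the server answers the LAN client directly, so the client sees a reply from 10.26.4.15 instead of from the public address and drops it. The LAN addresses are the ones from the thread; the public address 84.138.122.7 (the thread masks the real one as 84.138.122.xxx), the LAN client 10.26.4.20 and the external client 203.0.113.9 are made up for the example, and only TCP is modelled.

```python
"""Model of the hairpin ("U-turn") NAT case from the thread above.

Added example, not from the thread or MikroTik. Assumed values: LAN
10.26.4.0/24 behind ether2, router LAN address 10.26.4.254, server
10.26.4.15:80, made-up public address 84.138.122.7 on pppoe-telekom1.
Only TCP is modelled, so the protocol=tcp matcher is treated as always true.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.26.4.0/24")
ROUTER = {"ether2": "10.26.4.254", "pppoe-telekom1": "84.138.122.7"}  # iface -> address
LOCAL_ADDRS = set(ROUTER.values())      # what dst-address-type=local matches
SERVER = "10.26.4.15"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


def route(dst):
    """Routing decision after dstnat: the router itself, the LAN, or the default route."""
    if dst in LOCAL_ADDRS:
        return "local"
    return "ether2" if ip_address(dst) in LAN_NET else "pppoe-telekom1"


def matches(rule, pkt, out_iface=None):
    """Evaluate the RouterOS matchers used in the thread against one packet."""
    for key, want in rule.items():
        if key in ("chain", "action", "to-addresses", "protocol"):
            continue
        if key == "in-interface" and pkt.in_iface != want:
            return False
        if key == "out-interface" and out_iface != want:
            return False
        if key == "dst-port" and pkt.dport != want:
            return False
        if key == "src-address" and ip_address(pkt.src) not in ip_network(want):
            return False
        if key == "dst-address":            # supports the "!addr" negation form
            negated = want.startswith("!")
            if (pkt.dst == want.lstrip("!")) == negated:
                return False
        if key == "dst-address-type" and want == "local" and pkt.dst not in LOCAL_ADDRS:
            return False
    return True


def send(pkt, rules):
    """Push one SYN through the router and work out what the client gets back.

    Returns (verdict, src_after_nat, dst_after_nat); verdict is "local"
    (the router answered itself, i.e. the webbox), "ok" or "broken".
    """
    orig = pkt
    for r in rules:                                   # PREROUTING: dstnat chain
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt = replace(pkt, dst=r["to-addresses"])
            break
    out = route(pkt.dst)
    if out == "local":
        return "local", pkt.src, pkt.dst
    for r in rules:                                   # POSTROUTING: srcnat chain
        if r["chain"] == "srcnat" and matches(r, pkt, out):
            pkt = replace(pkt, src=ROUTER[out])       # masquerade = out-interface address
            break
    # The server answers pkt.src. If that is another LAN host, the reply goes
    # straight across the LAN, the router never sees it and cannot un-NAT it,
    # and the client gets a SYN/ACK from SERVER where it expected orig.dst.
    if ip_address(pkt.src) in LAN_NET and pkt.src not in LOCAL_ADDRS:
        seen_src = pkt.dst
    else:
        seen_src = orig.dst                           # conntrack reverses both NATs
    return ("ok" if seen_src == orig.dst else "broken"), pkt.src, pkt.dst


# Max's first rule set (rules 0 and 1 at the top of the thread).
ORIGINAL = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "pppoe-telekom1"},
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": SERVER, "protocol": "tcp",
     "in-interface": "pppoe-telekom1", "dst-port": 80},
]
# The working set: masquerade everything from the LAN plus dst-address-type=local.
HAIRPIN = [
    {"chain": "srcnat", "action": "masquerade", "src-address": "10.26.4.0/24"},
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": SERVER, "protocol": "tcp",
     "dst-address": "!10.26.4.254", "dst-address-type": "local", "dst-port": 80},
]
# Same dstnat rule but only the WAN-bound masquerade: shows why the LAN one is needed.
NO_LAN_MASQ = [ORIGINAL[0], HAIRPIN[1]]

FROM_LAN = Packet("10.26.4.20", "84.138.122.7", 80, "ether2")          # LAN-IP -> WAN-IP
FROM_WAN = Packet("203.0.113.9", "84.138.122.7", 80, "pppoe-telekom1")  # WAN-IP -> WAN-IP
TO_WEBBOX = Packet("10.26.4.20", "10.26.4.254", 80, "ether2")          # LAN-IP -> router

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("hairpin", HAIRPIN), ("no-lan-masq", NO_LAN_MASQ)):
        for pkt in (FROM_LAN, FROM_WAN, TO_WEBBOX):
            print(f"{name:12} {pkt.src:>12} -> {pkt.dst}:{pkt.dport}  {send(pkt, rules)}")
```

Running it prints one verdict per rule set and packet. The exclusion dst-address=!10.26.4.254 is what keeps LAN connections to the router's own LAN address on the router (TO_WEBBOX stays "local" under the hairpin set); without it, dst-address-type=local would also match the router's LAN address and redirect that traffic to the server.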

That works, but I would probably have split mine into two rules, one with in-interface=lan and the other with in-interface=wan. I dunno, it just seems like you would want to keep them separated. I could be wrong... Anyhow, glad it works as you like.