I believe that I’m experiencing a form of firewall reflection.
I have a single public IP on a WAN interface with nat-masquerade to the inside private interface.
There is a webserver @ 192.168.1.31.
Port 80 requests on the public (66.76.129.58) interface are dst-nat to 192.168.1.31.
This is working fine.
But when you browse to http://www.4stn.com, which resolves to 66.76.129.58, and you are inside on
the private side, you get “page cannot be displayed”, but from anywhere else in the world it works fine.
How do you resolve this?
Split the DNS or use a hosts file.
Regards
Andrew
This is the reply from support:
You need to add ‘src-nat’ for the web-server, where ‘src-address’ is local
address and ‘to-addresses’ is public address.
Then web-server located in the local network should work for all clients
(including from the local network).
But this still didn’t resolve this issue.
Equis
December 6, 2006, 8:48am
Can you post your firewall settings?
It works for me
How do I do that?
Can I somehow extract just the firewall rules?
From the console:
/ip firewall filter print
Regards
Andrew
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.1.31 protocol=tcp src-port=80
action=src-nat to-addresses=66.76.129.58 to-ports=80
1 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=8100
icmp-options=0:0 action=dst-nat to-addresses=192.168.2.51 to-ports=80
2 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.1.31 to-ports=80
3 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=2222
action=dst-nat to-addresses=192.168.1.31 to-ports=22
4 chain=dstnat src-address=139.76.164.8 dst-address=66.76.129.58
action=dst-nat to-addresses=192.168.1.60 to-ports=0-65535
5 chain=dstnat dst-address=66.76.129.58 protocol=udp dst-port=1644-1647
action=dst-nat to-addresses=192.168.5.244 to-ports=1644-1647
6 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=10000
action=dst-nat to-addresses=192.168.5.244 to-ports=10000
7 chain=dstnat src-address=66.76.129.135 dst-address=66.76.129.58
protocol=tcp src-port=3306 dst-port=3306 action=dst-nat
to-addresses=172.28.50.40 to-ports=3306
8 chain=dstnat src-address=66.76.129.135 dst-address=66.76.129.58
protocol=tcp src-port=3306 dst-port=3306 action=dst-nat
to-addresses=172.28.50.40 to-ports=3306
9 chain=dstnat dst-address=66.76.129.58 protocol=udp dst-port=4569
action=dst-nat to-addresses=192.168.2.20 to-ports=4569
10 chain=dstnat src-address=208.54.234.200 dst-address=66.76.129.58
action=dst-nat to-addresses=192.168.2.20 to-ports=0-65535
11 chain=srcnat out-interface=ether3 action=masquerade
12 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=2224
action=dst-nat to-addresses=172.28.50.49 to-ports=22
– [Q quit|D dump|up|down]
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] >
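
The symptom in this thread, traced packet by packet as an added example (not posted by anyone in the thread). It assumes the inside client sits on the same 192.168.1.0/24 segment as the web server and that the router's LAN address is 192.168.1.1; neither is stated in the thread, and the hairpin rule shown in the comment is the usual RouterOS form, not a rule from the posted configuration.

```python
import ipaddress

PUBLIC = "66.76.129.58"      # WAN address from the thread
SERVER = "192.168.1.31"      # web server from the thread
ROUTER_LAN = "192.168.1.1"   # assumed router LAN address (not in the thread)
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix

def browse(client, hairpin):
    """Trace one TCP/80 request to PUBLIC.

    Returns (client_accepts_reply, source_address_of_reply_seen_by_client).
    """
    src, dst = client, PUBLIC
    # dstnat, rule 2 in the thread: 66.76.129.58:80 -> 192.168.1.31:80
    if dst == PUBLIC:
        dst = SERVER
    # Hairpin srcnat (assumed extra rule, usual RouterOS form):
    #   chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.31
    #   protocol=tcp dst-port=80 action=masquerade
    if hairpin and ipaddress.ip_address(src) in LAN and dst == SERVER:
        src = ROUTER_LAN
    # The server answers whatever source address it saw on the request.
    reply_src, reply_dst = SERVER, src
    via_router = (reply_dst == ROUTER_LAN
                  or ipaddress.ip_address(reply_dst) not in LAN)
    if via_router:
        # Connection tracking on the router reverses both translations.
        reply_src, reply_dst = PUBLIC, client
    # Otherwise the server delivers straight to its on-link neighbour, the
    # router never sees the reply, and the source stays 192.168.1.31.
    # The client connected to PUBLIC, so only a reply from PUBLIC matches
    # its TCP connection; anything else is discarded.
    return reply_src == PUBLIC, reply_src

if __name__ == "__main__":
    cases = [
        ("outside client", "203.0.113.7", False),   # constructed address
        ("inside, no hairpin", "192.168.1.100", False),
        ("inside, hairpin", "192.168.1.100", True),
    ]
    for label, client, hairpin in cases:
        ok, seen = browse(client, hairpin)
        print(f"{label:20} reply from {seen:15} accepted={ok}")
```
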