The issue: We have a webpage - subpage.webpage.com - which is working from the internet; this page is running on our internal server. We use a Watchguard firewall which routes this traffic to the webpage with a port attached - 9000 (subpage.webpage.com:9000) - and this works great from the internet. We would like to access this page from our intranet, but cannot get it to work unless we set up a hosts file on each computer to route it. Given that we have over 800 computers, I would like to find a way to do it with the MikroTik if possible. We do not use the firewall on the MikroTik right now. Our DNS server is also internal. We have a range of public IPs from our ISP, and we use one of them for the traffic to this webpage on the Watchguard. Also, our LAN is a different subnet than the web server.
Watchguard Firewall
ether0 - 111.111.111.1/29 - Internet (external)
ether1 - 222.222.0.0/16 - LAN (trusted)
ether2 - 333.333.333.0/24 - Server network (trusted)
ether3 - 444.444.444.1/30 - SIP Network for Phones (External)
SNAT - 111.111.111.3 to 333.333.0.2:9000
Mikrotik
ether1 - 222.222.0.0/16 - LAN Subnet (This also has our internal DNS)
ether7 - 333.333.333.0/24 - Server Subnet (This subnet is used for other internal servers that the LAN is able to reach)
ether1 thru ether10 are all used for different subnets - ether1 being the default
From internet webpage works great.
From LAN, only works if there is a Host file with: “333.333.333.2 subpage.webpage.com”
Don’t want to manage hosts files - can I do this with the MikroTik so internal PCs can reach this website?
They will get 111.111.111.3/29 - this domain is hosted via a third party and we forward the request to our internal server where the web server resides.
Sounds like you need to implement hairpin NAT on the Watchguard … I’m not sure how to do it there, but essentially you have to add a SRC NAT rule which replaces the src-address for packets originating from internal networks and targeting the DST-NATed server. Without it, the internal server sees the client IP address and sends the reply to it directly, bypassing the Watchguard (which is supposed to do the inverse of the DST-NAT on return packets). This makes clients mighty confused.
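For reference, here is what the pair of rules the reply describes looks like in RouterOS syntax. This is an added illustration, not configuration from anyone in the thread, and it assumes the port forward were done on the MikroTik rather than on the Watchguard (where it actually lives in this setup); it reuses the thread's placeholder addresses (111.111.111.3 public, 333.333.333.2 web server, 222.222.0.0/16 LAN).

```routeros
# Added example (not from the thread): hairpin NAT in RouterOS syntax.
# Assumption: the DST-NAT for port 9000 is done on this router, and the
# addresses below are the thread's placeholders, not real ones.
/ip firewall nat

# 1. The port forward itself: public 111.111.111.3:9000 -> web server 333.333.333.2:9000.
add chain=dstnat dst-address=111.111.111.3 protocol=tcp dst-port=9000 \
    action=dst-nat to-addresses=333.333.333.2 to-ports=9000 \
    comment="DST-NAT subpage.webpage.com:9000 -> internal web server"

# 2. The hairpin rule: for LAN clients that hit the same forward, rewrite the
#    source address to the router's own address on the server subnet. The server
#    then replies to the router, which reverses the DST-NAT on the way back.
#    Note that srcnat runs after dstnat, so the match is on the translated
#    destination (333.333.333.2), not on the public address.
#    Without this rule the server answers the LAN client directly from
#    333.333.333.2, the client expected a reply from 111.111.111.3, and the
#    TCP connection never completes.
add chain=srcnat src-address=222.222.0.0/16 dst-address=333.333.333.2 \
    protocol=tcp dst-port=9000 action=masquerade \
    comment="Hairpin NAT for LAN clients reaching subpage.webpage.com:9000"
```

Two practical caveats: the masquerade rule hides the real client address from the web server (its access logs will show the router's server-side address for every LAN visitor, which matters if you rely on those logs for auditing), and the rule pair only helps if the public address is reachable from the LAN through this router in the first place. If keeping client IPs visible matters more, the centralized equivalent of the hosts-file entry already in use (a static record for subpage.webpage.com pointing at 333.333.333.2 on the internal DNS server) avoids the NAT path entirely for internal clients.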