Forward traffic from 1 DHCP client interface to another IP

JeroenJasa · January 11, 2024, 12:52pm

Hi,

I have the following topology.

Network 1: 192.168.178.0/24, this network has it’s own DHCP server.
Network 2: 10.100.10.0/24, this network has it’s own DHCP server.
These 2 networks are seperated from eachother.

I have a device on the 10.100.10.0/24 network: 10.100.10.210 which has a HTTP server running on port 80. On the other network (192.168.178.0/24) there are multiple devices. I would like the devices on the 192.168.178.0/24 network to be able to connect to the HTTP server that’s running on the 10.100.10.210 device.

I have tried the following:

Connected port 5 of the hEX lite to network 1 (192.168.178.0/24) and I have configured this interface as DHCP client, it receives the following IP: 192.168.178.121.
Connected port 4 of the hEX lite to network 2 (10.100.10.0/24) and I have configured this interface as DHCP client, it receives the following IP: 10.100.10.20.
Added the following to the firewall nat:

chain=dstnat action=dst-nat to-addresses=10.100.10.210 to-ports=80 protocol=tcp in-interface=ether5 dst-port=80 log=yes log-prefix=""

When I connect my computer to 192.168.178.1/24 and try to visit 192.168.178.121 in my browser I am not able to connect to the HTTP server. The goal is to forward the HTTP request that is send to 192.168.178.121 (hEX lite) to the 10.100.10.20 device. I think this is the same type of configuration as port forwarding with the WAN interface but I want to use the 2 LAN ports.

I hope this makes sense, if there other methods of doing this please let me know.

anav · January 11, 2024, 1:28pm

I would need to see the complete config to ensure accuracy but the only thing required is a firewall forward chain rule.
add action=accept chain=forward dst-address=SERVERip dst-port=XXXXX protocol=yyy source-address=list=ServerUsers
/ip firewall address-list
add address=IP1 list=ServerUsers
add address=IP2 list=ServerUsers
add address=IP3 list=ServerUsers
etc…

JeroenJasa · January 11, 2024, 1:45pm

This is an overview of the topology:

This is my configuration:

# jan/11/2024 14:39:56 by RouterOS 6.48.6
# software id = **ELIDED**
#
# model = RB750r2
# serial number = *ELIDED**
/interface bridge
add admin-mac=*ELIDED** auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no interface=ether5
add disabled=no interface=ether4
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether5 log=yes \
    protocol=tcp to-addresses=10.100.10.210 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Interface eth1 is has the default settings and is not used in my setup. I am only using eth4 and eth5.

jaclaz · January 11, 2024, 3:24pm

And what do you have as output of /ip route print?

anav · January 11, 2024, 3:38pm

Your setup makes no sense to me. Are you sure that you are getting WAN from the two networks??
Makes me think, the hex is simply a switch and not a router, or the config is completely nonsensical… ?>??

Where is the WAN input??

bpwl · January 11, 2024, 4:08pm

With what I see here, for me, only 1/2 of the story is shown.

The route (default gateway etc) from 10.100.10.210 for 192.168.178.xxx must point to gateway 10.100.10.20, as no src-nat or masquerade is used , 10.100.10.210 will get a request from source 192.168.178.xxx, and must know where to send the answer.

Srcnat and masquerade are normally executed on interfaces in the WAN interface list, when the default firewall is used. But ether4 and ether5 are not a member of the LAN or WAN interface list, so are not handled properly by the default firewall.

Something like ether4 member of the WAN interface list, ether5 member of the LAN interface list, or just use modified FW rules.

anav · January 11, 2024, 4:09pm

Correct, It is not clear at all.
Is the hex a router or a switch
Are the two networks connected to the internet and if so HOW?

JeroenJasa · January 11, 2024, 4:11pm

[admin@RouterOS] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.100.10.1               1
 1  DS  0.0.0.0/0                          192.168.178.1             1
 2 ADC  192.168.178/24     192.168.178.121 ether5                    0
 3 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 4 ADC  10.100.10.0/24     10.100.10.20    ether4                    0

Maybe my choice of interface configuration is wrong, let me try to describe the problem again. When devices of the 192.168.178.0/24 network access port 80 on ip 192.168.178.121 then these requests should be forwarded to port 80 on 10.100.10.210. This way the devices on 192.168.178.0/24 can only access port 80 of a single device (192.168.178.121) in the 10.100.10.0/24 network.

anav · January 11, 2024, 4:17pm

That part was clear, try answering the other questions because right now your config makes zero sense and there is no context

tdw · January 11, 2024, 4:20pm

You appear to be using the hEX to connect two networks each of which has existing gateways. Whilst the dst-nat rule will forward packets for any TCP port 80 packets arriving on ether5 to 10.100.10.210 those packets will still have a 192.168.178.x source address, and as 10.100.10.210 knows nothing of these addresses it will send replies via its default gateway.

If you apply src-nat in addition to dst-nat the original packets will appear to originate from 10.100.10.20 instead of 192.168.178.x
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4

Alternatively if you can assign static addresses on the hEX interfaces to both networks and add static routes to both of the existing gateways that would allow communication between any hosts on the two networks.

bpwl · January 11, 2024, 4:23pm

And how does the 10.100.10.210 know where to send the answer for 192.168.178.x ? Is 10.100.10.20 it’s default gateway ? What is set in the 10.100.10.0/24 DHCP server as default gateway for these leases.
WIthout srcnat/masquerade activated the return path must be checked for correct route settings.

JeroenJasa · January 11, 2024, 4:45pm

The 10.100.10.210 device did indeed not know where to send the replies, adding the masquarade rule fixed this problem. Thanks a lot for helping everyone. Devices on the 192.168.178.0/24 network can now open 192.168.178.121 in their browser and connect to the webserver.

It didn’t that was the problem. The 10.100.10.210 was using the default gateway (10.100.10.1) of the 10.100.10.0/24 network. 10.100.10.1 does not know about the 192.168.178.x network, with the masquarade rule the hEX will forward it correctly to the 192.168.178.0/24 network.

jaclaz · January 11, 2024, 4:57pm

You still need (IMHO) to address the fact that your ether4 and ether5 interfaces are neither LAN nor WAN.

Something like:

/interface list member
add comment=myconf interface=ether5 list=LAN
add comment=myconf interface=ether4 list=WAN