Forwarding Public IP to Local IP Problem

Dear Forum,

Please help, I have a problem when forwarding my public IP to a local IP.
I already set NAT like the manual says, but I still cannot reach my local server from the public IP.

The code:
chain=dstnat action=dst-nat to-addresses=192.168.0.252 to-ports=8081
protocol=tcp dst-address=222.124.139.xxx dst-port=8081

Thanks,

That looks about right. How are you testing? Where is the test machine located in relation to the target server? Also, post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

Hi Fewi,

I try http://222.124.139.aaa:8081 from my PC (192.168.0.21).
If I try http://192.168.0.252:8081, it can access the web server.

[ptpm@PTPM] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.0.1/24 192.168.0.0 192.168.0.255 Local
1 222.124.139.xxx/29 222.124.139.yyy 222.124.139.zzz Internet

[ptpm@PTPM] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 222.124.139.193 1
1 ADC 192.168.0.0/24 192.168.0.1 Local 0
2 ADC 222.124.139.xxx/29 222.124.139.aaa Internet 0

[ptpm@PTPM] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU

0 R Internet ether 1500 1526
1 R Local ether 1500 1524
2 ether3 ether 1500 1524
3 ether4 ether 1500 1524
4 ether5 ether 1500 1524

[ptpm@PTPM] /ip firewall> export

jun/14/2011 14:39:06 by RouterOS 4.10

software id = G4R8-KFHV

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=
icmp
add action=accept chain=input comment="Added by webbox" connection-state=
established disabled=no in-interface=Internet
add action=accept chain=input comment="Added by webbox" connection-state=
related disabled=no in-interface=Internet
add action=drop chain=input comment="Added by webbox" disabled=no
in-interface=Internet
add action=jump chain=forward comment="Added by webbox" disabled=no
in-interface=Internet jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=
established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=
related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
/ip firewall mangle
add action=mark-packet chain=output comment="Hit Traffic From Proxy"
disabled=no dscp=4 new-packet-mark=Proxy-Hit out-interface=Local
passthrough=no
add action=mark-packet chain=prerouting comment="Up Traffic" disabled=no
in-interface=Local new-packet-mark=Test-Up passthrough=no src-address=
192.168.0.0/24
add action=mark-connection chain=forward comment="Mark Conn" disabled=no
new-connection-mark=Test-Conn passthrough=yes src-address=192.168.0.0/24
add action=mark-packet chain=forward comment=Down-Direct connection-mark=
Test-Conn disabled=no in-interface=Internet new-packet-mark=Test-Down
passthrough=no
add action=mark-packet chain=output comment="Down-Via Proxy" disabled=no
dst-address=192.168.0.0/24 new-packet-mark=Test-Down out-interface=Local
passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=redirect chain=dstnat comment="" disabled=no dst-port=80
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=3128
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=8000
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=masquerade chain=srcnat comment="masquerade hotspot network"
disabled=no src-address=222.124.139.xxx/29
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no
out-interface=Internet
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=
222.124.139.aaa dst-port=8081 protocol=tcp to-addresses=192.168.0.252
to-ports=8081
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Diagram: Internet - Modem - MikroTik - Switch - User, Web server

Thanks,

http://wiki.mikrotik.com/wiki/Hairpin_NAT

I already set it up as the wiki says, but it still cannot.

If I access my public IP like http://public ip, even if I give a different port like http://public ip:8081, it works,

but if forwarded to the local IP it cannot.


Any suggestion …

Thanks,

You either did not read the link I posted, or didn’t implement it right. The configuration you posted only reflects NAT, not hairpin NAT.
You also need to permit that traffic in the forward chain in your firewall filters.


Dear Fewi,

I really have no idea.

Would you give the code regarding this issue?

Thanks,
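Hairpin NAT for the setup described in this thread, as an added example that is not from any poster here or from the MikroTik wiki page linked above. It assumes the original poster's names and addresses: interface Local for the LAN, 192.168.0.0/24 as the LAN subnet, 192.168.0.252:8081 as the web server, and 222.124.139.aaa as the router's public address (the redacted octet stays a placeholder). Rule 1 is the dst-nat already in the posted export; rule 2 is the hairpin masquerade the wiki describes, so that LAN clients' replies come back through the router; rule 3 accepts the forwarded connection in the forward chain, which the posted customer chain otherwise drops.

```routeros
/ip firewall nat
# 1. Port forward: public 222.124.139.aaa:8081 -> web server 192.168.0.252:8081
#    (already present in the posted export; shown for completeness)
add chain=dstnat dst-address=222.124.139.aaa protocol=tcp dst-port=8081 action=dst-nat to-addresses=192.168.0.252 to-ports=8081 comment="dstnat 8081 to web server"

# 2. Hairpin: when a LAN host reaches the server via the public address, rewrite
#    the source too, so the server answers the router instead of the client.
#    Without this the client receives a SYN-ACK from 192.168.0.252, an address
#    it never connected to, and drops it, which is the symptom in this thread.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.252 protocol=tcp dst-port=8081 out-interface=Local action=masquerade comment="hairpin NAT for web server"

/ip firewall filter
# 3. Allow the forwarded connection from the Internet. The forward chain sees
#    the packet after dstnat, so it matches on the private address. The posted
#    export jumps Internet traffic to chain "customer", which drops anything not
#    established/related, so this accept must sit above that jump rule;
#    place-before=0 puts it at the top of the filter list.
add chain=forward in-interface=Internet protocol=tcp dst-address=192.168.0.252 dst-port=8081 connection-state=new action=accept comment="allow forwarded 8081 to web server" place-before=0
```

Hairpin traffic from the LAN enters and leaves on Local, so it never hits the in-interface=Internet jump and needs no extra filter rule; the existing masquerade with out-interface=Internet does not cover it, which is why rule 2 is required.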

Hi,

I get the same problem on my RB750G with RouterOS 5.2. Here is my related configuration.

/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
in-interface=ether1
add action=accept chain=input connection-state=related disabled=no
in-interface=ether1
add action=accept chain=input disabled=no in-interface=ether1 protocol=icmp
add action=accept chain=input disabled=no dst-port=220,443 in-interface=
ether1 protocol=tcp

add action=drop chain=input disabled=no in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1
src-address=10.32.1.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether1
src-address=10.32.0.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether5
protocol=tcp to-ports=8080
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether4
protocol=tcp to-ports=8080
add action=masquerade chain=srcnat disabled=no out-interface=ether1
src-address=10.32.2.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether3
protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.32.2.1
to-ports=443

/ip service
set telnet disabled=yes port=23
set ftp disabled=yes port=21
set www disabled=yes port=80
set ssh disabled=no port=220
set www-ssl certificate=none disabled=yes port=443
set api disabled=yes port=8728
set winbox disabled=no port=8291

Ether1 is connected to the Internet with a public IP, Ether2 is connected to a private WAN, Ether3 is connected to some servers, and Ether4 and Ether5 are connected to the LAN (2 segments). Everything is OK except the port forwarding of port 443 to my SSL server. The counter on this NAT rule is never moving. As configured, there is no enabled service using port 443, and this port is allowed by the firewall. Please help on this.

Best regards,

Hi,
I am also trying to access a website hosted by IIS using this manual:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

I can access it from local network using

192.168.88.xxx/mywebsite

I added those 3 rules that are given on the link provided, and I am still unable to access it. I am trying with

90.x.x.x/mywebsite - this one gives Error 404: Not Found
90.x.x.x - no response!

If I disable the first rule I have added, I am able to access web page for mikrotik router configuration.
If I set in-interface to my pppoe interface, I am again able to access mikrotik router web configuration.

So, why can't I access it using

PublicIP/mywebsite

and also how can I disable login to my router from public IP address? In NAT I have additional default srcnat masquerade rule.

Thanks,
Goran

Hi all,

This is quite simple:

Firewall > NAT > add chain=dstnat dst-address=<the public ip> protocol=tcp action=netmap to-addresses=<the local ip> to-ports=0-65535

Don't forget to add the public IP to your own address list.

Hope this helps

Hi Zizobaddy, I'm having this problem with forwarding from the public IP to a local one (for RD and access to an internal web server).

I tried these two rules:

Firewall > NAT > add chain=dstnat dst-address=<the public ip> protocol=tcp Dst. Port=<the port> action=netmap to-addresses=<the local ip> to-ports=<the port>
and
Firewall > NAT > add chain=dstnat dst-address=<the public ip> protocol=tcp Dst. Port=<the port> action=dst-nat to-addresses=<the local ip> to-ports=<the port>

I'm testing with an RD that was working with another device (NFGW); both see the packets and traffic, but it's not working.

Thanks.

Please, could someone help me with this problem? I can't set it up to redirect some ports (RDP and PPTP connections to another internal MikroTik, and HTTP redirection to an internal web server).

Thanks

Does the MikroTik have the public IP assigned itself? Or is it behind the ISP router?

Hi Pukkita.

The MikroTik has the public IP on its own WAN interface (ether1).

The strangest thing is that I see the traffic hitting the NAT rules, but I can't establish the RDP connection or get to the web (on the web server).

Try adding one NAT rule:
chain=srcnat action=masquerade dst-address=<the local ip>

Hi kangndo, I added the route you mentioned, but it looks like nothing changed. I see the packets but can't see the web server (going to the public IP:8000).

Thanks.

What is the WAN connection method, PPPoE client?
Try:
Firewall > NAT > add chain=dstnat in-interface=<pppoe client interface> protocol=tcp Dst. Port=<the port> action=dst-nat to-addresses=<the local ip> to-ports=<the port>

Hope this helps

I have a public static IP configured on the Ether1 interface (190.2.37.X), and it is wired to a modem. I have a gateway address (190.2.37.(X+1)) in the same subnet mask as my public IP. Is this PPPoE?

It doesn't work, but now when I type the public IP in the browser and it does not show, I do not see the packets going through this policy (the one you mentioned).

I tested doing the same, but on the internal network. I set it so that if an internal IP tries to go to the local IP:8000 it redirects (dst-nat) to the local IP (10.0.0.201:80), but it doesn't work either...

/ip firewall nat> add chain=dstnat src-address=10.0.0.37 dst-address=190.2.37.X protocol=tcp dst-port=8000 action=dst-nat to-addresses=10.0.0.201 to-ports=80

And the same happens: it doesn't redirect to the web interface, and I see the packets going through...

Any advice?

Thanks.

Hi to everyone.

I'm looking at the logs when I try to connect to the local web server from the local IP:port, and I see this.

10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53914->10.0.0.201:80, len 52
10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53915->10.0.0.201:80, len 52
10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53916->10.0.0.201:80, len 52

I'm 10.0.0.228 and the web server is on 10.0.0.201.

I don't know why the :53914 port appears if I am trying to access the web interface on port 8000.

Thanks

53194 is your source port, your machine will randomly use those available. Port 8000 is the destination port.

That log means your firewall filter is blocking the connection.

Almost there! :smiley: