How to access DMZ from LAN with its public IP?

Uqbar · November 19, 2015, 2:53pm

I have a server on my LAN that I have exposed in DMZ with a couple of src-nat/dst-nat.
Its public IP address is different from the mikrotik WAN IP.
I added a NAT rule like this (sorry, I use winbox):

Chain: dst-nat
Dst-address: DMZ public IP
In.Interface: LAN
Action: dst-nat
to address: LAN private IP for the server

What happens is that I get to the mikrotik instead of being redirected to the server.
The logs have been useless, to me at least.
Any hint?
Thanks.

docmarius · November 19, 2015, 3:09pm

Try rebooting, since tracked connection will interfere with dst-nat…

Uqbar · November 23, 2015, 10:13am

That’s not working yet.
I want to be able to access the local DMZ server by means of its public IP…

vixxant · November 23, 2015, 10:20am

Can you try without “In.Interface: LAN”

ip firewall nat add chain=dstnat dst-address=public-ip action=dst-nat to-addresses=local-ip

Uqbar · November 23, 2015, 10:39am

That works.
But it’s interfering with the filtering dst-nat rule that comes before.
I have a first dst-nat rule to allow the access from internet to the DMZ server only with a few protocols.
While the second one that you suggested (and works) allows all protocols, as it should be.
What happens is that the second rule “overrules” the first one, allowing all protocols to the DMZ server…
I actually need a “limited” dst-nat when coming from the Internet and an “unlimited” dst-nat from LAN.

vixxant · November 23, 2015, 10:57am

i did not understand well what you said . but you can only forward the ports you need to dmz. like

ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip

if you want you can define “to-ports=80,443,3128” so that it will only forward those ports to dmz.

Uqbar · November 23, 2015, 11:09am

vixxant:

i did not understand well what you said . but you can only forward the ports you need to dmz. like
ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip
if you want you can define “to-ports=80,443,3128” so that it will only forward those ports to dmz.

You cannot use port list in “to-ports” but only port ranges.

vixxant · November 23, 2015, 11:14am

my mistake . then you can leave it blank.

Uqbar · November 23, 2015, 1:25pm

We are back to the original point.

I have a dst-nat rule with a few TCP ports available from internet
I have a dst-nat rule with all TCP ports available from LAN

But it doesn’t work.

Uqbar · November 27, 2015, 10:26am

I made it (almost) working with these two rules in NAT:

  0   chain=dstnat action=dst-nat to-addresses=10.74.1.222 to-ports=80 protocol=tcp dst-address-type=local in-interface=ether2-LAN dst-port=80

 1    chain=srcnat action=masquerade protocol=tcp src-address=10.74.1.0/24 dst-address=10.74.1.222 out-interface=ether2-LAN dst-port=80

Where 10.74.1.222 is my DMZ server.
Now, if I point my browser to the second WAN IP address I get to the LAN server 10.74.1.222.
But two main problems remain:

I don’t fully understand why and how it works (my bad!)
It works for all WAN IPs.

I was expecting a simple dst-nat rule to dst-NAT all traffic from LAN to the chosen public IP addresses on WAN to the LAN server itself.

But that’s not working.
Any idea?