How to DMZ to ROS?

I have three routers…

  1. Smartrg SR516AC - connected to my ISP
  2. Asus - I wish to utilize this as my Management Network (MGMT)
  3. Mikrotik RB5009UG - I wish to utilize this as my External Network (XNIC)

The Smartrg connects to my ISP - WAN: 1.2.3.4, LAN: 192.168.2.1/24
The Asus connects to the Smartrg - WAN: 192.168.2.2/24, LAN: 192.168.0.1/24

I know the Management Network is double NAT’d, but it functions for my purposes.
All is well.

The External Network (XNIC) has a web server on it that must be accessible from the internet.
This is where I am stuck.

The Mikrotik connects to the Smartrg via DMZ.

Configuration of the Mikrotik is as follows…

/system reset-configuration keep-users=yes

After the Mikrotik has booted I connect with winbox.

I select ‘Quick Set’ and choose the following…
Mode: Router
Port: Eth1
Address Acquisition: static
IP Address: 192.168.2.4
Netmask: 255.255.255.0/24
Gateway: 192.168.2.1
DNS Server: 1.1.1.1
Local Network / IP Address: 10.0.0.1
Local Network / 255.255.255.0/24
Local Network / DHCP Server: yes
Local Network / NAT: yes

I then run the following cli command…

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-address=10.0.0.246 to-port=80 comment="Port forward HTTP"

That’s the total of my configuration.

In the winbox terminal this works…
/ping 10.0.0.246

My workstation has two NICs connected as follows…

  1. MGMT
  2. XNIC

My workstation is running a VM bridged to XNIC and configured with the IP of 10.0.0.246/24

From my workstation this works…

curl http://10.0.0.246

Therefore, the internal server that I wish to connect to is up and the firewall is open.

I then visit this online site to test remote access…
https://www.yougetsignal.com/tools/open-ports/

I enter in my statically assigned ISP IP, select port 80, press CHECK, and get no connection.

My understanding is that DMZ would direct all external requests to the Mikrotik.
I also assume that internal responses would pass freely back through the DMZ to their external requester.

Therefore, I have assumed that the standard NAT rule for port-forwarding would require no modifications to function with DMZ.

Alas, I seem wrong about something.

Running tcpdump on the 10.0.0.246 server displays incoming packets, so external requests seem to be coming in.
So my guess is that responses are not getting back through.

Any help would be greatly appreciated.

kendal

Is it possible that your ISP has not enabled port forwarding, and you’re behind CGNAT? The rule should be working regardless of whether you’re behind DMZ or not, given that it’s set up properly.

I have been successfully port-forwarding in the past. Besides, with DMZ is ISP port-forwarding even a consideration?

Yes, as I said, if you’re sitting behind CGNAT, i.e. the ISP router is in Router mode and not Bridge mode, then you’re out of luck. Try port forwarding something from your MGMT network and if it’s possible, then I have no clue what could be the problem.

I have no problems port-forwarding from the ISP router to the MGMT network. That method is what I have been doing up to now.

Besides, doesn’t DMZ eliminate any NAT between the smartrg and the mikrotik?

You are contradicting yourself. If you put the first router DMZ to the mikrotik then it would not be possible to port forward to the second router from the first router, all ports would be going to RB5009.
Why do you have the first router at all replace it with the RB5009 or is the first router actually an ISP modem/router ??

The first router is also my dsl modem, so it has to come first. I DMZ from it to the RB5009. I assume, from the DMZ perspective, that all traffic just arrives and leaves unfettered at the WAN-side of the RB5009. I then rely on the NAT rule I added above to port-forward from the RB5009’s WAN through to my internal VM that is part of the RB5009’s LAN. I don’t know what I am contradicting or confused about. Please elaborate cause I need enlightenment bad!

thanks!

You stated you also port forward on the second router, but that is not possible if the first router is connected to the second router and then the second router to the RB5009.
Even if both are connected directly to the first router, if you dmz the first router to the RB5009 you would not be able to port forward to the second router.

Yes, as stated, with DMZ to the RB5009 and the RB5009 set up properly, port forwarding should work.
without a config to review discussion is pointless at this point…
So will move on to another thread.

The second router is the RB5009 - that is where the above port forward rule lies.
The ASUS that I refer to above is in parallel to the RB5009 from the ISP modem, not serial. It can safely be taken out of the equation completely.
Only the ISP router and the RB5009 need be considered.

I described my configuration above. What more can I add to move forward?

thanks!

Please run the following command:

/export file=anynameyouwish

and post the created file here

The unmitigated GALL, me doth protest!! YE are asking for evidence and fact, off with your head.

I found the problem!
Request packets were getting through; however, responses were not getting back.
I had to change the default route of the VM to be the External Network rather than Virtualbox’s default.

I thank you profusely for your willingness to look at this.
I greatly, greatly appreciate it!

kendal
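The resolution above is a classic asymmetric-return-path problem: the RB5009's dst-nat rewrites the destination on the way in, but conntrack can only reverse that rewrite if the server's reply passes back through the same router. The following added example (not code from the original thread) models the VM's routing table before and after the fix with a longest-prefix-match lookup, and shows why `curl` from the workstation on XNIC worked while the external port check failed. The interface names, the 10.0.2.2 VirtualBox NAT gateway and the 203.0.113.5 client address are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the VM at 10.0.0.246 (assumption: interface
# names and the 10.0.2.2 gateway are illustrative, not from the original post).
# 10.0.2.2 is the gateway VirtualBox's NAT adapter normally hands out.
VM_ROUTES_BEFORE = [
    ("0.0.0.0/0",   "10.0.2.2", "enp0s3"),  # default via VirtualBox NAT adapter
    ("10.0.2.0/24", None,       "enp0s3"),  # on-link, VirtualBox NAT network
    ("10.0.0.0/24", None,       "enp0s8"),  # on-link, adapter bridged to XNIC
]
VM_ROUTES_AFTER = [
    ("0.0.0.0/0",   "10.0.0.1", "enp0s8"),  # default via the RB5009 LAN address
    ("10.0.2.0/24", None,       "enp0s3"),
    ("10.0.0.0/24", None,       "enp0s8"),
]
RB5009_LAN = "10.0.0.1"

def select_route(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def reply_path(routes, client_ip, router_lan_ip=RB5009_LAN):
    """Classify where the server's reply to client_ip is sent.

    'direct'   : client is on-link, no NAT in the path (curl from the workstation)
    'router'   : reply goes back through the RB5009, so conntrack reverses the
                 dst-nat and the client sees the reply from the public address
    'leaked'   : reply goes to some other gateway and the client never gets it
    'no-route' : nothing matches
    """
    route = select_route(routes, client_ip)
    if route is None:
        return "no-route"
    _, gw, _ = route
    if gw is None:
        return "direct"
    return "router" if gw == router_lan_ip else "leaked"

def port_forward_works(routes, client_ip):
    """True when the reply can reach client_ip (the remote port check passes)."""
    return reply_path(routes, client_ip) in ("direct", "router")
```

On a real VM the same check is `ip route get <client-ip>`: the chosen gateway must be the RB5009's LAN address, otherwise tcpdump on the server shows the inbound SYN but the SYN-ACK leaves via the wrong adapter.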