how to dstnat to a server located on hotspot network

donv · June 15, 2007, 5:07pm

mikrotik newbie question - please help..

I have basic question on how to configure dstnat to a server located in hotspot network.

config is:
ether1: public network, say: 1.2.3.4/24 w/gateway of 1.2.3.254
ether2: hotspot network, say 192.168.1.254/24

I desire to place a server at 192.168.1.10 and nat TCP:80 inbound to this from a secondary IP (such as 1.2.3.5) that I would (presumably) bind to the external of the Mikrotik.

Questions are:

if i desire to bind a second ip address, say 1.2.3.5 and nat TCP:80 from that IP address to the server at 192.168.1.10 - do i do this in: ip firewall nat, or do i do this as a nat rule under the hotspot configuration? Do i need to bind the ip to ether1 in ip addresses?
do i need a firewall rule to allow this inbound? would this be an input chain rule or a forward chain rule?

Essentially i need a quick step-by-step to make srcnat work when the srcnat destination happens to be a server on the hotspot network.

Any assistance would really be appreciated as am having a hard time making this work.

Thanks a bunch!

-d

donv · June 18, 2007, 1:41pm

If anyone could please help I would really appreciate it!

thanks.

-d

dsobin · June 24, 2007, 4:30am

I needed to do the same thing. The object I needed to connect to behind the hotspot was another router, running Ikarus OS, which needed an odd port to be open.

To get to port 80:

The easy part is:
ip firewall add chain=dstnat dst-address=1.2.3.5 dst-port=80 action=dst-nat to-address=192.168.1.10 to-port=80

After creating this entry MOVE IT TO THE TOP OF THE CHAIN. It has to appear before the other rules that will otherwise send your packets to the hotspot servlet.

(Pls forgive the syntax errors and the misspelled keywords, I usually use winbox but I can’t get to it now).

The above will get your packets to your server behind the hotspot. Unfortunately, the returning packets will get eaten by the incoming hotspot rules.

To get around this, there is probably some clever use of other nat rules. I tried many
things and none of them worked. Finally, I did the following:

Try to login to your server from the wan side. It won’t answer, but it should now show
up in the list of hosts in the hotspot page. Tell the hotspot server to bind this
address statically. With winbox, a window will open when you click static binding, and you should select the pulldown option of ‘bypass’. This will allow your server to bypass
logging in to the hotspot.

You will now be able to access the server from the public side of your router.

The above will work only if your server is in the IP address space of the dhcp server for the hotspot. If, like I did, you want the server to be outside that range, another complication arises. The hotspot will map the server’s real address to another address within its range. This mapped address is labeled ‘to-address’ in the hotspot host list. If that is your situation, then the above instructions for the dstnat chain should use the mapped address that the hotspot uses as the dst-nat to-address, not the servers actual IP address.

I don’t know what process on the router is doing this mapping. There is no nat rule for it, so I’m guessing the hotspot servlet somehow gets access to the routing engine.

If anyone reading this understands how this is being done, and also why it needs to be done, please let us know. Since the mapping is always to an address in the dhcp space, you wind up wasting two address on the hotspot lan to access one server. I guess it makes sense to just assign the server (or servers) to addresses in the dhcp space. Once they are bound, the dhcp server won’t serve them up to regular users, so no harm in that area.

I have a second server behind my firewall, and I can’t get it to show up in the hotspot hosts list, so I can’t set its bypass flag. I therefore can’t access it from the public side. If anyone has a better way to do this please let us know. Perhaps a better explanation of how the hotspot function works would give us the tools to figure this out for ourselves.

transporter_ii · July 2, 2007, 1:53am

Man, I had no idea that would be so convoluted.

But if all you need to do is get to a management interface located on the private LAN of a Hotspot, it can be done much easier than that.

All you have to do is a VPN using Putty. There is a lot of information on the internet about how to do that, so I’m not going to go into every detail, but basically, you use Putty to SSH into the AP on the public IP, and then you set it to forward ports to the private IP of the host behind the hotspot. You then open up a browser and type in “http://localhost” and it will pull up the private IP address configured in Putty just like you were in the LAN side of the Hotspot (and you are, kind of).

I do this all the time to pull up CPE interfaces of Deliberants behind the Hotspots.

More detailed info:

http://www.quest4.org/etc/pull_up_the_webgui_of_a_deliberant.htm

Now someone show me an easy way for a customer behind a Hotspot to run a web server. Obviously using Putty isn’t going to work.

Jay

sergejs · July 2, 2007, 8:51am

donv, to ensure that server is not blocked by HotSpot, you have to add server IP to ‘ip hotspot ip-binding’ list with action=bypassed, that helps to avoid authenitcation request for server from HotSpot side.