Hello, I have a strange issue and I hope someone could help me.
We installed an RB2011UAS in our offices.
I have attached to this RB:
→ eth1: ADSL connection, subnet /29
→ eth2-8: BridgeLAN, subnet /24
→ eth9: WiMAX provider, subnet /32
→ eth10: Hyperlan WISP, subnet /29, used for backup
Actually we are using the ADSL connection to route public IPs to servers inside the LAN.
We use prerouting marking to route each server through the correct interface.
I made masquerade rules to mask IPs when I go out through the Internet interfaces.
External routing to the servers is OK.
Internal routing to the Internet is OK (when I surf the web I use the WiMAX provider, and when servers go out to the Internet they use the ADSL connection).
The problem is when I try to reach a server inside the LAN using its domain name, for example mail.mymailserver.it.
If I ping the DNS name I get a reply from it, but if I try to access the webserver, for example, the connection drops.
I found an article in the wiki regarding hairpin NAT; I think it should work, but not for me.
I tried to follow that article but had no luck; I got the same result.
Hairpin NAT is what you need and it doesn’t work for you most likely because of some tiny mistake (e.g. a filter rule may block the packets or something like that).
Make sure you understand what Hairpin NAT does and why; the wiki article explains it well. Then it should not be hard to fix: just add a few logging rules at strategic places and watch whether packets really go where they are supposed to go, whether the address changes correctly and whether they get blocked.
It might help to use a different port for debugging, instead of the real one, where there’s probably enough other traffic going already and it would get in the way. If you make e.g. Netcat listen on a port like 33333, then you can use logging rules with only protocol and port specification, without addresses, which helps when you change them yourself and you need to see whether it works as you expect.
SOB, thanks for your answer. I am really a newbie in RouterOS programming, but I am very enthusiastic about the potential it can give.
Although, all these features in one device sometimes make me very confused.
I will try to follow your suggestion and will reply as soon as possible on what I did.
I was making several tests, but I cannot reach servers in my subnet.
I created a firewall rule for: lansubnet/24 to wansubnet/29, action masquerade,
but it does not work. The counter does not increase at all.
Since I am a newbie in RouterOS programming I don’t know how to access the logging level on the routerboard so as to view what’s happening.
I put the firewall rule on top, but I had no luck, so I moved it along the firewall pyramid into several positions and still had no luck.
If someone knows how to do this, PLEASE help me!!!
I think the problem is that all traffic in the LAN subnet is masqueraded to a different WAN.
Let me explain.
Servers are masqueraded to WAN1.
LAN is masqueraded to WAN2.
Each server (mail server, PBX server and intranet) is marked in prerouting, each one with its own mark-routing rule, where src-address is the server IP and all other fields are blank except for routing-mark, where I put an identifier for each server.
In the routing table I have a route 0.0.0.0/0 distance 2 with routing-mark blank and gateway the one in WAN2,
and for each server a route 0.0.0.0/0 distance 1 with routing-mark equal to the one of each server (e.g. mailserver, pbx, intranet).
In fact, if I resolve my IP from inside a server I get the exact IP address of that server in the address space of WAN1, and when I resolve my IP from inside the LAN I get the IP address of the gateway in WAN2.
You can add static entries for domains in the DNS of the RB … IP > DNS > Static > add the local IP with the domain name … Use only the routerboard as DNS server on the computers … IP > DHCP Server > Networks > set DNS server to the IP of the RB (probably the same as the gateway).
Hello SOB, here is my configuration.
For security reasons I removed sensitive information about subnets and public IPs.
X.X.X.0/29 is my ADSL subnet.
Y.Y.Y.120/29 is my WiFi backup subnet.
L.L.L.254/24 is my router IP, and L.L.L.0/24 is my LAN subnet.
K.K.K.1/24 is my WiMAX provider router.
All traffic is routed using routing-mark to make each server use the correct connection and masquerade with the correct public IP.
Actually the Y.Y.Y subnet is not used.
All the traffic which is not marked is routed via K.K.K.1.
Masquerade is not a good solution… I had masquerade on an OVPN box, but then logging and auditing had no clue about the real IP address. I think your problem is that the local PC connects to the public IP but the server responds from the local IP, and the local PC has no open connection for the local server IP; therefore the PC should use the local server’s IP, without any masquerading and troubles, and to allow real-IP logging… The next reason is that if you want to NAT only some ports there must be a lot of rules, uselessly.
You’re right. But it affects only addresses from the local network, so it’s something that’s usually possible to live with. The advantage is that things are set up in only one place, not two. One hostname pointing to the external address works for everyone. If you later point it somewhere else, everything will still work. When you have separate DNS records for local clients, you must remember to change or remove them. You just have to choose what you like better.
It should work. You can run Tools->Torch on the bridge-lan interface, limit it to tcp/3389 and try to connect to e.g. X.X.X.3:3389 from some other machine on the LAN (e.g. L.L.L.100). You should see two entries:
1) src L.L.L.100:random, dst X.X.X.3:3389
2) src L.L.L.12:3389, dst L.L.L.254:random
If the connection establishes successfully, there will be non-zero tx and rx rates for both entries. When it’s not possible to connect, e.g. because the server does not listen on that port or its firewall blocks it, there will be only rx for 1) and tx for 2). If 2) is missing completely, then masquerade does not work for some reason. And if even 1) isn’t there, you’re probably looking at the wrong router.
I tried it and that’s it. Add this rule at the beginning (before you mark routing) and it will work:
/ip firewall mangle
add action=accept chain=prerouting dst-address-type=local
It catches all packets for the router itself, so no routing mark will be set for them, which is not needed anyway, because those packets will either end up on the router or they will be forwarded back to the LAN; they won’t ever go outside.
Btw, you can move the masquerade rule after the other srcnat rules for individual servers; that way when you e.g. access the web at X.X.X.5 from L.L.L.12, it will look like it’s coming from X.X.X.3 instead of L.L.L.254, which you might like better. Also the masquerade rule does not really have to be masquerade; instead you can srcnat to the public address normally used by LAN clients, i.e. K.K.K.10, which again might look better in logs.
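As an added example (not posted by anyone in this thread), the complete hairpin NAT setup Sob describes, written as RouterOS v6 CLI commands in the order the rules must appear. The interface names (bridge-lan, ether1, ether9), the ADSL gateway X.X.X.1, the routing-mark name to-mailserver and the mapping of L.L.L.12 to X.X.X.3 are assumptions for illustration; the placeholder subnets are the ones used in the thread.

```routeros
# Added example, not the poster's config. Assumed: bridge-lan is the LAN bridge,
# ether1 is ADSL (X.X.X.0/29, gateway X.X.X.1), ether9 is WiMAX (gateway K.K.K.1),
# L.L.L.12 is the mail server published on X.X.X.3. RouterOS v6 syntax.

/ip firewall mangle
# Must be the first mangle rule: packets addressed to any of the router's own
# addresses (including the public X.X.X.x ones) get NO routing mark. They are
# either handled by the router or dst-natted back into the LAN, never sent out.
add chain=prerouting action=accept dst-address-type=local \
    comment="hairpin: no routing mark for traffic to router addresses"
# Per-server routing mark so the server's own outbound traffic leaves via ADSL.
add chain=prerouting action=mark-routing src-address=L.L.L.12 \
    new-routing-mark=to-mailserver passthrough=no

/ip route
# Marked server traffic goes out the ADSL gateway; everything else via WiMAX.
add dst-address=0.0.0.0/0 gateway=X.X.X.1 routing-mark=to-mailserver distance=1
add dst-address=0.0.0.0/0 gateway=K.K.K.1 distance=2

/ip firewall nat
# Publish the server. No in-interface is given on purpose, so the rule also
# matches LAN clients that connect to the public name (the hairpin case).
add chain=dstnat dst-address=X.X.X.3 action=dst-nat to-addresses=L.L.L.12 \
    comment="publish mailserver"
# Server outbound: leave ADSL with its own public address.
add chain=srcnat src-address=L.L.L.12 out-interface=ether1 \
    action=src-nat to-addresses=X.X.X.3
# Hairpin rule, placed AFTER the per-server srcnat rules as Sob suggests:
# LAN-to-LAN traffic that was dst-natted is also src-natted to the router,
# otherwise the server would reply straight to the client from L.L.L.12 and
# the client, which opened the connection to X.X.X.3, would drop that reply.
add chain=srcnat src-address=L.L.L.0/24 dst-address=L.L.L.0/24 \
    action=masquerade comment="hairpin NAT"
# Normal Internet access for LAN clients via WiMAX.
add chain=srcnat src-address=L.L.L.0/24 out-interface=ether9 action=masquerade

/ip firewall filter
# Debug helper from Sob's tip: log a throw-away test port (e.g. Netcat on 33333)
# without any address matchers, so the log shows the addresses after each NAT step.
add chain=forward protocol=tcp dst-port=33333 action=log log-prefix="hairpin-test"

# Verify from a LAN client (e.g. L.L.L.100): connect to X.X.X.3:3389 and watch
# both translated flows with: /tool torch interface=bridge-lan protocol=tcp port=3389
```

Remove the debug filter rule once the two Torch entries show traffic in both directions; it only adds log noise afterwards.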