Please help me to set up an incoming forwarding rule for port 443.
I have to forward incoming traffic on port 443 (SSL - browser) to a device other than my router.
My Chrome browser gives me the message “NET::ERR_CERT_COMMON_NAME_INVALID”
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: http://www.opennas.pl
Issuer: StartCom Class 1 Primary Intermediate Server CA
Expires on: 26 paź 2015
Current date: 22 mar 2015
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIGNzCCBR+gAwIBAgIDE9UqMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
…
It looks like after forwarding port 443, my browser’s outgoing traffic also gets my ssh cert connected to my domain opennas.pl.
How do I NAT my incoming traffic on port 443 without blocking my outgoing traffic on port 443?
Currently you’re telling the router to take all traffic to port 443, going to any address, and forward it to your device. And that’s exactly what you’re getting. You need to be more selective; some options are:
a) dst-address=192.168.40.1
b) in-interface=
c) dst-address-type=local
dst-address-type = local
I’d never heard of that option before - that’s awesome for multi-WAN sites.
Keeping the tables lean and mean is always one of my primary goals.
Flexible is another of my primary goals. I hate going in to edit the firewall rules if you change IP addresses.
You should only need one of those 3 options.
I’ve always used suggestion b, personally.
If your rule reads like this, then it should work w/o breaking outbound SSL:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.50.2 protocol=tcp dst-port=443 in-interface=WAN
If this rule isn’t working, make sure of the following:
no other rule in the dstnat chain is matching packets before they reach this rule.
no filter rule in your forward chain is blocking the transaction
– and the silly things you never think about because they’re “never” why it’s not working:
server is working
server is reachable from Mikrotik (ping works, correct MAC address in arp table)
server has correct IP/netmask/default gw settings.
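As an added example (not the poster’s own config), the same 443 rule in the three selective forms listed earlier in the thread, followed by the checks from the list above as RouterOS commands. The addresses 192.168.50.2 and 192.168.40.1 and the interface name WAN come from the thread; only the comment text is mine.

```routeros
# Added example: selective dst-nat for tcp/443 on a MikroTik
# Only ONE of the three selector variants is needed.

/ip firewall nat
# b) match by inbound interface (the form used in the reply above)
add chain=dstnat action=dst-nat to-addresses=192.168.50.2 protocol=tcp dst-port=443 in-interface=WAN comment="443 -> web server (by interface)"
# a) match by the router's WAN address; needs editing if that address ever changes
# add chain=dstnat action=dst-nat to-addresses=192.168.50.2 protocol=tcp dst-port=443 dst-address=192.168.40.1 comment="443 -> web server (by address)"
# c) match any address the router itself owns; survives WAN IP changes and multi-WAN
# add chain=dstnat action=dst-nat to-addresses=192.168.50.2 protocol=tcp dst-port=443 dst-address-type=local comment="443 -> web server (by address type)"

# Outbound 443 from LAN clients is untouched by all three forms because the
# packets are neither entering on WAN nor addressed to the router itself.

# Make sure nothing earlier in the dstnat chain steals the packets:
/ip firewall nat move [find comment="443 -> web server (by interface)"] 0

# Checks for the list above
# packet counters: the 443 rule should count up while you test; if an earlier rule counts instead, it is matching first
/ip firewall nat print stats
# a drop rule in the forward chain counting up means the filter is blocking the forwarded flow
/ip firewall filter print stats where chain=forward
# server reachable from the router, with a MAC address learned in the ARP table
/ping 192.168.50.2 count=3
/ip arp print where address=192.168.50.2
# the translated connection should appear while a client is connected
/ip firewall connection print where protocol=tcp dst-address~":443"
```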
From outside it works fine, but when I’m checking from my LAN (192.168.2.1) the server (192.168.2.2) is unreachable.
2. INSIDE LAN
When I change dst-address to my external IP, dst-address=195.123.33.44 (domain mydomain.com, 195.123.33.44),
the server is reachable from inside the LAN (192.168.2.1) but is not reachable from outside.
Since you want hairpin, you should just match on the dst-address and not the interface.
Furthermore, for my experiment in a lab, I had to add a src-nat rule for hairpin to work as well. Here are my rules:
Note that when doing this, the internal host cannot see the src IP for internal connections - they will all appear to come from the Mikrotik. (you have to do this for NAT hairpin)
A cleaner solution would be to implement DNS proxy on the Mikrotik.
Either explicitly configure it as the DNS server for your LAN, or else make a redirect rule for udp/53 on the LAN side.
Then create a static DNS host entry for mydomain.com → 192.168.2.2
Your internal hosts will need to use the hostname to reach the server, but that’s normal, and sounds like what you want to do anyway. Doing it this way will allow the logs on the web server to show the actual source IP in all cases, and not just external hosts.
Finally, I would try to get the ISP to put their device in bridge mode and have the public IP directly on the Mikrotik. Being behind double NAT can cause problems with some applications, and requires you to coordinate with the ISP every time you add some new service (unless they just 1:1 all ports to your Mikrotik)
I tested my rules on a lab and they work for LAN->LAN and for WAN->LAN.
It also does not incorrectly redirect 443 for LAN->WAN - these continue to go out correctly to the Internet.
However, DNS proxy is pretty easy.
In Winbox, under IP > DNS, make sure there are servers defined (or dynamic servers learned from your WAN connection). As long as the Mikrotik itself can successfully make DNS lookups, make sure the “Allow Remote Requests” checkbox is checked.
Finally, assign the Mikrotik’s LAN IP as the DNS server in your internal DHCP (IP > DHCP-Server > Networks > 192.168.2.0/24 > DNS Servers: 192.168.2.1).
Optionally, you can create a redirect rule in dstnat chain (port 53, udp and tcp) - action=redirect means to intercept the request and handle it with the Mikrotik itself. Interestingly, after doing this - every IP address on the Internet will work as DNS for your client PCs.
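The DNS-proxy approach from the earlier post (static host entry for mydomain.com) and the Winbox steps just above, written out as an added RouterOS example; this is my own config, not ZeroByte’s. mydomain.com, 192.168.2.2, 192.168.2.1, 192.168.2.0/24 and ether1-gateway come from the thread; the LAN interface name bridge-LAN is an assumption. It also adds the input-chain drop that the thread does not mention: once the router answers remote DNS requests it will answer them from the WAN side too, so those are filtered.

```routeros
# Added example: split-horizon DNS on the MikroTik instead of hairpin NAT
# Assumes upstream servers are already set under /ip dns or learned from the WAN.

/ip dns
set allow-remote-requests=yes

# LAN clients resolving the public name get the internal server address,
# so the web server's logs show the real client IP for internal connections too.
/ip dns static
add name=mydomain.com address=192.168.2.2 comment="internal view of the web server"

# hand the router out as DNS server to DHCP clients (assumed LAN network entry)
/ip dhcp-server network
set [find address=192.168.2.0/24] dns-server=192.168.2.1

# optional: intercept DNS from the LAN no matter which server the client is configured with
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface=bridge-LAN comment="LAN DNS -> router"
add chain=dstnat action=redirect protocol=tcp dst-port=53 in-interface=bridge-LAN comment="LAN DNS -> router"

# allow-remote-requests=yes also makes the router answer from the WAN side.
# Keep it from being an open resolver: place these above any general input accept rule.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1-gateway comment="no DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1-gateway comment="no DNS from WAN"

# verify the static entry and that the router resolves the name to the internal address
/ip dns static print
:put [:resolve mydomain.com]
```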
FYI - the reason the srcnat is required is this:
request from 192.168.2.99:12345 → 192.168.1.101:443
-DSTNAT-
packet is now 192.168.2.99:12345 → 192.168.2.2:443
-packet forwards to server-
-Server sees source is local IP - sends reply directly to client-
-client receives packet directly from server, Mikrotik is skipped-
packet = 192.168.2.2:443 → 192.168.2.99:12345
-client is confused - it never asked for 192.168.2.99:443 so it drops the packet-
-client never receives reply from 192.168.1.101:443, and sends a re-try-
-retry fails for same reason-
-max retries, connection times out-
because packets coming from ether1-gateway interface won’t ever have 195.123.33.44 as their destination. Packets from outside going to 195.123.33.44 get forwarded by first router to your WAN address 192.168.1.101 and that’s their new destination address.
ZeroByte’s hairpin rules are basically correct, but not exactly in this case (sorry). If a LAN client tries to connect to 195.123.33.44, it goes straight through your router to the first one, which actually has 195.123.33.44. And if that router does hairpin NAT, it will send the packet back to your router with a source address different from the original 192.168.1.101 and you do not have to do anything special, because it will look like a regular external connection. You would not need this rule:
The problem here seems to be that the first router does not do hairpin NAT, so it just bounces packet back with original source address 192.168.1.101, your router does not expect it and drops it.
If you wanted it to work from both inside and outside, you’d have to intercept outgoing packets to 195.123.33.44 and redirect them back to server on your router. This should work:
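sob’s rule set is not reproduced in the thread, so here is an added example (my own config, not sob’s or ZeroByte’s rules) of a hairpin NAT set for the double-NAT case discussed: it combines the srcnat requirement explained in the FYI trace above with the extra rule that catches LAN traffic to the public address before it leaves. Addresses and the interface name ether1-gateway are from the thread (public 195.123.33.44 on the ISP router, MikroTik WAN 192.168.1.101, LAN 192.168.2.0/24, server 192.168.2.2); the comment text and rule order are mine.

```routeros
# Added example: dst-nat for tcp/443 that works from the Internet and from the LAN
# when the MikroTik sits behind an ISP router that does not hairpin itself.

/ip firewall nat
# 1) From the Internet: after the ISP router's NAT the packet is addressed to the
#    MikroTik's own WAN side, so match the WAN interface (or dst-address-type=local),
#    never the public 195.123.33.44, which such packets will not carry.
add chain=dstnat action=dst-nat to-addresses=192.168.2.2 protocol=tcp dst-port=443 in-interface=ether1-gateway comment="443 from Internet -> web server"

# 2) From the LAN: clients connect to the public address. Intercept those packets here,
#    because the ISP router would bounce them back with the original source 192.168.1.101
#    and this router would drop them.
add chain=dstnat action=dst-nat to-addresses=192.168.2.2 protocol=tcp dst-port=443 src-address=192.168.2.0/24 dst-address=195.123.33.44 comment="443 from LAN to public IP -> web server"

# 3) Hairpin src-nat: rewrite the LAN client's source so the server replies via the router.
#    Without this the server answers the client directly and the client drops the reply,
#    exactly as in the FYI trace. Side effect: the server logs 192.168.2.1 as the client.
add chain=srcnat action=masquerade protocol=tcp dst-port=443 src-address=192.168.2.0/24 dst-address=192.168.2.2 comment="hairpin src-nat"

# 4) Normal outbound NAT for everything else; plain LAN -> Internet 443 traffic matches
#    none of rules 1-3 and still goes out untouched.
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="default masquerade"

# Verify: rule 1 counts up for a test from outside, rules 2 and 3 for a test from a LAN client.
/ip firewall nat print stats
```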
Good catch, sob. Adding the 4th rule to “catch the pinhole early” is needed. I didn’t think about that case.
Honestly, I always hate to find such an installation with double nat.
Get the public IP on your own router, or else have static interior routes w/o NAT.
Don’t add a second NAT to the mix.
(If I had a dollar for every user who had trouble with their wireless because they bought a wireless router, plugged it in, connected their wireless printer to the SSID, and then couldn’t print to it from their lan PC…)
There’s nothing in the world wrong with multiple routers, but most people don’t have experience with static routes and just think nat behind nat behind nat behind nat is normal.
ZeroByte
I know that you are right. My access router is not so advanced and I can’t do the same thing as with the MikroTik.
This access router provides me with IPTV, Internet and phone. Regarding my GPON line parameters, they are quite nice:
Upstream : 1.2Gbit/s
Downstream : 2.5Gbit/s
For the moment the only way is to have a DMZ from the first access router; the second router is the MikroTik.
A better solution from my provider, just to avoid double NAT, would be to get PPPoE, but right now I don’t have a choice ;-(
No, you don’t understand. Where do you see it? Like is it something that RouterOS spits out (I don’t think so), or some other program, in that case what program is that and what exactly are you trying to do with it when it happens?
Brother, I’m using a MikroTik RouterBoard and I have 4 connections:
1. is DSL broadband; it has never shown the error on that broadband
2. is an online TV service which I use sometimes (once a week)
3. is a wireless broadband by the name PTCL 4ji EVDO
4. is a wireless broadband, 4G technology wireless modem/router by ZONG
Mostly WAN 3 and WAN 4 are used because the GB quota is 400 GB on both WANs.
The error shows up by itself at any time during the day, maybe once in 2 days.
I don’t know why; I just want that if this error shows, the WAN automatically shifts itself to another WAN (for example, WAN 3 shows the error, it gets disabled or falls back and WAN 4 takes the lead and is used as primary; if WAN 4 goes down and WAN 3 is also down then WAN 1 is used…