Internal access to server via public IP address RB433AH

Question:
Good Evening,

My current situation is as follows:

I have a customer with a MikroTik RB433AH router with RouterOS 3.14 assigned a public IP and acting as an edge router with masq. Inside the network is a Windows Server 2003 PDC using AD and Exchange using a private IP. The PDC handles DHCP and DNS for the internal network. The local domain is .local so using a DNS fix for this is not viable.

From the inside network we have flawless internet access, and can browse to http://192.168.1.254/exchange and get the OWA login. When connecting to http://.com/exchange from outside the network you also get the OWA login.

However, from inside the network accessing http://.com/exchange returns "page cannot be displayed" (timeout).

This is a known issue with many routers and is even brought up and addressed in this question:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23727459.html

Unfortunately, when trying to implement the accepted solution to that question, the WinBox UI returns the following error, where xxx.xxx.xxx.xxx is the public IP for the customer:

“Couldn’t change NAT rule <192.168.1.0/24->xxx.xxx.xxx.xxx> - dstnat chain can not contain masquerade/snat actions (6)”
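The configuration that error is pointing at, written out as an added example that is not from the thread or its linked answer: RouterOS will not accept masquerade/src-nat in the dstnat chain, so hairpin NAT needs two rules, a dst-nat in chain=dstnat plus a separate masquerade in chain=srcnat that matches only LAN-to-server traffic. The public IP xxx.xxx.xxx.xxx, the WAN interface name ether1 and tcp/80 are assumptions; the server and LAN addresses are the ones given in the question.

```routeros
# Hairpin NAT for OWA on RouterOS 3.x (added example, not from the thread).
# Assumptions: WAN interface is ether1, LAN is 192.168.1.0/24, the Exchange/OWA
# server is 192.168.1.254, and xxx.xxx.xxx.xxx is the router's public IP.
/ip firewall nat

# 1) Port forward: any client, outside or inside, hitting the public IP on
#    tcp/80 is redirected to the server. This rule belongs in the dstnat chain
#    and must use action=dst-nat; masquerade here is what produces error (6).
#    Keep it limited to the port OWA actually needs rather than all traffic.
add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.254 to-ports=80 \
    comment="OWA: public IP -> internal server"

# 2) Hairpin: when a LAN host reaches the server through rule 1, the server's
#    reply would otherwise go straight back across the LAN with 192.168.1.254
#    as source, which the client does not recognise (hence the timeout).
#    Masquerading only this LAN-to-server flow forces the reply back through
#    the router. Direct LAN access to 192.168.1.254 never crosses the router,
#    so it is not affected.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.254 \
    protocol=tcp dst-port=80 action=masquerade \
    comment="OWA hairpin: LAN clients arriving via public IP"

# 3) The existing edge masquerade stays unchanged.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="Default edge masquerade"

# Check: rule 2's counters should increase when an internal PC browses
# http://xxx.xxx.xxx.xxx/exchange, and the connection table should show the
# translated (router-sourced) reply path for that session.
/ip firewall nat print stats
/ip firewall connection print
```

One side effect worth knowing before deploying: because of rule 2, IIS/OWA logs will record the router's LAN address instead of the real client IP for internal users who arrive via the public name, so investigations of those sessions have to correlate with the router's connection tracking.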

Hi,

To solve it quickly, you can have the internal users access companydomain2.com/exchange, and create a static DNS entry in the router that redirects to the server IP; it should work.

Hmm... I think that if you create the static entry for your real domain it should work too.

As noted in the original post, the MikroTik does not handle ANY DNS for the network. A simple DNS fix is not a viable solution for this situation.

The required fix is some sort of firewall redirect/masq/nat. I simply don’t know the syntax.

Can you try it?

I’ve tried a local DNS entry in the MikroTik; as the domain controller provides DNS and DHCP, the PCs on the network never see the entry. To add the record to the domain controller would require duplicating their public zone from their external live DNS. This is a process the customer does not wish to undergo.