local webserver behind nat

mehdiadust · December 17, 2010, 9:48am

Dear friends,
my network diagram is very simple … like
internet ip/30 >>> mikrotik routerOS 3.10 >>> LAN (172.16.95.0/24) gw : 172.16.95.1, dns/web/ftp: 172.16.95.5

the problem is that when users from block 172.16.95.0/24 use 172.16.95.5 as their primary dns they can browse the website: xyz.com (xyz is not a registered domain) hosted in 172.16.95.5.

but when the users use both primary & secondary dns as public dns ip address such as 8.8.8.8 or 4.2.2.1 then they can browse internet but can’t browse xyz.com

mrz · December 17, 2010, 10:14am

Use “Search”. It was asked so many times.
http://wiki.mikrotik.com/wiki/Hairpin_NAT

mehdiadust · December 17, 2010, 1:14pm

NAT config :

0 chain=srcnat action=masquerade out-interface=Internet

I can browse http://172.16.95.5 from any other pc from the block 172.16.95.0/24 with public dns ip address

but when I try with the domain name that is http://www.xyz.com with any public dns ip address, I can’t browse xyz.com website

but if I use 172.16.95.5 as client’s pc primary dns address then I can browse xyz.com website.

Note : dns server address : 172.16.95.5
web server address : 172.16.95.5
ftp server address : 172.16.95.5

I have tried hairpin as :
/ip firewall nat
add chain=srcnat src-address=172.16.95.0/24
dst-address=172.16.95.5 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
any idea ?

fewi · December 17, 2010, 2:37pm

Your configuration is bad - somewhere. So show us your config. At least the output of “/ip address print detail”, “/ip route print detail”, and “/ip firewall export” wrapped in code tags, together with an nslookup against the DNS records of what you’re trying to get to, and preferably a network diagram.

mehdiadust · December 17, 2010, 4:17pm

[sohel@MUSCAT-CITYNET] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 114.130.x.x/30 114.130.x.0 114.130.x.x WAN
1 172.16.95.1/24 172.16.95.0 172.16.95.255 LAN-1

[sohel@MUSCAT-CITYNET] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 114.130.x.1 1 WAN
1 ADC 172.16.95.0/24 172.16.95.1 0 LAN-1
2 ADC 114.130.x/30 114.130.x.3 0 WAN
[sohel@MUSCAT-CITYNET] >

[sohel@MUSCAT-CITYNET] > ip firewall export

jan/06/1970 08:04:42 by RouterOS 3.10

software id = 60SS-PTT

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=445 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=445 protocol=udp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=135-139 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=135-139 protocol=udp src-address=0.0.0.0/0

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no
[sohel@MUSCAT-CITYNET] >

From Local DNS : 172.16.95.5

[root@ns1 ~]# nslookup 172.16.95.5
Server: 172.16.95.5
Address: 172.16.95.5#53

5.95.16.172.in-addr.arpa name = ns1.xyz.com.

[root@ns1 ~]#

[root@ns1 ~]# nslookup ns1.xyz.com
Server: 172.16.95.5
Address: 172.16.95.5#53

Name: ns1.xyz.com
Address: 172.16.95.5

[root@ns1 ~]#
[root@ns1 ~]# nslookup http://www.xyz.com
Server: 172.16.95.5
Address: 172.16.95.5#53

http://www.xyz.com canonical name = ns1.xyz.com.
Name: ns1.xyz.com
Address: 172.16.95.5

[root@ns1 ~]#

I want to browse http://www.xyz.com, locally from ip block 172.16.95.0/24 whatever may be the clients dns address, it could be google dns, isp dns or open dns.

any idea ?

fewi · December 17, 2010, 4:40pm

This has nothing to do with NAT. You can’t expect to use a public DNS server for a domain name that isn’t registered to you. The public DNS server cannot possibly how to resolve that name if it isn’t registered properly.

THG · December 20, 2010, 11:46am

I read this page, and it’s for people with static IP addresses. In case of dynamic IP addresses, people need a script to update the address. With the following script, you can use an address list instead of an IP address. This script automatically updates the IP address in the address list.

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# BEGINNING OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:local "wan-interface" "ether2"
:local "address-list" "wan_ip"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# END OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

:global "old-wan-ip"
:local "wan-ip" [ /ip address get [/ip address find interface=$"wan-interface"] address ]
:set "wan-ip" [ :pick $"wan-ip" 0 [:find $"wan-ip" "/" ] ]

:if ( [/ip firewall address-list find list=$"address-list" ] = "" ) do={
/ip firewall address-list add address=$"wan-ip" list=$"address-list"
:log warning "address list: $"address-list" added by script"

} else={

:if ($"wan-ip" != $"old-wan-ip") do={
:foreach a in=[/ip firewall address-list find list=$"address-list"] do={
/ip firewall address-list set $a address=$"wan-ip"
:log warning "WAN IP address changed from: $"old-wan-ip" to $"wan-ip""
:set "old-wan-ip" $"wan-ip"
  }
 }
}

mehdiadust · December 24, 2010, 4:39pm

It’s working now …

RB as the DNS server :

for udp:
chain: dstnat
protocol: udp
dstport: 53

action: redirect
port: 53

for tcp :
only protocol : tcp

… now local users can browse xyz.com (which is not registered to internet) as well as they can browse the other website … thanks buddy who post the solution … i can not remember his id …or … name

Note : I have also added an static dns entry for the domain :

name : www.xyz.com
ip : 172.16.95.5

… getting more and more dns addresses in dns cache … any suggestion ?

fewi · December 24, 2010, 5:19pm

Of course you’re going to get lots of caches DNS records if you’re forcing everyone to resolve via your resolver. That’s expected.

If you can’t live with that the proper solution would be to buy xyz.com and make a proper DNS record.