NAT routing to internal webserver

Greetings all,
I am trying to route the public IP address of my Mikrotik router v2.9.5 to a webserver on the internal network. However, I have been unsuccessful as of yet. The public IP given to me by my provider, funnily enough, ends /24, and my internal network is, say, 10.11.19.0/24.
I have tried to configure it using the example in the 2.9 manual, using my own IP addresses where applicable. Without the NAT rule, when I load the webpage with the public IP I get the Mikrotik webpage; however, when I apply the NAT rule, no page loads at all.

Also I should mention that I have my network masqueraded behind the public IP.

Am I doing something wrong?

thanks in advance,

regards,
rburke

You have to configure full NAT for the web server: use src-nat instead of masquerade. Here is a configuration example:
http://www.mikrotik.com/docs/ros/2.8/howto/howto.content#12.2.6
Change the syntax for 2.9.

I have that problem too, I can't src-nat :S
What can the problem be?

I have made this work when you have a separate LAN (DMZ) for your internet-facing servers, but never really got it working right otherwise … Cisco calls this ‘NAT on a stick’ - maybe something similar needs to be configured on MT as well. Anyhow, putting those servers on a different subnet or interface should help.

Sam

I’ve been able to nat with both 2.8 and 2.9 running hotspots to a webcam on my private network.

2.9 rules

0 ;;; masquerade hotspot network
chain=srcnat src-address=10.20.7.0/24 action=masquerade

1 ;;; masquerade private network
chain=srcnat src-address=192.168.0.0/24 action=masquerade

2 chain=dstnat dst-address=xxx.yyy.194.57 action=dst-nat to-addresses=192.168.0.20 to-ports=80

3 chain=src-nat src-address=192.168.0.20 action=src-nat to-addresses=xxx.yyy.194.57 to-ports=80


ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked

MAC-ADDRESS ADDRESS TO-ADDRESS SERVER

0 P 80:80:66:7B:1F:A0 192.168.0.20 xxx.yyy.194.57 hs-hotspot


xxx.yyy.194.57 is my public IP.

If you’re not running a hotspot, I don’t think you will need the ip-binding command.
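The "full NAT" that the replies above describe (a dst-nat rule for inbound connections plus a matching src-nat rule for the server's own outbound traffic), written out in 2.9 syntax as an added example rather than a ruleset taken from any poster. It assumes a WAN interface named `public`, a router public address of 203.0.113.10 (a placeholder in the documentation range) and a web server at 10.11.19.5 inside the original poster's 10.11.19.0/24 LAN; none of these values come from the thread. NAT rules only take effect in the two built-in chains, `srcnat` and `dstnat`, and in 2.9 the action names are `src-nat` and `dst-nat`.

```routeros
# Added example (not from the thread). Assumptions: WAN interface "public",
# router public address 203.0.113.10 (placeholder), web server at 10.11.19.5.
/ip firewall nat
# 1. Inbound: rewrite the destination of TCP/80 connections that arrive on the
#    public address so they reach the web server. dstnat runs before routing
#    and before the forward filter chain.
add chain=dstnat in-interface=public dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.11.19.5 to-ports=80 comment="web server inbound"
# 2. Outbound: connections the web server itself originates leave with the same
#    public address. Chain is srcnat (built-in), action is src-nat (2.9 name).
add chain=srcnat out-interface=public src-address=10.11.19.5 action=src-nat to-addresses=203.0.113.10 to-ports=0-65535 comment="web server outbound"
# 3. The rest of the LAN keeps using masquerade. Rules are evaluated top to
#    bottom, so the more specific src-nat rule above must stay above this one.
add chain=srcnat out-interface=public src-address=10.11.19.0/24 action=masquerade comment="LAN masquerade"
# Review the result; the rule numbers printed here are the order of evaluation.
/ip firewall nat print
```

Test the mapping from a host outside the router, not from the LAN: a LAN client that connects to the public address gets its packet dst-natted to the server, but the server's reply goes straight back to the client with the private source address, so the client drops it. Restricting rule 1 to `protocol=tcp dst-port=80` keeps every other port on the public address closed, which is the least-exposure choice when only a web server needs to be reachable.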

Thanks jaytcsd, that seemed to work this time round :slight_smile:

I can’t get this to work.
I want all addresses and all ports to be NATed to xx.xxx.xx.x, but it doesn’t work. On 2.8 it worked, but I don’t know why on 2.9 it doesn’t :S :cry:

Are you trying to map a bunch of private IPs to one public IP for outbound traffic, or are you trying to map public IPs to private IPs so traffic can get inside your private network?

Hi, I will try to make it clear.
When I was using 2.8 I had a src-nat rule, and in that rule I added this config:

ip firewall src-nat> add action=nat to-src-address=x1.x23.x14.xx to-src-port=0-65535 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

The problem is that in 2.9 it doesn’t work.

I’m not using src-nat / nat rules in my router, only masquerade rules, so I’m afraid I can’t help much.

My rules to NAT an internal network and also an IP phone connected to a separate interface:

0 ;;; Internal LAN NAT
chain=srcnat out-interface=Internet src-address=192.168.1.0/24
action=src-nat to-addresses=82.xxx.xxx.205 to-ports=0-65535

1 ;;; Nat for IP phone
chain=srcnat out-interface=Internet src-address=192.168.2.10
action=src-nat to-addresses=82.xxx.xxx.201 to-ports=0-65535

2 ;;; IP Phone
chain=dstnat in-interface=Internet dst-address=82.xxx.xxx.201
action=dst-nat to-addresses=192.168.2.10 to-ports=0-65535

The syntax changed a little with 2.9.

Regards

Andrew

In 2.9 you need to set the chain to srcnat and the action to src-nat; it works for me.

I defined that, but it still doesn’t work. Can you please post a copy of your config?

When I go to whatismyip.com with any PC other than 192.168.0.47 I get xx.59.194.58 as my address, my WAN IP in the router. When I use the PC at 192.168.0.47 I get xx.59.194.57 as the response.
ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; WAN IP
xxx.59.194.58/24 xxx.59.194.0 xxx.59.194.255 public
1 ;;; ip for internal PC
xxx.59.194.57/24 xxx.59.194.0 xxx.59.194.255 public

ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.0.47 action=src-nat to-addresses=xxx.59.194.57 to-ports=0-65535

1 ;;; masquerade hotspot network
chain=srcnat src-address=10.20.7.0/24 action=masquerade

2 ;;; masquerade private network
chain=srcnat src-address=192.168.0.0/24 action=masquerade

ip route> pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE

0 ADC 10.20.7.0/24 10.20.7.1 hotspot
1 ADC xx.59.194.0/24 xx.59.194.58 public
2 ADC 192.168.0.0/24 192.168.0.10 private
3 A S 0.0.0.0/0 r xxx.59.194.1 public

I’m having similar problems and can’t seem to figure out why. Here is what I have:

1 chain=srcnat out-interface=ether3 src-address=192.168.1.0/24
action=masquerade

10 chain=dstnat dst-address=65.XX.XX.203 protocol=tcp dst-port=8021
action=dst-nat to-addresses=192.168.1.21 to-ports=80

11 chain=srcnat src-address=192.168.1.21 protocol=tcp action=src-nat
to-addresses=65.XX.XX.203 to-ports=0-65535

When I go to http://65.XX.XX.203:8021/ I see the Bytes and Packets increase for the dst-nat rule but nothing for either src-nat rule. Connections shows a “syn sent” for the 65.XX.XX.203 address but nothing shows at all for 192.168.1.21.

I can ping the IP and even connect to port 80 from the router using telnet. But trying to reach the web server from an external address isn’t working.

Any ideas on what I’m doing wrong?

What about your firewall rules? In order to perform correct mapping it is not only necessary to use src-nat correctly, but also have appropriate firewall filter rules.

There’s no need to modify the forward chain, unless there’s a rule blocking the port(s) you’re trying to NAT.

If I assume your forward rules allow only outgoing connections from the internal network and established and related connections from the internet to the internal network, it is necessary to add appropriate rules.

No filter rules have been defined. I didn’t read about having to modify any filter rules in the manual for destination NAT. Masquerading works fine. Is there something else I have to add?

Of course it depends on the actual router configuration, and this is why I asked for these rules.
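The forward-chain filter rules that the last few posts are discussing, as an added example that is not any poster's configuration. It shows the minimal rule set for a router whose forward chain otherwise allows only LAN-originated and established/related connections, together with the connection-tracking check a practitioner uses to see whether a translated connection is actually being answered. It restates the same assumptions as the NAT example: WAN interface `public`, public address 203.0.113.10 (placeholder), web server 10.11.19.5; none of these values are from the thread.

```routeros
# Added example (not from the thread). Assumptions: WAN interface "public",
# router public address 203.0.113.10 (placeholder), web server at 10.11.19.5.
/ip firewall filter
# Replies to connections that are already tracked, in either direction.
add chain=forward connection-state=established action=accept comment="established"
add chain=forward connection-state=related action=accept comment="related"
# The forward chain runs AFTER dstnat, so the address to permit is the private
# server address, not the public one the client connected to.
add chain=forward in-interface=public protocol=tcp dst-address=10.11.19.5 dst-port=80 connection-state=new action=accept comment="NATed web server"
# Everything else that the internet tries to open towards the LAN is dropped.
add chain=forward in-interface=public connection-state=new action=drop comment="drop other inbound"
# Check: each translated connection appears in the tracking table. A client whose
# SYN was forwarded but never answered shows up with the "syn sent" state and no
# reply, which points at the server or its routing rather than at the NAT rule.
/ip firewall connection print
```

If the tracking table shows only "syn sent" entries while the dst-nat rule counters do increase, the SYN is reaching the server but its SYN/ACK is not coming back through the router; a common cause is a server whose default gateway is not the router's LAN address, so its replies leave by another path and never get untranslated. Rule order matters here too: the accept for the web server must sit above the final drop.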