Port forward multiple IPs on same interface

I would like to port forward multiple IPs on the same interface.
69.69.69.100 eth1 → admin interface to Mikrotik
69.69.69.101:80 eth1 → 192.168.2.101:80 eth2
69.69.69.102:80 eth1 → 192.168.2.102:80 eth2
69.69.69.103:80 eth1 → 192.168.2.103:80 eth2
69.69.69.104:80 eth1 → 192.168.2.104:80 eth2

/ip address
add address=69.69.69.100/24 interface=eth1
add address=69.69.69.101/24 interface=eth1
add address=69.69.69.102/24 interface=eth1
add address=69.69.69.103/24 interface=eth1
add address=69.69.69.104/24 interface=eth1

All of the 192.168.2 addresses are on a subnet connected to eth2

I have set up the nat rules.
/ip firewall nat add chain=dstnat dst-address=69.69.69.101 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.101 to-ports=80
/ip firewall nat add chain=dstnat dst-address=69.69.69.102 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.102 to-ports=80
etc…

Right now a request to http://10.10.10.102 will get the Mikrotik webbox interface.

Is there any way around this?

So what’s wrong? You want to disable webbox? Disable www in IP → Services =)

If I go to http://69.69.69.100 I’d like to go to the web admin interface of the Mikrotik.
If I go to http://69.69.69.101 I’d like to go to the web server at 192.168.2.101.

This looks like 2.8.x syntax. Is that correct?

The Mikrotik is 4.3; I typed that by hand.

Sorry… I’m not sure what I was thinking. It’s been a long day. Either way, the syntax all looks correct. Do your rules match when you try to connect to the public IP?

Not sure what you’re asking, but I do have the corresponding srcnat rules with the IPs reversed.

Ok. Webserver at actual IP of 10.10.10.10. You want it on public IP of 69.69.69.10, you would do:

/ip firewall nat
add chain=dstnat dst-address=69.69.69.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.10 to-ports=80

(there is no need for src-nat unless you want that, too).

When you look at winbox, you will see a packet counter and byte counter. Does that packet counter increase when you open a web browser to http://69.69.69.10/

Ok, here is my setup.
Public IPs 10.10.10.10/25 and 10.10.10.104/25 on interface=Public
Local address 192.168.30.104/24; the server is located on a private network with a gateway on interface=Local

My basic question is, can a single interface with 2 or more IPs be used to port forward to different servers?

/ip address
add address=10.10.10.10/25 broadcast=10.10.10.127 comment="" disabled=no \
    interface=Public network=10.10.10.0
add address=10.10.10.104/25 broadcast=10.10.10.127 comment="" disabled=no \
    interface=Public network=10.10.10.0
add address=192.168.30.254/24 broadcast=192.168.30.255 comment="" disabled=no \
    interface=Local network=192.168.30.0

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=Public
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=Public
add action=accept chain=input comment="winbox" disabled=no dst-port=8291 \
    in-interface=Public protocol=tcp
add action=accept chain=input comment="port forward" disabled=no \
    dst-address=10.10.10.104 dst-port=80 in-interface=Public protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=Public

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    disabled=no out-interface=Public
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    protocol=tcp src-address=10.10.10.104 to-addresses=192.168.30.104 \
    to-ports=80

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=10.10.10.126 scope=30 target-scope=10

When I try to access http://10.10.10.104 I get the winbox interface=Public(10.10.10.10) instead of the webserver on 192.168.30.104.

Doh! I found the problem. I should have used dst-address instead of src-address.
Change
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    protocol=tcp src-address=10.10.10.104 to-addresses=192.168.30.104 \
    to-ports=80
to
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    protocol=tcp dst-address=10.10.10.104 to-addresses=192.168.30.104 \
    to-ports=80

Thanks butche and Chupaka.

You can also do:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    protocol=tcp dst-address=10.10.10.101-10.10.10.104 \
    to-addresses=192.168.30.101-192.168.30.104

for multiple IPs.
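
The src-address/dst-address mix-up found in this thread can be checked for mechanically before a config goes live. The Python below is an added example, not code from any poster or from MikroTik: it reads `/export`-style text and flags dst-nat rules that are not pinned to a dst-address. The function names `parse_export` and `audit_dstnat` are hypothetical, and the sample input is constructed from the rules quoted above.

```python
import shlex

# Constructed sample: the thread's NAT section with the broken rule (index 1)
# followed by the corrected rule (index 2) for comparison.
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=Public
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp \
    src-address=10.10.10.104 to-addresses=192.168.30.104 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp \
    dst-address=10.10.10.104 to-addresses=192.168.30.104 to-ports=80
'''

def parse_export(text):
    """Yield (menu, params) per 'add' line, joining backslash continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]  # export may wrap mid-value, so add no space
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            words = shlex.split(line)[1:]
            yield menu, dict(w.split("=", 1) for w in words if "=" in w)

def audit_dstnat(text):
    """Return (rule_index, finding) for dst-nat rules not pinned to a dst-address."""
    rules = [p for menu, p in parse_export(text) if menu == "/ip firewall nat"]
    findings = []
    for index, p in enumerate(rules):
        if p.get("action") != "dst-nat" or p.get("disabled") == "yes":
            continue
        if "dst-address" in p:
            continue
        if "src-address" in p:
            findings.append((index, "matches src-address=%s (the client), not the "
                             "public IP; use dst-address" % p["src-address"]))
        else:
            findings.append((index, "no dst-address: forwards this port for every "
                             "destination, including the admin address"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_dstnat(SAMPLE_EXPORT):
        print("nat rule %d: %s" % (index, finding))
```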