I’m trying to set up port forwarding from my public IP address to my LAN host 172.168.0.10, ports 80/443.
The setup:
I have a ZTE router from the ISP with the IP 192.168.1.1. That is connected to the MikroTik switch.
The switch’s “WAN2” port is getting its IP from the ZTE over DHCP, 192.168.1.2.
There is a “MASTER” bridge connecting all the other ports on the switch. The web server I want to access remotely is connected to the MikroTik with the IP 172.168.0.10.
Yes, I know, double NAT is not ideal, but unfortunately my ISP is not willing/able to bridge the router they gave me, so this is what I’m stuck with.
I’ve already set up a port forward from the ZTE to the MikroTik (192.168.1.1:80 ==> 192.168.1.2:80) and tried to set it on the MikroTik as well, like this:
[admin@MikroTik] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; WAN NAT
chain=srcnat action=masquerade out-interface=WAN2 log=no log-prefix=""
1 ;;; Local web services
chain=dstnat action=dst-nat to-addresses= to-ports=80
protocol=tcp dst-address=172.168.0.10 dst-port=80 log=yes log-prefix=""
2 chain=dstnat action=dst-nat to-addresses= to-ports=80
protocol=udp dst-address=172.168.0.10 dst-port=80 log=yes log-prefix=""
You don’t have a public IP; that is the problem. So yes, double NAT should still work.
However, the weird part is the NAT or DHCP once past the ZTE.
So I will make some assumptions.
The ZTE gets a public IP, but we don’t need to know it.
The ZTE has a LAN structure of 192.168.1.1/24.
The switch is on this LAN on a specific port and is assigned a LAN IP of 192.168.1.2.
The bridge on the switch is assigning a network of 192.168.0.1/24 to all the other switch interfaces.
Based on the above…
The ZTE is configured correctly for port forwarding.
Consider 192.168.1.2 as the WAN IP for the MT.
The WAN for the MT is on WAN2.
0 ;;; WAN NAT
chain=srcnat action=src-nat out-interface=WAN2 to-addresses=192.168.1.2
1 ;;; Local web services
chain=dstnat action=dst-nat dst-port=80 dst-address=192.168.1.2 /
protocol=tcp to-addresses=172.168.0.10
2 chain=dstnat action=dst-nat dst-port=80 dst-address=192.168.1.2 /
protocol=udp to-addresses=172.168.0.10
With this it works fine, but - as I’m forwarding port 80 and now 443 as well - the rest of the boxes on the ports are unable to use HTTP/HTTPS, which is a con.
So what I came up with is to take the web server, separate it from the MASTER bridge and set it up separately. Going to test it in a bit and it will hopefully work (I don’t really see at this point why it wouldn’t). Will check back here later with the results.
So before I continue, I was giving this a second thought, and what I’m thinking is to forward 80/443 from the ZTE to the MK (192.168.1.2) on port 45452, for example, and have that forwarded from the MK to the respective port of the web server. That way it wouldn’t cause much of an issue for the rest of the network, would it?
Because even if I separate the web server from the MASTER bridge, it would still route traffic from port 80/443 to the web server, breaking the internet in the entire building because the gateway on the MK remains the same.
Open to suggestions though; there might be a better way of doing this.
Sure, if the port structure is going to interfere, why not use port translation?
There are usually two options: change the server port so it doesn’t conflict with anything else required on the network, or
(if not able to change the port used on the server itself) change the port numbering such that the router translates the port to the server at the appropriate time.
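A worked version of the port-translation layout discussed above, added here as an example and not taken from either poster’s config: the ZTE forwards public 80/443 to 192.168.1.2 on 45452/45453 (placeholder ports chosen for this example), and the MikroTik rewrites only traffic arriving on WAN2 for those two ports back to 80/443 on the web server at 172.168.0.10, so HTTP/HTTPS from the rest of the LAN is left alone. It assumes the forward chain may end in a drop, which is why the filter rules are included.

```routeros
# Added example for this thread, not the original poster's configuration.
# Assumptions: WAN2 holds 192.168.1.2 from the ZTE; the ZTE forwards
# public :80 -> 192.168.1.2:45452 and public :443 -> 192.168.1.2:45453
# (45452/45453 are placeholder ports picked for this example).
# The web server sits behind the MASTER bridge at 172.168.0.10.

/ip firewall nat
# Outbound: everything leaving WAN2 is translated to the WAN2 address.
add chain=srcnat out-interface=WAN2 action=masquerade comment="WAN NAT"

# Inbound: match only on the ZTE-facing interface and the translated
# ports, so port 80/443 traffic elsewhere on the LAN is not rewritten.
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=45452 \
    action=dst-nat to-addresses=172.168.0.10 to-ports=80 \
    comment="ZTE forward -> web server HTTP"
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=45453 \
    action=dst-nat to-addresses=172.168.0.10 to-ports=443 \
    comment="ZTE forward -> web server HTTPS"
# No UDP rules: HTTP/HTTPS on this server are TCP, so a udp dst-nat
# rule on port 80 would never match real traffic.

/ip firewall filter
# dst-nat runs in prerouting, so by the time the forward chain sees the
# packet its destination is already 172.168.0.10:80 or :443.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=WAN2 connection-state=new \
    connection-nat-state=dstnat dst-address=172.168.0.10 \
    protocol=tcp dst-port=80,443 action=accept \
    comment="allow only the forwarded web connections in from the ZTE"
add chain=forward in-interface=WAN2 connection-state=new action=drop \
    comment="drop any other new connection arriving from the ZTE side"

# Verify rule hits after a test request from outside:
# /ip firewall nat print stats
# /ip firewall connection print where dst-address~"172.168.0.10"
```

`add` appends to the end of a chain, so if an existing forward-chain drop rule is already present, move these accept rules above it (or create them with `place-before=`), otherwise the forwarded connections never reach them.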
It’s been a while since I did anything like this; confirmation helps, hehe.
Anyhow, I tried to modify things a bit to separate the web server from the rest of the things.
I connected another line from the ZTE to the MK on port 24 and bridged that (new) with port 23, where I have one of the NICs of the web server connected. The web server has a static IP at 192.168.1.231 and the bridge is getting a static IP over DHCP from the ZTE, 192.168.1.3. I added some changes to the firewall, but it seems that I’m not able to forward port 80 from the ZTE to port 45480 on 192.168.1.3 on the MK. Well, I guess I can, but nothing happens. However, from the MASTER bridge I can connect to 192.168.1.3:45480 and it loads the page from 192.168.1.231.
I’m guessing that I’m still missing something to be able to communicate back to the ZTE.
My config: