Hello (I’m sorry i dont have a better subject to explain my situation)

I have this web-server in my local LAN which is suposed to record all visitors IP.
When this server is connected to the ADSL Router (Draytek Vigor2800) it works allright. I have Open Port configured in NAT to the server’s local IP and server’s web app reports REMOTE_ADDR = Visitor’s IP as it is suposed to.

But then, I would prefer to have a MikroTik between ADSL Router and the Web-Server to have a better control over traffic.
So I configured the Draytek DMZ host as MikroTik IP and then port-forward port 80 in MikroTik to web-server.

Web-Server is accessible and works fine. But unfortunaly, all visitors IP appears as MikroTik IP.

Here’s an image. Sometimes it is better than a thousand words

Is there someway in MikroTik that allow passing IP’s from visitors to the webserver just as Draytek does?

Hi,

disable srcnat/masquerade on Ether2 or make srcnat/masquerade only on Ether1

/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT" disabled=no out-interface=ether1

i don’t know if i did it right… i inserted that rule you gave me, and disabled the others
but then i got nothing from the webserver.

these are the rules i had, but only passing the router IP instead of the visitor IP:

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no
add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80

Hi,

you need this:

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no out-interface=ether1
add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80

Hi Petrn

I appreciate you’re help but adding the out-interface=ether1 didn’t workout. Not a single packet on that rule.
If i set out-interface=ether2, then it works just like before sending router IP to the destination (instead of visitor’s IP which was the goal).

Here is my routing table, just in case..

 
#      DST-ADDRESS        PREF-SRC        GATEWAY-STATE GATEWAY                     DISTANCE INTERFACE           
 0 ADS  0.0.0.0/0                          reachable     192.168.0.1                 0        ether1                           
 1 ADC  10.10.10.0/24      10.10.10.254                                              0        ether2              
 2 ADC  192.168.0.0/24     192.168.0.25                                              0        ether1

and IP addresses

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                            
 0   10.10.10.254/24    10.10.10.0      10.10.10.255    ether2                                                                                                                                                         
 1 D 192.168.0.25/24    192.168.0.0     192.168.0.255   ether1

this rule is used for connection initiated from server, so it's ok

If i set out-interface=ether2, then it works just like before sending router IP to the destination (instead of visitor's IP which was the goal).

that is reason you don't want out-interface=ether2

Here is my routing table, just in case..

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 ADS 0.0.0.0/0 reachable 192.168.0.1 0 ether1
1 ADC 10.10.10.0/24 10.10.10.254 0 ether2
2 ADC 192.168.0.0/24 192.168.0.25 0 ether1

>

routing is ok, other way nobody will connect at all

> and IP addresses
>
> ```text
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                            
 0   10.10.10.254/24    10.10.10.0      10.10.10.255    ether2                                                                                                                                                         
 1 D 192.168.0.25/24    192.168.0.0     192.168.0.255   ether1

why dynamic IP on ether1? And it should be 192.168.0.22 according to diagram.
I think posting /ip firewall export will help

There’s no Dst Address in rules so i guess dynamic IP’s not a problem.

Here’s the NAT export:

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no
add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80

if you have any idea, just say, i’m happy to try it

this we have seen already, what about /ip firewall? May be static ip 192.168.0.22 and

add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80 dst-address=192.168.0.22

might work.

Hey Petrn

I appreciate your concern very much, unfortunaly specifing dst-address didn’t do much. Still’s giving router’s address, not visitors address

I could give you /ip firewall but there’s a bunch of “trash” wich I’ve disabled just in case but it didn’t changed things we know unfortunaly.

I’m sure there will be some kind of NAT rule that will allow passing visitor IP like Draytek’s firewall does. I mean, on Draytek you only have to specify simple port forward and that’s it!

What would be the rule in firewall NAT to send Visitor’s IP (src-address i think) to dst-address (web-server). That is the question, i guess.

What petr told you initially is 100% correct according to your network diagram. Add a out-interface=ether1 qualifier to your masquerade rule so that you’re not telling the router to source NAT traffic from the Internet to the web server and rewrite the source IP to the one on the router interface. The question is NOT how to get the router to do what you’re looking to do - leave the source IP unchanged - but how to fix your configuration so that you’re not telling the router to change the source IP. It doesn’t do that by default, you’re telling it to do that, and you’re telling it via the masquerade rule in your NAT configuration.

If that doesn’t work then your network diagram is wrong, or there is a firewall filter blocking traffic. Post your firewall rules. Delete all disabled rules first, if they are disabled you obviously don’t need them.

Well for starting, let’s forget about firewall filter because there’s just filters and I’ve disabled all of them for testing this. Ok?

For the rest, i don’t want to be rude but adding the out-interface=ether1 don’t work at all! I mean, nothing comes out from dst-nat (webserver)

I’m on 3.30. Tomorow i will try on 4.17. It may be a bug or something, i don’t know…

For the rest, i don’t want to be rude but adding the out-interface=ether1 don’t work at all! I mean, nothing comes out from dst-nat (webserver)

masquerade is a source NAT action, so I don’t understand that sentence. Your masquerade rule without an out-interface qualifier, if written in English, means “whenever the router sends a packet from ANY interface it should rewrite the source IP address in the packet header to the IP address on the router interface”. That is why the web server sees the router IP address on all requests - because of that rule. The packet comes from the Internet into the router. The router knows it should send it out ether2. When it does so it rewrites the source IP because that rule is telling it to. To fix that you add a qualifier to the masquerade rule so it doesn’t apply to packets leaving the router through ether2.

If you never need the web server to have source NAT applied to it (other than destination NAT being undone, which takes care of it for connections initiated from the Internet) because the web server will never initiate a connection to the Internet (not even to download OS updates, etc) then you can delete the masquerade source NAT rule entirely because it is unnecessary.

There is no huge, massive NAT bug in 3.30. This is a misconfiguration issue, and a fairly simple one. If all your firewall filters are disabled and your network diagram is correct then the next conclusion is that the web server is misconfigured, or your testing is flawed. This is a very, very simple set up.

that’s a very cool explanation, i liked it a lot, specialy the “written in English” part

Regarding my setence about dst-nat, i must remember you that my web-server (port 80) is available only when these two rules ar together:

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no
add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80

about the web-server it self, it has 2 ethernet ports and the gateway was set to the other port… (I will post a more detailed diagram of it) anyway i disabled that gateway and set it to the mikrotik router. Now the web-server can ping google.com throught mikrotik.

So, unless the web-server still has some tracking table in cache that could flaw the tests,this situation stays all the same.
The web server is only accessible when the two NAT rules (masquerade and dsn-nat) are enabled in Mikrotik.

(the new diagram will be here in a few)

Hello again

here’s the new diagram. It has the same 2 path i had in the other draws.
The green doted is the one that gives the visitor address and the red doted is the one from mikrotik that’s not giving visitors IP.

In Mikrotik there’s only these 2 rules in firewall

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no
add action=dst-nat chain=dstnat comment=WWW disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.199 to-ports=80

They give web-server REMOTE_ADDR = Mikrotik Ip (not visitor IP)

They only work when both are enabled.
Out of curiosity if dstnat is enabled and masquerade is disabled, web-server doesn’t work but i can see packets increasing in dstnat rule on mikrotik. That means mikrotik is passing them, but web-server is not responding, right?

Plus, If i add out-interface=ether2 in masquerade, that changes nothing. It still show mikrotik IP instead of visitors.

Note: i notice i had to reset connecion track (disable/enable) for every change in NAT so i could test the changes made, so maybe i had made some statments before that were not correct because of this. so now goind to re-test all that has been said from the begining

Plus, If i add out-interface=ether2 in masquerade, that changes nothing. It still show mikrotik IP instead of visitors.

Well yes. That specifically tells the Mikrotik to rewrite the source IP to 10.255.255.254. It must be out-interface=ether1.

Crucially your network diagram now shows two IPs on the web server, which it didn’t before. That, in combination with the NAT, is likely your issue. The web server is misconfigured with a default gateway on the 192.168.0.0/24 network. When your NAT rule is malfunctioning and the source IP is rewritten to 10.255.255.254 the web server sends traffic back to the Mikrotik router because that IP is directly connected, so it doesn’t use its default route. The router then undoes all the other NAT and sends traffic back to the client.
When you fix the NAT rule - and I cannot stress enough that adding out-interface=ether1 fixes it - the web server gets the packet with the right source IP, but now that IP is no longer directly connected, so the router sends it back via its wrong default gateway and the Mikrotik router no longer sees the return packet, and it gets lost somewhere because it’s taking a different path (it is not entirely clear how the server connects to that network).

Remove the 192.168.0.0/24 IP address on the server and shut down that interface. Dual homing entirely circumvents the purpose of a DMZ. Then ensure the correct default gateway is set on the server, the default gateway MUST be 10.255.255.254. Add “out-interface=ether1” to the NAT rule. Reboot everything just for good measure. Retest.

That’s it BINGO!!

but it’s a litle bit more complex than it looks, i’ll post a complete diagram in a few…

here’s the full diagram

i’m sorry, i tried to make it simple at the begining of the thread, but them it make me loose some details, which were the cause of the fail.

As Fewi said before, Petrn was right since the beginning, but then Fewi remember me of gateway importance in the webserver, which lead me to the solution. So thank you both guys

Now a litle explanation of what was appening:

In fact the web-server was not the IP that Mikrotik was forwarding port 80 to, because web-server was behind a reverse proxy.

It was the reverse proxy that was connected to the mikrotik, so even if the webserver had the gateway set to mikrotik. That was the reverse proxy server that realy needed to have the mikrotik as gateway.

Now this problem is solved, but i now have another one… because i really need the reverse proxy server directly connected to draytek router and have it as gateway, but at the same time, i would like to have it served by mikrotik for the web-services.

But i guess there’s no turn arround, i mean… could there be a rule in IPTable’s reverse-proxy-server that specifies gateway as mikrotik IP just for the packets comming in port 80 of Ether1 ? I’m thinking of marking packets Mangle’s style but i guess that would be very complicated to do in IPTables.

Certainly doable (after all RouterOS is Linux and bases it’s firewall and routing facilities on it), but outside the scope of this forum.

Whole time i was wandering ho packet destined to 192.168.0.20 can reach webserver.
If this was your network from beginning, i am not going to waste my time in this forums any more. I think i know about networking, but i don’t own crystal ball yet.

Actually, web-server also as an ethernet connection to draytek’s lan, which is missing in this last diagram, but it doesn’t matter since the gateway is on the other ethernet.

Petrn… hey, the complete diagram is bigger than this. It as a lot more web-servers and mikrotik routers, not to mention that many servers are virtualized and with internal networks also virtualized.

That’s the reason i tryed to simplify the question… but in the process i missed some details and that was my fail, i know. i’m realy sorry

I hope you understand that, unlike the machines, humans fail…