Port forwarding several servers

This is the info for my rb493g Router OS ver 5.14
"diagram at the bottom"
[admin@MikroTik] > ip address print

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; Wan
96.xx.xx.xx/30 96.xx.xx.xx 96.xx.xx.xx ether1
1 ;;; Lan
192.168.1.1/24 192.168.1.0 192.168.1.255 ether2
2 192.168.2.1/24 192.168.2.0 192.168.2.255 ether4
3 192.168.3.1/24 192.168.3.0 192.168.3.255 ether9


[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.1.0/24
dst-address=0.0.0.0/0 out-interface=ether1

1 chain=dstnat action=netmap to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx dst-port=80

2 chain=srcnat action=masquerade src-address=192.168.2.0/24
dst-address=0.0.0.0/0 out-interface=ether1

3 chain=dstnat action=netmap to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080

4 chain=srcnat action=masquerade src-address=192.168.3.0/24
dst-address=0.0.0.0/0 out-interface=ether1

5 chain=dstnat action=netmap to-addresses=192.168.3.30 to-ports=0-65535
protocol=tcp dst-address=96.xx.xx.xx


[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ether1 1
1 ADC 96.xx.xx.xx/30 96.xx.xx.xx ether1 0
2 ADC 192.168.1.0/24 192.168.1.1 ether2 0
3 ADC 192.168.2.0/24 192.168.2.1 ether4 0
4 ADC 192.168.3.0/24 192.168.3.1 ether9 0
[admin@MikroTik] >

I want to be able to access the second web server from the outside and the application server.
The first server on ether2 port 80 is working fine.
How do I set up the rules for the other two servers?
I looked everywhere for some info on how to set up more than one web server facing the outside.
I want the traffic to be directed to the proper place either server1, server2 or the application server.
Thank You.

you must set action=dstnat
you can also use a single masquerade rule:
chain=srcnat action=masquerade out-interface=ether1

3 chain=dstnat action=netmap to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080


action=netmap should be changed to action=dstnat for rules 3 and 5

dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters


5 chain=dstnat action=netmap to-addresses=192.168.3.30 to-ports=2050
protocol=tcp dst-address=96.xx.xx.xx dst-port=2050

I made the change for rules 3 and 5 but I am not able to view web server 2 or 3.
The other rules remain the same.

I simplified the rules by following the suggestion from the forum, but the problem still persists. I am not able to access the 2nd server from the outside (view my web site).
My cheap router was able to do it.
The 1st server is viewable from the outside on port 80.
All 3 servers are able to connect to the net (I can use the browser and TeamViewer).
The 2nd and 3rd servers are not accessible from the net (cannot connect to port 8080).
I added two mangle rules to see if it would work but nothing happened.
Any suggestion will be appreciated.

0 chain=srcnat action=masquerade src-address=0.0.0.0/0 dst-address=0.0.0.0/0
out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx

2 chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080

3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=0-65535
protocol=tcp dst-address=96.xx.xx.xx

4 ;;; hairpin local server see each other
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24
dst-address=192.168.2.20 out-interface=ether2


Added mangle rules to see if that solves the problem:
[admin@MikroTik] > ip firewall mangle print

0 chain=input action=accept protocol=tcp dst-address=96.xx.xx.xx
in-interface=ether1 dst-port=8080

1 chain=forward action=accept protocol=tcp dst-address=192.168.2.20
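
Added example, not part of the original thread: RouterOS evaluates NAT rules top to bottom and the first matching dst-nat rule wins, so a rule without dst-port takes all TCP traffic for that address. The Python sketch below parses the dstnat rules from the post above and reports which ones are never reached; the function names are assumptions of this example, and it assumes no negated (!) matchers.

```python
import re

# dstnat rules copied from the post above (WAN address masked as on the page).
NAT_PRINT = """\
1 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx

2 chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080

3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=0-65535
protocol=tcp dst-address=96.xx.xx.xx
"""

NON_MATCH = {"chain", "action", "to-addresses", "to-ports"}  # not packet matchers
EXACT = ("protocol", "dst-address", "in-interface")          # compared as strings

def parse_rules(text):
    """Parse `ip firewall nat print` output into [(number, {key: value})]."""
    blocks = re.split(r"\n\s*\n", text.strip())
    found = [(re.match(r"\s*(\d+)\s", b), b) for b in blocks]
    return [(int(m.group(1)), dict(re.findall(r"([\w-]+)=(\S+)", b))) for m, b in found if m]

def ports(spec):
    """Expand "80", "80,443" or "1000-2000" to a set of ints; None means any port."""
    if spec is None:
        return None
    pairs = (p.partition("-") for p in spec.split(","))
    return {n for lo, _, hi in pairs for n in range(int(lo), int(hi or lo) + 1)}

def covers(early, late):
    """True if every packet matching `late` also matches `early` (conservative)."""
    unknown = set(early) - NON_MATCH - set(EXACT) - {"dst-port"}  # matchers not modelled
    if unknown or any(k in early and early[k] != late.get(k) for k in EXACT):
        return False
    e, l = ports(early.get("dst-port")), ports(late.get("dst-port"))
    return e is None or (l is not None and l <= e)

def shadowed(rules):
    """Return [(rule, earlier_rule)] for dstnat rules that first-match order never reaches."""
    dst = [(n, f) for n, f in rules if f.get("chain") == "dstnat"]
    hits = []
    for i, (n_late, late) in enumerate(dst):
        first = next((n for n, early in dst[:i] if covers(early, late)), None)
        if first is not None:
            hits.append((n_late, first))
    return hits

if __name__ == "__main__":
    print(shadowed(parse_rules(NAT_PRINT)))
```

Each pair reads as (rule that is never reached, earlier rule that already takes its traffic); giving every dst-nat rule its own dst-port, as in the final configuration at the end of the thread, yields an empty list.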

Have you some ip firewall filter rules?

No, the only rules that I have are the ones above.

The error could be in the web servers?
Are you sure they are reachable at ports 8080 and 2050?
Have you tried connecting to them directly (bypassing the NAT)?

P.S. rule 3 could also be:

3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=2050
protocol=tcp dst-address=96.xx.xx.xx dst-port=2050

I will try your suggestion and then post what happens.

Example that I found on the web of two web servers on one IP address:

http://wiki.mikrotik.com/wiki/Multiple_Web_Servers

reverse proxy server
http://barracudadrive.net/blog/2008/12/Running-two-web-servers-on-one-IP-address


http://lists.netfilter.org/pipermail/netfilter/2005-January/057959.html

#www.server1.edu

-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to 192.168.0.2:80

#www.server2.edu
-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to 192.168.0.3:80

iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT

In other places they talk about web proxy (Squid), Host Header (IIS), net loopback,
but I do not know if that applies. I am using a different subnet for each server.

I bought a switch (Netgear) to see if I could follow the example at the following link:
http://wiki.mikrotik.com/wiki/Multiple_Web_Servers.
I tried many configurations but nothing seems to work.
The problem is one ISP IP and three web servers.
The web servers need to be accessible from the internet, locally and 127.0.0.1.
The contents on the servers are dynamic.
The servers are working correctly; I tested them with the old router
(Netgear FVS318) and all the servers are accessible from the internet, locally and loopback.


ISP ----(ether1)Mikrotik router(ether2) ----- switch ---- 3 web server

96.xx.xx.xx ISP IP
192.168.1.0/24 (ether 2)

192.168.1.10 server1 IIS
192.168.1.20 server2 Apache
192.168.1.30 server3 Application Server

Any hint would be appreciated.
Any help is welcome.

I might not be understanding your problem correctly but I have 2 web servers on
my network and only one external IP. I use different incoming ports to get it to the
different web servers.

So if you want server 1 you go to http://196.xxx.xxx.xxx
and if you are looking for server 2, http://196.xxx.xxx.xxx:8087

/ip firewall nat
add action=dst-nat chain=dstnat comment="Server 1" disabled=no \
    dst-port=80 in-interface="PPPOE Interface" protocol=tcp \
    to-addresses=192.168.103.1 to-ports=80
add action=dst-nat chain=dstnat comment="Server 2" disabled=no \
    dst-port=8087 in-interface="PPPOE Interface" protocol=tcp \
    to-addresses=192.168.104.1 to-ports=80

Might not be the best way but it seems to work for me.

Hello Mohnki
I want to do exactly what you are doing.
One ISP IP and several servers.
ISP IP = 96.xx.xx.xx
webserver1 192.168.1.10 port 80 dynamic content
webserver2 192.168.1.20 port xxx dynamic content
appserver3 192.168.1.30 port xxx application server (share point)

I will try your suggestion as soon as possible.

Very interested to hear if it works.

Please let me know.

Thank you Rodolfo and Mohnki, the router is working.
I will be posting the code very soon so that other people can benefit if they are facing the same dilemma.

These are the settings; the two servers facing the web are working from the outside (web).
These are the only rules on the router.
I will be adding others later (127.0.0.1 and hairpin - later on security).
Additional info that could be helpful:

dstnat ===> input --> sent to ----> coming in
srcnat ===> output --> sent from ---> going out
If then
IP Calculator ---- bitckicket

Thanks to Rodolfo and Mohnki

IP firewall nat:
0 chain=srcnat action=masquerade src-address=0.0.0.0/0 out-interface=ether1

1 ;;; webserver1
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx dst-port=80

2 ;;; webserver1-oracle
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=1521
protocol=tcp in-interface=ether1 dst-port=1521

3 ;;; webserver2 sharepoint
chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=80
protocol=tcp in-interface=ether1 dst-port=200

4 ;;; webserver2-sharepoint adm
chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=21153
protocol=tcp in-interface=ether1 dst-port=21153

ip address print

ADDRESS NETWORK BROADCAST INTERFACE

0 96.xx.xx.xx/29 96.xx.xx.xx 96.xx.xx.xx ether1
1 192.168.1.1/24 192.168.1.0 192.168.1.255 ether2
2 192.168.2.1/24 192.168.2.0 192.168.2.255 ether3

ip route print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 96.xx.xx.xx 1
1 ADC 96.xx.xx.xx/29 96.xx.xx.xx ether1 0
2 ADC 192.168.1.0/24 192.168.1.1 ether2 0
3 ADC 192.168.2.0/24 192.168.2.1 ether3 0