Port forwarding with (loop) please help.

Hi guys, I need a little advice urgently. I have a web server on my local network; to make it accessible from outside I added this to the router:

/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.45 \
    to-ports=80

/ip firewall filter
add action=accept chain=input disabled=no dst-port=80 protocol=tcp place-before=3

Now when I access the server from outside (another location, external IP) and use the menus on the website, it works fine.

But the problem is when I access this web server from inside the local network. For example, I’m on 192.168.1.3 and the web server is on 192.168.1.45: I can access the web server, but as soon as I use the menus I get a 404 error. The problem is that the web server software was configured wrongly; its menu is configured to my external IP (ISP-given), so when I click on the Home button it goes to my external IP and from there to /home.html.
This is a kind of looping, so instead of going outside the local network it should stay inside on the 192… network, but because the web server software is closed code, I’m not able to change the external IP in the settings now, so I need to make sure this looping works.

On my other simple routers, Draytek Vigor and Linksys, it works fine, but on MikroTik it blocks it. Please help: how can I make sure that the router accepts the loop?

please anybody help asap.

thanks in advance.

Well it does not make sense to me that a web server is internally referring to an IP. It should just refer to a directory.

Are you sure your DNS is set up correctly on the MikroTik to access the web server from within?

Yes :slight_smile: the guy who set that up set it somehow wrongly, but he’s not available for the coming few weeks, so I have to solve it somehow temporarily.

Here you can see a copy of the links; I right-clicked on one of the menus and copied the link location:

http://xx.xx.x25.137/en.menu_5_1_1.html

it makes no sense you are right, but it is that way :slight_smile:

And it works fine in the basic routers such as Vigor Draytek, Linksys, Netgear etc… but not in this one.

anybody any idea ?

The answer is Hairpin NAT:
http://wiki.mikrotik.com/wiki/Hairpin_NAT

I have tried it, but it did not help :frowning:

This is the code I’ve used:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.45 protocol=tcp dst-port=80 \
out-interface=ether2-master-local action=masquerade

192.168.1.45 is my www server; the main LAN interface is ether2-master-local.

I still have this problem. The article from your link describes my situation precisely, but the code does not help :frowning:

any advice much appreciated.

thanks in advance.

Try it without specifying the dst-port:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.45 protocol=tcp \
out-interface=ether2-master-local action=masquerade

Also, do you have any bridge interface where ether2 is included? If yes, you should put the bridge as out-interface and not ether2.

OK, this one is better but not 100% :slight_smile: After adding this code, when I now go to the local IP of the www server, 192.168.1.45,
it directly shows my external IP in the address field and status bar, and after a while it loads a text-only page with links, so no full page is loaded.
And yes, you are right, I have a bridge interface; without putting it in the out-interface as you said it does not work at all, so we are near :slight_smile: but not there yet.
Any ideas from here? I’ve never seen something like that, nor have I seen any router with so much complicated stuff.

But you should put the external IP in the address bar, right? That is what the rule is for.

It is not “complicated”, it is just different from every day routers, with more features and flexibility to achieve what you want.

It does not matter if I put the external or internal IP; it’s opening, but only in text mode, so no styles, nothing is loaded. It’s just a blank page with links from the menu (blue colored) and no images etc… images are X, like blocked.
When I put the internal IP of the server, it changes it in the process to the external one automatically, and if I just go to the external address it starts to load the text-only version of the site, and it’s loading very slowly.

NO, this one definitely does not work. The first home page is loading well, but any sub menu is not loading at all.

please any advice is appreciated.

thanks in advance.

The fact that you can reach the page shows that the rule works. Why it is not showing the whole page correctly is another matter, for which I cannot think of any reason right now. If you disable the hairpin NAT rule and then access the server using the internal IP, how does the page load? Anyway, it is better if you post your NAT rules and filter rules here, to see if maybe any of those is causing the problem.

Thanks for helping out,

here is my config:

[admin@mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.1.45 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80

2 chain=dstnat action=dst-nat to-addresses=192.168.1.27 to-ports=10000-20000 protocol=tcp in-interface=ether1-gateway dst-port=10000-20000

3 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=143 protocol=tcp in-interface=ether1-gateway dst-port=143

4 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=110 protocol=tcp in-interface=ether1-gateway dst-port=110

5 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=987 protocol=tcp in-interface=ether1-gateway dst-port=987

6 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=443 protocol=tcp in-interface=ether1-gateway dst-port=443

7 chain=dstnat action=dst-nat to-addresses=192.168.1.27 to-ports=5060 protocol=tcp in-interface=ether1-gateway dst-port=5060

8 chain=dstnat action=dst-nat to-addresses=192.168.1.27 to-ports=5060 protocol=udp in-interface=ether1-gateway dst-port=5060

9 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=993 protocol=tcp in-interface=ether1-gateway dst-port=993

10 chain=dstnat action=dst-nat to-addresses=192.168.1.5 to-ports=25 protocol=tcp in-interface=ether1-gateway dst-port=25

11 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.45 out-interface=bridge-local




[admin@mikrotik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 chain=input action=accept protocol=tcp dst-port=80

4 chain=input action=accept protocol=tcp dst-port=10000-20000

5 chain=input action=accept protocol=tcp dst-port=143

6 chain=input action=accept protocol=tcp dst-port=110

7 chain=input action=accept protocol=tcp dst-port=987

8 chain=input action=accept protocol=tcp dst-port=443

9 chain=input action=accept protocol=tcp dst-port=5060

10 chain=input action=accept protocol=udp dst-port=5060

11 chain=input action=accept protocol=tcp dst-port=993

12 chain=input action=accept protocol=tcp dst-port=25

13 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
[admin@mikrotik] /ip firewall filter>
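
The NAT table printed above, traced for a LAN client that browses to the public address, as an added example that is not part of the thread or of MikroTik's documentation: it models dst-nat rule 1 and srcnat rule 11 in Python. `203.0.113.10`, `198.51.100.7`, the router LAN address `192.168.1.1` and `RULE_BY_ADDRESS` are assumptions made for the model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"     # constructed placeholder; the thread redacts the real address
ROUTER_LAN = "192.168.1.1"  # assumed router address on bridge-local (not in the thread)
LAN = ip_network("192.168.1.0/24")
SERVER = "192.168.1.45"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    in_if: str

# dst-nat rule 1 as printed in the thread: it matches on the ingress interface.
RULE_AS_POSTED = {"in_if": "ether1-gateway", "dport": 80, "to": SERVER}
# Hypothetical variant: match the public address, whatever the ingress interface.
RULE_BY_ADDRESS = {"dst": WAN_IP, "dport": 80, "to": SERVER}

def dstnat(pkt, rule):
    """Apply one dst-nat rule; a matcher the rule omits matches anything."""
    if (rule.get("in_if", pkt.in_if) == pkt.in_if
            and rule.get("dst", pkt.dst) == pkt.dst
            and rule["dport"] == pkt.dport):
        return replace(pkt, dst=rule["to"])
    return pkt

def trace(pkt, rule, hairpin):
    """Follow one new connection and report where it ends up."""
    pkt = dstnat(pkt, rule)
    if pkt.dst in (WAN_IP, ROUTER_LAN):
        return "router-input"   # not forwarded: the router itself receives the packet
    # srcnat rule 11: LAN source, server destination, out bridge-local -> masquerade
    if hairpin and ip_address(pkt.src) in LAN and pkt.dst == SERVER:
        pkt = replace(pkt, src=ROUTER_LAN)
    if ip_address(pkt.src) in LAN and pkt.src != ROUTER_LAN:
        # Same subnet: the server answers the client directly from 192.168.1.45,
        # but the client is waiting for a reply from the public address.
        return "reply-bypasses-router"
    return "ok"                 # reply returns via the router, which undoes the NAT

LAN_CLIENT = Pkt("192.168.1.3", WAN_IP, 80, "bridge-local")
WAN_CLIENT = Pkt("198.51.100.7", WAN_IP, 80, "ether1-gateway")  # constructed outside host

if __name__ == "__main__":
    for rule in (RULE_AS_POSTED, RULE_BY_ADDRESS):
        for hairpin in (False, True):
            print(rule, hairpin, trace(LAN_CLIENT, rule, hairpin))
```

With rule 1 as printed, the LAN client's request enters on bridge-local and never matches the dst-nat rule, so the masquerade rule is not reached. Only the address-matched dst-nat together with the masquerade rule returns `ok` for the LAN client.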

Nothing wrong there that I can see. Have you tested disabling the hairpin NAT rule and then accessing the server using the internal IP? How does the page load?
Also, is the IP of your LAN assigned on the bridge interface or on the ether2 interface? It has to be on the bridge interface.

If I disable the NAT rule and request the website with a local IP, I get the main page 100% good, but as soon as I use the menus (which are configured with the external IP) I get nothing at all.
If I enable the NAT rule then I do not get the home page 100%, only in text mode, and if I use the menu links I get nothing at all.
About the IP of the LAN: I don’t have DHCP, and all 4 ports have a connection; port number 2 (the first LAN port) is the main one, the other 3 are slave interfaces.

OK, I’ve got some news :slight_smile:

I have gained access to the web server via single user :slight_smile: made myself a second root and found the config file of the website; there I have changed the IP to the local IP. Now on my local network everything works perfectly. We actually use this server 95% locally in our office, so the biggest problem is solved, but a little new one has arisen: now the server is not accessible from outside :slight_smile: When you try to connect from another location it shows 192.168.1.45 in the status bar of Firefox/Explorer.
In my NAT and firewall rules I have already set forwarding to this server, but somehow it does not want to work. I have a feeling that this is not a problem with the router; I think that the web server config is not OK.

It is nice that you can pinpoint the problem. Hope you can resolve it as well.