Port forwarding

Hi everybody, what’s up? I’ve been working with MikroTik routers for some time, but I’m having problems with port forwarding and that’s why I’m contacting you.

Let’s start. I have some servers behind a MikroTik RB 150. I’ve forwarded the ports like everybody does with a NAT rule and it works great.

;;;; Server 
chain=dstnat action=dst-nat to-addresses=192.168.x.x to-ports=80 dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp

(the x is just to not show the IP)

But the problem is with the logs on the server. As it’s a NAT, all the external IPs (public IPs) from the internet are changed to the gateway’s IP on the internal network. So all the logs show 192.168.x.x (private) as the IP instead of the real external public IP of the visitor.

I have no idea how to solve this. I mean, that my Apache server logs the public IPs instead of the private one.

Any clue? Has anybody had this problem?

Thanks and hope I’ve been clear with the problem.

Yes, this is interesting, and it would be great if it could be done without assigning a public IP to the webserver. I have set up a webserver like this too, but this problem causes me some other problems with web applications. I hope someone knows if anything can be done!

leopepe, just disable a rule that masquerades all packets on your internal interface - why do you need it at all?

OK, it works.

This is my new masquerade rule.

chain=srcnat action=masquerade src-address=192.168.1.1-192.168.1.254

If I just disable this rule, the port forwarding works, but the servers can’t connect to the Internet.

Personally I prefer to use ‘out-interface=your_uplink’ instead of ‘src-address=’

Yes, I know. It’s the best option, but I don’t have time. I used the first option that works; in some days maybe I will change to ‘out-interface’.

Thanks.
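
Added example, not part of the thread: a small Python model of the NAT order discussed above (dstnat, routing decision, then srcnat) that shows which source address the web server would log under three masquerade rules. The interface names (ether1 as WAN, ether2 as LAN), all addresses and the unscoped rule are constructed assumptions; the other two rules follow the forms posted in the thread.

```python
import ipaddress

# Constructed lab values (not from the thread): ether1 = WAN, ether2 = LAN.
IFACE_IP = {"ether1": "203.0.113.10", "ether2": "192.168.1.1"}
LAN = ipaddress.ip_network("192.168.1.0/24")

def parse_rule(line):
    """Turn 'chain=srcnat action=masquerade ...' into a dict of key=value pairs."""
    return dict(tok.split("=", 1) for tok in line.split())

def in_range(addr, spec):
    """Match an address against an 'a-b' range, an 'a/len' prefix or a single IP."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def forward(src, dst, dport, nat_rules):
    """Return (src, dst) as the receiver sees them after dstnat, routing, srcnat."""
    rules = [parse_rule(r) for r in nat_rules]
    for r in rules:  # dstnat is applied before the routing decision
        if (r["chain"] == "dstnat" and r["action"] == "dst-nat"
                and in_range(dst, r["dst-address"]) and int(r["dst-port"]) == dport):
            dst = r["to-addresses"]  # to-ports equals dst-port here, port unchanged
            break
    out_if = "ether2" if ipaddress.ip_address(dst) in LAN else "ether1"
    for r in rules:  # srcnat is applied after routing, so out-interface is known
        if r["chain"] != "srcnat" or r["action"] != "masquerade":
            continue
        if "src-address" in r and not in_range(src, r["src-address"]):
            continue
        if "out-interface" in r and r["out-interface"] != out_if:
            continue
        src = IFACE_IP[out_if]  # masquerade takes the outgoing interface's address
        break
    return src, dst

DSTNAT = ("chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 "
          "dst-address=203.0.113.10 dst-port=80 protocol=tcp")
VARIANTS = {
    "unscoped": "chain=srcnat action=masquerade",  # assumed form of the old rule
    "src-address": "chain=srcnat action=masquerade src-address=192.168.1.1-192.168.1.254",
    "out-interface": "chain=srcnat action=masquerade out-interface=ether1",
}

def logged_client_ip(variant, client="198.51.100.7"):
    """Source address the web server would log for an inbound request on port 80."""
    return forward(client, "203.0.113.10", 80, [DSTNAT, VARIANTS[variant]])[0]
```

With the unscoped rule the server logs the router's LAN address for every visitor; with either scoped rule it logs the visitor's own address, while traffic from the LAN to the Internet is still masqueraded.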