I cannot get to communicate from the LAN, using the public IP address, to a server behind the same NAT.
I cannot use DNS, because I need to use only public IP addresses.
Two years ago I found how to solve the problem on an old Mikrotik, but now I can't!
The scenario is simple: one server on the local network, and I want to access it using its public IP from the local network.
I searched this forum forward and back and tried lots of examples, and I still cannot get it to work. Some other user said he solved it by adding another rule for UDP, but that didn't work either.
romaxe -
A little more info would be helpful - is your NAT’ing router a Mikrotik? Where is it located in your network (public / private)? Where is ‘your’ local LAN in regards to the server (routers in between?)?
Yes, of course, I am using a mikrotik (bought 6 months ago).
The router is in the middle, between the Internet and the LAN (it is my gateway).
I have seen this problem with a lot of people (not professionals, like me, if I can say that). I know this is not a problem; it is just that users without the right knowledge can't make it work.
The scenario is, I have a webserver inside my local network. I can access my webserver from the internet without any problems, but not from inside my local network.
[admin@Mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade Red Local
chain=srcnat action=masquerade src-address=10.10.0.0/24
1 ;;; Entrada para web
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=Internet_Uplink dst-port=80 protocol=tcp
Put the rules in order as below - rule ‘0’ stays where it’s at.
1;;; to local web server from LAN
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=LAN INTERFACE NAME dst-port=80 protocol=tcp
2;;; Entrada para web from the Internet
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=Internet_Uplink dst-port=80 protocol=tcp
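A complete RouterOS hairpin NAT rule set for the addresses romaxe posted, added here as an illustration; it is not taken from either post. It keeps the two dstnat rules above and adds the srcnat half that the client side needs: when a LAN client reaches the server through the public address, the server must see the router, not the client, as the source. Otherwise it answers the client directly from 10.10.0.1 and the client discards a reply it expected from 200.10.22.10. The interface names LAN and Internet_Uplink are assumptions (LAN stands for whatever bridge or ether port carries 10.10.0.0/24). The same four rules, with 192.168.0.0/24, 192.168.0.100 and a single public address substituted, apply to the one-public-IP setup discussed further down in the thread.

```routeros
# Added example, not from the thread. Hairpin NAT on RouterOS for:
#   LAN 10.10.0.0/24, web server 10.10.0.1, public IP 200.10.22.10.
# Interface names "LAN" and "Internet_Uplink" are assumed.
/ip firewall nat

# 1. Port forward from the Internet (same as rule "Entrada para web").
add chain=dstnat in-interface=Internet_Uplink dst-address=200.10.22.10 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.0.1 to-ports=80 \
    comment="web from Internet"

# 2. The same port forward for LAN clients that use the public IP.
#    Without it the packet is never translated; it reaches the router's own
#    www service (or is dropped) instead of the server.
add chain=dstnat in-interface=LAN dst-address=200.10.22.10 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.0.1 to-ports=80 \
    comment="web from LAN (hairpin)"

# 3. Rewrite the source of the hairpinned flow to the router's LAN address,
#    so the server's reply comes back through the router and is un-NATed
#    to 200.10.22.10 before the client sees it. Matches only LAN->server:80.
#    (romaxe's original masquerade rule has no out-interface and so already
#    covers this flow; keeping a dedicated rule lets rule 4 be tightened.)
add chain=srcnat src-address=10.10.0.0/24 dst-address=10.10.0.1 \
    protocol=tcp dst-port=80 out-interface=LAN action=masquerade \
    comment="hairpin srcnat"

# 4. Ordinary masquerade for Internet-bound traffic, pinned to the uplink so
#    that routed LAN-to-LAN traffic is not rewritten by accident.
add chain=srcnat src-address=10.10.0.0/24 out-interface=Internet_Uplink \
    action=masquerade comment="Masquerade Red Local"
```

To check it, open http://200.10.22.10/ from a LAN client and run `/ip firewall nat print stats`: the packet counters on the "web from LAN (hairpin)" and "hairpin srcnat" rules should climb, and `/ip firewall connection print` should list the flow with 10.10.0.1:80 as its destination. Rule 2 is the part that the "in-interface=Internet_Uplink only" advice elsewhere in the thread removes; restricting dstnat to the uplink is good against spoofing from outside, but then LAN clients must be matched by a second dstnat rule as above.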
I have 2 internet connections and I have mangle rules to always reply using the same link the connection came from.
This is where I took the example for what I am using on my Mikrotik, and it is working fine.
Maybe this could be causing some trouble with the other rules you told me about.
Hello galaxynet, I checked again and you are correct. You are right.
I disabled all mangle rules for a few seconds and then tried a telnet to the webserver, and it worked. Then I re-enabled all mangle rules and telnet didn't work again.
That's a big step. PROBLEM FOUND.
Now I have to figure out how to make it all work together!
romaxe -
Perhaps something like this as your FIRST mangle rule will help…
chain=prerouting in-interface=3-Internal dst-address=200.10.22.10 action=mark-connection new-connection-mark="INTERNAL WEB SERVER" passthrough=no
This would mark the connection as something different from your other connections and also would not allow the connection to go through any more mangle rules (passthrough=no). It might have to be in the forward chain - since I do not know what else you have in your router, I am just giving you what may work and/or what to look at to get you to the correct answer.
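An added example (not from the post above) of keeping the hairpin flow out of the mark-routing rules that steer traffic to the two uplinks. It uses action=accept instead of the mark-connection/passthrough=no variant suggested above; in mangle, accept stops rule processing for that packet just the same, so the flow falls through to normal routing and is delivered on the LAN. Two rules are needed because mangle prerouting runs before dst-nat in the RouterOS packet flow: the client's request still carries the public address 200.10.22.10 there, while the server's reply (after a hairpin masquerade) is addressed to the router's LAN IP inside 10.10.0.0/24. Assumed names: LAN interface 3-Internal (as in the post), LAN 10.10.0.0/24, public IP 200.10.22.10, server 10.10.0.1.

```routeros
# Added example, not from the thread. Exempt hairpin traffic from policy
# routing. Assumed: LAN interface "3-Internal", LAN 10.10.0.0/24,
# public IP 200.10.22.10, web server 10.10.0.1.
# "accept" in mangle ends rule processing for the packet, so both rules must
# sit above every mark-routing rule; place-before puts them at the top.
/ip firewall mangle

# Anything from the LAN that is bound for the LAN itself, including the web
# server's reply, which after the hairpin masquerade is addressed to the
# router's own LAN IP. Never gets a routing mark, so it cannot be pushed into
# a WAN-only routing table.
add chain=prerouting in-interface=3-Internal dst-address=10.10.0.0/24 \
    action=accept place-before=0 comment="LAN-bound: no routing mark"

# The client's request to the public IP. dst-nat has not happened yet at
# this point, so the destination is still 200.10.22.10.
add chain=prerouting in-interface=3-Internal dst-address=200.10.22.10 \
    protocol=tcp dst-port=80 action=accept place-before=1 \
    comment="hairpin to web server: no routing mark"
```

Confirm the order with `/ip firewall mangle print`: these two must be listed before any rule whose action is mark-routing. If the marks are applied in another chain, move the accepts there, but keep them first.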
Yes… something like this is what I was trying last night. But MT is producing a delay of almost 2 seconds before the server replies. Very weird, I know.
The problem I have is that all the other rules mark routes, for routing through specific gateways. And on my local network I don't have a gateway…
Sorry, I am noobish. For me everything is trial and error…
I will try again later when I get my hands on the MT.
Hello.
I have the same problem mentioned above, but none of the solutions seem to work.
I have two interfaces on the router - Internal and External, and there is a webserver on the internal network.
But this doesn’t work if requests to the webserver come from the internal network.
How it works: When a client from the internal network (192.168.0.31) asks for 85.254.xxx.xxx, the webserver (192.168.0.100) receives a request from 192.168.0.31 and replies to 192.168.0.31, but the client expects a reply from 85.254.xxx.xxx, so nothing works in the end. The router applies only my NAT rule 1 and keeps the source address 192.168.0.31.
How it should work: The router should first apply my NAT rule 0, as the connection actually goes through the External interface. Only then should it apply rule 1, and the webserver should receive the request from 85.254.xxx.xxx, then reply to 85.254.xxx.xxx, and finally it should be NATed back to 192.168.0.31.
This is also the way all cheap routers do it.
Then why doesn’t it work as it should on RouterOS? I have tried to change many things, but I only get Connection Timed Out.
BTW, I use RouterOS 2.9.46
Do you have DNS entry to your web server? You’ll need it for this to work - or at least a DDNS address…
First - If you want to masq the internal to the external make sure you use your internal address space as the ‘qualifier’ - as in if your internal address space is 192.168.0.0/24 then be sure to add that as the src-addr and then use the outgoing interface. This keeps ‘stray’ address space from getting masq’d as well.
Second - Since you are using dst-nat - make sure to use your ‘External’ interface as the qualifier as the ‘incoming’ interface - that will also keep spoofing down to minimum.
Once you do the above that should fix your issue. Please post back your results so others can learn as well.
Thank you for your reply.
I have a DNS server on the same machine as the webserver, but DNS works fine also from the internal network, since the DNS query goes through the ISP’s server and then comes back.
And now, as I write the external address in the browser window, there is no more dst-nat to the server, but Mikrotik’s webbox interface comes up. From outside everything works fine.
I am confused. Isn’t an IP address associated with an interface? If I send something to the external IP address, shouldn’t it also go through the external interface? It seems that it does not. Does this really work for all those who use this dst-nat?
The “Bridge” thing is only required if my device were something like a network switch. It is not needed for routing. ← is this correct?
There is also a section called “NAT” in the Bridge section. In the manual there is zero explanation of what this section actually does.
What you are describing sounds like you only have a single IP address - is that correct?
I did not take into account your rules and the order above. Your webserver has to have its address src-nat’d (not masq’d) BEFORE you masq the rest of your internal network. Rules are executed in order (by src-nat then dst-nat).
An IP can be associated with an Interface - it can also be associated to other IP addresses with NAT and Masq. There is also bridging and routing which can make IP addresses appear in other locations - out of the scope of this thread but felt it was worth mentioning because of your comments above.
NAT under bridge works the same way as ‘normal’ nat. You just have to use it under the Bridge interface and not the standard IP/ Firewall / Nat section.
Yes, I have a single IP address and my internal network is masqed behind it.
It seems that nothing works for me. Anyway, it is actually not very important for me right now to access my webserver from the internal network, so I’ll just leave it as it is. I just wanted to figure out what I do wrong, because I took the configuration rules from the manual and from wiki.mikrotik.com.
By the way, are there really any other differences between src-nat and masquerade than that I have to manually enter to-address and to-port for src-nat, whereas to-address is determined automatically for masquerade?
AigarsABCD -
It is still possible to see your webserver with only 1 IP address - I just needed to know what you had… You should be able to change the www port on the router - to, say, 81 or 8080 - and then your dst-nat rule will work. Your webserver will still have port 80 as the ‘default’ web server port while the MT will have 81 or 8080…
There are reasons for src-nat and masq once you’ve done this a while it will be apparent. But as you surmised the main difference is you have the option to designate ports in src-nat and dst-nat, whereas masq has no such options…
Hi again!
I finally have found a solution to my problem discussed above.
I had 2 NAT rules, but the second did not work from the internal network. I just took out the bolded part and it seems to work now.
So why is the out-interface so important there? I have seen it in every example. Looks that it just makes problems.
Now everything that comes from internal network through the router, is masqed whether it goes really out to external or not. Am I right?