Problem with forwarding port 80

Hello! Here’s the thing: I connected WAN (public IP) to MT and forwarded port 80 through NAT to my webserver, which has a local IP address (as presented here: http://wiki.mikrotik.com/wiki/Forwarding_a_port_to_an_internal_IP ). Works like a charm, but when I look into my server’s log, there is only one source IP for all the connections, and that is MT’s IP. Is there a way to forward port 80 AND have the real IPs of users who visit my site?

Thank you in advance

Olek

Can you post “/ip firewall nat”? That is usually an errant masquerade doing that.

It goes like this:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade protocol=tcp out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.150.100 to-ports=80
protocol=tcp dst-address=xxx.xxx.xxx.xxx in-interface=ether2 dst-port=80

Ether1 is my WAN, ether2 is a webserver with private IP (192.168.150.100). And xxx.xxx.xxx.xxx is my MT address.

Normally, the out-interface and the in-interface would be the same. I do not use a protocol on the masquerade. That could cause problems with UDP on the masquerade.

I would use this:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.150.100 to-ports=80
protocol=tcp dst-address=xxx.xxx.xxx.xxx dst-port=80

I reconfigured the NAT exactly like you suggested. Then I connected to my website from various computers, and still the only IP my stats are showing is MT’s IP. It’s frustrating.

Well, there is only one thing I can think of, and I don’t know if it makes a difference, but I disable the www service in the router if I redirect port 80.

/ip service 
disable www

Thank you for your advice, but still nothing. It should show users’ IPs from the get-go, but there’s still only one IP - MT’s one.

When you say “one IP - MT’s one”, do you mean it is showing as 192.168.150.1 or xx.xx.xx.xx?

The public one assigned to MT (xxx.xxx.xxx.xxx).

Uh, that is odd. If it was an errant masquerade in your router, it would have been 192.168.150.1, not the public ip.

Had you previously tried the web server without the router? Assigned it the public ip without the router? Do the logs look ok then?

What model router are you using? And the Mikrotik version?

Yes sir, I tried to put the server directly on the web and it worked just fine - meaning it logged all users’ IPs. But for security reasons (among others) I’d like it to work from behind MT. My MT model is RB750G, RouterOS 4.11.

Removing the router was not the goal. Just to determine if your ISP had an errant masquerade.

Since it is an RB750, and they are set up differently, have you removed all the default setup? It comes set up as a SOHO router.

No, I left it like it was. All I’ve done was configure NAT (as I pasted it) and add two ‘instances’ in /ip address - regarding my public and private IPs. That’s all.

I just checked with Apache and IIS, and both logs show the correct src-address.

Did you disable the dhcp client on port 0? If you have a public ip static assignment there, you probably should disable that.
/ip dhcp-client

If you are using static assignments on the localnet, you should probably disable the dhcp server there also.
/ip dhcp-server

Did you set these?
/ip route
/ip dns

Thanks to your advice I totally reset the system again. Then I typed in the NAT rules and IP addresses. Guess what? It worked! The statistics gathered proper IPs. I must mention I am in the same public IP class as the MT. When I tried to connect from outside, I couldn’t connect to my webserver. Then I spotted the cause of the problem. It’s the /ip route instance that was missing:

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 xxx.xxx.xxx.xxx 1

(xxx.xxx.xxx.xxx is gateway IP given to me by ISP)
Now I can connect to the site, but the statistics are wrong again. They only show the private IP (not the public one, like it was earlier) assigned to MT instead of users’ IPs. So the problem is 100% this one /ip route stanza. Now I’m trying to work out the right /ip route…

Since you redid everything, would you please post your new
/ip address
and
/ip firewall nat

I do not believe the route is the problem. That is a srcnat/masquerade problem.

/ip address:
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether3-local-slave [for MT webconfig]
1 83.xxx.xxx.9/25 83.xxx.xxx.0 83.xxx.xxx.127 ether1-gateway [WAN]
2 192.168.150.2/24 192.168.150.0 192.168.150.255 ether2-local-master [local network]

/ip firewall nat:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.150.100 to-ports=80
protocol=tcp dst-address=83.xxx.xxx.9 dst-port=80

/ip route:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 83.xxx.xxx.1 1
1 ADC 83.xxx.xxx.0/25 83.xxx.xxx.9 ether1-gateway 0
2 ADC 192.168.88.0/24 192.168.88.1 ether2-local-master 0
3 ADC 192.168.150.0/24 192.168.150.2 ether3-local-slave 0

/ip firewall filter:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Added by webbox
chain=input action=accept protocol=icmp

1 ;;; Added by webbox
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; Added by webbox
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 ;;; Added by webbox
chain=input action=drop in-interface=ether1-gateway

Plus I disabled DHCP client- and server-side. That's all, the rest are all factory presets.

You need to remove this.

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether3-local-slave [for MT webconfig]

All those etherX-local-slave interfaces are by default assigned to a switch. In my RB433, it is in
/interface ethernet

If you want to use those ethernet ports for separate localnets, you must remove those interfaces from the switch.

I removed that line; I also changed this and that in /interface ethernet:
Flags: X - disabled, R - running, S - slave

NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH

0 R ether1... 1500 00:0C:42:A5:DF:C4 enabled none switch1
1 R ether2... 1500 00:0C:42:A5:DF:C5 enabled none switch1
2 XS ether3... 1500 00:0C:42:A5:DF:C6 enabled ether2-local-... switch1
3 XS ether4... 1500 00:0C:42:A5:DF:C7 enabled ether2-local-... switch1
4 XS ether5... 1500 00:0C:42:A5:DF:C8 enabled ether2-local-... switch1

Unfortunately, it didn't help. Still, connecting from various places, I have only one source IP in my webserver log: 192.168.150.2. I feel totally lost. It should work, but for some reason it looks hopeless!

Never give up! Never surrender! It is only hopeless when the fat lady sings.

Now it is showing the correct source ip for a NAT malfunction. That is the ip your log would show if there were a masquerade on ether2-local-master.

Maybe someone who is a little more experienced with a RB750 will see something else.
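To make the diagnosis above concrete (the suggested rules earlier in the thread, and the closing remark that 192.168.150.2 in the log is what a masquerade on ether2-local-master would produce), here is an added example that is not part of the thread, the MikroTik wiki, or RouterOS itself. It is a small Python model of RouterOS's dstnat (pre-routing) and srcnat (post-routing) chains as first-match rule lists, followed by the routing decision that picks the out-interface. The addresses are constructed: 203.0.113.9 stands in for the router's public 83.xxx.xxx.9, 198.51.100.20 for an Internet visitor, and 192.168.150.50 for a LAN client. The model shows which source address the web server logs under the suggested rules, under a masquerade that is not restricted to the WAN interface, and for the hairpin case where a LAN client hits the public address.

```python
"""Model of RouterOS dstnat/srcnat processing for a forwarded port.

Added example (not RouterOS code, not from the thread). Addresses are
constructed stand-ins: 203.0.113.9 plays the router's public 83.xxx.xxx.9.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.9"        # assumed stand-in for 83.xxx.xxx.9
ROUTER_LAN_IP = "192.168.150.2"  # router's address on ether2-local-master
WEB_SERVER = "192.168.150.100"

# Constructed routing table: longest-prefix match yields the out-interface and
# the address the router would stamp on the packet if it masquerades there.
ROUTES = [
    (ipaddress.ip_network("192.168.150.0/24"), "ether2-local-master", ROUTER_LAN_IP),
    (ipaddress.ip_network("0.0.0.0/0"), "ether1-gateway", PUBLIC_IP),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"


def route(dst):
    """Return (out_iface, masquerade_src) for a destination address."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def matches(rule, pkt, out_iface):
    """A rule matches when every matcher it specifies agrees with the packet."""
    exact = {"protocol": pkt.proto, "in-interface": pkt.in_iface,
             "out-interface": out_iface, "dst-port": pkt.dport}
    for key, value in exact.items():
        if key in rule and rule[key] != value:
            return False
    for key, value in (("dst-address", pkt.dst), ("src-address", pkt.src)):
        if key in rule and ipaddress.ip_address(value) not in ipaddress.ip_network(rule[key]):
            return False
    return True


def apply_nat(rules, pkt):
    """dstnat before routing, then route, then srcnat; first match wins per chain."""
    for rule in (r for r in rules if r["chain"] == "dstnat"):
        if matches(rule, pkt, out_iface=None):
            pkt = replace(pkt, dst=rule["to-addresses"], dport=rule.get("to-ports", pkt.dport))
            break
    out_iface, masq_src = route(pkt.dst)
    for rule in (r for r in rules if r["chain"] == "srcnat"):
        if matches(rule, pkt, out_iface):
            if rule["action"] == "masquerade":
                pkt = replace(pkt, src=masq_src)  # source becomes the router's own address
            break
    return pkt, out_iface


DST_NAT_80 = {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp",
              "dst-address": PUBLIC_IP, "dst-port": 80,
              "to-addresses": WEB_SERVER, "to-ports": 80}

# Rules as suggested in the thread: masquerade only on the WAN interface.
SUGGESTED = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1-gateway"},
    DST_NAT_80,
]
# The failure mode named at the end of the thread: a masquerade that also
# fires on traffic leaving towards the LAN (here: no out-interface at all).
ERRANT = [
    {"chain": "srcnat", "action": "masquerade"},
    DST_NAT_80,
]
# Hairpin NAT for LAN clients using the public address: this extra rule makes
# replies flow back through the router, at the cost of the real client IP.
HAIRPIN = SUGGESTED + [
    {"chain": "srcnat", "action": "masquerade", "src-address": "192.168.150.0/24",
     "dst-address": WEB_SERVER, "out-interface": "ether2-local-master"},
]


def server_sees(rules, client_ip, in_iface):
    """Source and destination the web server observes, plus the out-interface."""
    pkt = Packet(src=client_ip, dst=PUBLIC_IP, dport=80, in_iface=in_iface)
    pkt, out_iface = apply_nat(rules, pkt)
    return pkt.src, pkt.dst, out_iface


if __name__ == "__main__":
    for name, rules, client, iface in [
        ("suggested, Internet client", SUGGESTED, "198.51.100.20", "ether1-gateway"),
        ("errant masquerade, Internet client", ERRANT, "198.51.100.20", "ether1-gateway"),
        ("suggested, LAN client via public IP", SUGGESTED, "192.168.150.50", "ether2-local-master"),
        ("hairpin, LAN client via public IP", HAIRPIN, "192.168.150.50", "ether2-local-master"),
    ]:
        src, dst, out = server_sees(rules, client, iface)
        print(f"{name:40s} server logs src={src} (to {dst} via {out})")
```

The second case reproduces the symptom in the last posts: with a masquerade that is not pinned to ether1-gateway, every forwarded connection reaches the server with the router's LAN address 192.168.150.2 as its source, so the web log (and anything keyed on client IP, such as rate limiting or ban lists) loses the real visitor. The third case shows why the test from inside the same network can mislead: without a hairpin rule the server sees the LAN client's address, but replies go straight back on the LAN rather than through the router; adding the hairpin rule fixes the path and brings back the router address in the log, which is what the poster observed when testing from the router's own address range.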