RB750G port forwarding

ozolsk · December 5, 2010, 1:26pm

Hello,
i set up port forward
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

Now it works from outside, for example 159.148.60.20:1234, (my IP)
but when i try to connect from computer in my network, it doesn’t forward to right computer.

I need to create another rule?

mrz · December 6, 2010, 12:52pm

This is because devices are from the same network and can reach each other directly.

http://wiki.mikrotik.com/wiki/Hairpin_NAT

ozolsk · December 6, 2010, 8:46pm

thanks for your replay!

but i have another question.
In the link, there is note:
“The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service.”

How to make it “broader”, if i have multiple servers and ports?

fewi · December 6, 2010, 8:49pm

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade

becomes

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.0/24 \
  out-interface=LAN action=masquerade

That would be about as broad as you could get. Of course you need to adjust for your own IP addressing scheme.

DonGould · January 3, 2011, 7:41am

What do I need to set up to make a dns entry resolve to the right places?

eg.

www.my750g.co.nz → myPublicIP… -->iface1<–RB750G–>iface2(192.168.2.1)<-dumb switch->192.168.1.150(MyWebServer)

How do I set up the dns correctly so that my desktop(192.168.1.123) also sees ‘myWebServer’ for port 80…

With my old linux box this was simple… I just ran the web server on 192.168.2.1 and if I wanted to expose the web server on .150 I’d just use a rewrite rule on apache on .1 to write the content from .150.

But with my new 750 as the firewall I’m not running a web server on it but I still want my domain name to resolve correctly for each service.

ssh for example I want to go to the 750.

SMTP & www I want on .150

Can anyone point me to what I need to read or share some example set up scripts?

TIA

D

fewi · January 3, 2011, 2:06pm

Just port forward only the relevant services to whatever machine runs them. Maybe I’m misunderstanding what you’re trying to do?

DonGould · January 4, 2011, 12:10am

In my case I just recently had a site where the customer was using an ip address to direct traffic at a database/application server.

The client software was configured the same for users both in the building on the local lan and outside the building at remote sites.

The Thompson router supplied by the ISP simply redirected the requests for the ip/port combination to the internal machine.

Even the internal machine (server) was being used as a client, and it’s client software would send requests to the router which would then come back at it self. (Yes I know how dumb that sounds, but it worked and they weren’t about to pay anyone to set up a more technically better solution).

However, I can see what the 750 can do, so I think I’ll go off and have a play and just nut it out.