Redirect to Internal Web Server without PPPoE or Hotspot

Hi! Need some help!

  • I don't use HotSpot or PPPoE. I just use IPxMAC to give access to the machines inside my backbone with NAT.

  • I use MK 2.9.49

If I use the following rules:

/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=200.98.249.120 to-ports=80
src-address=10.0.0.248 dst-address=!10.0.0.2 dst-port=80 protocol=tcp
connection-limit=!1,24 comment="" disabled=no

10.0.0.248 = my machine
10.0.0.2= my gateway
200.98.249.120= ip from any website

With these rules everything works fine: when I open the browser I see the website page on 200.98.249.120 only once, instead of my Internet Explorer initial page. When I click on "reload" everything comes back to normal.

But, if I redirect to an internal machine with a server (web server) the rule doesn't work:

/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.200 to-ports=80
src-address=10.0.0.248 dst-address=!10.0.0.2 dst-port=80 protocol=tcp
connection-limit=!1,24 comment="" disabled=no

If I type http://10.0.0.200 in my browser I can see the webpage on the web server, so the problem is in my MK.

Now, if I type these rules:

/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=889
src-address=10.0.0.248 dst-address=!10.0.0.2 dst-port=80 protocol=tcp
connection-limit=!1,24 comment="" disabled=no

I see the MK Admin page only once, and when I click "refresh" I can see my initial page!!!

So I realized that I can redirect to a webpage outside my network or to the MK machine itself, but can't do this redirection to a machine inside my network.

A friend told me to use this rule under my rules:

add chain=srcnat out-interface=(internal interface) action=masquerade comment="NAT - Internal Web Server" disabled=no

but no success again...

Could anyone help me to solve this question?

I found many solutions, but from people who use HotSpot or PPPoE, and this is not my case.

Thanks!

Fabricio

fabricioviana -

Well, it sounds like you are trying to redirect 'someone' to your internal web server who is coming in on your internal interface...

Now the way you put things in general above, this web server has a public IP that can be seen from the outside world, you are just trying to redirect everyone ‘inside’ your network to this web server.

This is an 'old' issue that has several fixes. It all depends on what your end goal is... The basic issue is that when you go to the 'net, the IP address is resolved via DNS. Your redirection rules are trying to get to your internal web server via the public IP for the web server, because you have NAT turned on and DNS says the web server is here (public IP), not there (private IP). So the short answer is: redirect the requests to your public IP for the server you want.

Example:
chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 in-interface=Local_lan dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp

where xxx.xxx.xxx.xxx is the public IP of your internal web server.
where 192.168.1.2 is the internal IP of the web server.

Be forewarned: this will redirect EVERY web request to this address...

R/
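The behaviour described in this thread (redirecting to an outside site or to the router itself works, redirecting to a host on the same LAN fails unless the friend's srcnat masquerade rule is present) is the classic hairpin NAT problem: after dst-nat, the web server sees the client's real LAN address and answers it directly over the same subnet, so the reply never passes back through the router and the client receives a SYN-ACK from 10.0.0.200 instead of from the address it actually connected to, and drops it. The following Python model is an added illustration written for this page, not code from either poster or from MikroTik; it uses the addresses from the thread as constructed sample values, ignores port translation, and treats the NAT as a simple conntrack table so that the three cases the original poster observed can be reproduced side by side.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed topology, reusing the addresses quoted in the thread.
CLIENT = "10.0.0.248"        # the poster's machine
ROUTER_LAN = "10.0.0.2"      # the MikroTik's LAN address (the gateway)
SERVER = "10.0.0.200"        # the internal web server
PUBLIC_SITE = "200.98.249.120"  # "ip from any website"
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(addr: str) -> bool:
    """True for hosts on the LAN segment other than the router itself."""
    return addr.startswith(LAN_PREFIX) and addr != ROUTER_LAN


class Router:
    """Minimal stateful NAT: dstnat on the way in, optional masquerade on the
    internal interface (the friend's srcnat rule), and reversal of both on
    replies that actually come back through the router."""

    def __init__(self, dstnat_to: str, hairpin_masquerade: bool):
        self.dstnat_to = dstnat_to
        self.hairpin = hairpin_masquerade
        # (translated src, sport, dst, dport) -> original packet
        self.conntrack: dict = {}

    def forward(self, pkt: Packet) -> Packet:
        # dstnat: port-80 traffic not aimed at the router itself is rewritten
        # to the chosen target (models the poster's dst-nat rule).
        out = replace(pkt, dst=self.dstnat_to) if (
            pkt.dport == 80 and pkt.dst != ROUTER_LAN) else pkt
        # srcnat masquerade on the internal interface: only fires when the
        # packet leaves on the same LAN it arrived from (hairpin).
        if self.hairpin and on_lan(out.src) and on_lan(out.dst):
            out = replace(out, src=ROUTER_LAN)
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        # Look up the reply by the reversed tuple and undo both translations.
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None  # no state: the reply would be dropped
        return Packet(src=orig.dst, sport=orig.dport,
                      dst=orig.src, dport=orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source it saw on the incoming SYN."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def client_accepts(sent: Packet, received: Packet) -> bool:
    """A TCP client only accepts a SYN-ACK from the 4-tuple it connected to."""
    return (received.src == sent.dst and received.sport == sent.dport
            and received.dst == sent.src and received.dport == sent.sport)


def simulate(target: str, hairpin: bool) -> bool:
    """Client opens 200.98.249.120:80; the router dst-nats it to `target`.
    Returns True when the client ends up with a usable connection."""
    router = Router(target, hairpin)
    syn = Packet(CLIENT, 40000, PUBLIC_SITE, 80)
    at_server = router.forward(syn)
    synack = server_reply(at_server)
    if on_lan(at_server.dst) and on_lan(synack.dst):
        # Server and client share a subnet: the reply is delivered directly
        # (ARP), so the router never sees it and cannot un-translate it.
        delivered: Optional[Packet] = synack
    else:
        delivered = router.reply(synack)
    return delivered is not None and client_accepts(syn, delivered)


if __name__ == "__main__":
    print("redirect to outside site      :", simulate(PUBLIC_SITE, False))
    print("redirect to router itself     :", simulate(ROUTER_LAN, False))
    print("redirect to LAN server, no masq:", simulate(SERVER, False))
    print("redirect to LAN server + masq :", simulate(SERVER, True))
```

The model reproduces what the poster saw: the first two cases succeed because the reply has to cross the router anyway, the third fails because the server answers the client directly with the wrong source address, and the fourth succeeds because masquerading on the internal interface forces the server to answer the router, which then restores the original addresses. The caveat in the reply above still applies to any real rule set: a dst-nat that matches all port-80 traffic from a client will capture every site that client visits, so matching on the server's own public address (as the reply suggests) or on a specific destination keeps the redirect narrow.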