redirecting traffic

Can someone please give me some advice on the following:
We have a ROS 2.8 with three interface cards. RouterOS has 192.168.44.0/24 on one of these NICs. There’s a web server on this subnet having address 192.168.44.112. All 192.168.44.0/24 clients are masqueraded on a single public address. The public IP address is NATted to the private 192.168.44.112 address of the web server. Clients on the 192.168.44.0/24 subnet need to have their hosts files updated in order to view websites on the 192.168.44.112 server. What I wish to accomplish is when a client on the 192.168.44.0/24 subnet tries to fetch a page from the public address, he’s automatically redirected to the internal address of the web server (192.168.44.112). Mind you, clients are ON THE SAME network as the web server.
So, say the public address of the web server (which is NOT an interface on the RouterOS itself!) is 87.X.X.X, and internal address of the web server is 192.168.44.112. A client having the address 192.168.44.59 tries to view a page which resolves to 87.X.X.X. I wish to have the user be able to view the page without any intervention on the client machine. Any help is much appreciated!

First off, you should upgrade your version of RouterOS. Its implementation of web proxy isn’t as refined as in recent versions.

I think you need transparent web proxy.

Your scenario sounds similar to Example 3 in the following link:
http://wiki.mikrotik.com/wiki/Examples_for_Use_Caching_Server_(5_Main_Idea’s)

Use parent proxy, specifying the web server’s ip address and port instead of the firewall rule. Not to worry, transparent proxy is enabled by default in routeros 3.x

Thank you for the reply. I will give the web proxy solution a try.

Actually, the web proxy solution is less than needed. Accessing web pages from the internal LAN is just one problem. Other problems that arise are the following:
We have an Asterisk PBX on the internal LAN set up for voicemail. When someone leaves voicemail the Asterisk box sends the voice message as an attachment in an email message. It sends the message to the publicly registered MX records for the domain which is registered in the configs for the SIP user, which is the same server (87.X.X.X). The email message never gets delivered because the Asterisk box tries to send it to 87.X.X.X which it can never reach.
Can our network be so organized that when somebody on the internal LAN attempts to access 87.x.x.x, he actually begins communicating with 192.168.44.112?

Make a MT box your DNS server and add a static entry for your server, but with your local address. All devices using this DNS server will resolve to your static IP first.

I have a bunch of servers in the internal LAN any of which can be made a DNS server. But, the main server at 192.168.44.112 is a hosting server, sites get added and deleted. Every time a DNS zone is added I would have to add a DNS zone on the second DNS server.

Is there no way of doing this? Some combination of src-nat/dst-nat may be?
Last year I managed to do the following:
Clients connect to the MT box via L2TP and establish a VPN connection. I wanted to have a quick way of seeing their screens while out of the office by connecting the VNC client to the public IP address of the MT box and a certain port. In other words, client X having connected to public_address and been assigned address VPN_address_X, I connect to him by pointing the VNC client to public_address:port_XXX; for client Y with VPN address VPN_address_Y I connect to public_address:port_YYY.

I’m sure there has to be some way of doing this, may be similar to the above. I just can’t figure it out in full.

Good luck with that one.
Will you post your stuff here when you found a solution?

Sure, but I’m not getting anywhere so far.

Any luck yet? I’m in the same boat, and have resorted to using a different DNS that maps mail servers and things to the internal IPs.

The problem isn’t with getting TO the internal hosts from other internals, but the reply packets. I seem to remember some sort of TCP redirect that when a request gets sent out, that host (the outside IP) sends a packet back saying where the new host has moved to. I saw this behavior when dealing with two routers on the same subnet, client using Router1, and that router sending to Router2 on the same subnet. Router1 would send a packet back to the client essentially saying “you should talk to Router2 directly”…

Here’s what’s going on…
client 192.168.1.50 looks up mail.blah.com, which resolves to 66.11.22.192 (external IP), packet gets sent to MK’s outside IF, then dst-nat to 192.168.1.192. However, source is still 192.168.1.50, so the mail server sends the reply to 192.168.1.50 directly… Well, 192.168.1.50 basically is thinking “umm.. I’m waiting for a response from 66.11.22.192, this packet from 192.168.1.192 is bogus”.

So the only solution I can think of is the odd DNS for internal hosts/servers. But if you are constantly adding/deleting domains, it can get annoying. For me, I make all my domains hosted on a particular server use the same zone file.. sort of like “pleskvhost.db”, thus I only have to play with named.conf for add/del domains.

It would be nice if MT added a feature like the Cisco ASA DNS rewrite - any DNS reply that passes through the firewall and contains an A record that gets NAT’d by the firewall itself gets rewritten to contain an A record with the translated IP. The feature is particularly useful for smaller sites that must host DNS externally. Maintaining split DNS is rather painful and error prone.

Well, I got a call earlier today from a customer who is multihomed, which I forgot about… so playing games with DNS doesn’t work sometimes, as there’s no telling which link they’ll NAT out of, and what DNS they’ll use.

So I guess that means another vote for sticking the servers on a separate vlan/subnet, but the servers themselves will still need the whacky DNS to talk amongst themselves (as the original poster mentioned, the VoIP server sometimes sends mail to the mailserver).

What I’m trying to do now is create a rule that adds a sort of reverse masquerade. So when the internal machine connects to the external IP, MK will do the masquerade and make the src address the external address, and the dst address the dst-nat address. Thus, the internal server will see the request as if it came from the internet (external IP from MikroTik), it’ll send the reply back to MikroTik, which will then masquerade it back to the client.
The problem is how do you apply multiple rules to the same packet to really mangle the heck out of things?

you do not need mangle to masquerade. just /ip firewall nat add chain=srcnat dst-address=your_server’s_address action=masquerade disabled=no place-before=0

but in that case you will lose the ability to distinguish clients’ IPs
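The complete rule set that the last two replies describe (the existing dst-nat plus a second, restricted masquerade so the server’s reply comes back through the router instead of going straight to the client on the same subnet) is shown below as an added example; it is not from this thread or from MikroTik’s documentation. It assumes RouterOS 3.x-style syntax, that ether1 is the Internet-facing interface and ether2 the 192.168.44.0/24 interface (both names are assumptions), that 87.X.X.X is the placeholder public address from the thread, and that the LAN clients use this router as their default gateway so their packets to 87.X.X.X actually pass through it.

```routeros
/ip firewall nat
# 1) Existing outbound masquerade for the LAN; matched only when the packet
#    leaves towards the Internet, so hairpinned traffic (which leaves via ether2)
#    never hits this rule.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# 2) Existing 1:1 mapping of the public address to the web/mail server.
#    No in-interface is given on purpose: it must also match packets that
#    arrive from the LAN side addressed to 87.X.X.X.
add chain=dstnat dst-address=87.X.X.X action=dst-nat to-addresses=192.168.44.112 comment="public -> server"

# 3) Hairpin rule. After rule 2 the LAN client's packet has dst 192.168.44.112.
#    Rewriting its source to the router's ether2 address forces the server to
#    reply to the router, which un-NATs both addresses so the client sees the
#    reply coming from 87.X.X.X as it expects. The src-address/dst-address match
#    keeps this rule from touching anything but LAN-to-server hairpin traffic.
add chain=srcnat src-address=192.168.44.0/24 dst-address=192.168.44.112 out-interface=ether2 action=masquerade comment="hairpin NAT for LAN clients"

# Check: the counters on rules 2 and 3 should both increase when a LAN client
# opens http://87.X.X.X/ (or the Asterisk box delivers mail to 87.X.X.X).
/ip firewall nat print stats
```

Because rule 3 is limited to src-address=192.168.44.0/24 and dst-address=192.168.44.112, only hairpinned LAN connections lose their real source address (the server’s logs will show the router’s ether2 address for them); connections from the Internet still arrive at the server with the remote client’s IP intact, so the loss of client IPs noted in the last reply is confined to internal traffic. If you prefer not to lose them at all, the split-DNS approach discussed earlier remains the alternative.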