redirection to a webserver problem

Hi

I’m using 450g
I have a Planet ADSL modem that is connected to port 0 (PoE), and I changed its name to gate in Winbox. The MikroTik is connected to my local network by port one (local1).

I set the modem to bridge mode and made a PPPoE client on the MikroTik, so the MikroTik connected to the internet and created an interface called ppoe1, which I renamed to internet.

I made a srcnat rule with action set to masquerade, so all clients on my local network that set their gateway to 192.168.50.106 (MikroTik port 1 IP) have internet.

local1 = 192.168.50.106
gate (poe) = 192.168.50.105
adslmodem = 192.168.50.104
ppoe (internet) = 178.173.. (Static Valid IP)

I have 2 problems:

1- I cannot ping the ADSL modem and I do not have access to the web interface of the modem configuration

2- I wrote a dstnat rule so that when we access 178.173.**** it redirects us to a local webserver on 192.168.50.1 BUT IT IS NOT WORKING!!

Rather than describe stuff, can you please post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

Make sure to wrap command line output in

 tags when posting here so that things stay readable.
IP ADDRESS

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE               
 0   192.168.50.105/32  192.168.50.105  192.168.50.105  gate                    
 1   192.168.50.106/24  192.168.50.0    192.168.50.255  local1                  
 2   178.173.xxx.xxx/32 178.173.143.105 178.173.xxx.xxx internet                
 3 D 178.173.xxx.xxx/32 80.191.122.18   0.0.0.0         internet



ROUTE

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          80.191.122.18      1       
 1 ADC  80.191.xxx.xxx/32   178.173.xxx.xxx internet           0       
 2 ADC  178.173.xxx.xxx/32 178.173.xxx.xxx internet           0       
 3 ADC  192.168.50.0/24    192.168.50.106  local1             0       
 4 ADC  192.168.50.105/32  192.168.50.105  gate               0



INTERFACE

 #     NAME                                         TYPE             MTU   L2MTU
 0  R  gate                                         ether            1500  1524 
 1  R  local1                                       ether            1500  1524 
 2     local2                                       ether            1500  1524 
 3     local3                                       ether            1500  1524 
 4     local4                                       ether            1500  1524 
 5  R  internet                                     pppoe-out        1480



/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=gate
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=gate
add action=accept chain=input comment="" disabled=no in-interface=internet
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    internet
add action=dst-nat chain=dstnat comment="" connection-type="" disabled=no \
    dst-address=178.173.xxx.xxx dst-port=80 protocol=tcp to-addresses=\
    192.168.50.1 to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

When I remove the dstnat rule and type the IP address in Internet Explorer I see the MikroTik page, and I can remotely connect to the MikroTik by telnet and Winbox from my home.
Sorry for hiding the valid IP, just for security reasons.
untitled.JPG

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Though that is an ugly setup to do. It would be much better and cleaner for you if you could put the server on its own routed interface, with firewall rules, NAT etc., than doing it like that.


Issue number 2 is that you have the same subnet on two different routed interfaces. Things will not work properly like that. Give your local LAN a different subnet, and you should then be able to reach the modem fine since you already have the NAT rule you need.
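The hairpin-NAT link and the overlapping-subnet point above, as an added RouterOS example that is not part of the thread or the MikroTik wiki: it assumes the interface names from the exported config (internet, local1, gate) and the web server at 192.168.50.1, uses PUBLIC_IP as a placeholder for the hidden 178.173.x.x address, and picks 192.168.200.0/30 as an assumed transit subnet between the router and the modem. It also replaces the exported input rule that accepts everything arriving on the internet interface, since that rule leaves Winbox and telnet reachable from anywhere, with rules that accept only return traffic and LAN-side management.

```routeros
# Added example, not from the thread. PUBLIC_IP is a placeholder for the
# real 178.173.x.x address; 192.168.200.0/30 is an assumed transit subnet.

# 1. Move the modem-facing interface out of the LAN subnet so that gate and
#    local1 no longer overlap. The modem's LAN side is assumed to be
#    reconfigured to 192.168.200.1/30.
/ip address
remove [find interface=gate]
add address=192.168.200.2/30 interface=gate comment="transit to ADSL modem"

/ip firewall nat
# 2. Outbound masquerade towards the internet (same as the exported rule).
add chain=srcnat out-interface=internet action=masquerade

# 3. Masquerade towards the modem too, in case the modem has no route back
#    to 192.168.50.0/24; without this, pings to the modem get no reply.
add chain=srcnat out-interface=gate action=masquerade comment="reach modem"

# 4. Forward port 80 on the public address to the server. Matching on
#    dst-address (not in-interface) lets LAN clients that use the public
#    address hit this rule as well.
add chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.50.1 to-ports=80 comment="web dst-nat"

# 5. Hairpin: when a LAN client reaches the server through the public
#    address, rewrite the source so the server's reply returns via the
#    router instead of going straight to the client, which would reset
#    the connection.
add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.50.1 \
    protocol=tcp dst-port=80 out-interface=local1 action=masquerade \
    comment="hairpin NAT"

# 6. Input chain: accept only return traffic and management from the LAN,
#    then drop unsolicited traffic from the WAN. Two rules are used for
#    established and related, as in the exported config.
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input in-interface=local1 action=accept comment="management from LAN"
add chain=input in-interface=internet action=drop comment="drop unsolicited WAN"
```

The dst-nat rule is deliberately keyed on dst-address rather than in-interface: with in-interface=internet, a LAN client browsing to the public address never matches it, which is the symptom the hairpin wiki page describes. After applying rule 6, Winbox and telnet from outside stop working unless an explicit accept for a trusted source address is added ahead of the drop.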

hi

Thanks Feklar, but I can't set it up like that. :frowning: I have 5 servers + 3 virtualized

any other solution?

Instead of giving my local LAN a different subnet, I will give the modem a different subnet. Will that be OK?!

because my LAN is huge and I do not want to break it.

As long as you have control over your modem and can change the subnet, you can modify your “WAN” without any problem.

I still have my redirection problem!

What is your ROS version? I have something similar ... I'm running ROS 4.15 on an RB433 and hm ...
really funny ... the same dstnat for http, pop, smtp, ftp is not working, but for p2p, news and vnc port forwarding is working ...
Also i normally connect winbox on my public IP via another provider.
I will try new version … 4.17
My server logs in to my MikroTik via PPPoE (and the MikroTik assigns it the IP 192.168.3.191) ... and the MikroTik is connected to the ADSL modem via pppoe-out - wan1 ...

Export:

/ip firewall nat export
add action=dst-nat chain=dstnat comment="server web - 80" disabled=no dst-port=80 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=80
add action=dst-nat chain=dstnat comment="server smpt - 25" disabled=no dst-port=25 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=25
add action=dst-nat chain=dstnat comment="server pop - 110" disabled=no dst-port=110 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=110
add action=dst-nat chain=dstnat comment="server news 119" disabled=no dst-port=119 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=119
add action=dst-nat chain=dstnat comment="FTP Server" disabled=no dst-port=21 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=20-21
add action=dst-nat chain=dstnat comment="UltraVNC Viewer 5900 " disabled=no dst-port=5900 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=5900
add action=dst-nat chain=dstnat comment="torent 6880 \B5Torrent" disabled=no dst-port=6880 in-interface=wan1 protocol=tcp to-addresses=192.168.3.191 to-ports=6880

Even funnier is that everything worked until a few days ago ... but it stopped on its own ... I did not change anything ... I also see in Winbox that the NAT packet counter is growing ... but I can't access my web pages ... really strange.
Maybe some guru sees something wrong in my config?