Dear all,
I need some logical help with this topic if possible (I am not sure at all).
I have this network:
(image attachment: 1.jpg)
Now my Mikrotik is working only as a switch. But I’d like to configure it so that Host 1 is able to access the web server on port 80 by using the 192.168.1.2 address. Please advise what to do! Should I use port forwarding, and how?!
Most of the options I have involve changing some settings on the other routers. So, assuming you don’t have access there, I can only suggest one thing, more or less complicated depending on whether you can change the WebServer network settings.
The general idea of the steps below is to make the Mikrotik (MT) look like the web server (WS) itself for clients from both the 192.168.1.0/24 network and the 10.0.0.0/30 network.
For clarity, I will name the interfaces on Mikrotik:
ether-local - to the 192.168.1.0/24 network
ether-ws - to the web server
ether-remote - to the 10.0.0.1 router
1. Break the bridge on your Mikrotik; your interfaces should be separate now.
2. Assign 10.0.0.2/30 to the ether-remote interface (hijack the WS address).
3. Change the ether-ws network to something local like 169.254.1.1/30 (MT) ↔ 169.254.1.2/30 (WS).
4. Create a DNAT to 169.254.1.2 rule for all packets arriving from ether-remote OR ether-local (! ether-ws).
4.1 You may want to introduce some exclusions from the rule for you to be able to connect to the router itself.
5. Add a masquerade rule for packets coming out of the other two interfaces (ether-local and ether-remote).
In case you can’t change the webserver address, it becomes serious. I am not sure here, but it may be possible to do the following:
→ Assign 10.0.0.1/30 to ether-ws (yes!, a conflict with the other router, but on a different interface)
→ Mark packets coming in from ether-remote OR ether-local (! ether-ws) with a to-ws routing-mark by a mangle prerouting rule
→ Create a DNAT to 10.0.0.2 rule for all packets having the to-ws routing-mark (yes!, this is your own address, but I think it will work, since the packet will have a routing mark by the time it is routed)
→ Disable the default dynamic routes by /routing filter add chain=connected-in prefix=10.0.0.0/30 action=discard
→ Manually create the two routes:
/ip route add dst-address=10.0.0.0/30 gateway=ether-remote
/ip route add dst-address=10.0.0.0/30 gateway=ether-ws routing-mark=to-ws
→ Add a masquerade rule for packets coming out of interfaces ether-local and ether-remote
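As an added illustration (not part of the reply above), the first option written out as RouterOS CLI commands. It assumes the router keeps 192.168.1.2/24 on ether-local (the address Host 1 browses to), that the web server has been re-addressed to 169.254.1.2/30 with 169.254.1.1 as its default gateway (so its replies come back through MT), and that management is done over SSH/Winbox; the interface names are the ones defined above.

```routeros
# Added example, not from the original post. Assumed: MT has 192.168.1.2/24 on
# ether-local, WS has been moved to 169.254.1.2/30 with gateway 169.254.1.1.

# Step 1: break the bridge so the three ports are routed separately
/interface bridge port remove [find]
/interface bridge remove [find]

# Steps 2 and 3: hijack the WS address towards the remote router and use a
# private link network towards the web server
/ip address
add address=192.168.1.2/24 interface=ether-local comment="assumed local address"
add address=10.0.0.2/30 interface=ether-remote comment="MT now looks like WS to 10.0.0.1"
add address=169.254.1.1/30 interface=ether-ws comment="link to WS at 169.254.1.2"

# Step 4.1 first: exclusions so the router itself stays reachable for management.
# 'accept' in the nat chain stops later dst-nat rules from touching these flows.
/ip firewall nat
add chain=dstnat in-interface=!ether-ws dst-address-type=local protocol=tcp dst-port=22,8291 action=accept comment="keep ssh/winbox on MT"

# Step 4: HTTP arriving from ether-local or ether-remote for any of MT's own
# addresses is handed to the web server
add chain=dstnat in-interface=!ether-ws dst-address-type=local protocol=tcp dst-port=80 action=dst-nat to-addresses=169.254.1.2 to-ports=80 comment="publish WS as MT"

# Step 5: masquerade towards the other two networks so anything the WS itself
# originates appears to come from MT
add chain=srcnat out-interface=ether-local action=masquerade
add chain=srcnat out-interface=ether-remote action=masquerade
```

Connections forwarded by the dst-nat rule are reversed by connection tracking on the way back, which is why the web server only needs a route to MT and not to the client networks.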
First of all - thanks a lot for your help!
Unfortunately I have access only to the Mikrotik. Not to the web server and the other routers.
On the other hand, the web service should be accessible only from the 192.168.1.0/24 network. So is there any way to redirect all HTTP traffic from the web server to the 192.168.1.0/24 network through the Mikrotik? I need all traffic from source IP 10.0.0.1/30 to be sent out of (as you have said) ether-local, to the 192.168.1.0/24 network?
Sorry, I saw the second part too late.
I’ll try your suggestion and give you a feedback ASAP…