Server and public ip

Hello everyone,
I have a router Mikrotik CCR1009-8G-1S-1S + PC and Synology DS-713 + Server
It connects to the server via a domain name
My problem is that a friend, or me via my tablet and the Free network, can connect to the server via my public IP
I would like to stop it, but how?
Thank you in advance

Sorry for my bad English

Hi,
Drop packets which are NOT coming from your LAN subnet and are going to the Synology device; use IP/Firewall/Filter Rules
Or it’s better to set this rule when you are NATTING your packets to Synology

Hello and thank you for your answer
Unfortunately I know nothing about all this
What rule should I make?
Thank you in advance

Send your NAT configuration here

Hello,
Here is my setup, my NAT rules

/ip firewall nat
add action=masquerade chain=srcnat log-prefix=vlan832-orange out-interface=vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat log-prefix="Port Ethernet" out-interface=all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=masquerade chain=srcnat comment="default masquerade" out-interface=vlan832-orange
add action=dst-nat chain=dstnat comment="dnat to my server" dst-port=80,443,5000 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198

Server : 192.168.1.198

Thank you

So if you wanna make your Server public, it’s public!
You have destination NAT to your Server.
It is reachable from the internet because you want this.

If you limit your source IP addresses, its publicity has no meaning.
It’s better to secure your Server with a strong username and password.

My server already has a username and password but it’s not my question
My question is how to restrict access to my server via my public IP but only through my domain name

That I don’t know.
Since it’s about DNS and public IP, and they are the same now, I don’t think Mikrotik could help you, but it’s better to wait for an expert.

Well, I’ll wait for a network specialist
I do not think it’s complicated, but I know nothing about networks
thank you very much

I would try to help… but I just don’t understand the question.

You want someone from the INTERNET or WAN to be able to reach the server when they use the FQDN (like http://something.somethingelse.com), but not if they use the IP address of 65.54.254.3, which is the FQDN’s actual IP?

Yes, that’s his problem

There’s no simple solution for this. Hostnames get resolved on client side and the following connection to server is same on IP level, you can’t tell the difference. In any case it’s connection to :.

For http, it could be done using reverse proxy and allowing only given hostname (web proxy in RouterOS could be used for this, but I don’t think it’s a good idea) or using L7 filter and closing connections with “Host: ” (but it would not be completely reliable, so I don’t think it’s good idea either).

Most importantly, I fail to see the problem. You have public server. Who cares if it can be accessed also using numeric address? It’s not like it brings any real security problems or anything. If it really bothers you, then configure server to only accept requests for selected hostname.
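
Added example (not part of the thread): the suggestion above, accepting requests only for a selected hostname, written in Python as the check a reverse proxy or the web server itself would make on the HTTP Host header. The name nas.example.com, the function names and the 400/403 answers are assumptions made for the illustration; for HTTPS the header is only readable where TLS is terminated.

```python
import ipaddress

ALLOWED_HOSTS = {"nas.example.com"}  # assumption: placeholder for the server's FQDN

def requested_host(raw: bytes):
    """Return the Host header without port, or None if absent or duplicated."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip().lower())
    if len(hosts) != 1 or not hosts[0]:          # refuse to guess between values
        return None
    host = hosts[0]
    if host.startswith("["):                     # IPv6 literal such as [2001:db8::1]:443
        return host[1:].split("]", 1)[0]
    return host.split(":", 1)[0].rstrip(".")     # drop :port and a trailing root dot

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(raw: bytes) -> int:
    """Status a front end would answer: 200 = pass to the server, 4xx = refuse."""
    host = requested_host(raw)
    if host is None:
        return 400
    if is_ip_literal(host) or host not in ALLOWED_HOSTS:
        return 403
    return 200

# Constructed sample requests (203.0.113.10 is a documentation address).
SAMPLES = {
    "by name": b"GET / HTTP/1.1\r\nHost: nas.example.com\r\n\r\n",
    "by name, port and root dot": b"GET / HTTP/1.1\r\nHost: NAS.Example.com.:443\r\n\r\n",
    "by IP": b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    "no Host": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:28} -> {decide(request)}")
```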

Sorry for the bad Google translation French → English
For example, with my tablet, if I type a link with my local ip, for example http://80.255.74.4, I arrive on my server
And I do not like that, how to avoid this?
With my domain name that works well
I wonder if it is on the server I get
I feel that it is on the router
I came across a page that tells me this: “The page you are looking for can not be found (erreur 404)”

/ip firewall nat export

Print that here.

Here nat rules

/ip firewall nat
add action=masquerade chain=srcnat log-prefix=vlan832-orange out-interface=vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat log-prefix="Port Ethernet" out-interface=all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=masquerade chain=srcnat comment="default masquerade" out-interface=vlan832-orange
add action=dst-nat chain=dstnat comment="Photo Station" dst-port=80,443 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=dstnat comment="Serveur DSM 6.0" dst-port=5000 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198

WAN = vlan832-orange
Server = 192.168.1.198

Add a filter rule in forward chain to allow by dst-nat. That will take care of passing the firewall once you make a nat rule.

Keep default masq out.
Keep your server 80 and 443.

Disable the others for a test.

Hello,
I do not have access to the server
What rule must I put in IP Filter?
For clarity here’s my problem

/ip firewall filter add chain=forward comment="NAT'd" connection-nat-state=dstnat place-before=2

Don’t forget that one. That will allow your port forwards to actually work.