Bubba
March 22, 2011, 10:27pm
Greetings,
I have a server behind a Mikrotik@Routerboard R750.
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
1 chain=srcnat action=masquerade
2 chain=srcnat action=masquerade src-address=192.168.88.0/24
3 chain=srcnat action=masquerade src-address=192.168.88.0/24
4 chain=srcnat action=masquerade src-address=192.168.88.254
5 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=80
protocol=tcp in-interface=pppoe-out1 dst-port=80
6 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=22
protocol=tcp in-interface=pppoe-out1 dst-port=22
However, logs on my server indicate all incoming connections from Mikrotik’s IP address.
root@korea:/home/bubba# tail -n 3 /var/log/lighttpd/e/access.log
192.168.88.1 2.718281828459045235360287471352662497757247093699959574966967627.com - [22/Mar/2011:21:21:08 +0100] "GET /supa_revisited_resized.jpg HTTP/1.1" 200 37677 "http://2.718281828459045235360287471352662497757247093699959574966967627.com/hardware.html" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
192.168.88.1 2.718281828459045235360287471352662497757247093699959574966967627.com - [22/Mar/2011:21:21:09 +0100] "GET /ddaveuptime.png HTTP/1.1" 200 8037 "http://2.718281828459045235360287471352662497757247093699959574966967627.com/hardware.html" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
192.168.88.1 2.718281828459045235360287471352662497757247093699959574966967627.com - [22/Mar/2011:21:21:10 +0100] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
WAN is PPPoE connection (ADSL) with dynamic IP address.
Is there a way to get the real address on my server, instead of Mikrotik’s?
Best regards,
Bruno
fewi
March 22, 2011, 10:38pm
Sure. Don’t NAT everything. You’re telling the router to do just that:
1 chain=srcnat action=masquerade
That means “whenever a packet leaves any interface, rewrite the source IP address of the packet to the IP address configured on that interface”. So when a packet comes from the Internet into the WAN interface, and then leaves the router through the LAN interface towards the web server, the source IP is rewritten to the LAN IP of the router. Remove that rule. You can also remove rules 2, 3, and 4. Rule 0 covers them all, they are unnecessary. You may want to review the wiki manual regarding NAT.
Here are the commands to do that:
/ip firewall nat
remove [find chain=srcnat]
add chain=srcnat action=masquerade out-interface=ether1-gateway
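To make the rule-matching behaviour described above concrete, here is an added Python model (not RouterOS code and not from the thread) of the srcnat table: it walks the masquerade rules from the first post and from the final print and reports what source address the web server and the Internet see. Interface names and the 192.168.88.x addresses are from the thread; the LAN interface name bridge-local, the router's WAN address and the client address are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Assumed: LAN interface named "bridge-local" and router WAN/client addresses.
IFACE_ADDR = {"pppoe-out1": "203.0.113.7", "bridge-local": "192.168.88.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher given on the rule must match; a rule that names none
    (the thread's rule 1) matches everything that leaves any interface."""
    if "out-interface" in rule and rule["out-interface"] != pkt.out_iface:
        return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    return True

def apply_srcnat(rules: list, pkt: Packet) -> Packet:
    """First matching masquerade rule rewrites src to the egress interface IP."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return replace(pkt, src=IFACE_ADDR[pkt.out_iface])
    return pkt

# srcnat rules from the first post, in the printed order (all masquerade).
ORIGINAL = [{"out-interface": "ether1-gateway"},  # 0
            {},                                   # 1: no matcher at all
            {"src-address": "192.168.88.0/24"},   # 2
            {"src-address": "192.168.88.0/24"},   # 3
            {"src-address": "192.168.88.254"}]    # 4
# The single srcnat rule left in the final print (its rule 2).
FIXED = [{"src-address": "192.168.88.0/24", "out-interface": "pppoe-out1"}]

# Constructed packets: an Internet client already dst-natted to the server,
# and the server's own traffic leaving towards the Internet.
INBOUND = Packet("198.51.100.23", "192.168.88.254", "bridge-local")
OUTBOUND = Packet("192.168.88.254", "198.51.100.23", "pppoe-out1")

def source_seen_by_server(rules: list) -> str:
    return apply_srcnat(rules, INBOUND).src

def source_seen_on_internet(rules: list) -> str:
    return apply_srcnat(rules, OUTBOUND).src
```

With ORIGINAL the server sees 192.168.88.1 because rule 1 matches the packet leaving the LAN interface; with FIXED it sees the client's address while LAN traffic leaving pppoe-out1 is still masqueraded.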
Bubba
March 23, 2011, 12:37pm
fewi:
Sure. Don’t NAT everything. You’re telling the router to do just that:
1 chain=srcnat action=masquerade
That means “whenever a packet leaves any interface, rewrite the source IP address of the packet to the IP address configured on that interface”. So when a packet comes from the Internet into the WAN interface, and then leaves the router through the LAN interface towards the web server, the source IP is rewritten to the LAN IP of the router. Remove that rule. You can also remove rules 2, 3, and 4. Rule 0 covers them all, they are unnecessary. You may want to review the wiki manual regarding NAT.
Here are the commands to do that:
/ip firewall nat
remove [find chain=srcnat]
add chain=srcnat action=masquerade out-interface=ether1-gateway
Thanks!
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=80
protocol=tcp in-interface=pppoe-out1 dst-port=80
1 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=22
protocol=tcp in-interface=pppoe-out1 dst-port=22
2 chain=srcnat action=masquerade src-address=192.168.88.0/24
out-interface=pppoe-out1
Now it works like a charm!
Best regards,
Bruno