Server on local network - how redirect to the world ;-)

Kuniarz · August 18, 2005, 11:36am

Hello !

Sorry for me bad English, but im from Poland and never learn this language…
Im use MT 2.8 , this is my small network :

How redirect ports or IP-s from server (192.168.1.200) to outside ? On server runs Apache, from local network is working on browser’s address http://192.168.1.200 , but dont work from internet : http://80.55.159.106.

Please help me.

Best Regards, Robert

normis · August 18, 2005, 11:41am

you probably need this example:
http://www.mikrotik.com/docs/ros/2.8/howto/howto.content#12.2.6

Kuniarz · August 18, 2005, 12:05pm

this one :

How to Link Public Addresses to the Local Ones?

??

I try.

Kuniarz · August 18, 2005, 12:49pm

sorry, but still dont work…

on address 80.55.159.106 actually error 404, but after shows MT logo site

I use this commands :

ip firewall dst-nat :

add dst-address=80.55.159.106/32 action=nat to-dst-address=192.168.1.200

ip firewall src-nat :

add src-address=192.168.1.200/32 action=nat to-src-address=80.55.159.106

still dont work, and I add this :

add src-address=192.168.1.0/24 action=nat to-src-address=80.55.159.106

[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=192.168.1.200/32 action=nat to-src-address=80.55.159.106

1 src-address=192.168.1.0/24 action=nat to-src-address=80.55.159.106

2 out-interface=dsl action=masquerade

[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 dst-address=80.55.159.106/32 action=nat to-dst-address=192.168.1.200

still dont work…

wildbill442 · August 18, 2005, 4:34pm

It might help if you specify the ports you are trying to forward. Unless you’re trying to do a 1:1 NAT setup…

Here are the rules to forward all requests to 192.168.1.200 coming from your pubic 80.x.x.x..

DST-NAT rule
add dst-address=80.55.159.106/32 action=nat to-dst-address=192.168.1.200

SRC-NAT rule
add src-address=192.168.1.200/32 action=nat to-src-address=80.55.159.106

remove the rule that encompouses the entire 192.168.1.0/24 network because that is incorrect. Those two posted above are the only ones you’ll need. Make sure there aren’t any rules in the forward filter of your firewall blocking any of the ports you are trying to access (http port 80 for example). Also when this rule is configured you’ll have a tough time accessing the MT router from the WAN interface because all requests are going to be forwarded to 192.168.1.200, so you’ll have to manage the router locally unless you can get a second IP address from your ISP.

cmit · August 18, 2005, 4:45pm

For managing the router from the WAN side it would be sufficient to change the http service port (under “/ip service”) to something else than 80. Then just enter this port number in WinBox connection dialog, like:
1.2.3.4:81, if you changed the web port to port 81…

wildbill442 · August 18, 2005, 4:46pm

yeah he may want to do that anyway so not to confuse the router having two hosts listening on the same IP with the same service.. might cause problems.

Kuniarz · August 19, 2005, 6:32am

Damn… still dont work… ;-((((

DESTINATION-NAT shows any traffic of packets, but SRC-NAT is traffic = zero…
I moved this rule to first position , masquerade to second = still zero traffic…
in “Filter Rules” dont have any rules.

Pls help me, it is very big problem - my company website dont exist…

I make some printscreens for better visualization of my problem :

wildbill442 · August 19, 2005, 10:50am

Try changing the masquerade rule to only masq traffic coming from 192.168.1.0/24 (or however big the network is).

src-address=192.168.1.0/24 instead of src-address=0.0.0.0 (which means all traffic).

I doubt it matters, and I’m not sure if you can do this with NAT rules, but try and move the src-nat rule to the top of the list above the masquerade rule.

Kuniarz · August 19, 2005, 11:51am

i try change src-address - still dont work, moved to the first position - the same effect - dont work…

wildbill442 · August 19, 2005, 5:21pm

is the public IP address for the local client (192.168.1.200) setup on the WAN interface of the router?

If it isn’t you need to add it for this to work.

EDIT::: sorry forgot you’re using only one IP address…

wait.. thats the problem.. the rule isn’t being matched because its always going to have a src-address of 80.xx.xx.xx whatever your public address is because you’re only using 1 static IP address on the WAN side.. so you really don’t need the src-nat rule cause the masquerade rule does practically the same thing…

What you should do is get a second static IP address and use the one you have now for your masqueraded clients and set the new one up for 1:1 NAT.

yancho · August 19, 2005, 7:21pm

/ ip firewall dst-nat 
add dst-address=80.55.159.106/32:80 protocol=tcp action=nat to-dst-address=192.168.1.200 to-dst-port=80  disabled=no

/ ip firewall src-nat 
add action=masquerade disabled=no 
add dst-address=192.168.1.200/32:80 protocol=tcp action=nat to-src-address=192.168.1.2  disabled=no