static IPs for web server

Hi all, I have two WAN interfaces, both business ADSL with static IPs. I would like to use one of them for a couple of web sites hosted on a local server. The Public2 interface is configured as 63.xxx.69.42/29. The web server has three NICs, each locally addressed [192.168.8.xx], and the sites are browsable using the local IP, but I can’t hit them from the outside. I am trying to use 63.xxx.69.43 as an external address. The A records and DNS point correctly, but I’m overlooking something simple… I guess how to break out the individual IPs from the /29? I have created a dst-nat entry to point port 80 from the .43 to the local 192.168.8.12. I also added DNS entries for the domain name to the local IP. I know I have a range of IPs available from .42-.46, and the DSL modem is a gateway at .41, so I suppose my problem is basic subnetting. What am I missing?

thomaspc -

So - what is the problem - is it that from outside your network you can’t see the internal webserver on its ‘now’ public IP address, or is it that you cannot see the internal webserver by name http://www.xxx.xxx from ‘inside’ your network?

Reading your post again… it looks like you are trying to say that your internally addressed webserver is not accessible from outside your network even though you have added a dst-nat rule… Did you also add a src-nat rule for the private IP to get src-nat’d to when it leaves the router in response to a web request to the correct public IP? If you have not - remember one thing - the rules in the firewall are executed in numerical order. So if you have a src/dst-nat or masq rule that appears BEFORE the ‘new’ rules (numerically 0, 1, 2, etc) for the webserver, chances are the rules above the new rules are getting executed first and the new rules are never being seen…

R/

I created a src-nat rule, and bumped the applicable rules up on top of the masq rule, but still can’t hit it from the outside. I can’t ping those IPs either, .42 or .43, although I can ping the gateway, .41. Do I need to specify a route?

thomaspc -

Ping won’t work if you have not port forwarded the icmp protocol to that IP…

Post your dst-nat and src-nat rules here (obfuscate your public IPs as necessary)…

do a traceroute and post here…

from the command prompt / terminal / telnet;

/ip firewall nat print [enter]


R/

Thom

Here’s the NAT. I was originally using the other Public interface for my LAN, but due to already changing my reverse DNS entries after some mail issues I had to change the default gateway and distance, leaving the other Public interface unused, so I know it did allow traffic in and out before, but I must be missing something obvious.

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=63.194.6xx.43 src-port=80
protocol=tcp

1 chain=dstnat action=dst-nat to-addresses=192.168.8.12 to-ports=80
dst-address=63.194.xx.43 in-interface=Public1 dst-port=80 protocol=tcp

2 chain=srcnat action=masquerade out-interface=Public1

3 chain=srcnat action=masquerade out-interface=Public2

4 chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=80
dst-address=75.23.xx.225 dst-port=80 protocol=tcp

5 chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=443
dst-address=75.23.xx.225 dst-port=443 protocol=tcp

6 chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=4125
dst-address=75.23.xx.225 dst-port=4125 protocol=tcp

7 chain=dstnat action=dst-nat to-addresses=192.168.8.5 to-ports=25
dst-address=75.23.xx.225 dst-port=25 protocol=tcp

8 X chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=25
src-address=192.168.8.5 protocol=tcp

9 chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=3389
dst-address=75.23.xx.225 dst-port=3389 protocol=tcp

10 X chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=3389
dst-address=75.23.xx.225 dst-port=3389 protocol=tcp

11 chain=dstnat action=dst-nat to-addresses=192.168.12.1 to-ports=80
dst-address=63.194.xx.46 dst-port=80 protocol=tcp

12 chain=dstnat action=dst-nat to-addresses=192.168.12.1 to-ports=443
dst-address=63.194.xx.46 dst-port=443 protocol=tcp

13 chain=dstnat action=dst-nat to-addresses=192.168.8.2 to-ports=1723
dst-address=75.23.xx.225 dst-port=1723 protocol=tcp
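An added example (not from the thread) that parses `/ip firewall nat print` output like the listing above and checks it for the two problems raised in this thread: a dst-nat rule bound to an in-interface whose subnet does not contain its dst-address, and a specific srcnat rule placed after a masquerade rule for the same interface. The interface subnets and the "0" standing in for the obfuscated octet are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the post's `/ip firewall nat print` output, trimmed to
# the web-server rules; "0" stands in for the octet the post obfuscates as "xx".
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=63.194.0.43 src-port=80
     protocol=tcp
 1   chain=dstnat action=dst-nat to-addresses=192.168.8.12 to-ports=80
     dst-address=63.194.0.43 in-interface=Public1 dst-port=80 protocol=tcp
 2   chain=srcnat action=masquerade out-interface=Public1
 3   chain=srcnat action=masquerade out-interface=Public2
"""
# Assumed subnets: the post puts the /29 holding .43 on Public2; the Public1 mask is a guess.
IFACE_NETS = {"Public1": ipaddress.ip_network("75.23.0.224/29"),
              "Public2": ipaddress.ip_network("63.194.0.40/29")}

RULE_RE = re.compile(r"^\s*(\d+)\s+([XID ]*?)\s*(chain=.*)$")

def parse_nat_print(text):
    """Re-join the wrapped print lines into one dict of key=value pairs per rule."""
    rules = []
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rules.append({"id": int(m.group(1)), "disabled": "X" in m.group(2),
                          "_raw": m.group(3)})
        elif rules and line[:1] == " " and line.strip():   # wrapped continuation line
            rules[-1]["_raw"] += " " + line.strip()
    for r in rules:
        r.update(kv.split("=", 1) for kv in r.pop("_raw").split())
    return rules

def audit(rules, iface_nets):
    """Return (rule id, finding) pairs for the two mistakes the thread discusses."""
    findings, masq_seen = [], {}   # masq_seen: out-interface -> first masquerade id
    for r in rules:
        if r["disabled"]: continue
        if r.get("chain") == "dstnat" and "in-interface" in r and "dst-address" in r:
            net = iface_nets.get(r["in-interface"])
            if net and ipaddress.ip_address(r["dst-address"]) not in net:
                findings.append((r["id"], f"dst-address {r['dst-address']} is not on {r['in-interface']} ({net})"))
        elif r.get("chain") == "srcnat":
            if r.get("action") == "masquerade" and "out-interface" in r:
                masq_seen.setdefault(r["out-interface"], r["id"])
            elif r.get("action") != "masquerade":
                hits = [i for o, i in masq_seen.items() if r.get("out-interface") in (None, o)]
                if hits:   # an earlier masquerade already rewrote this traffic
                    findings.append((r["id"], f"shadowed by earlier masquerade rule {min(hits)}"))
    return findings
```

Run `audit(parse_nat_print(NAT_PRINT), IFACE_NETS)` against your own print output after replacing the placeholder addresses and subnets with the real ones.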

thomaspc -

Answered you back via email…

R/

Thom