Hello forum
is there a way to make the traffic incoming to a web server on a private IP behind a Mikrotik router use its real IP rather than the router’s IP? My goal is to make my webserver log the IP of the incoming traffic rather than the router’s IP when using NAT.
Yes, there is, fix your broken srcnat config. You probably have something like:
/ip firewall nat
add chain=srcnat action=masquerade
and it touches even traffic you don’t want it to. Adding out-interface= to it could be the fix, unless you have some special requirements.
How the frig do you know that LOL,
In any case
/export hide-sensitive file=anynameyouwish
should reveal the issues…
I’ll have to try this at night, I don’t want my active webserver to drop connections at the time LOL
I’ll post the NAT configuration in the meantime since the file is too big, if there’s anything else tell me.
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="real ip" disabled=yes dst-address=\
REALIP log-prefix=OSS to-addresses=192.168.0.12
add action=dst-nat chain=dstnat comment=EVALUATION dst-address=REALIP \
dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.5 \
to-ports=80
add action=dst-nat chain=dstnat comment=VTE dst-address=REALIP \
dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.240 \
to-ports=80
That would appear to be a problem.
Do what SOB noted, it won't cause any issues.
As for the destination nat rule, how about you tell me, how the router will know where to send a connection that is coming in on port 80???
It can cause issues if there’s need for hairpin NAT, i.e. when you connect to REALIP:80 not only from internet, but also from same LAN where server is. In that case it would need another srcnat rule:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade
Reasons are explained in https://wiki.mikrotik.com/wiki/Hairpin_NAT.
As for the two rules, router won’t have any doubt about which one to use. User’s expectations and their result is another matter.
Geez smarty sob, of course by the order of rules, and you know what I meant, no need to get nit picky LOL
Yep, I was reading about the Hairpin NAT and I was waiting to try it, since if I'm connected to the router I can't open the websites hosted, and I think hairpin was the solution for it, but I'll have to try it on Monday. But as for the original goal, I haven't read anywhere if Hairpin can solve that problem (source IP logging in the webserver, rather than the router's IP).
As @sob mentioned: your src-nat was too greedy and did its magic also for the incoming traffic. Without it your web server would have seen original clients' IP addresses.
However, this is not possible for clients which need hair pin NAT for their connections … for those you’ll see router’s LAN IP as client’s address.
With the original broad srcnat rule, you already had working hairpin NAT, because it applied to all connections passing through the router. But one thing it does, it hides real addresses. It's an easy choice for connections from LAN, because you can either have a wrong source address, or not connect at all. But you don't want it for connections from elsewhere.
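To make the three situations in this thread concrete, here is a small model of how RouterOS walks the dstnat (prerouting) and srcnat (postrouting) chains for a new connection. It is an added example, not code from the thread or from MikroTik; the interface names, the public address 203.0.113.10 standing in for REALIP, the router LAN address 192.168.0.1 and the client addresses are all constructed. Only the matchers the thread uses are modelled (out-interface, src-address, dst-address, dst-port), and the hairpin failure is modelled as "server replies straight to the client, so the client drops the reply".

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example (not taken from the thread).
WAN_IF = "ether2"             # interface that carries the public address
LAN_IF = "bridge1"            # interface facing 192.168.0.0/24
PUBLIC_IP = "203.0.113.10"    # stands in for the thread's REALIP
ROUTER_LAN_IP = "192.168.0.1"
WEB_SERVER = "192.168.0.5"
LAN_NET = ipaddress.ip_network("192.168.0.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    out_if: str = ""          # filled in by the routing decision


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A matcher that is absent from the rule matches everything, exactly like
    an /ip firewall nat rule written without out-interface or addresses."""
    if "out-interface" in rule and rule["out-interface"] != pkt.out_if:
        return False
    if "src-address" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst-address"]):
        return False
    if "dst-port" in rule and rule["dst-port"] != pkt.dport:
        return False
    return True


def run_chain(chain: str, rules: list, pkt: Packet) -> Packet:
    """First matching rule in the chain wins, as in RouterOS."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "dst-nat":
            pkt.dst = rule["to-addresses"]
        elif rule["action"] in ("masquerade", "src-nat"):
            # masquerade uses the address of the interface the packet leaves on
            pkt.src = ROUTER_LAN_IP if pkt.out_if == LAN_IF else PUBLIC_IP
        return pkt
    return pkt


def server_view(client_ip: str, rules: list) -> tuple:
    """SYN from client_ip to PUBLIC_IP:80; returns (source address the web
    server logs, whether the connection can work)."""
    pkt = Packet(src=client_ip, dst=PUBLIC_IP, dport=80)
    pkt = run_chain("dstnat", rules, pkt)                   # prerouting
    pkt.out_if = LAN_IF if in_lan(pkt.dst) else WAN_IF      # routing decision
    pkt = run_chain("srcnat", rules, pkt)                   # postrouting
    # Hairpin failure: client and server on the same LAN with an untranslated
    # source, so the server answers the client directly and the client sees a
    # SYN-ACK from 192.168.0.5 instead of PUBLIC_IP and drops it.
    works = not (in_lan(pkt.src) and in_lan(pkt.dst) and pkt.src != ROUTER_LAN_IP)
    return pkt.src, works


def internet_works(client_ip: str, rules: list) -> bool:
    """LAN client browsing an internet host: only works when the private source
    was translated to PUBLIC_IP before the packet leaves the WAN interface."""
    pkt = Packet(src=client_ip, dst="198.51.100.1", dport=443)   # constructed remote host
    pkt = run_chain("dstnat", rules, pkt)
    pkt.out_if = LAN_IF if in_lan(pkt.dst) else WAN_IF
    pkt = run_chain("srcnat", rules, pkt)
    return pkt.src == PUBLIC_IP


# Rule sets mirroring the thread: the greedy masquerade, the fix with
# out-interface, and the fix plus the hairpin rule from the wiki page.
DSTNAT_80 = {"chain": "dstnat", "action": "dst-nat", "dst-address": PUBLIC_IP,
             "dst-port": 80, "to-addresses": WEB_SERVER}
HAIRPIN = {"chain": "srcnat", "action": "masquerade",
           "src-address": "192.168.0.0/24", "dst-address": "192.168.0.0/24"}
BROAD = [{"chain": "srcnat", "action": "masquerade"}, DSTNAT_80]
FIXED = [{"chain": "srcnat", "action": "masquerade", "out-interface": WAN_IF}, DSTNAT_80]
FIXED_WITH_HAIRPIN = FIXED + [HAIRPIN]
HAIRPIN_ONLY = [HAIRPIN, DSTNAT_80]   # the hairpin rule alone, no WAN masquerade

if __name__ == "__main__":
    for name, rules in [("broad", BROAD), ("fixed", FIXED), ("fixed+hairpin", FIXED_WITH_HAIRPIN)]:
        print(name, "internet client:", server_view("198.51.100.7", rules),
              "LAN client:", server_view("192.168.0.50", rules),
              "LAN browsing:", internet_works("192.168.0.50", rules))
```

Run stand-alone it prints one line per rule set: with the broad rule the server always logs 192.168.0.1; with out-interface added an internet client is logged with its own address but a LAN client cannot connect; with the hairpin rule added the LAN client connects again and is logged as 192.168.0.1, which is exactly the trade-off described above. HAIRPIN_ONLY shows why replacing the WAN masquerade with the 192.168.0.0/24 rule, rather than adding it, breaks internet access for the LAN.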
Hi Sob, thanks for the previous advice. It worked on one router, but on the other one it's not working at all; I set it up the same as the other one and it's just not working. Does having a VLAN have any effect on the process, since I have a VLAN on the non-working router?
post your config…
^^^ What he wrote.
And there’s nothing special about VLANs, except when you mess with bridge’s Use IP Firewall option, then things can become quite unexpected.
So I'll put the interface config and the NAT config of the thing I used, just noting that I have one DSL WAN internet connection and another Fibre on VLAN 2370 on ethernet port 12, so I have two.
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=DSL~WAN~E2 speed=100Mbps
set [ find default-name=ether1 ] name=LAN~E1 speed=100Mbps
set [ find default-name=ether3 ] name=Tamreed~E3 speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
/interface vlan
add interface=ether12 name="vlan 2370" vlan-id=2370
/interface bridge port
add bridge=bridge1 interface=LAN~E1 trusted=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.232 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=8818 log-prefix=OSS protocol=tcp to-addresses=192.168.0.16 to-ports=8818
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=1433 protocol=tcp time=0s-23h,sun,mon,tue,wed,thu,fri,sat to-addresses=192.168.0.120 to-ports=1433
And when I tried the NAT config you advised, it either breaks the internet connection in the ORG or doesn't show the real source IP; it shows the router's IP.
I attached the NAT screenshot that breaks the internet also (bear with me, I'm not that much of an expert in Mikrotik).
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.232 to-ports=80
In the top line the masquerade rule is incomplete, and if you have a fixed WAN IP, then one should probably use src-nat instead of masquerade.
For the first two rules, do you actually think that any request for port 80 will get to 192.168.0.232 ???
(a basic port forwarding no no)
I tried fixing the first NAT rule but it wasn't fixed; it either worked or didn't work at all if I used src-IP and dst-IP 192.168.0.0/24. Is there anything I'm missing?
For the first two rules, do you actually think that any request for port 80 will get to 192.168.0.232 ???
(a basic port forwarding no no)
Yes, that's exactly what's happening: any request to the real IP over port 80 goes directly to the specified IP over port 80.