Urgent help please

Hello! Here's the thing: I connected WAN (public IP) to MT and forwarded port 80 through NAT to my webserver, which has a local IP address (as presented here: RouterOS - MikroTik Documentation). Works like a charm, but when I look into my server's log, there is only one source IP for all the connections, and that is MT's IP. Is there a way to forward port 80 AND have the real IPs of the users who visit my site?


/ip address print detail

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; added by setup
address=46.45.xxx.xxx/27 network=46.45.xxx.xxx interface=WAN actual-interface=WAN

1 address=192.168.99.131/24 network=192.168.99.0 interface=Local actual-interface=Local

2 address=178.211.99.11/27 network=178.211.99.0 interface=WAN actual-interface=WAN


/ip route print detail

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S ;;; added by setup
dst-address=0.0.0.0/0 gateway=46.45.xxx.xxx gateway-status=46.45.xxx.xxx reachable via WAN distance=1 scope=30 target-scope=10

1 S ;;; added by setup
dst-address=0.0.0.0/0 gateway=46.45.xxx.xxx gateway-status=46.45.xxx.xxx reachable via WAN distance=1 scope=30 target-scope=10

2 ADC dst-address=46.45.xxx.xxx/27 pref-src=46.45.xxx.xxx gateway=WAN gateway-status=WAN reachable distance=0 scope=10

3 ADC dst-address=178.211.99.0/27 pref-src=178.211.99.11 gateway=WAN gateway-status=WAN reachable distance=0 scope=10

4 ADC dst-address=192.168.99.0/24 pref-src=192.168.99.131 gateway=Local gateway-status=Local reachable distance=0 scope=10

/interface print detail

Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="Local" default-name="ether4" type="ether" mtu=1500 mac-address=00:50:56:AD:25:01 fast-path=no

1 R name="WAN" default-name="ether1" type="ether" mtu=1500 mac-address=00:50:56:AD:47:9D fast-path=no

2 X name="eth2" default-name="ether3" type="ether" mtu=1500 mac-address=00:50:56:AD:11:E0 fast-path=no

3 X name="sozlukbu" default-name="ether2" type="ether" mtu=1500 mac-address=00:50:56:AD:42:99 fast-path=no

/ip firewall export

/ip firewall filter
add chain=forward protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=178.211.99.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
add action=masquerade chain=srcnat

Use hairpin nat

http://wiki.mikrotik.com/wiki/Hairpin_NAT

This is not the solution. Please understand my request.

The client receives the reply packet it expects, and the connection is established.

However, the web server only ever sees a source IP address of 192.168.1.1 for all requests from internal clients regardless of the internal client's real IP address. There is no way to avoid this without either using a router that can do application level DNS inspection and can rewrite A records accordingly, or a split DNS server that serves the internal clients the internal server IP address and external clients the external server IP address.

This is called - among other terms - hairpin NAT because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hairpin.

Please help. I'm waiting...

The following rule:

add action=masquerade chain=srcnat

should only be applied to traffic leaving your WAN interface - i.e. add an out-interface selection to it. At the moment it is masquerading all traffic which is causing your problem.

…and don’t cross post. I will not respond to the other post from now on.

MikroTik was reinstalled and configured. A clean installation. All information is as follows:

[memolipascal@MikroTik]  /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=accept protocol=tcp dst-port=80 



[memolipascal@MikroTik]  /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; added by setup
        0.0.0.0/0                          46.45.169.97              1
 1 ADC  46.45.169.96/27    46.45.169.123   WAN                       0
 2 ADC  178.211.39.0/27    178.211.39.11   mywebsite                 0
 3 ADC  192.168.99.0/24    192.168.99.50   LAN                       0



[memolipascal@MikroTik] /ip address print     
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                          
 0   ;;; added by setup
     46.45.169.123/27   46.45.169.96    WAN                                                                                                
 1   ;;; Local IP
     192.168.99.50/24   192.168.99.0    LAN                                                                                                
 2   ;;; my website IP sozlukbu.com
     178.211.39.11/27   178.211.39.0    mywebsite  



[memolipascal@MikroTik] /ip firewall nat> print            
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade 

 1   chain=dstnat action=dst-nat to-addresses=192.168.99.251 protocol=tcp dst-address=!192.168.99.0/24 dst-address-type=local dst-port=80 

 2   chain=dstnat action=dst-nat to-addresses=192.168.99.251 to-ports=80 protocol=tcp dst-address=178.211.39.11 dst-port=80

Same issue. Specify the out-interface as your WAN interface in this rule:

0   chain=srcnat action=masquerade

If you need hairpin NAT make sure that you properly constrain the masquerade rule so that it doesn’t affect traffic from the WAN side.



[memolipascal@MikroTik] /ip firewall nat> print            
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=WAN 

 1   chain=dstnat action=dst-nat to-addresses=192.168.99.251 protocol=tcp dst-address=!192.168.99.0/24 dst-address-type=local dst-port=80 

 2   chain=dstnat action=dst-nat to-addresses=192.168.99.251 to-ports=80 protocol=tcp dst-address=178.211.39.11 dst-port=80

Like this? Now the website does not work.

chain=srcnat action=masquerade out-interface=mywebsite

This works fine, but the same problem. Please see: http://www.sozlukbu.com/test.aspx

Visitor IP: 192.168.99.50

Which version ROS are you using?
Which physical interface is WAN?
Which physical interface is mywebsite?

What is this dstnat for? I would remove it.

1   chain=dstnat action=dst-nat to-addresses=192.168.99.251 protocol=tcp dst-address=!192.168.99.0/24 dst-address-type=local dst-port=80

edit: You should post "/ip firewall filter" also. I can't even ping that IP.

You seem to have 2 ISP connections. You need to masquerade traffic leaving those but not the traffic going to your LAN. You may also have to use some mangle rules to mark connections from each ISP and ensure the traffic is returned correctly.

Post your entire config - output from /export compact.

Version: MikroTik RouterOS 6.0
This is a virtual server (on VMware ESX 5) with virtual network devices (the WAN and mywebsite devices).

[memolipascal@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=accept protocol=tcp dst-port=80



[memolipascal@MikroTik] > ping 192.168.99.251
HOST                                     SIZE TTL TIME  STATUS                                                                             
192.168.99.251                             56 128 0ms  
192.168.99.251                             56 128 0ms  
192.168.99.251                             56 128 0ms  
192.168.99.251                             56 128 0ms



[memolipascal@MikroTik] > /export compact
# feb/08/2014 15:49:30 by RouterOS 6.0
#
/interface ethernet
set 0 name=LAN speed=1Gbps
set 1 mac-address=00:50:56:31:A4:F0 name=WAN
set 2 speed=1Gbps
set 3 name=mywebsite speed=1Gbps
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/ip address
add address=46.45.169.123/27 comment="added by setup" interface=WAN network=46.45.169.96
add address=192.168.99.50/24 comment="Local IP" interface=LAN network=192.168.99.0
add address=178.211.39.11/27 comment="my website IP sozlukbu.com" interface=mywebsite network=178.211.39.0
/ip firewall filter
add chain=forward dst-port=80 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=LAN
add action=dst-nat chain=dstnat dst-address=!192.168.99.0/24 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.99.251
add action=dst-nat chain=dstnat dst-address=178.211.39.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
/ip route
add comment="added by setup" distance=1 gateway=46.45.169.97

This is exactly what you don’t want!

add action=masquerade chain=srcnat out-interface=LAN

If you masquerade traffic leaving the LAN interface it changes the SRC IP address in the IP header (to the router’s IP address).

Masquerade the traffic leaving the ISP interfaces - not the traffic leaving the LAN interface.

Sorry, I do not understand exactly what is required.

add action=masquerade chain=srcnat out-interface=LAN
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat

Which one is it necessary to use?

You seem to have 2 ISP connections - the interface you call “WAN” and the interface you call “mywebsite”. These should both be masqueraded. The LAN interface should not be masqueraded.
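The two replies above (constrain the masquerade to the ISP-facing interface; hairpin NAT is the separate case of LAN clients hitting the public address) can be checked without a router. The following is an added example, not code from the thread or from MikroTik: a small Python model of how RouterOS evaluates the dstnat chain before routing and the srcnat chain after it, run over two constructed rule sets in export syntax. The public address 178.211.39.11, the LAN prefix 192.168.99.0/24, the router's LAN address 192.168.99.50 and the web server 192.168.99.251 follow the thread; the hairpin rule, the client addresses 203.0.113.7 and 192.168.99.20, and the two-interface routing table are assumptions for the demo. It models only address rewriting on the forward path, not the return path (which, with dst-nat alone, still requires the server's replies to route back through the router so the connection-tracking entry can undo the translation).

```python
import ipaddress
import shlex

# Constructed sample rule sets in RouterOS export syntax (assumption: shaped like
# the thread's exports, with a hairpin rule added to the fixed set).
BROKEN_NAT = """
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=178.211.39.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
"""

FIXED_NAT = """
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=178.211.39.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat src-address=192.168.99.0/24 dst-address=192.168.99.251 dst-port=80 protocol=tcp comment=hairpin
"""

# Router addresses per interface (from the thread) and the LAN prefix.
ROUTER_ADDR = {"WAN": "178.211.39.11", "LAN": "192.168.99.50"}
LAN_NET = ipaddress.ip_network("192.168.99.0/24")


def parse_nat_rules(export):
    """Turn the 'add key=value ...' lines of an export into dicts, keeping rule order."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def interface_for(ip):
    """Routing decision for this assumed two-interface router: LAN prefix, else default via WAN."""
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"


def address_matches(matcher, ip):
    """RouterOS address matcher: a host or prefix, with an optional leading '!' for negation."""
    if matcher is None:
        return True
    negate = matcher.startswith("!")
    net = ipaddress.ip_network(matcher.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def rule_matches(rule, pkt, out_iface):
    """Only the matchers used in the thread are modelled; unknown keys are ignored."""
    if not address_matches(rule.get("src-address"), pkt["src"]):
        return False
    if not address_matches(rule.get("dst-address"), pkt["dst"]):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt["dport"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in"]:
        return False
    if "out-interface" in rule and rule["out-interface"] != out_iface:
        return False
    return True


def forward(rules, src, dst, dport=80):
    """Return (src, dst) as the final destination host sees them after dstnat, routing and srcnat."""
    pkt = {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "in": interface_for(src)}
    # dstnat chain runs before the routing decision; first matching rule wins.
    for r in rules:
        if r.get("chain") == "dstnat" and r.get("action") == "dst-nat" and rule_matches(r, pkt, None):
            pkt["dst"] = r["to-addresses"]
            pkt["dport"] = int(r.get("to-ports", pkt["dport"]))
            break
    out_iface = interface_for(pkt["dst"])
    # srcnat chain runs after routing, so the out-interface is known here.
    for r in rules:
        if r.get("chain") == "srcnat" and rule_matches(r, pkt, out_iface):
            if r.get("action") == "masquerade":
                pkt["src"] = ROUTER_ADDR[out_iface]  # masquerade uses the egress interface's address
            elif r.get("action") == "src-nat":
                pkt["src"] = r["to-addresses"]
            break
    return pkt["src"], pkt["dst"]


def unconstrained_masquerades(rules):
    """Lint: a masquerade with no interface or address constraint rewrites WAN->LAN traffic too."""
    limiters = ("out-interface", "out-interface-list", "src-address", "src-address-list", "dst-address")
    return [r for r in rules
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
            and not any(k in r for k in limiters)]


if __name__ == "__main__":
    for name, export in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        rules = parse_nat_rules(export)
        print(name, "unconstrained masquerade rules:", len(unconstrained_masquerades(rules)))
        print("  internet client 203.0.113.7 -> web server sees", forward(rules, "203.0.113.7", "178.211.39.11"))
        print("  LAN client 192.168.99.20 -> web server sees", forward(rules, "192.168.99.20", "178.211.39.11"))
        print("  LAN client 192.168.99.20 -> internet host sees", forward(rules, "192.168.99.20", "203.0.113.7"))
```

With the broken set every visitor reaches the server as 192.168.99.50, the router's LAN address, which is exactly the "visitor IP" reported later in the thread. With the fixed set an internet client keeps its real address, outbound LAN traffic is still masqueraded to the public address, and only the hairpin case (a LAN client using the public address) is rewritten to the router's LAN address, which is the limitation the hairpin NAT page describes.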

[memolipascal@MikroTik] > /export compact
# feb/08/2014 17:40:33 by RouterOS 6.0
#
/interface ethernet
set 0 name=LAN speed=1Gbps
set 1 mac-address=00:50:56:31:A4:F0 name=WAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/ip address
add address=192.168.99.50/24 comment="Local IP" interface=LAN network=192.168.99.0
add address=178.211.39.11/27 interface=WAN network=178.211.39.0
/ip dns
set allow-remote-requests=yes servers=195.175.39.39
/ip firewall filter
add chain=forward dst-port=80 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address=178.211.39.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
/ip route
add comment="added by setup" distance=1 gateway=178.211.39.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes

It has been restructured. But the same problem. I think MikroTik is not a solution.

That config should not cause the public IPs to be hidden from the web server. Make sure that you have cleared your browser cache before testing.

To avoid confusion I suggest that you update to ROS 6.9 - the export seems to be from 6.0.

Sorry. Same problem (6.9). Is there no solution to this?

[admin@MikroTik] > /export compact
# feb/09/2014 13:48:47 by RouterOS 6.9
# software id = 731M-816R
#
/interface ethernet
set [ find default-name=ether2 ] name=LAN speed=1Gbps
set [ find default-name=ether1 ] name=WAN speed=1Gbps
/port
set 0 name=serial0
set 1 name=serial1
/ip address
add address=178.211.39.11/27 comment="added by setup" interface=WAN network=178.211.39.0
add address=192.168.99.50/24 interface=LAN network=192.168.99.0
/ip dns
set allow-remote-requests=yes servers=195.175.39.39
/ip firewall filter
add chain=forward dst-port=80 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=178.211.39.11 dst-port=80 protocol=tcp to-addresses=192.168.99.251 to-ports=80
/ip route
add comment="added by setup" distance=1 gateway=178.211.39.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=no

With this rule, the website is running, but the visitor IP is 192.168.99.50:

add action=masquerade chain=srcnat

But with this rule, the website is not running:

add action=masquerade chain=srcnat out-interface=WAN

Please help.