webserver NAT help

I have 2 ISP providers going to the same router

ADDRESS NETWORK INTERFACE

0 192.168.0.1/24 192.168.0.0 LAN0-0
1 192.168.2.1/24 192.168.2.0 wlan0
2 192.168.1.1/24 192.168.1.0 LAN1-0
3 192.168.3.1/24 192.168.3.0 wlan1
4 D 2yy.2yy.1yy.1yy/32 2yy.2yy.1yy.1yy DSL1 (STATIC IP)
5 D 6x.1xx.1xx.7x/32 2xx.2xx.1xx.1xx DSL0

Traffic from 192.168.0.1/24 and 192.168.2.1/24 (bridge0) will leave from DSL0
Traffic from 192.168.1.1/24 and 192.168.3.1/24 (bridge1) will leave from DSL1

98 ;;; toLAN0
chain=prerouting action=mark-routing new-routing-mark=toLAN0
passthrough=no dst-address=192.168.0.0/24
99 ;;; toLAN1
chain=prerouting action=mark-routing new-routing-mark=toLAN1
passthrough=no dst-address=192.168.1.0/24
100 ;;; toDSL0
chain=prerouting action=mark-routing new-routing-mark=toDSL0
passthrough=no src-address=192.168.0.0/24
101 ;;; toDSL1
chain=prerouting action=mark-routing new-routing-mark=toDSL1
passthrough=no src-address=192.168.1.0/24

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 DSL0 1 (toDSL0)
1 A S 0.0.0.0/0 bridge0 1 (toLAN0)
2 A S 0.0.0.0/0 bridge1 1 (toLAN1)
3 A S 0.0.0.0/0 DSL1 1 (toDSL1)
4 A S ;;; default route for router
0.0.0.0/0 DSL0 1
5 ADC 192.168.0.0/24 192.168.0.1 bridge0 0
6 ADC 192.168.1.0/24 192.168.1.1 bridge1 0
7 ADC 192.168.2.0/24 192.168.2.1 bridge0 0
8 ADC 192.168.3.0/24 192.168.3.1 bridge1 0
10 ADC 2yy.2yy.1yy.1yy/32 2yy.2yy.1yy.1yy DSL1 0
11 ADC 2xx.2xx.1xx.1xx/32 6x.1xx.1xx.7x DSL0 0

I have a webserver on 192.168.1.123.

External clients can see my website through the static IP provided by my ISP

18 chain=forward action=accept protocol=tcp dst-address=192.168.1.123 in-interface=DSL1 dst-port=80
19 chain=forward action=accept protocol=udp dst-address=192.168.1.123 in-interface=DSL1 dst-port=80

4 chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=DSL0
5 chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=DSL1
9 chain=dstnat action=dst-nat to-addresses=192.168.1.123 to-ports=80 protocol=tcp in-interface=DSL1 dst-port=80
10 chain=dstnat action=dst-nat to-addresses=192.168.1.123 to-ports=80 protocol=udp in-interface=DSL1 dst-port=80

I can see my website using my internal ip 192.168.1.123 (client on 192.168.0.0/24)

I would like to see my website using the STATIC IP address provided by my ISP from clients on 192.168.0.0/24

Thanks

TONY

http://wiki.mikrotik.com/wiki/Hairpin_NAT

I’ve read the article before posting. Traffic does not actually leave and come back on
the same interface. It goes from bridge0 to bridge1.

Also I have 2 IP from my ISPs.
How does the router know which IP to NAT?

Based on the wiki, I’ve tried this on my setup…

3 chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.1.123

It does not work.

Thanks

Sorry, didn’t read carefully enough.
The problem is that you’re setting a routing mark in prerouting for all traffic leaving br0 or br1. Then you destination NAT traffic to the webserver, so traffic SHOULD go from br0 to br1 - but the routing mark is still attached to the packet, so the router routes according to the routing mark and doesn’t actually send the packet out via br1 to the webserver.

The simplest solution is to make an address list of all your local IP addresses:

/ip firewall address-list 
add list=local-addresses address=192.168.0.0/22
add list=local-addresses address=2yy.2yy.1yy.1yy
add list=local-addresses address=6x.1xx.1xx.7x

And then edit your prerouting mangle rules that set routing marks and add “dst-address-list=!local-addresses”. That way packets sent to any private IP address on your network or either of your public IPs on the two WAN interfaces don’t match (because the destination IP of the packet is on the local-addresses list, so the negated qualifier doesn’t match) and no routing mark is set on those packets.
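As an added example (not part of the original thread, and not a config either poster provided), here are Tony's four prerouting mangle rules from the first post written out in RouterOS CLI form with the dst-address-list=!local-addresses qualifier the reply above describes, together with the address list itself. Interface names, routing marks and subnets are the ones shown in the thread; the two public IPs are kept masked exactly as Tony posted them, so substitute the real addresses.

```routeros
# Added example: the fix from the reply above in full RouterOS CLI form.
# Not Tony's original config. Public IPs are left masked as in his post.

# 1. One address list holding every address that is "local" to this router:
#    192.168.0.0/22 covers all four LAN subnets (192.168.0.0 - 192.168.3.255),
#    and the two public WAN addresses are listed individually.
/ip firewall address-list
add list=local-addresses address=192.168.0.0/22
add list=local-addresses address=2yy.2yy.1yy.1yy
add list=local-addresses address=6x.1xx.1xx.7x

# 2. The same four mangle rules, each with dst-address-list=!local-addresses.
#    Mangle prerouting runs before dstnat, so a LAN client connecting to the
#    public IP is matched here on that public IP. Because it is on the list,
#    the negated qualifier fails, no mark is set, and after dst-nat the packet
#    is routed by the main table's connected route straight to bridge1.
#    Only traffic bound for the Internet still gets a routing mark.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=toDSL0 passthrough=no \
    src-address=192.168.0.0/24 dst-address-list=!local-addresses comment=toDSL0
add chain=prerouting action=mark-routing new-routing-mark=toDSL1 passthrough=no \
    src-address=192.168.1.0/24 dst-address-list=!local-addresses comment=toDSL1

#    Note: with the same qualifier the two destination-based rules can never
#    match, because 192.168.0.0/24 and 192.168.1.0/24 are themselves inside
#    local-addresses. They are shown for completeness; the connected routes
#    in the main table deliver LAN-to-LAN packets without any mark.
add chain=prerouting action=mark-routing new-routing-mark=toLAN0 passthrough=no \
    dst-address=192.168.0.0/24 dst-address-list=!local-addresses comment=toLAN0
add chain=prerouting action=mark-routing new-routing-mark=toLAN1 passthrough=no \
    dst-address=192.168.1.0/24 dst-address-list=!local-addresses comment=toLAN1

# 3. Check: while a client on 192.168.0.0/24 loads the site via the public IP,
#    the toDSL0 counters should stay still and only Internet-bound traffic
#    should increment them.
/ip firewall mangle print stats
```

The order matters for the same reason it did in Tony's original list: the source-based toDSL0/toDSL1 rules are the ones that sent hairpin traffic out the WAN, so those are the two rules that must carry the negated list for the fix to take effect.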

That works.

Thanks

TONY