Hello,
I have a domain pointing to my IP. I run a web server behind RouterOS. Anyone outside of the network can access the site just fine, but if anyone behind RouterOS tries to use the domain to access the site, they get the RouterOS web admin page.
How can I configure RouterOS so that when people from inside my network use that domain they get my web server?
My external IP is dynamic by the way.
post your NAT and IP configuration
in CLI
ip address export
ip firewall nat export
and post output
[admin@MikroTik] > ip address export
# may/19/2008 16:55:34 by RouterOS 2.9.26
# software id = ILTS-NX0
#
/ ip address
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=ether3 comment="" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=ether2 comment="" disabled=no
[admin@MikroTik] > ip firewall nat export
# may/19/2008 16:56:07 by RouterOS 2.9.26
# software id = ILTS-NX0
#
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=dstnat in-interface=ether2 action=netmap to-addresses=192.168.2.100 \
to-ports=53-80 comment="This is for fake_net" disabled=no
add chain=dstnat protocol=tcp dst-port=56671 action=netmap \
to-addresses=192.168.2.201 to-ports=56671 comment="emule TCP" disabled=no
add chain=dstnat in-interface=ether1 protocol=udp dst-port=6959 action=netmap \
to-addresses=192.168.2.201 to-ports=6959 comment="emule UDP" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=netmap \
to-addresses=192.168.2.100 to-ports=80 comment="web server" disabled=no
add chain=dstnat in-interface=ether1 protocol=udp dst-port=88 action=netmap \
to-addresses=192.168.2.60 to-ports=88 comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3074 action=netmap \
to-addresses=192.168.2.60 to-ports=3074 comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=udp dst-port=3074 action=netmap \
to-addresses=192.168.2.60 to-ports=3074 comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=445 action=netmap \
to-addresses=192.168.2.100 to-ports=445 comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=135-139 \
action=netmap to-addresses=192.168.2.100 to-ports=135-139 comment="" \
disabled=no
add chain=dstnat in-interface=ether1 protocol=udp dst-port=135-139 \
action=netmap to-addresses=192.168.2.100 to-ports=135-139 comment="" \
disabled=no
add chain=dstnat in-interface=ether1 protocol=udp dst-port=445 action=netmap \
to-addresses=192.168.2.100 to-ports=445 comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=38565 action=netmap \
to-addresses=192.168.2.100 to-ports=38565 comment="" disabled=no
add chain=srcnat out-interface=ether2 action=masquerade comment="" disabled=no
what is your server IP, and also what interface is WAN and what is LAN
Ether1: dynamic IP - Internet (WAN)
Ether2: 192.168.1.2 - LAN
Ether3: 192.168.2.1 - LAN
I am only concerned about the Ether3 lan and the WAN being able to access it though.
and is your server on Ether2 or Ether3, and what is its IP?
Server is on Ether3, 192.168.2.100
EgyCom
May 19, 2008, 9:32pm
delete your web server NAT rule and add the one below
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.100 to-ports=80 comment="web server"
and change your router WWW server from 80 to any other port
Changed the www service to port 81... Still doesn't work...
External addresses can still access it, but I get “connection timed out” from internal attempts.
iam8up
May 20, 2008, 3:08am
From what I gather…
Ether1: dynamic IP - Internet (WAN)
Ether2: 192.168.1.2 - LAN
Ether3: 192.168.2.1 - LAN
…
Server is on Ether3, 192.168.2.100
If your desktop is also on Ether3, you cannot route back to the same interface from which you came. The Linux kernel will not allow you to do that.
Yeah, my desktop is on ether3... so does that mean I can't fix this problem?
UPDATE: I fixed this issue by making a static DNS entry for my domain that points to my local server. This will also work for anyone else who has this problem, as long as their users have their DNS pointing to the RouterOS box. If not, you will just have to put this static DNS entry on whatever DNS server they do point to.
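For reference, both ways of solving the problem described in this thread, as an added RouterOS configuration example that is not from any of the posts above: hairpin (loopback) NAT, which keeps the public name working from the LAN without touching DNS, and the static DNS entry the original poster settled on. It uses the interfaces and addresses listed in the thread (ether1 = WAN with a dynamic IP, ether3 = 192.168.2.1/24, server = 192.168.2.100); "example.com" stands in for the real domain and the dst-address-type=local matcher is assumed to be available on the router's RouterOS version.

```routeros
# Added example, not from the thread. Assumes the addresses the original
# poster listed; example.com is a placeholder for the real domain.

# --- Option 1: hairpin (loopback) NAT ---
# 1) Destination NAT for port 80 with no in-interface, so it also matches LAN
#    clients connecting to the public address. dst-address-type=local limits
#    the rule to addresses the router itself owns, so ordinary outbound HTTP
#    from LAN clients to the internet is left alone; a dst-nat rule matching
#    only protocol/dst-port would redirect all of that traffic to the server.
/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.2.100 to-ports=80 comment="web server"

# 2) Source NAT for the hairpin path only: LAN client -> router -> server on the
#    same subnet. Without it the server answers the client directly from
#    192.168.2.100, the client expected an answer from the public IP, and the
#    connection times out (the symptom reported above). Masquerading makes the
#    server answer the router, which translates the reply back to the client.
#    Keep this rule narrow (source subnet, server address, port) so nothing
#    else on the LAN loses its real source address in the server's logs.
add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.2.100 \
    protocol=tcp dst-port=80 out-interface=ether3 action=masquerade \
    comment="hairpin NAT for web server"

# Move the router's own web admin off port 80 and restrict it to the LAN, so
# it never collides with the forwarded port and is not reachable from the WAN.
/ip service
set www port=81 address=192.168.2.0/24

# --- Option 2: split DNS (what the original poster did) ---
# Clients that use the router as their resolver get the LAN address directly,
# so their traffic never has to loop through NAT at all.
/ip dns static
add name=example.com address=192.168.2.100
```

With option 1, verify from a host on ether3 that a connection to the public address on port 80 shows up in /ip firewall connection with the translated destination, and that a connection to any other site on port 80 does not.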