mehdiadust
just joined
Topic Author
Posts: 4
Joined: Thu Dec 16, 2010 8:50 pm

local webserver behind nat

Fri Dec 17, 2010 11:48 am

Dear friends,
My network diagram is very simple .... like:
internet ip/30 >>> MikroTik RouterOS 3.10 >>> LAN (172.16.95.0/24) gw: 172.16.95.1, dns/web/ftp: 172.16.95.5

The problem is that when users from the block 172.16.95.0/24 use 172.16.95.5 as their primary DNS, they can browse the website xyz.com (xyz is not a registered domain) hosted on 172.16.95.5.

But when the users use public DNS IP addresses such as 8.8.8.8 or 4.2.2.1 as both primary & secondary DNS, then they can browse the internet but can't browse xyz.com.
 
mrz
MikroTik Support
Posts: 5959
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: local webserver behind nat

Fri Dec 17, 2010 12:14 pm

Use "Search". It was asked so many times.
http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
mehdiadust
just joined
Topic Author
Posts: 4
Joined: Thu Dec 16, 2010 8:50 pm

Re: local webserver behind nat

Fri Dec 17, 2010 3:14 pm

NAT config:

0 chain=srcnat action=masquerade out-interface=Internet


I can browse http://172.16.95.5 from any other PC in the block 172.16.95.0/24 with a public DNS IP address.

But when I try with the domain name, that is http://www.xyz.com, with any public DNS IP address, I can't browse the xyz.com website.

But if I use 172.16.95.5 as the client PC's primary DNS address, then I can browse the xyz.com website.

Note: dns server address: 172.16.95.5
web server address: 172.16.95.5
ftp server address: 172.16.95.5

I have tried hairpin as:
/ip firewall nat
add chain=srcnat src-address=172.16.95.0/24 \
dst-address=172.16.95.5 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade
Any idea?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: local webserver behind nat

Fri Dec 17, 2010 4:37 pm

Your configuration is bad - somewhere. So show us your config. At least the output of "/ip address print detail", "/ip route print detail", and "/ip firewall export" wrapped in code tags, together with an nslookup against the DNS records of what you're trying to get to, and preferably a network diagram.
 
mehdiadust
just joined
Topic Author
Posts: 4
Joined: Thu Dec 16, 2010 8:50 pm

Re: local webserver behind nat

Fri Dec 17, 2010 6:17 pm

[sohel@MUSCAT-CITYNET] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 114.130.x.x/30 114.130.x.0 114.130.x.x WAN
1 172.16.95.1/24 172.16.95.0 172.16.95.255 LAN-1

[sohel@MUSCAT-CITYNET] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 114.130.x.1 1 WAN
1 ADC 172.16.95.0/24 172.16.95.1 0 LAN-1
2 ADC 114.130.x/30 114.130.x.3 0 WAN
[sohel@MUSCAT-CITYNET] >

[sohel@MUSCAT-CITYNET] > ip firewall export
# jan/06/1970 08:04:42 by RouterOS 3.10
# software id = 60SS-PTT
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=445 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=445 protocol=udp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=135-139 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/0 dst-port=135-139 protocol=udp src-address=0.0.0.0/0

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no
[sohel@MUSCAT-CITYNET] >



From Local DNS : 172.16.95.5

[root@ns1 ~]# nslookup 172.16.95.5
Server: 172.16.95.5
Address: 172.16.95.5#53

5.95.16.172.in-addr.arpa name = ns1.xyz.com.

[root@ns1 ~]#

[root@ns1 ~]# nslookup ns1.xyz.com
Server: 172.16.95.5
Address: 172.16.95.5#53

Name: ns1.xyz.com
Address: 172.16.95.5

[root@ns1 ~]#
[root@ns1 ~]# nslookup www.xyz.com
Server: 172.16.95.5
Address: 172.16.95.5#53

www.xyz.com canonical name = ns1.xyz.com.
Name: ns1.xyz.com
Address: 172.16.95.5

[root@ns1 ~]#

I want to browse http://www.xyz.com locally from the IP block 172.16.95.0/24, whatever the clients' DNS address may be; it could be Google DNS, ISP DNS or OpenDNS.

Any idea?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: local webserver behind nat

Fri Dec 17, 2010 6:40 pm

This has nothing to do with NAT. You can't expect to use a public DNS server for a domain name that isn't registered to you. The public DNS server cannot possibly know how to resolve that name if it isn't registered properly.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: local webserver behind nat

Mon Dec 20, 2010 1:46 pm

Use "Search". It was asked so many times.
http://wiki.mikrotik.com/wiki/Hairpin_NAT
I read this page, and it's for people with static IP addresses. In case of dynamic IP addresses, people need a script to update the address. With the following script, you can use an address list instead of an IP address. This script automatically updates the IP address in the address list.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# BEGINNING OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:local "wan-interface" "ether2"
:local "address-list" "wan_ip"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# END OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# last WAN address seen; global so it survives between scheduled runs
:global "old-wan-ip"

# current address on the WAN interface, with the /prefix length stripped off
:local "wan-ip" [ /ip address get [/ip address find interface=$"wan-interface"] address ]
:set "wan-ip" [ :pick $"wan-ip" 0 [:find $"wan-ip" "/" ] ]

:if ( [:len [/ip firewall address-list find list=$"address-list"]] = 0 ) do={
    # first run: create the address-list entry and remember the address
    /ip firewall address-list add address=$"wan-ip" list=$"address-list"
    :set "old-wan-ip" $"wan-ip"
    :log warning ("address list: " . $"address-list" . " added by script")
} else={
    :if ($"wan-ip" != $"old-wan-ip") do={
        # WAN address changed: update every entry of the list
        :foreach a in=[/ip firewall address-list find list=$"address-list"] do={
            /ip firewall address-list set $a address=$"wan-ip"
        }
        :log warning ("WAN IP address changed from: " . $"old-wan-ip" . " to " . $"wan-ip")
        :set "old-wan-ip" $"wan-ip"
    }
}
 
mehdiadust
just joined
Topic Author
Posts: 4
Joined: Thu Dec 16, 2010 8:50 pm

Re: local webserver behind nat

Fri Dec 24, 2010 6:39 pm

It's working now ....

RB as the DNS server:

for udp:
chain: dstnat
protocol: udp
dst-port: 53

action: redirect
port: 53

for tcp:
the same, only protocol: tcp

..... now local users can browse xyz.com (which is not registered on the internet) as well as the other websites ... thanks to the buddy who posted the solution ..... I can not remember his id ... or ... name

Note: I have also added a static DNS entry for the domain:

name: www.xyz.com
ip: 172.16.95.5

....... getting more and more DNS addresses in the DNS cache ... any suggestion?
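The working setup described above, written out as RouterOS CLI commands. This is an added illustration, not configuration from the original post; the interface names LAN-1 and WAN are taken from the "/ip address print" output earlier in the thread, and the final two input-filter rules go beyond what the post shows, to keep the router's resolver from answering queries arriving from the WAN side.

```routeros
# Added example: the dstnat + static-DNS solution from the thread as CLI commands.
# Interface names LAN-1 and WAN come from the "/ip address print" output above.

# Let the router answer DNS queries (it forwards to its own upstream servers).
/ip dns set allow-remote-requests=yes

# Answer the unregistered name locally, so it resolves to the LAN web server
# even when the client points at 8.8.8.8 or any other public resolver.
/ip dns static add name=www.xyz.com address=172.16.95.5

# Intercept every DNS query leaving the LAN and hand it to the router's resolver.
/ip firewall nat add chain=dstnat in-interface=LAN-1 protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=LAN-1 protocol=tcp dst-port=53 action=redirect to-ports=53

# allow-remote-requests=yes also answers queries that arrive on WAN, which would
# turn the router into an open resolver; drop those on the input chain.
/ip firewall filter add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop
```

The existing srcnat masquerade rule on WAN stays as it is; it still provides internet access, and the growing DNS cache the post mentions is the expected side effect of every LAN client now resolving through the router.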
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: local webserver behind nat

Fri Dec 24, 2010 7:19 pm

Of course you're going to get lots of cached DNS records if you're forcing everyone to resolve via your resolver. That's expected.

If you can't live with that the proper solution would be to buy xyz.com and make a proper DNS record.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
