k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Server and public ip

Sat Apr 09, 2016 3:36 pm

Hello everyone,
I have a Mikrotik CCR1009-8G-1S-1S+PC router and a Synology DS-713+ server.
It connects to the server via a domain name.
My problem is that a friend or I, via my tablet or a computer on the Free network, can connect to the server via my public IP.
I would like to stop it, but how?
Thank you in advance

Sorry for my bad English
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Server and public ip

Sat Apr 09, 2016 7:23 pm

Hi,
Drop packets which are NOT coming from your LAN subnet and are going to the Synology device; use IP/Firewall/Filter Rules.
Or it's better to set this rule when you are NATting your packets to the Synology.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Sun Apr 10, 2016 2:14 am

Hello and thank you for your answer.
Unfortunately I know nothing about all this.
Which rule should I create?
Thank you in advance
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Server and public ip

Sun Apr 10, 2016 9:12 am

Send your NAT configuration here.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Sun Apr 10, 2016 9:56 am

Hello,
Here is my setup, my NAT rules:

/ip firewall nat
add action=masquerade chain=srcnat log-prefix=vlan832-orange out-interface=vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat log-prefix="Port Ethernet" out-interface=all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=masquerade chain=srcnat comment="default masquerade" out-interface=vlan832-orange
add action=dst-nat chain=dstnat comment="dnat to my server" dst-port=80,443,5000 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198

Server : 192.168.1.198

Thank you
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Server and public ip

Sun Apr 10, 2016 10:45 am

So if you wanna make your server public, it's public!
You have a destination NAT to your server.
It is reachable from the internet because you want this.

If you limit your source IP addresses, its publicity has no meaning.
It's better to secure your server with a strong username and password.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Sun Apr 10, 2016 11:09 am

My server already has a username and password, but that's not my question.
My question is how to restrict access to my server via my public IP but only through my domain name.
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Server and public ip

Sun Apr 10, 2016 11:36 am

> My server already has a username and password but it's not my question
> My question is how to restrict access to my server via my public IP but only through my domain name

That I don't know.
Since it's about DNS and public IP, and they are the same now, I don't think Mikrotik could help you, but it's better to wait for an expert.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Sun Apr 10, 2016 11:56 am

Well, I'll wait for a network specialist.
I do not think it's complicated, but I know nothing about networks.
Thank you very much
 
gotsprings
Forum Guru
Posts: 2120
Joined: Mon May 14, 2012 9:30 pm

Re: Server and public ip

Sun Apr 10, 2016 4:45 pm

I would try to help.... but I just don't understand the question.

You want someone from the INTERNET or WAN to be able to reach the server when they use the FQDN (like http://something.somethingelse.com), but not if they use the IP address of 65.54.254.3, which is the FQDN's actual IP?
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Server and public ip

Sun Apr 10, 2016 8:08 pm

> I would try to help.... but I just don't understand the question.
>
> You want someone from the INTERNET or WAN to be able to reach the server when they use the FQDN (Like http://something.somethingelse.com. But not if they use the IP address of 65.54.254.3 which is the FQDNs actual IP?

Yes, that's his problem.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Server and public ip

Sun Apr 10, 2016 8:43 pm

There's no simple solution for this. Hostnames get resolved on the client side and the following connection to the server is the same at IP level, so you can't tell the difference. In any case it's a connection to <address>:<port>.

For http, it could be done using a reverse proxy and allowing only the given hostname (the web proxy in RouterOS could be used for this, but I don't think it's a good idea) or using an L7 filter and closing connections with "Host: <public ip>" (but it would not be completely reliable, so I don't think it's a good idea either).

Most importantly, I fail to see the problem. You have a public server. Who cares if it can also be accessed using the numeric address? It's not like it brings any real security problems or anything. If it really bothers you, then configure the server to only accept requests for the selected hostname.
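
The hostname check described in the post above, as an added example that is not part of the original thread: at IP level both requests look identical, so the decision is made on the HTTP Host header, the way a reverse proxy or name-based virtual host would. The name nas.example.com, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: placeholder for the server's real domain name.
ALLOWED_HOSTS = {"nas.example.com"}

def extract_host(raw_request: bytes):
    """Return the normalised Host header value, or None if absent or ambiguous."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:              # missing or duplicated Host header
        return None
    host = hosts[0].lower()
    if host.startswith("["):         # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif ":" in host:                # strip an explicit :port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None  # a trailing dot is the same name

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(raw_request: bytes, allowed=ALLOWED_HOSTS):
    """Return (status, reason) the way a name-based virtual host would answer."""
    host = extract_host(raw_request)
    if host is None:
        return 400, "missing or ambiguous Host header"
    if is_ip_literal(host):
        return 404, "addressed by IP, not by name"
    if host not in allowed:
        return 404, "unknown hostname"
    return 200, "ok"

# Constructed sample requests (203.0.113.10 is a documentation address).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: nas.example.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: NAS.Example.com.:443\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(decide(req), req.split(b"\r\n")[1])
```

The TCP port stays reachable either way; the check only changes what the server answers when it is not addressed by its name.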
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Sun Apr 10, 2016 10:34 pm

Sorry for the bad Google translation French -> English.
For example, on my tablet, if I type a link with my local IP, e.g. http://80.255.74.4, I arrive on my server.
And I do not like that. How can I avoid this?
With my domain name that works well.
I wonder if it is on the server I get
I feel that it is on the router
I came across a page that tells me this: "The page you are looking for can not be found (error 404)"
 
gotsprings
Forum Guru
Posts: 2120
Joined: Mon May 14, 2012 9:30 pm

Re: Server and public ip

Mon Apr 11, 2016 2:19 am

/ip firewall nat export

Print that here.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Mon Apr 11, 2016 2:51 am

Here are the NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=vlan832-orange out-interface=vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat log-prefix="Port Ethernet" out-interface=all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=masquerade chain=srcnat comment="default masquerade" out-interface=vlan832-orange
add action=dst-nat chain=dstnat comment="Photo Station" dst-port=80,443 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=dstnat comment="Serveur DSM 6.0" dst-port=5000 in-interface=vlan832-orange protocol=tcp to-addresses=192.168.1.198
WAN = vlan832-orange
Server = 192.168.1.198
 
gotsprings
Forum Guru
Posts: 2120
Joined: Mon May 14, 2012 9:30 pm

Re: Server and public ip

Tue Apr 12, 2016 4:30 am

Add a filter rule in forward chain to allow by dst-nat. That will take care of passing the firewall once you make a nat rule.

Keep default masq out.
Keep your server 80 and 443.

Disable the others for a test.
 
k750
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Feb 19, 2016 4:40 pm
Location: France / Paris

Re: Server and public ip

Tue Apr 12, 2016 2:48 pm

> Keep your server 80 and 443.
> Disable the others for a test.

Hello,
I do not have access to the server.
What rule must I put in IP Filter?
For clarity, here's my problem.
 
gotsprings
Forum Guru
Posts: 2120
Joined: Mon May 14, 2012 9:30 pm

Re: Server and public ip

Tue Apr 12, 2016 7:27 pm

/ip firewall filter add chain=forward comment="NAT'd" connection-nat-state=dstnat place-before=2
Don't forget that one. That will allow your port forwards to actually work.
