Hi Guys!
In my office I have a pretty extensive hardware (and software) configuration, but anything special really. I also have two www servers, on two different machines. One for production access, one for testing. Both servers are using virtualhosts based on my public IP DNS resolution.
Apache configuration, DNS configuration, local access are not in discussion here.
Main router is an hAP AC (enough for my office needs). Generic masquerading config for NAT to local hosts, and TCP 80 dst-nat-ed to production www. And - of course, masquerade for hairpin NAT for the same.
I'd like to have the possibility to access - from ONE specific host inside (local IP) or even from ALL local hosts (doesn't bother me) - the testing www server, instead the production one. And I can't seem to success in that.
Maybe worth to mention that I can access testing server from any specific public IP, while all other clients are served from production server.
Short relevant config:
1.1.1.1 - public IP on ether1-gateway on hAP AC
2.2.2.2 - remote public IP that can access testing server instead of production (HOME)
192.168.0.0/24 - local network
192.168.0.254 - bridge local interface on hAP AC
192.168.0.250 - production www
192.168.0.246 - testing www
Now the relevant code:
Code: Select all
/ip firewall nat
# default masquerade rule
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-gateway
# HTTP dst-nat and masquerading to PRODUCTION server
add action=masquerade chain=srcnat comment="HTTP services PROD" dst-address=192.168.0.250 dst-port=80 log=yes out-interface=bridge-local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.0.250
# HTTP dst-nat to TESTING server from external IP
add action=dst-nat chain=dstnat comment="HTTP services to HOME" dst-address=1.1.1.1 dst-port=80 protocol=tcp src-address=2.2.2.2 to-addresses=192.168.0.246
Code: Select all
# # HTTP dst-nat to TESTING server from local IP
add action=masquerade chain=srcnat comment="HTTP from MAIN - TEST" dst-address=192.168.0.246 dst-port=80 log=yes protocol=tcp src-address=192.168.0.1
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 log=yes protocol=tcp src-address=192.168.0.1 to-addresses=192.168.0.246
Now it works. Why didn't the first time?! Hard to say, possible typo from my side. I made it also using address-list as src, but this is not important.
I also tried different chains, with jump rules, and so on ...
As I said in the begining, there are other ways in doing that (non-mikrotik related), but it's frustrating that something that seemed such easy at first view is not working!
Any other method (maybe easier) in acquiring the above?
Thanks,
T
