
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Cant get to local Webserver

Fri Apr 07, 2017 10:40 pm

good day

let's try this again

new to the Hex Lite router, we used DD WRT software before

using WinBox to access the router

Problem is I can not access the webserver via the local network and I need to

how can I do this ?

is there something I missed while programming ?

I would rather not enter the IP address of the webserver all the time

Thanks
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sat Apr 08, 2017 8:02 pm

anyone ??
 
romihg
newbie
Posts: 28
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: Cant get to local Webserver

Sat Apr 08, 2017 9:34 pm

 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Cant get to local Webserver

Sat Apr 08, 2017 10:34 pm

Instead of hairpin NAT you can have the webserver resolved to the internal IP address. Just use the DNS server in the MT.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sat Apr 08, 2017 10:52 pm

why would this NOT work like a consumer router ,

My computer on x.114 wants to see a web page google.ca
so it goes through the router to the modem and out to the internet

now I want to see my own web site again computer x.114 wants to see cmrk.net
well it should go to the router and out to the net and back into the router and to the webserver on x.99

it will not connect to the web server , yet if I put in the LOCAL ip /cmrk/ I can get to the webserver

never had this problem on a router I can go get at staples

this is ONLY for computers behind the HEX lite , other computers on the web can find the site with NO problems at all , I can get to the site with my pad via Cell data


so question is why can't local computers get to it ( www.cmrk.net) yet will see the outside world no problems

Thank you
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sat Apr 08, 2017 11:47 pm

Like the others said, you need to do:

Have the web-site resolve to the local IP at your DNS server for queries on your local network. In most small implementations the DNS resolver is running on MikroTik so you can just add a static entry there.

or ...

Perform what is typically referred to as a HAIRPIN NAT on the MikroTik. The document can be found here https://wiki.mikrotik.com/wiki/Hairpin_NAT.

Last, as to why a router from Staples does this automatically and a MikroTik does not ... Largely because HAIRPIN NAT has been a point of contention over the years. It has always been something that was a bit tricky for new engineers to get working on any of the major "enterprise" brand firewalls (ASA, etc ...). Thankfully on the Linux / MikroTik side it is pathetically easy. So, long story short, it's possible and I'd quit whinging about having to run a command or manage DNS to get it to work. Either method is super easy on the MikroTik side.
 
skuykend
Member Candidate
Posts: 270
Joined: Tue Oct 06, 2015 7:28 am

Re: Cant get to local Webserver

Sat Apr 08, 2017 11:49 pm

This isn't a router you can get at Staples that can just do one subnet and maybe a guest wireless.

It is a full featured industrial router with many more options that can be configured in millions of different ways and therefore has to be correctly set up for your unique situation.

Hairpins are not always desirable and therefore should be set up separately.

If you need a simple router, then get a simple router.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 1:38 am

Like the others said, you need to do:

Have the web-site resolve to the local IP at your DNS server for queries on your local network. In most small implementations the DNS resolver is running on MikroTik so you can just add a static entry there.
can you point me in this direction please I am using winbox to access the router , it has been fun and a pain in the butt to learn this system ,

I can see the advantage of this unit for a larger set up but for my SOHO it can be a pain LOL this is the last thing that has to be done , and of course most of the info I can find is command line ,

Thank you
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 2:22 am

No worries. If you are using the DNS Cache / Resolver on the MikroTik (it comes on by default I believe), you can add a static entry for your web-site like:

For cmrk.net at the local IP of 10.1.1.99:
/ip dns static add address=10.1.1.99 name=cmrk.net
You may want www.cmrk.net to work as well so add a second entry for that:
/ip dns static add address=10.1.1.99 name=www.cmrk.net
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 2:23 am

ok went into the router and added my local DNS server address 192.x.x.x to it , still can't resolve getting to any of the domains I have on the webserver
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 2:25 am

No worries. If you are using the DNS Cache / Resolver on the MikroTik (it comes on by default I believe), you can add a static entry for your web-site like:

For cmrk.net at the local IP of 10.1.1.99:
/ip dns static add address=10.1.1.99 name=cmrk.net
You may want http://www.cmrk.net to work as well so add a second entry for that:
/ip dns static add address=10.1.1.99 name=www.cmrk.net
that would work but I have 10 domains on that webserver , and more to come as my Kids want to put up a web site
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 2:28 am

An alternative would be to just do the hairpin NAT method. It's not reliant on the name.

You use 1 rule to translate the destination from the public to private IP and another rule to translate the source IP from the computer's IP to the router's inside IP. This forces the server to respond to the router which can then tweak the packet to show a source IP of your web-server's public IP which is what the client computer is expecting.

The wiki page puts it down pretty clearly. If your IP is what http://www.cmrk.net resolves to currently the rules would look something like this if your LAN is 10.1.1.0/24:

(Also, make sure these are above your general outbound masquerade rule)
/ip firewall nat add chain=dstnat action=dst-nat \
    dst-address=24.138.163.218 to-address=10.1.1.99 \
    protocol=tcp dst-port=80

/ip firewall nat add chain=srcnat action=masquerade out-interface=lan \
    dst-address=10.1.1.99 src-address=10.1.1.0/24 \
    protocol=tcp dst-port=80
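
The packet walk described in the post above, as an added example that is not part of the original post or of MikroTik's documentation: a small Python model of the two rules showing why the dst-nat rule alone times out and why the masquerade's src-address must cover the client. The router LAN address 10.1.1.1, the client 10.1.1.114 and source port 40000 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "24.138.163.218"  # dst-address of the dst-nat rule in the post
SERVER_IP = "10.1.1.99"       # to-address of the dst-nat rule in the post
ROUTER_LAN_IP = "10.1.1.1"    # assumption: router's LAN address, not in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def hairpin_walk(client_ip, masq_src_range=None):
    """Walk one TCP/80 request from a LAN client to the public IP and back.

    masq_src_range is the src-address of the srcnat masquerade rule, or None
    when that rule is absent. Returns (source IP the server sees, reply as it
    reaches the client, True if the client accepts the reply).
    """
    request = Packet(client_ip, PUBLIC_IP, 40000, 80)  # constructed request
    pkt = request
    # Rule 1 (dstnat): public destination is rewritten to the private server.
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        pkt = replace(pkt, dst=SERVER_IP)
    # Rule 2 (srcnat masquerade): applies only if the client is in src-address.
    masqueraded = (
        masq_src_range is not None
        and pkt.dst == SERVER_IP
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(masq_src_range)
    )
    if masqueraded:
        pkt = replace(pkt, src=ROUTER_LAN_IP)
    seen_by_server = pkt.src
    # The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, pkt.src, 80, pkt.sport)
    if masqueraded:
        # The reply goes back to the router, whose connection tracking
        # reverses both rewrites before forwarding it to the client.
        reply = Packet(PUBLIC_IP, client_ip, 80, request.sport)
    # Without masquerade the client is on-link for the server, so the reply
    # bypasses the router and still carries the server's private source IP.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)
    return seen_by_server, reply, accepted
```

With the masquerade in place the web server sees the router's LAN address for every internal visitor, so its access log no longer distinguishes LAN clients.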
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 2:50 am

An alternative would be to just do the hairpin NAT method. It's not reliant on the name.

You use 1 rule to translate the destination from the public to private IP and another rule to translate the source IP from the computer's IP to the router's inside IP. This forces the server to respond to the router which can then tweak the packet to show a source IP of your web-server's public IP which is what the client computer is expecting.

The wiki page puts it down pretty clearly. If your IP is what http://www.cmrk.net resolves to currently the rules would look something like this if your LAN is 10.1.1.0/24:

(Also, make sure these are above your general outbound masquerade rule)
/ip firewall nat add chain=dstnat action=dst-nat \
    dst-address=24.138.163.218 to-address=10.1.1.99 \
    protocol=tcp dst-port=80

/ip firewall nat add chain=srcnat action=masquerade out-interface=lan \
    dst-address=10.1.1.99 src-address=10.1.1.0/24 \
    protocol=tcp dst-port=80
how do I do this , again using winbox for access
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:16 am

Dunno, real men / women use console :)

Download Putty and ssh in like a boss.

If you insist, in WebFig (the web UI). IP -> Firewall -> NAT -> Add New
Last edited by idlemind on Sun Apr 09, 2017 3:18 am, edited 1 time in total.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:17 am

ok figured it out I think .. now get connection to cmrk.net , and times out , I don't see the hit on the web server which is right beside me
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:18 am

Dunno, real men / women use console :)

Download Putty and ssh in like a boss.

LOL , I found that option in win box so I tried it , now I just get a time out ...
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:24 am

MikroTik Forums_HairpinNAT_1.png
Make sure your rules are ordered like above. You want the hairpin rules to come before the generic masquerade that gives you Internet access.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:33 am

Here is a look at it
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 3:39 am

broaden your srcnat masquerade (second to last rule) so the src-address is the whole subnet of 192.168.1.0/24.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:26 am

broaden your srcnat masquerade (second to last rule) so the src-address is the whole subnet of 192.168.1.0/24.
still times out . I am calling it for tonight , also trying to get PHP working ..

Thank you for all your help I will check back later or Sunday

again thank you !
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:27 am

broaden your srcnat masquerade (second to last rule) so the src-address is the whole subnet of 192.168.1.0/24.
still times out . I am calling it for tonight , also trying to get PHP working ..

Thank you for all your help I will check back later or Sunday

again thank you !
Sounds good! Get some rest. Another change to check is the out-interface. It says br2... is that the correct interface?
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:38 am

GOT IT !!!

tried one more thing , now all is good !!!

now to hate on PHP a little !!!
router2.JPG
Again a BIG THANK YOU !!!
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:45 am

Good to hear! Onward to the PHP IRC channel we go.
 
RichardSzajkowski
just joined
Topic Author
Posts: 14
Joined: Fri Apr 07, 2017 9:29 pm

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:49 am

have not played with IRC for a long time , maybe time to look into that LOL
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Cant get to local Webserver

Sun Apr 09, 2017 4:51 am

have not played with IRC for a long time , maybe time to look into that LOL
I love it, especially with open source software / projects. A lot of the projects I use have either community reps or actual devs that idle in the channels. You can get some really deep insight into a problem or bump it up in front of good eyes in a way a forum just doesn't occasionally.
 
macsrwe
Long time Member
Posts: 655
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Cant get to local Webserver

Tue Apr 11, 2017 5:05 am

No worries. If you are using the DNS Cache / Resolver on the MikroTik (it comes on by default I believe), you can add a static entry for your web-site like:

For cmrk.net at the local IP of 10.1.1.99:
/ip dns static add address=10.1.1.99 name=cmrk.net
You may want http://www.cmrk.net to work as well so add a second entry for that:
/ip dns static add address=10.1.1.99 name=www.cmrk.net
that would work but I have 10 domains on that webserver , and more to come as my Kids want to put up a web site
As of RouterOS 6.38 or so, DNS static records can contain a regular expression, so you can match all xxx.cmrk.net.
