azoo32
just joined
Topic Author
Posts: 18
Joined: Mon Mar 19, 2018 10:26 pm

port forwarding issue

Tue May 08, 2018 3:45 am

hello guys
I have a web server in my LAN, 10.0.0.8, and I want it to be reachable from outside.
I know you can do this in two steps:
1/ Add a rule allowing access to the server from outside
/ip firewall nat add chain=srcnat src-address=10.0.0.8 action=src-nat \
to-addresses=192.168.1.100
2/ Add a rule allowing the server to talk to the outer networks with its source address
/ip firewall nat add action=dst-nat chain=dstnat \
dst-address=192.168.1.100 to-addresses=10.0.0.8

I did this before and it works fine... and when I go to http://192.168.1.100 it forwards me to the server 10.0.0.8 instead of the MikroTik WebFig,
but I don't know what the issue is.
server info:

addresses
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK       INTERFACE
 0   10.0.0.1/24        10.0.0.0      interface1
 1   192.168.1.100/24   192.168.1.0   interface0

firewall nat
 1   chain=srcnat action=masquerade
 2   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=10.0.0.0/24
 3   chain=srcnat action=src-nat to-addresses=192.168.1.100 src-address=10.0.0.8
 4   chain=dstnat action=dst-nat to-addresses=10.0.0.8 protocol=tcp dst-address=192.168.1.100 dst-port=80,443
 
mkx
Forum Guru
Posts: 3943
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding issue

Tue May 08, 2018 11:39 am

...and when I go to http://192.168.1.100 it forwards me to the server 10.0.0.8 instead of the MikroTik WebFig
From where do you try to connect? From your LAN? If yes, then you need to implement "hairpin-nat" ... search around this forum, it's been described quite a few times.
If you're trying to test from internet, then I wonder how you can do it by accessing private IP address (192.168.1.100). If you're doing it from WAN side (e.g. another machine from 192.168.1.0/24 segment), then we'll have to look into the problem.
BR,
Metod
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding issue

Tue May 08, 2018 3:13 pm

The link for hairpin NAT (sob provided it in another thread) is https://wiki.mikrotik.com/wiki/Hairpin_NAT
It is for the purpose of reaching servers from within one's own network but via the public IP address, rather than the direct LAN IP.
Your setup is very confusing. Is 10.0.0.8 the LAN IP of the server, or is it 192.168.1.100?
A diagram of your setup would be very helpful.

My limited understanding of simple port forwarding is that you need dstnat!
General
chain=dstnat, protocol (typically tcp or udp), dst-port xxxxx, in-interface=WAN (or if dual WAN, in-interface-list=WAN)
Advanced
source address list (to be used if you have one or more internet external IPs that you can identify which are allowed to access to your server for better security).
Action
action=dstnat (this opens up some additional fields)
to-address= server lanip
(good idea to select log as well).

Your masquerade/src-nat rules are important so that back-and-forth traffic is routed properly (the private LAN IP gets the public IP associated, and return traffic gets back through the same WAN interface to the server). I think you have too many masquerade rules, but then again the schematic requested will clear that up.

Hope that helps.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: port forwarding issue

Tue May 08, 2018 7:12 pm

You definitely need to give more information here:
  • What are your LAN subnets?
  • Is the 192.168.1.100 address your WAN address?

You need to be careful with Masquerade. Masquerade is basically a fancy source NAT used in topologies where your gateway IP address might change. So if you have a dynamic DHCP, PPPoE, etc. address and your address changes, Masquerade will go through all src-nat connections marked by Masquerade and tear them all down. If you are using Masquerade, you should just do something like the following:
/ip firewall nat add chain=srcnat out-interface=(gateway interface) action=masquerade
With the above firewall rule, any traffic leaving your gateway interface port would get source NAT'd to whatever your IP address is for your internet connection. Nothing else should be using Masquerade. If your WAN IP address is 192.168.1.100, that is an RFC 1918 address and it is not internet routable, so you can't get to it from outside the network without using some type of VPN technology to get inside the network.

If 192.168.1.0/24 and 10.0.0.0/24 are both LAN subnets, there is no reason to use NAT at all between them. If there are no forward firewall rules blocking traffic between those subnets, you can access 10.0.0.8 from anywhere on the LAN. If you want to be able to connect to 10.0.0.8 via the LAN address 192.168.1.100 for whatever reason, you just need to use the following:
/ip firewall nat add chain=dstnat dst-address=192.168.1.100 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=10.0.0.8
MTCNA | MTCRE | MTCINE | MTCTCE | MTCUME | UBWA
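Putting the thread's advice together (mkx's hairpin NAT pointer, anav's dstnat outline and MangleRule's "one masquerade, bound to the upstream interface"), the following is an added example configuration, not posted by anyone in the thread. It assumes the addresses shown in the first post: interface0 carries 192.168.1.100 (the upstream side), interface1 carries 10.0.0.1/24 (the LAN), the web server is 10.0.0.8 on tcp/80,443, and the filter rules are placed before any existing catch-all rules in the forward chain.

```routeros
# Added example: ordered NAT + filter set for the topology in this thread.
# Assumptions: interface0 = upstream side (192.168.1.100), interface1 = LAN
# (10.0.0.0/24), web server = 10.0.0.8 on tcp/80,443.
/ip firewall nat
# 1. One masquerade, restricted to the upstream interface. This replaces the
#    two unrestricted masquerade rules and the src-nat rule for 10.0.0.8 shown
#    in the first post; LAN hosts leaving via interface0 get 192.168.1.100.
add chain=srcnat out-interface=interface0 action=masquerade \
    comment="masquerade LAN -> upstream"
# 2. Port forward. Matching on dst-address instead of in-interface keeps the
#    rule effective for LAN clients that use 192.168.1.100 (hairpin case).
#    log=yes records every new forwarded connection with the given prefix.
add chain=dstnat dst-address=192.168.1.100 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.0.8 log=yes log-prefix="dstnat-web" \
    comment="forward 80/443 to web server"
# 3. Hairpin NAT. Without this, a LAN client that connects to 192.168.1.100
#    gets its reply straight from 10.0.0.8 on the LAN segment, which does not
#    match the connection the client opened, so the TCP handshake never
#    completes. Rewriting the client's source to the router's LAN address
#    forces the server's reply back through the router, where it is un-NATed.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.8 protocol=tcp \
    dst-port=80,443 out-interface=interface1 action=masquerade \
    comment="hairpin NAT for LAN clients"

/ip firewall filter
# Only forwarded traffic from upstream that a dst-nat rule actually created is
# accepted; any other new connection arriving on interface0 is dropped, so the
# port forward is the single documented entry point into the LAN.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic"
add chain=forward in-interface=interface0 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="allow only port-forwarded new connections from upstream"
add chain=forward in-interface=interface0 connection-state=new action=drop \
    comment="drop other new connections from upstream"
```

Check the result with /ip firewall connection print where dst-address=10.0.0.8:80: a hairpinned LAN client shows the router's LAN address 10.0.0.1 as the translated source, while an upstream client keeps its original source.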
