MarHazK
just joined
Topic Author
Posts: 22
Joined: Wed Mar 29, 2017 8:31 pm

DMZ local ip to another without dstnat/port-forward the ports

Sat May 11, 2019 6:09 pm

Hi,

I have 1 PC (192.168.0.100) connected to 1 mikrotik device (192.168.0.1/24) at ether2.
Then 2 servers which:
- Web Server A (192.168.1.10) connected to same mikrotik device (192.168.1.1/24) at ether3.
- Web Server B (192.168.1.11) connected to same mikrotik device (192.168.1.1/24) at ether3.

So, what I planned to do is create another:
- IP address (192.168.0.10 under ether2) that will DMZ/dstnat to 192.168.1.10 (ether3) (Web server A)
- IP address (192.168.0.11 under ether2) that will DMZ/dstnat to 192.168.1.11 (ether3) (Web server A)

My objectives are:
- the PC can access web server A via 192.168.0.10 without using another port (no dstnat/port-forward 81->80, just listening 192.168.0.10:80 (ether2) > 192.168.1.10:80 (ether3))
- the PC can access web server B via 192.168.0.11 without using another port (no dstnat/port-forward 82->80, just listening 192.168.0.11:80 (ether2) > 192.168.1.11:80 (ether3))

Should I use IPTunnel or dstnat? Or any other idea/solution?
 
anav
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ local ip to another without dstnat/port-forward the ports

Sat May 11, 2019 6:17 pm

Draw a diagram so what you have setup is clearer.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: DMZ local ip to another without dstnat/port-forward the ports  [SOLVED]

Sat May 11, 2019 8:33 pm

It sounds like all you need are two new addresses and simple NAT:
/ip address
add address=192.168.0.10/24 interface=ether2
add address=192.168.0.11/24 interface=ether2
/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.0.10 in-interface=ether2 to-addresses=192.168.1.10
add action=netmap chain=dstnat dst-address=192.168.0.11 in-interface=ether2 to-addresses=192.168.1.11
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
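
A narrower variant of the NAT rules in the post above, added here as an example; it is not from the thread or its participants. It assumes only HTTP (TCP 80) from the ether2 LAN should reach the two servers, which matches the port 80 objective in the opening post, and that no other ether2 to ether3 traffic is wanted. The comments, the filter rules and their placement in the forward chain are assumptions.

```routeros
# Added example, not from the thread.
# Assumption: only TCP 80 from ether2 should reach the web servers on ether3.

# Alias addresses on ether2, same as in the post above
/ip address
add address=192.168.0.10/24 interface=ether2 comment="alias for Web Server A"
add address=192.168.0.11/24 interface=ether2 comment="alias for Web Server B"

# dst-nat restricted to TCP 80. A netmap rule without protocol/port matchers
# translates every protocol and port sent to the alias address.
# With these rules, other ports on 192.168.0.10/.11 are not translated and
# terminate on the router itself (input chain).
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-port=80 \
    dst-address=192.168.0.10 to-addresses=192.168.1.10 to-ports=80 \
    comment="HTTP to Web Server A"
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-port=80 \
    dst-address=192.168.0.11 to-addresses=192.168.1.11 to-ports=80 \
    comment="HTTP to Web Server B"

# Forward filter (assumed policy): allow replies and the translated HTTP
# connections, drop everything else going from ether2 to ether3.
# These rules must sit above any broader accept rule in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether2 out-interface=ether3 protocol=tcp dst-port=80 \
    comment="only dst-natted HTTP"
add chain=forward action=drop in-interface=ether2 out-interface=ether3 \
    comment="assumed policy: no other ether2 to ether3 traffic"
```

The final drop rule also blocks direct routed access from ether2 to 192.168.1.10/11, so leave it out if that path should stay open.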
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: DMZ local ip to another without dstnat/port-forward the ports

Sat May 11, 2019 10:55 pm

why not just route: just connect to .1.10/11 address?

gateway of 0.100 is 0.1 = Tik right?
and Tik knows how to get to 1.1x...
 
Sob
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: DMZ local ip to another without dstnat/port-forward the ports

Sun May 12, 2019 12:18 am

That sure does sound like the most simple and obvious solution. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
MarHazK
just joined
Topic Author
Posts: 22
Joined: Wed Mar 29, 2017 8:31 pm

Re: DMZ local ip to another without dstnat/port-forward the ports

Sun May 12, 2019 12:00 pm

> why not just route: just connect to .1.10/11 address?
>
> gateway of 0.100 is 0.1 = Tik right?
> and Tik knows how to get to 1.1x...

Never tried routing both gateways; afraid both will have conflicts due to differences of ISPs for both gateways. In other words, 192.168.0.1/24 routes to public IP A (ISP A), 192.168.1.1/24 routes to public IP B (ISP B). Probably I don't know how to route both gateways, I presume.
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: DMZ local ip to another without dstnat/port-forward the ports

Sun May 12, 2019 3:38 pm

So you have two WANs and two LANs. How do you isolate them? VRF?
Instead of natting, routing info needs to be updated. List your config (/export hide-sensitive compact)
