DMZ local ip to another without dstnat/port-forward the ports

Posted: Sat May 11, 2019 6:09 pm
by MarHazK
Hi,

I have 1 PC (192.168.0.100) connected to 1 MikroTik device (192.168.0.1/24) at ether2.
Then 2 servers which:
- Web Server A (192.168.1.10) connected to the same MikroTik device (192.168.1.1/24) at ether3.
- Web Server B (192.168.1.11) connected to the same MikroTik device (192.168.1.1/24) at ether3.

So, what I planned to do is create another:
- ip address (192.168.0.10 under ether2) that will DMZ/dstnat to 192.168.1.10 (ether3) (Web server A)
- ip address (192.168.0.11 under ether2) that will DMZ/dstnat to 192.168.1.11 (ether3) (Web server A)

My objectives are:
- the PC can access web server A via 192.168.0.10 without using another port (no dstnat/port-forward 81->80, just listening 192.168.0.10:80 (ether2) > 192.168.1.10:80 (ether3))
- the PC can access web server B via 192.168.0.11 without using another port (no dstnat/port-forward 82->80, just listening 192.168.0.11:80 (ether2) > 192.168.1.11:80 (ether3))

Should I use IPTunnel or dstnat? Or any other idea/solution on how to do this?

Re: DMZ local ip to another without dstnat/port-forward the ports

Posted: Sat May 11, 2019 6:17 pm
by anav
Draw a diagram so what you have setup is clearer.

Re: DMZ local ip to another without dstnat/port-forward the ports  [SOLVED]

Posted: Sat May 11, 2019 8:33 pm
by Sob
It sounds like all you need are two new addresses and simple NAT:
/ip address
add address=192.168.0.10/24 interface=ether2
add address=192.168.0.11/24 interface=ether2
/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.0.10 in-interface=ether2 to-addresses=192.168.1.10
add action=netmap chain=dstnat dst-address=192.168.0.11 in-interface=ether2 to-addresses=192.168.1.11
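
An added example in Python (not from Sob's post and not RouterOS code) that models what those two netmap rules do to a flow: the destination is rewritten one-to-one with the port left alone, and connection tracking restores the alias as source on the reply, so no extra port-forward or srcnat rule is needed for the PC's traffic. The Packet/NatRouter names and the sample addresses are assumptions built from the thread.

```python
from dataclasses import dataclass, replace

# Sob's two rules as constructed sample data: (in-interface, dst-address) -> to-addresses
NETMAP_RULES = {
    ("ether2", "192.168.0.10"): "192.168.1.10",
    ("ether2", "192.168.0.11"): "192.168.1.11",
}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Minimal model of the dstnat chain plus connection tracking (hypothetical)."""
    def __init__(self):
        # (client, client port, server, server port) -> alias address the client used
        self.conntrack = {}

    def dstnat(self, pkt, in_iface):
        # Forward path: netmap rewrites only the destination address.
        # The port is untouched, which is why no 81->80 port-forward is needed.
        target = NETMAP_RULES.get((in_iface, pkt.dst))
        if target is None:
            return pkt  # no rule matches: normal routing applies
        self.conntrack[(pkt.src, pkt.sport, target, pkt.dport)] = pkt.dst
        return replace(pkt, dst=target)

    def reverse(self, pkt):
        # Return path: the server answers the client directly; conntrack puts the
        # alias back as source so the client sees the peer it actually connected to.
        alias = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt if alias is None else replace(pkt, src=alias)

def demo():
    r = NatRouter()
    fwd = r.dstnat(Packet("192.168.0.100", 51000, "192.168.0.10", 80), "ether2")
    back = r.reverse(Packet("192.168.1.10", 80, "192.168.0.100", 51000))
    # A packet arriving on ether3 does not match in-interface=ether2, so it is left alone.
    other = r.dstnat(Packet("192.168.1.11", 40000, "192.168.0.10", 80), "ether3")
    return fwd, back, other

if __name__ == "__main__":
    for p in demo():
        print(p)
```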

Re: DMZ local ip to another without dstnat/port-forward the ports

Posted: Sat May 11, 2019 10:55 pm
by sebastia
Why not just route: just connect to the .1.10/11 address?

The gateway of 0.100 is 0.1 = Tik, right?
And Tik knows how to get to 1.1x...

Re: DMZ local ip to another without dstnat/port-forward the ports

Posted: Sun May 12, 2019 12:18 am
by Sob
That sure does sound like the simplest and most obvious solution. :)

Re: DMZ local ip to another without dstnat/port-forward the ports

Posted: Sun May 12, 2019 12:00 pm
by MarHazK
Why not just route: just connect to the .1.10/11 address?

The gateway of 0.100 is 0.1 = Tik, right?
And Tik knows how to get to 1.1x...
Never tried routing both gateways / afraid both will have conflicts due to differences of ISPs for both gateways; in other words, 192.168.0.1/24 routes to public IP A (ISP A), 192.168.1.1/24 routes to public IP B (ISP B). Probably I don't know how to route both gateways, I presume.

Re: DMZ local ip to another without dstnat/port-forward the ports

Posted: Sun May 12, 2019 3:38 pm
by sebastia
So you have two WANs and two LANs. How do you isolate them? VRF?
Instead of NATting, the routing info needs to be updated. List your config (/export hide-sensitive compact)