Community discussions

MikroTik App
 
FinlayDaG33k
just joined
Topic Author
Posts: 23
Joined: Sat Jun 08, 2019 7:29 pm

Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 10:00 pm

Hii there,

Yea, the title may not really make any sense so let me explain.
I have a traefik proxy that proxies data to back-end applications.
let's say my router's WAN IP is 1.2.3.4 and its LAN IP is 10.0.0.1.
Now when I try to access something through the proxy, everything goes fine except one thing: My proxy thinks *everything* is 10.0.0.1 (even when I tell my machine to connect to 1.2.3.4).
This causes some apps behind the proxy to misbehave because they rely on the IP being the IP from the outside *not* the inside.
When I access it through my phones 4G (5.6.7.8), everything works perfectly fine.

So this is basically what I get:
- Phone connects through 4G: traefik sees as 5.6.7.8
- Desktop connects: traefik sees as 10.0.0.1
- Phone connects through wifi: traefik sees as 10.0.0.1

How can I make it so that if I access my proxy using the *external* IP, traefik sees the external IP, not the routers IP?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 10:01 pm

I would love to help but have no idea what a proxy is, what it looks like, its purpose, how it attaches to a router or switch or a pc etc..........
 
FinlayDaG33k
just joined
Topic Author
Posts: 23
Joined: Sat Jun 08, 2019 7:29 pm

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 10:16 pm

In this case, it's basically a webserver that forwards requests to a back-end.
How it's hooked up, how it functions etc. etc. is irrelevant otherwise.
Basically what the MikroTik router does is:
- See if request comes from LAN, destined for 1.2.3.4 (my WAN IP)
- Sends it to the proxy as 10.0.0.1 (the router's LAN IP)

This causes the proxy to think that the client IP is 10.0.0.1, but this causes things to break because some back-end apps rely on the publically accessible IPs to be the client IP.

That's all I know about it, I only know what I expect it to do, but not how to do it and why it misbehaves like this.
Again, this is what the proxy sees (because the router does something to interfere with the IPs):
- Phone + 4G: 5.6.7.8 (correct)
- Laptop from Starbucks or something: 9.1.2.3 (correct)
- Desktop in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)
- Phone in LAN: 10.0.0.1 (wrong, should be 1.2.3.4, the routers WAN IP)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 10:19 pm

Like I said, I dont understand the need for proxies............. or more fundamentally the requirements that you have for your users or devices.
For example why cannot they go out from their PC directly to the internet??
 
FinlayDaG33k
just joined
Topic Author
Posts: 23
Joined: Sat Jun 08, 2019 7:29 pm

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 10:45 pm

The proxy is there so that I can have multiple back-ends on 1 WAN IP (1.2.3.4) and port (443).
Basically the proxy matches from the HTTP headers like this (and forwards request accordingly):
- "test.finlaydag33k.nl" -> 10.0.1.123
- "www.finlaydag33k.nl" -> 10.0.1.133
- "something.finlaydag33k.nl" -> 10.1.234

So if, for example, a device would come in: "send me 1.2.3.4:443 with hostname www.finlaydag33k.nl", the router would take that and forward it as-is to the proxy, proxy then looks at the HTTP header and forwards it to the LAN IP "10.0.1.233".
Else, I would run out of ports really quickly (also, it's not very nice to have people remember and enter all kinds of ports).
Image

Now if I instead wanted to access "test.finlaydag33k.nl", it would just forward the request to the required back-end.
Image

However, if the client is located in the LAN, things get iffy and this becomes the scenario:
Image

Here, the router starts interfering somehow (which is what I'm trying to fix) and the "client-ip" is my router's LAN IP instead of it's WAN IP.
That should be the WAN IP so that the back-end app can do it's thing properly.
I hope this makes more sense?
 
Emil66
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 11:00 pm

You're seeing the result of a hairpin-NAT-rule. This is explained here: https://help.mikrotik.com/docs/display/ ... HairpinNAT.
If you just need to change the address to the WAN IP address of the router instead of its LAN IP address, you can do that by changing the "to-addresses" in the src-nat rule. That's the address the source address is changed to. It defaults to the address that a new connection through the egress interface would get, e.g. the LAN address if the connection is routed through the LAN interface.
 
FinlayDaG33k
just joined
Topic Author
Posts: 23
Joined: Sat Jun 08, 2019 7:29 pm

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 11:31 pm

I now have the following two rules according to that wiki article:
[admin@Main Router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade src-address=10.0.0.0/8 dst-address=10.0.0.149 out-interface=bridge1 log=yes log-prefix="[LAN]" 

 1    ;;; Traefik Ingress (HTTPS)
      chain=dstnat action=dst-nat to-addresses=10.0.0.149 to-ports=443 protocol=tcp dst-address=213.93.110.189 dst-port=443 log=no 
      log-prefix=""
But this still results in the IP showing in my app as "10.0.0.1" (if I use my phone from 4G, it still shows the right external IP).
This is what I get in my logs, so it is doing something:
Image
 
Emil66
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 11:44 pm

Yes, that's the hairpin-NAT rule. The "masquerade" target changes the source address to the address of the egress interface. Use the "src-nat" target instead and set the "to-addresses" in that rule to the WAN-address.
 
FinlayDaG33k
just joined
Topic Author
Posts: 23
Joined: Sat Jun 08, 2019 7:29 pm

Re: Allow WAN IP to LAN Client within LAN

Sat Jul 24, 2021 11:52 pm

\o/ Victory!

Image

For those that come by this later (read: "dear future self"):
[admin@Main Router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Traefik Ingress (HTTPS)
      chain=dstnat action=dst-nat to-addresses=10.0.0.149 to-ports=443 protocol=tcp dst-address=<WAN IP> dst-port=443 log=no log-prefix=""
 15    ;;; Hairpin (IMPORTANT)
      chain=srcnat action=src-nat to-addresses=<WAN IP> src-address=10.0.0.0/8 dst-address=10.0.0.149 log=no log-prefix=""
Thanks for all the help guys :)

Who is online

Users browsing this forum: jookraw, lurker888, Wave and 43 guests