ge0rge
just joined
Topic Author
Posts: 7
Joined: Wed Jul 21, 2021 12:03 pm

Secure connection to webserver on different subnet

Sat Aug 28, 2021 1:14 pm

I get my internet access via a radio link to another MT that has its own WAN address. Please see attached diagram for network layout. Both routers are RB4011s.

I have a webserver behind router B. It was on the same subnet as the rest of my house, and I had a hairpin on router A which worked fine to provide secure access from both inside and outside the network using my domain name. Because I'm a sucker for punishment / like to tinker, it's now on a separate subnet, but still behind router B. I would like to be able to access it using its domain name from a different subnet behind router B, not the private IP address.

From everything I have read, this would be almost trivial if router B was directly connected to the internet, however...

I can access the server (192.168.110.10) using my domain name from outside my network - ssl cert valid etc. I can also access it from behind router B using the private IP address from 192.168.100.0/24, but obviously then the cert isn't valid. I understand that this is no longer a hairpin situation - that has been removed from router A. I am hoping that it's something to do on router B, as that's at my house. Getting to router A requires a journey - neither router can be managed from the other's network.

/export hide-sensitive for router B is shown below - it's very simple, as router A does the firewall etc for both locations.

Hints / suggestions / examples to read all greatly appreciated.
Thanks.
# aug/28/2021 22:01:55 by RouterOS 6.48.4
# software id = XNUF-D3YG
#
# model = RB4011iGS+
# serial number = D44A0D3F03F5
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.110.200-192.168.110.254
add name=dhcp_pool4 ranges=192.168.100.200-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.120.1/24 interface=ether10 network=192.168.120.0
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=192.168.110.1/24 interface=ether4 network=192.168.110.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.100 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=1.1.1.1 gateway=192.168.110.1
/ip firewall address-list
add address=192.168.120.0/24 list=Allowed_Internet
add address=192.168.100.0/24 list=Allowed_Internet
add address=192.168.110.0/24 list=Allowed_Internet
/ip firewall filter
add action=accept chain=forward comment="Our Networks <-> Our Networks" dst-address-list=Allowed_Internet src-address-list=Allowed_Internet
add action=accept chain=forward comment="Our Networks -> Internet" out-interface=ether10 src-address-list=Allowed_Internet
add action=accept chain=forward comment="Internet -> Our Networks" dst-address-list=Allowed_Internet in-interface=ether10
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.120.0/24
add action=masquerade chain=srcnat dst-address=192.168.120.0/24 src-address=192.168.100.0/24
/ip route
add distance=1 gateway=192.168.120.6
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.120.6
/system clock
set time-zone-name=Pacific/Auckland 
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Secure connection to webserver on different subnet

Sat Aug 28, 2021 3:58 pm

You don't need hairpin NAT to access the server from any other subnet (except from the server's own subnet), including the other subnet off router B. You only need appropriate DNS entries served to computers in subnet 192.168.100.0/24 and appropriate routing (for router A subnets) ... If you reconfigure router A so that it knows about subnets 192.168.100.0/24 and 192.168.110.0/24 (being behind 192.168.120.1), you won't need any NAT on router B (neither src-nat nor dst-nat).

BTW, the second static route on router B (pointing towards 192.168.1.0/24) is redundant, default route already covers it.
 
ge0rge
just joined
Topic Author
Posts: 7
Joined: Wed Jul 21, 2021 12:03 pm

Re: Secure connection to webserver on different subnet

Sun Aug 29, 2021 8:28 am

Thanks for taking the time to reply; I'm a big step closer now thanks to that.
I have a PiHole sitting behind router B on x.x.100.100. The DHCP DNS on router B points at that, and I was able to add a couple of static addresses in the PiHole today - "mydomain.com" and "jellyfin.mydomain.com" -> x.x.110.10. I can now access the webpages from behind router B using the domain name.
One thing I did notice though - when accessing from behind router B, "mydomain.com" comes up as having a valid cert but "jellyfin.mydomain.com" doesn't - they both do when accessed from outside the WAN though. Is this because the DNS is behind router B? It seems odd that it works for one site and not the other.

I have included the /export from router A in case it's something I have missed in there.
[admin@MikroTikRB4011] > /export hide-sensitive 
# aug/29/2021 16:55:46 by RouterOS 6.48.4
# software id = CA70-VWAJ
#
# model = RB4011iGS+
# serial number = D44A0DA8360B
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1.10 name=pppoe-out1 user=xxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=sfp-sfpplus1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether10 list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=sfp-sfpplus1 network=192.168.1.0
add address=192.168.120.6/24 interface=ether10 network=192.168.120.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:2c:c8:1b:3c:ed:f1 comment="Mikrotik 24 Port" mac-address=2C:C8:1B:3C:ED:F1 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=isp.server.1,isp.server.2
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add list=Port25
add address=192.168.110.0/24 list=LAN
add address=192.168.120.0/24 list=LAN
/ip firewall filter
add action=add-src-to-address-list address-list=Port25 address-list-timeout=none-dynamic chain=forward comment="List attempts at port 25 before dropping" dst-port=25 log=yes protocol=tcp
add action=drop chain=forward comment="Drop port 25" port=25 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=SWAG 80 dst-address=192.168.110.10 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="SWAG 443" dst-address=192.168.110.10 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Wireguard 51820" dst-address=192.168.100.10 dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-out1 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin Nat 192.168.100.0/24" dst-address=192.168.100.0/24 protocol=udp src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1 src-address-list=LAN
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address-list=LAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.110.0/24
add action=dst-nat chain=dstnat comment="SWAG 80" dst-address=isp.static.ip dst-port=80 protocol=tcp to-addresses=192.168.110.10 to-ports=80
add action=dst-nat chain=dstnat comment="SWAG 443" dst-address=isp.static.ip dst-port=443 protocol=tcp to-addresses=192.168.110.10 to-ports=443
add action=dst-nat chain=dstnat comment="Wireguard 51820" dst-address=isp.static.ip dst-port=51820 protocol=udp to-addresses=192.168.100.10 to-ports=51820
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.120.1
add distance=1 dst-address=192.168.110.0/24 gateway=192.168.120.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTikRB4011
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And thanks for the pointer about the static route - removed.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Secure connection to webserver on different subnet

Sun Aug 29, 2021 10:14 am

Strange, the DNS part should not have anything to do with it (anymore); if both resolve to the same backend IP address (so "mydomain.com" and "jellyfin.mydomain.com"), then the job of the DNS is done.
Are there details in the cert-info that indicate why it's not trusted? I assume you are using Let's Encrypt type of certs?
Probably/potentially related to a trust matter in the chain, related to the fact of using RFC1918 internal IPs on client & server side without the possibility for your client/browser to trust it. Unless you manually intervene and push the CA cert into your client or something.


I always use hairpin NAT (even inside my network) using FQDNs like I would be using on the Internet, but in your case this means traffic needs to travel a bit extra and this might not be optimal.
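As an added diagnostic (not posted by anyone in this thread), a small Python check that answers the question above about the cert details: it connects to the internal address the split-horizon DNS now hands out, but sends the public name as SNI so the reverse proxy picks the same vhost a browser would, then lists the certificate's DNS SANs and applies the hostname match a browser applies. The internal IP and hostnames are taken from the thread; the certificate dict used in the test is constructed.

```python
import socket
import ssl


def san_matches(hostname, san_names):
    """Hostname check in the RFC 6125 style browsers apply: an exact match, or
    a wildcard that is the whole leftmost label and covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        # "*.mydomain.com" covers "jellyfin.mydomain.com" but not "mydomain.com",
        # not "a.b.mydomain.com", and a bare "*.com" is never accepted.
        if (labels[0] == "*" and len(labels) == len(host) >= 3
                and labels[1:] == host[1:]):
            return True
    return False


def diagnose(hostname, cert):
    """cert is a dict in the shape ssl.SSLSocket.getpeercert() returns."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "hostname": hostname,
        "subject_cn": subject.get("commonName"),
        "sans": sans,
        "hostname_matches": san_matches(hostname, sans),
    }


def probe(ip, hostname, port=443, timeout=5.0):
    """Chain verification against the system trust store stays on; only the
    built-in hostname check is replaced by san_matches so a mismatched
    certificate is reported instead of being hidden behind an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                report = diagnose(hostname, tls.getpeercert())
                report["chain_ok"] = True
                return report
    except ssl.SSLCertVerificationError as exc:
        return {"hostname": hostname, "chain_ok": False, "error": exc.verify_message}


if __name__ == "__main__":
    # Run from a host behind router B; values are the ones given in the thread.
    for name in ("mydomain.com", "jellyfin.mydomain.com"):
        print(probe("192.168.110.10", name))
```

A result with chain_ok True and hostname_matches False means the proxy served, for that SNI name, a certificate whose SANs do not cover it; chain_ok False carries the verifier's own reason instead.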
