rich
just joined
Topic Author
Posts: 13
Joined: Tue Mar 12, 2013 12:04 am

[SOLVED] Internet access webserver behind routeros

Wed Mar 20, 2013 11:28 pm

I know this topic has come up a lot in this forum; I've read about 10-15 different threads about it, and also the wiki pages.
However, I need some guidance.

I have several servers behind the router, a RB2011UAS-2HnD-IN.
It is connected in the following way:
Public IP (DHCP from ISP) - ether 1
ether 2 - L2 Switch.

So what I want to do is let users access my servers behind the router. In some of the forum threads they are using the WAN IP given by the ISP.
However, since I only get an IP from DHCP, it could change any day, which won't be so nice as I would have to update the rules manually (or script something).

As I gather, this is how such a port "opening" should look:
chain=dstnat action=dst-nat to-addresses=10.0.10.10 to-ports=80 protocol=tcp dst-port=80
But that only disabled my ability to access the web from my LAN.

Are there any firewall rules I need to set or anything?

This is the output from my router:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway to-addresses=0.0.0.0
I've not added any NAT here as they didn't work at all for me.
I have also heard about hairpin NAT, but it looks as if it requires a static WAN IP as well.

Are there firewall rules I need to add / remove and / or NAT rules?

Thanks in advance.
Last edited by rich on Sun Mar 24, 2013 5:45 am, edited 1 time in total.
 
nmaton
Frequent Visitor
Posts: 72
Joined: Fri Feb 18, 2011 12:31 am

Re: Internet access webserver behind routeros

Thu Mar 21, 2013 9:48 pm

Hi,


First, start by removing all your NAT rules and add:

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway

This should make sure that you can reach the internet again.

Then add

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=yourpublicipaddress dst-port=80 protocol=tcp to-addresses=10.0.10.10 to-ports=8080 comment="port80"


After you have done that, run the script below from your scheduler at a specified interval.


--------------START SCRIPT---------------
:global currentIP;

# the address on the WAN interface comes back as "a.b.c.d/len"
# (use your WAN interface name here; in the export above it is ether1-gateway)
:local wanAddr [/ip address get [find interface="ether1"] address];
# keep only the host part, the NAT rule needs a plain address
:local newIP [:pick $wanAddr 0 [:find $wanAddr "/"]];

:if ($newIP != $currentIP) do={
    # :log instead of :put, a scheduled run has no console to print to
    :log info "ip address $currentIP changed to $newIP";
    :set currentIP $newIP;
    /ip firewall nat set [find comment="port80"] dst-address=$newIP;
}
--------------END SCRIPT---------------

I haven't tested this, but try it and maybe you'll need to add some modifications.
Nicolas Maton
nicolasmaton@gmail.com

CCNA/ CCDA
MTCNA / MTCTCE

Available for Mikrotik Consulting
 
rich
just joined
Topic Author
Posts: 13
Joined: Tue Mar 12, 2013 12:04 am

Re: Internet access webserver behind routeros

Fri Mar 22, 2013 3:02 am

Thanks a lot. The nat works great.
I will have to test the script later on, I'll have to add all the ports I need first and then I'll add the script to test if it will work.

I think it would be better if you could set "dst-interface" or something instead of "dst-address", as that would be a great improvement for home users, who are often using dynamically assigned IP addresses.

again, many thanks.
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Internet access webserver behind routeros

Fri Mar 22, 2013 4:37 am

It is easier to specify "in-interface=WAN-INTERFACE" on your NAT rule than having to run that script.

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=80 protocol=tcp to-addresses=10.0.10.10 to-ports=8080
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
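As an added example (not code from any of the posters in this thread), here is the in-interface idea from the post above completed with the two things the thread only touches on: a forward-chain filter, so that the dst-nat rule is the only path from the internet into the LAN (the export above has no forward rules at all, so forward currently defaults to accept), and a hairpin rule, so that LAN clients can reach the server through the public address even though that address changes. It assumes the WAN interface name from rich's export (ether1-gateway), a LAN bridge named bridge-local on 10.0.10.0/24, and the server at 10.0.10.10:80, the 80-to-80 mapping rich originally asked for; the interface and subnet names are assumptions, adjust them to your own.

```routeros
# Added example, not from the thread. Assumes WAN = ether1-gateway (as in the
# export above), LAN = bridge-local / 10.0.10.0/24, web server = 10.0.10.10:80.
# The existing srcnat masquerade on ether1-gateway stays as it is.

/ip firewall nat
# dst-address-type=local matches whatever address the router currently holds,
# so the rule survives DHCP lease changes and also matches from the LAN side.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.10.10 to-ports=80 comment="web: port 80"
# Hairpin: a LAN client that connects to the public address gets its source
# rewritten to the router's LAN address, so the server's reply goes back
# through the router instead of straight to the client (which would break
# the connection, because the client expects a reply from the public address).
add chain=srcnat src-address=10.0.10.0/24 dst-address=10.0.10.10 \
    protocol=tcp dst-port=80 out-interface=bridge-local \
    action=masquerade comment="web: hairpin for LAN clients"

/ip firewall filter
# Make the dst-nat rule the only way in from the WAN side. Order matters:
# these must sit before any later forward rule that accepts everything.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=10.0.10.10 dst-port=80 action=accept comment="web: forwarded port"
add chain=forward in-interface=ether1-gateway action=drop \
    comment="drop everything else coming in from the internet"
```

Two caveats worth checking on your own router: dst-address-type=local also matches the router's own LAN address (10.0.10.1 in this example), so a LAN client browsing to the router itself on port 80 lands on the server; either move the router's www service to another port or add dst-address=!10.0.10.1 to the dstnat rule. And every additional port you forward needs its own accept line in the forward chain above the final drop, otherwise the new dst-nat rule translates the packet and the forward chain then discards it.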
 
rich
just joined
Topic Author
Posts: 13
Joined: Tue Mar 12, 2013 12:04 am

Re: Internet access webserver behind routeros

Sun Mar 24, 2013 5:44 am

Awesome, that's exactly what I was looking for.

Thanks a lot!
