dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

HOW TO REACH SERVER on SAME SUBNET

Tue Apr 30, 2013 5:51 pm

Hello, I have a strange issue and I hope someone could help me.

We installed an RB2011UAS in our offices.
I have attached to this RB:
--> eth1: ADSL connection, subnet /29
--> eth2-8: BridgeLAN, subnet /24
--> eth9: WiMAX provider, subnet /32
--> eth10: Hyperlan WISP, subnet /29, used for backup

Currently we are using the ADSL connection to route public IPs to servers inside the LAN.
We use prerouting marking to route each server through the correct interface.
I made masquerade rules to mask IPs when I go out through the Internet interfaces.

External routing to the servers is OK.
Internal routing to the Internet is OK (when I surf the web I use the WiMAX provider, and when the servers go out to the Internet they use the ADSL connection).

The problem is when I try to reach a server inside the LAN using its domain name, for example mail.mymailserver.it.
If I ping the DNS name I get a reply from it, but if I try to access the web server, for example, the connection drops.

I found an article on the wiki regarding hairpin NAT; I think it would work, but not for me.
I tried to follow that article but had no luck; I obtained the same result.

Can anyone help me?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Tue Apr 30, 2013 8:49 pm

Hairpin NAT is what you need, and it doesn't work for you most likely because of some tiny mistake (e.g. a filter rule may block the packets or something like that).

Make sure you understand what hairpin NAT does and why; the wiki article explains it well. Then it should not be hard to fix: just add a few logging rules at strategic places and watch whether the packets really go where they are supposed to go, whether the address changes correctly and whether they get blocked.

It might help to use some different port for debugging instead of the real one, where there's probably enough other traffic going already and it would get in the way. If you make e.g. Netcat listen on a port like 33333, then you can use logging rules with only protocol and port specification, without addresses, which helps when you change the addresses yourself and need to see whether it works as you expect.
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Wed May 01, 2013 12:04 am

Sob, thanks for your answer. I am really a newbie in RouterOS programming, but I am very enthusiastic about the potential it can give.
However, all these features in one device sometimes make me very confused.

I will try to follow your suggestion and will reply as soon as possible on what I did.

Thanks again.
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Fri May 03, 2013 5:59 pm

I have been making several tests, but I cannot reach servers in my subnet.
I created a firewall rule: lansubnet/24 to wansubnet/29, action masquerade,
but it does not work; the counter does not increase at all.

Since I am a newbie in RouterOS programming I don't know how to access the logging level on the RouterBoard to view what's happening.
I put the firewall rule on top, but I had no luck, so I moved it to several positions in the firewall rule list and still had no luck.

If someone knows how to do it, please help me!

I think the problem is that all traffic in the LAN subnet is masqueraded to a different WAN.
Let me explain.

Servers are masqueraded to WAN1
LAN is masqueraded to WAN2

Each server (mail server, PBX server and intranet) is marked in prerouting with its own mark-routing rule, where src-address is the server IP and everything else is blank except for the routing mark, where I put an identifier for each server.
In the routing table I have a route 0.0.0.0/0 distance 2 with routing-mark blank and the WAN2 gateway,
and for each server a route 0.0.0.0/0 distance 1 with routing-mark equal to that server's mark (e.g. mailserver, pbx, intranet).

In fact, if I look up my IP from inside a server I get that server's exact IP address in the WAN1 address space, and when I look up my IP from inside the LAN I get the IP address of the gateway on WAN2.

I hope someone can help me!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Fri May 03, 2013 7:28 pm

Rather than guessing what exactly is happening, run "/export compact" in console/terminal and post the output here.
 
kubco2
newbie
Posts: 42
Joined: Tue Mar 05, 2013 11:57 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Fri May 03, 2013 9:24 pm

You can add a static entry for the domains in the RB's DNS: IP > DNS > Static > add the local IP with the domain name. Use only the RouterBoard as DNS server on the computers: IP > DHCP Server > Networks > set DNS server to the IP of the RB (probably the same as the gateway).
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 1:39 am

Thank you kubco2, that is exactly what I did at first while I was trying to find a solution.
In fact, doing so, everything works.

The problem is that this should not be necessary.
With my old Zyxel router, I did not have to enter static entries in the DNS to trick the router...

I think there is another solution.

Sob, I will post my compact export tomorrow. Thanks.
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 1:54 am

Hello Sob, here is my configuration.
For security reasons I removed sensitive information about subnets and public IPs.
X.X.X.0/29 is my ADSL subnet
Y.Y.Y.120/29 is my Wi-Fi backup subnet
L.L.L.254/24 is my router IP, and L.L.L.0/24 is my LAN subnet
K.K.K.1/24 is my WiMAX provider router

All traffic is routed using routing marks so that each server uses the correct connection and is masqueraded with the correct public IP.
Currently the Y.Y.Y subnet is not used.
All traffic that is not marked is routed via K.K.K.1.
# may/06/2013 00:39:10 by RouterOS 6.0rc13
# software id = PV4Z-8KV1
#
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment="bridge lan" l2mtu=1598 \
    name=bridge-lan protocol-mode=rstp
/interface ethernet
set 0 comment=gateway-adsl name=ether1-gateway-adsl
set 1 comment=lan
set 7 comment="ponte nubiqua" name=ether8-Nubiqua
set 8 comment="gateway linkem" name=ether9-LInkem
set 9 comment="gateway wi-fi" name=ether10-gateway-wifi
set 10 disabled=yes name=sfp1-gateway speed=100Mbps
/ip neighbor discovery
set ether1-gateway-adsl comment=gateway-adsl
set ether2 comment=lan
set ether8-Nubiqua comment="ponte nubiqua"
set ether9-LInkem comment="gateway linkem"
set ether10-gateway-wifi comment="gateway wi-fi"
set bridge-lan comment="bridge lan"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp_pool1 ranges=L.L.L.21-L.L.L.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-lan name=dhcp1
/port
set 0 name=serial0
/queue tree
add name=voip packet-mark=servervoip parent=global priority=1 queue=default
add name=tuttalalan packet-mark=retelan parent=global queue=default
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
/ip address
add address=L.L.L.254/24 comment="Indirizzi su LAN" interface=bridge-lan \
    network=L.L.L.0
add address=Y.Y.Y.122/29 comment="Indirizzi su WIFI" interface=\
    ether10-gateway-wifi network=Y.Y.Y.120
add address=Y.Y.Y.123/29 interface=ether10-gateway-wifi network=\
    Y.Y.Y.120
add address=Y.Y.Y.124/29 interface=ether10-gateway-wifi network=\
    Y.Y.Y.120
add address=Y.Y.Y.125/29 interface=ether10-gateway-wifi network=\
    Y.Y.Y.120
add address=X.X.X.2/29 comment="Indirizzi su ADSL" interface=\
    ether1-gateway-adsl network=X.X.X.0
add address=X.X.X.3/29 interface=ether1-gateway-adsl network=X.X.X.0
add address=X.X.X.4/29 interface=ether1-gateway-adsl network=X.X.X.0
add address=X.X.X.5/29 interface=ether1-gateway-adsl network=X.X.X.0
add address=X.X.X.6/29 interface=ether1-gateway-adsl network=X.X.X.0
add address=Y.Y.Y.126/29 interface=ether10-gateway-wifi network=\
    Y.Y.Y.120
add address=K.K.K.10/24 comment="Ip Interfaccia Linkem" interface=\
    ether9-LInkem network=K.K.K.0
add address=192.168.1.250/24 comment="ponte nubiqua" interface=ether8-Nubiqua \
    network=192.168.1.0
/ip dhcp-server network
add address=L.L.L.0/24 dns-server=L.L.L.10,L.L.L.12 domain=\
    mycompany.local gateway=L.L.L.254 netmask=24 next-server=\
    L.L.L.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=servervoip \
    src-address=L.L.L.1
add action=mark-routing chain=prerouting new-routing-mark=patton src-address=\
    L.L.L.201
add action=mark-routing chain=prerouting new-routing-mark=mailserver \
    src-address=L.L.L.12
add action=mark-routing chain=prerouting new-routing-mark=intranet \
    src-address=L.L.L.11
add action=mark-routing chain=prerouting new-routing-mark=webcam src-address=\
    L.L.L.15-L.L.L.18
add action=mark-packet chain=forward new-packet-mark=servervoip src-address=\
    L.L.L.1
add action=mark-packet chain=forward dst-address=L.L.L.1 \
    new-packet-mark=servervoip
add action=mark-packet chain=forward new-packet-mark=retelan src-address=\
    L.L.L.2-L.L.L.254
add action=mark-packet chain=forward dst-address=L.L.L.2-L.L.L.254 \
    new-packet-mark=retelan
/ip firewall nat
add action=src-nat chain=srcnat comment="centralino out" src-address=\
    L.L.L.1 to-addresses=X.X.X.5
add action=src-nat chain=srcnat comment="server teip out" src-address=\
    L.L.L.80 to-addresses=Y.Y.Y.125
add action=src-nat chain=srcnat comment="mail out" src-address=L.L.L.12 \
    to-addresses=X.X.X.3
add action=src-nat chain=srcnat comment="shareserver out" src-address=\
    L.L.L.11 to-addresses=X.X.X.4
add action=masquerade chain=srcnat comment="NAT Adsl" out-interface=\
    ether1-gateway-adsl to-addresses=X.X.X.1
add action=masquerade chain=srcnat comment="NAT Wifi" out-interface=\
    ether10-gateway-wifi to-addresses=Y.Y.Y.121
add action=masquerade chain=srcnat comment="Nat LInkem" out-interface=\
    ether9-LInkem
add action=dst-nat chain=dstnat comment="virtualserver RDP" dst-address=\
    X.X.X.2 dst-port=3389 protocol=tcp to-addresses=L.L.L.2 to-ports=\
    3389
add action=dst-nat chain=dstnat comment="mailserver IN" dst-address=\
    X.X.X.3 dst-port=25 protocol=tcp to-addresses=L.L.L.12 to-ports=\
    25
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=80 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=143 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=143
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=443 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=110 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=110
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=587 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=995 protocol=\
    tcp to-addresses=L.L.L.12 to-ports=995
add action=dst-nat chain=dstnat dst-address=X.X.X.3 dst-port=3389 \
    protocol=tcp to-addresses=L.L.L.12 to-ports=3389
add action=dst-nat chain=dstnat comment="shareserver IN" dst-address=\
    X.X.X.4 dst-port=80 protocol=tcp to-addresses=L.L.L.11 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address=X.X.X.4 dst-port=443 protocol=\
    tcp to-addresses=L.L.L.11 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.4 dst-port=3389 \
    protocol=tcp to-addresses=L.L.L.11 to-ports=3389
add action=dst-nat chain=dstnat dst-address=X.X.X.4 dst-port=4060 \
    protocol=tcp to-addresses=L.L.L.11 to-ports=4060
add action=dst-nat chain=dstnat comment="teipserver IN" dst-address=\
    Y.Y.Y.125 dst-port=25 protocol=tcp to-addresses=L.L.L.80 \
    to-ports=25
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=80 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=80
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=110 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=110
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=143 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=143
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=443 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=443
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=1723 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=1723
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=3389 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=3389
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.125 dst-port=8080 \
    protocol=tcp to-addresses=L.L.L.80 to-ports=8080
add action=dst-nat chain=dstnat comment="nethservice IN" dst-address=\
    X.X.X.5 dst-port=22 protocol=tcp to-addresses=L.L.L.1 to-ports=22
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=25 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=80 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=110 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=110
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=143 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=143
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=443 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=587 protocol=\
    tcp to-addresses=L.L.L.1 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=4559 \
    protocol=tcp to-addresses=L.L.L.1 to-ports=4559
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=5060 \
    protocol=tcp to-addresses=L.L.L.1 to-ports=5060
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=8181 \
    protocol=tcp to-addresses=L.L.L.1 to-ports=8181
add action=dst-nat chain=dstnat comment="webcam IN" dst-address=X.X.X.5 \
    dst-port=8082 protocol=tcp to-addresses=L.L.L.15 to-ports=80
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=86 protocol=\
    tcp to-addresses=L.L.L.16 to-ports=80
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=88 protocol=\
    tcp to-addresses=L.L.L.17 to-ports=80
add action=dst-nat chain=dstnat dst-address=X.X.X.5 dst-port=90 protocol=\
    tcp to-addresses=L.L.L.18 to-ports=80
add action=dst-nat chain=dstnat comment=Patton dst-address=Y.Y.Y.122 \
    dst-port=5060 protocol=udp to-addresses=L.L.L.201 to-ports=5060
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.122 dst-port=4864-5375 \
    protocol=udp to-addresses=L.L.L.201 to-ports=4864-5375
add action=dst-nat chain=dstnat dst-address=Y.Y.Y.122 dst-port=5060 \
    protocol=tcp to-addresses=L.L.L.201 to-ports=5060
/ip route
add distance=1 gateway=X.X.X.1 routing-mark=servervoip
add distance=1 gateway=X.X.X.1 routing-mark=mailserver
add distance=1 gateway=X.X.X.1 routing-mark=intranet
add distance=1 gateway=X.X.X.1 routing-mark=webcam
add distance=1 gateway=Y.Y.Y.121 routing-mark=patton
add distance=2 gateway=K.K.K.1
/lcd
set current-interface=ether1-gateway-adsl
/lcd interface
set 0 disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="MY COMPANY"
/system ntp client
set enabled=yes mode=unicast primary-ntp=L.L.L.10 secondary-ntp=\
    L.L.L.12
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6
add disabled=no interface=ether7
add disabled=no interface=ether8-Nubiqua
add disabled=no interface=ether9-LInkem
add disabled=no interface=bridge-lan
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8-Nubiqua
add interface=ether9-LInkem
add interface=bridge-lan
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 2:38 am

Try this:

ros code

/ip firewall nat
add chain=srcnat src-address=L.L.L.0/24 dst-address=L.L.L.0/24 action=masquerade
 
kubco2
newbie
Posts: 42
Joined: Tue Mar 05, 2013 11:57 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 11:24 am

Masquerade is not a good solution... I had masquerade on an OVPN box, but then logging and auditing had no clue about the real IP address. I think your problem is that the local PC connects to the public IP but the server responds from the local IP, and the local PC has no open connection for the local server IP; therefore the PC should use the local server's IP, without any masquerading and trouble, and to allow logging of the real IP.... The next reason is that if you want to NAT only some ports there must be a lot of rules, uselessly.
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 6:27 pm

I tried masquerading L.L.L.0/24 to L.L.L.0/24 and I do not obtain anything.
The connection is always dropped.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Mon May 06, 2013 10:40 pm

> I had masquerade on an OVPN box, but then logging and auditing had no clue about the real IP address.

You're right. But it affects only addresses from the local network, so it's something that's usually possible to live with. The advantage is that things are set up in only one place, not two. One hostname pointing to the external address works for everyone. If you later point it somewhere else, everything will still work. When you have separate DNS records for local clients, you must remember to change or remove them. You just have to choose what you like better.

> I tried masquerading L.L.L.0/24 to L.L.L.0/24 and I do not obtain anything.

It should work. You can run Tools->Torch on the bridge-lan interface, limit it to tcp/3389 and try to connect to e.g. X.X.X.3:3389 from some other machine on the LAN (e.g. L.L.L.100). You should see two entries:

1) src L.L.L.100:random, dst X.X.X.3:3389
2) src L.L.L.12:3389, dst L.L.L.254:random

If the connection is established successfully, both tx and rx rates will be non-zero for both entries. When it's not possible to connect, e.g. because the server does not listen on that port or its firewall blocks it, there will be only rx for 1) and tx for 2). If 2) is missing completely, then masquerade does not work for some reason. And if even 1) isn't there, you're probably looking at the wrong router. ;)
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Tue May 07, 2013 2:01 pm

I put the rule
/ip firewall nat
add chain=srcnat src-address=L.L.L.0/24 dst-address=L.L.L.0/24 action=masquerade
on top of the firewall NAT rules.

If I torch from L.L.L.33 to X.X.X.3 I get only one row and only rx increases.
So I think masquerading is not working.

The problem is that X.X.X.3 is src-natted to L.L.L.12 and all traffic from L.L.L.12 is marked with routing mark "mailserver".

I think masquerading is not working for that reason, but I can't get rid of this...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Tue May 07, 2013 6:03 pm

I tried it and that's it. Add this rule at the beginning (before you mark routing) and it will work:

ros code

/ip firewall mangle
add action=accept chain=prerouting dst-address-type=local

It catches all packets for the router itself, so no routing mark will be set for them. That is not needed anyway, because those packets will either end up on the router or be forwarded back to the LAN; they will never go outside.
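The symptom dpal80 reports (Torch shows a single row with only rx) and the two rules Sob gives, the LAN-to-LAN masquerade and the prerouting accept for dst-address-type=local, can be followed step by step in the small model below. It is an added illustration written for this thread, not RouterOS code and not anything the posters ran; the addresses are constructed stand-ins for the thread's placeholders (192.168.10.0/24 for L.L.L.0/24, 203.0.113.3 for X.X.X.3, 198.51.100.1 for K.K.K.1), and the router keeps only the rules needed for the mail server case: the "mailserver IN" dst-nat, the mark-routing by source and the two routing tables. It runs the same client connection under three configurations: no hairpin rule at all, the hairpin masquerade with routing marks applied before the accept rule, and both rules in Sob's order.

```python
"""Model of the hairpin NAT packet path discussed in this thread (added
illustration, not RouterOS code).  Addresses are constructed stand-ins for the
thread's placeholders: 192.168.10.0/24 plays L.L.L.0/24, 203.0.113.0/29 plays
X.X.X.0/29 and 198.51.100.1 plays K.K.K.1."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
ROUTER_LAN = ip_address("192.168.10.254")  # L.L.L.254, router's LAN address
MAIL_PRIV = ip_address("192.168.10.12")    # L.L.L.12, mail server
MAIL_PUB = ip_address("203.0.113.3")       # X.X.X.3, its public address
CLIENT = ip_address("192.168.10.33")       # L.L.L.33, LAN workstation

DSTNAT = {MAIL_PUB: MAIL_PRIV}             # the "mailserver IN" dst-nat rules
ROUTE_MARKS = {MAIL_PRIV: "mailserver"}    # mangle prerouting mark-routing by src


@dataclass(frozen=True)
class Pkt:
    src: IPv4Address
    dst: IPv4Address


class Router:
    """prerouting mangle -> NAT (with conntrack) -> routing -> srcnat."""

    def __init__(self, hairpin: bool, accept_local_first: bool):
        self.hairpin = hairpin                        # LAN->LAN masquerade rule present
        self.accept_local_first = accept_local_first  # accept dst-address-type=local first
        self.conns = {}    # (orig src, orig dst) -> (translated src, translated dst)
        self.egress = []   # (interface, src, dst) of every packet the router sent out

    @staticmethod
    def _route(dst, mark):
        # A marked packet is looked up in its own table, which holds only
        # "0.0.0.0/0 via X.X.X.1"; unmarked packets use main, where the LAN is
        # a connected route and everything else takes the K.K.K.1 default.
        if mark == "mailserver":
            return "ether1-gateway-adsl"
        return "bridge-lan" if dst in LAN else "ether9-LInkem"

    def _send(self, iface, pkt):
        self.egress.append((iface, str(pkt.src), str(pkt.dst)))
        return iface, pkt

    def handle(self, pkt):
        """Process one packet arriving on bridge-lan; return (interface, packet)."""
        # 1. mangle prerouting: with Sob's rule, packets addressed to the router
        #    itself are accepted before any mark-routing rule can match them.
        mark = None
        if not (self.accept_local_first and pkt.dst == ROUTER_LAN):
            mark = ROUTE_MARKS.get(pkt.src)
        # 2. NAT: a reply of a tracked connection is un-translated by conntrack
        #    (dst before routing, src after); a new connection hits dst-nat.
        for (osrc, odst), (tsrc, tdst) in self.conns.items():
            if (pkt.src, pkt.dst) == (tdst, tsrc):
                return self._send(self._route(osrc, mark), Pkt(odst, osrc))
        tdst = DSTNAT.get(pkt.dst, pkt.dst)
        tsrc = pkt.src
        if self.hairpin and pkt.src in LAN and tdst in LAN:
            tsrc = ROUTER_LAN   # masquerade: forces the reply back through the router
        self.conns[(pkt.src, pkt.dst)] = (tsrc, tdst)
        return self._send(self._route(tdst, mark), Pkt(tsrc, tdst))


def simulate(hairpin: bool, accept_local_first: bool):
    """A LAN client connects to the mail server's public address.
    Returns (outcome, list of packets the router sent out)."""
    r = Router(hairpin, accept_local_first)
    _iface, req = r.handle(Pkt(CLIENT, MAIL_PUB))
    reply = Pkt(MAIL_PRIV, req.src)
    if reply.dst != ROUTER_LAN:
        # Client and server share the subnet, so the server answers the client
        # directly; the client expected X.X.X.3 and drops the stray reply.
        return "reply from wrong address, connection dropped", r.egress
    iface, _out = r.handle(reply)
    if iface != "bridge-lan":
        return f"reply misrouted via {iface}", r.egress
    return "ok", r.egress


if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        outcome, egress = simulate(*cfg)
        print(f"hairpin={cfg[0]} accept_local_first={cfg[1]}: {outcome}")
        for entry in egress:
            print("   ", entry)
```

Without the masquerade the server answers the client directly on the bridge, so the reply carries the private address the client never connected to. With the masquerade but no accept rule, the server's reply to L.L.L.254 picks up the "mailserver" mark in prerouting, and once conntrack has restored the client's address the marked table sends it out through the ADSL gateway instead of back to the LAN, which is why nothing useful shows up on bridge-lan. With the accept rule placed first the reply stays unmarked and the main table returns it to bridge-lan.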
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HOW TO REACH SERVER on SAME SUBNET

Tue May 07, 2013 6:19 pm

Btw, you can move the masquerade rule after the other srcnat rules for the individual servers; that way when you e.g. access the web at X.X.X.5 from L.L.L.12, it will look like it's coming from X.X.X.3 instead of L.L.L.254, which you might like better. Also the masquerade rule does not really have to be masquerade: instead you can srcnat to the public address normally used by LAN clients, i.e. K.K.K.10, which again might look better in logs.
 
dpal80
newbie
Topic Author
Posts: 33
Joined: Tue Apr 30, 2013 5:38 pm
Location: Italy

Re: HOW TO REACH SERVER on SAME SUBNET

Wed May 08, 2013 10:20 am

Sob, you are great!

I added that mangle rule and enabled masquerading on top of the NAT rules.
Everything is OK.

I must make some tests from the servers, but now I think it's OK.
Thank you very much.
