cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Forward private ip to filter

Wed Aug 24, 2011 10:40 am

Hello all.

I am installing a new Untangle web filter server to basically do some filtering for web content.
My plan is to set it up like this:

internet <--> untangle <--> routeros <--> users.

Obviously the Untangle box will have the public IP for the internet and the RouterOS will be inside of a private subnet.

What I need from RouterOS is that each time a user makes a request it would forward their internal IP so the Untangle box would log it and I know who visited what... Without RouterOS forwarding I'd be stuck with one IP that would show up on the Untangle filter logs. That's useless and I won't know what/who violated the filter rules.

Request from user to open website http://www.msn.com --> routeros box --> untangle filter --> internet
With the above I need RouterOS to send, for example, the hotspot IP it has to the Untangle box so it shows up in the logs.

[I assume my solution is somewhere here, in the NAT options when I do the masquerading: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT ]
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Wed Aug 24, 2011 12:52 pm

It's not masquerading. Masquerading is source NAT. You're trying to change where the packet is going to, so you need destination NAT. Assuming the web filter server has inside IP address 1.1.1.1:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80,8080,8888 action=dst-nat to-addresses=1.1.1.1
If the inside IP address of the web filter server and the client being forwarded to it are on the same broadcast domain also read http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Wed Aug 24, 2011 1:13 pm

fewi wrote:
    It's not masquerading. Masquerading is source NAT. You're trying to change where the packet is going to, so you need destination NAT. Assuming the web filter server has inside IP address 1.1.1.1:
    /ip firewall nat
    add chain=dstnat protocol=tcp dst-port=80,8080,8888 action=dst-nat to-addresses=1.1.1.1
    If the inside IP address of the web filter server and the client being forwarded to it are on the same broadcast domain also read http://wiki.mikrotik.com/wiki/Hairpin_NAT
OK, so this rule will be after the masquerading rule that's currently in there?

Also, 1.1.1.1 is the Untangle server in this example, right?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Wed Aug 24, 2011 1:22 pm

cylent wrote:
    OK, so this rule will be after the masquerading rule that's currently in there?
You should read these links:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
http://en.wikipedia.org/wiki/Network_ad ... ranslation
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Destination NAT and source NAT are two entirely different things. Order matters only within the same chain.
cylent wrote:
    Also, 1.1.1.1 is the Untangle server in this example, right?
Yes:
fewi wrote:
    Assuming the web filter server has inside IP address 1.1.1.1
Though if your RouterOS box uses the filter server as a default gateway, as your ASCII diagram sort of indicates (though I'm not sure that's what you meant it to mean), of course you don't need any of this at all since traffic would naturally be flowing through the filter server already.
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Thu Aug 25, 2011 11:58 am

Doesn't work. In the web filter log it'll only show the RouterOS box's external IP.
RouterOS isn't passing through the private IP for the filter to see.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Thu Aug 25, 2011 2:24 pm

If it's showing the wrong source IP address on the filter server it's not that the rule isn't working, it's that you told the router in a different rule to translate the source IP of the packet. The router doesn't change source IP addresses by itself, it only does so when told to do so.
Fix your source NAT rules to not apply source NAT for traffic handed to the filter server - of course you'll have to make sure the filter server has a route back to whatever source IP address is handed to it in the untreated packet header.
If you need help with that, post your configuration here: "/interface print detail", "/ip address print detail", "/ip route print detail", "/ip firewall filter export", and a network diagram. Please wrap all output in [code] tags.
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Thu Aug 25, 2011 3:09 pm

OK, here's the problem.

Most of my junk rules I have disabled and deleted, so all that stands now are the hotspot rules made by the RouterOS system and your rule.
My Untangle box here is 192.168.5.1:
[admin@MikroTik] > /interface print detail 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0     name="opt" type="ether" mtu=1500 l2mtu=1600 

 1  R  name="net" type="ether" mtu=1500 l2mtu=1600 

 2  R  name="users" type="ether" mtu=1500 l2mtu=1600 
[admin@MikroTik] > 
 
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.5.5/24 network=192.168.5.0 broadcast=192.168.5.255 
     interface=net actual-interface=net 

 1   address=192.168.99.1/24 network=192.168.99.0 broadcast=192.168.99.255 
     interface=users actual-interface=users 

[admin@MikroTik] > 
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.5.1 
        gateway-status=192.168.5.1 reachable net distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=192.168.5.0/24 pref-src=192.168.5.5 gateway=net 
        gateway-status=net reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.99.0/24 pref-src=192.168.99.1 gateway=users 
        gateway-status=users reachable distance=0 scope=10 
[admin@MikroTik] > 
[admin@MikroTik] > /ip firewall filter export
# aug/25/2011 14:56:56 by RouterOS 4.16
# software id = 
#
/ip firewall filter
add action=drop chain=input comment="proxy is NOT a Open Proxy" disabled=no \
    dst-port=8080 in-interface=net protocol=tcp
add action=drop chain=forward comment="drop all known p2p" disabled=no p2p=\
    all-p2p
add action=drop chain=input comment=\
    "limit 100 connections per smakaroo then tarpit" connection-limit=100,32 \
    disabled=no protocol=tcp
add action=drop chain=input comment="proxy is NOT a Open Proxy" disabled=no \
    dst-port=8080 in-interface=net protocol=tcp
add action=tarpit chain=input comment=\
    "limit 100 connections per smakaroo then tarpit" connection-limit=100,32 \
    disabled=no protocol=tcp
add action=drop chain=forward comment="unknown ip high upload" disabled=no \
    dst-address=82.43.225.44
[admin@MikroTik] > 
[admin@MikroTik] /ip firewall nat> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=pre-hotspot action=accept hotspot=auth,http 

 1 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 2 X ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.99.0/24 

 3   chain=dstnat action=dst-nat to-addresses=192.168.5.1 protocol=tcp 
     dst-port=80,8080,8888 
[admin@MikroTik] /ip firewall nat> 
So if I want to put your rule in and disable the masquerade rule here, I lose access altogether. So to restore net access I have to disable your rule and enable masquerade.

On a side note, it's important to note that if I enable your rule + the masquerade rule, I get the Untangle web page, which is very weird.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Thu Aug 25, 2011 3:58 pm

If you need the Untangle server to see the real IP address of the Hotspot client you have to exempt the Hotspot network from having its source IPs translated when being forwarded to the Untangle server. Add this:
/ip firewall nat add chain=srcnat dst-address=192.168.5.1 src-address=192.168.99.0/24 action=accept
Make sure that rule is above the other srcnat rule, and that the Untangle server has a route to 192.168.99.0/24 via 192.168.5.5 if it isn't already using your Mikrotik router as a default route.

I have never heard of Untangle before so I can't tell you how to configure it or why you get certain web pages from it - I can just help you get traffic there.
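The two points the thread turns on, that dst-nat and src-nat live in separate chains that never see each other (fewi's first reply), and that the exemption rule in this post only works if it sits above the masquerade rule in the srcnat chain, are easy to get wrong without a router in front of you. The following is an added illustration written for this page, not RouterOS code and not fewi's: a toy model of RouterOS NAT evaluation (dstnat before the routing decision, srcnat after it, first match wins, accept ends the chain, masquerade rewrites the source to the egress interface address) loaded with the exact rules and addresses posted in the thread. The client 192.168.99.10 and the internet host 203.0.113.10 are constructed sample values; the `Rule`/`Packet` names and the `forward` function are the model's own, not RouterOS identifiers.

```python
"""Toy model of RouterOS NAT evaluation for the rules posted in the thread.

Added illustration, not RouterOS code. It models only what the thread turns on:
  * dstnat runs before the routing decision, srcnat after it (Manual:Packet_Flow);
  * within a chain the first matching rule decides, and 'accept' ends the chain;
  * chains never interact, so rule order only matters inside one chain;
  * masquerade rewrites the source to the address of the outgoing interface.
Router addresses are the ones posted in the thread; the client 192.168.99.10 and
the internet host 203.0.113.10 (TEST-NET-3) are constructed sample values.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# From "/ip address print": net faces Untangle (192.168.5.1), users is the hotspot LAN.
IFACE_ADDR = {"net": "192.168.5.5", "users": "192.168.99.1"}
# From "/ip route print": connected routes plus the default route via 192.168.5.1 on net.
ROUTES = {"192.168.5.0/24": "net", "192.168.99.0/24": "users", "0.0.0.0/0": "net"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class Rule:
    chain: str                          # "dstnat" or "srcnat"
    action: str                         # "accept", "dst-nat" or "masquerade"
    src_address: Optional[str] = None   # CIDR match on source
    dst_address: Optional[str] = None   # CIDR match on destination
    protocol: Optional[str] = None
    dst_port: Tuple[int, ...] = ()      # empty = any port
    to_addresses: Optional[str] = None
    disabled: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.disabled:
            return False
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address, strict=False):
            return False
        if self.dst_address and ip_address(pkt.dst) not in ip_network(self.dst_address, strict=False):
            return False
        if self.protocol and self.protocol != pkt.proto:
            return False
        if self.dst_port and pkt.dport not in self.dst_port:
            return False
        return True


def out_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]


def run_chain(chain: str, rules: List[Rule], pkt: Packet, out_if: Optional[str] = None) -> Packet:
    """First matching rule in `chain` decides; rules in other chains are ignored."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        if r.action == "accept":
            return pkt                                   # leave the chain, packet untouched
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_addresses)
        if r.action == "masquerade":
            return replace(pkt, src=IFACE_ADDR[out_if])  # source becomes the egress address
        raise ValueError(r.action)
    return pkt


def forward(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, str]:
    """Return the packet as the next hop (here Untangle) sees it, and the egress interface."""
    pkt = run_chain("dstnat", rules, pkt)                # prerouting, before the route lookup
    out_if = out_interface(pkt.dst)                      # routed on the possibly rewritten dst
    pkt = run_chain("srcnat", rules, pkt, out_if)        # postrouting, after the route lookup
    return pkt, out_if


# The rules from the thread.
MASQ = Rule("srcnat", "masquerade", src_address="192.168.99.0/24")
DSTNAT = Rule("dstnat", "dst-nat", protocol="tcp", dst_port=(80, 8080, 8888), to_addresses="192.168.5.1")
EXEMPT = Rule("srcnat", "accept", src_address="192.168.99.0/24", dst_address="192.168.5.1")

HTTP = Packet("192.168.99.10", "203.0.113.10", "tcp", 80)   # hotspot client browsing
PING = Packet("192.168.99.10", "203.0.113.10", "icmp", 0)   # traffic the dst-nat rule never touches


def as_seen_by_untangle(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    seen, _ = forward(pkt, rules)
    return seen.src, seen.dst


if __name__ == "__main__":
    cases = {
        "masquerade only (thread's starting point)": (HTTP, [MASQ]),
        "dst-nat + masquerade (the posted print)": (HTTP, [DSTNAT, MASQ]),
        "accept above masquerade (fewi's fix)": (HTTP, [DSTNAT, EXEMPT, MASQ]),
        "accept below masquerade (wrong order)": (HTTP, [DSTNAT, MASQ, EXEMPT]),
        "fix, but traffic dst-nat does not catch": (PING, [DSTNAT, EXEMPT, MASQ]),
    }
    for name, (pkt, rules) in cases.items():
        src, dst = as_seen_by_untangle(pkt, rules)
        print(f"{name:45s} -> src={src} dst={dst}")
```

Running it shows the progression of the thread: with masquerade alone Untangle only ever sees 192.168.5.5; adding the dst-nat rule changes where the packet goes but not who it comes from, because the srcnat chain still runs afterwards; the accept rule restores the client address only when it precedes the masquerade rule in the same chain. The last case is the caveat worth knowing before relying on the logs: the exemption keys on the post-dst-nat destination 192.168.5.1, so anything the dst-nat rule does not catch (ICMP, port 443, DNS) is still masqueraded and still shows up as the router's address. Whatever you exempt, the filter server also needs a route back to 192.168.99.0/24 via 192.168.5.5, exactly as the post above says.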
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Thu Aug 25, 2011 5:15 pm

fewi wrote:
    If you need the Untangle server to see the real IP address of the Hotspot client you have to exempt the Hotspot network from having its source IPs translated when being forwarded to the Untangle server. Add this:
    /ip firewall nat add chain=srcnat dst-address=192.168.5.1 src-address=192.168.99.0/24 action=accept
    Make sure that rule is above the other srcnat rule, and that the Untangle server has a route to 192.168.99.0/24 via 192.168.5.5 if it isn't already using your Mikrotik router as a default route.

    I have never heard of Untangle before so I can't tell you how to configure it or why you get certain web pages from it - I can just help you get traffic there.
The only other src-nat rule I have in there is the masquerade rule, and according to your post I should disable that and only allow your rule...
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Thu Aug 25, 2011 5:26 pm

No. That isn't what I said at all.

What I said is that you have to make sure the existing source NAT rules don't interfere with what you want the server to see. Of course you have to source NAT traffic out to the WAN. So I gave you a rule to add above your existing source NAT rule - which should stay enabled - that makes sure that only traffic to the Untangle server doesn't have source NAT applied to it.
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Sat Aug 27, 2011 8:57 am

Sorry, it's not working for me.

The minute I disable masquerading I can't open any website, or ping, or anything.

Both your rules are 17 & 18 in the attached picture...
Masquerading is disabled and I have no net.

If 17 & 18 are both enabled I get nowhere... If even one of them is enabled I can't even get to the Untangle web interface.

Perhaps somehow we can take this into Skype or any IM program chat and you can assist me, if you're willing.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward private ip to filter

Sat Aug 27, 2011 6:38 pm

Sorry, I don't do 1:1 support.

Maybe someone else can help you out.
 
cylent
Member, Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Forward private ip to filter

Sat Aug 27, 2011 9:33 pm

Thanks for the help so far.

Anybody want to help out on this one, please?
