
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

port forwarding several server

Thu Mar 01, 2012 1:14 am

This is the info for my rb493g Router OS ver 5.14
"diagram at the bottom"
[admin@MikroTik] > ip address print

# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; Wan
96.xx.xx.xx/30 96.xx.xx.xx 96.xx.xx.xx ether1
1 ;;; Lan
192.168.1.1/24 192.168.1.0 192.168.1.255 ether2
2 192.168.2.1/24 192.168.2.0 192.168.2.255 ether4
3 192.168.3.1/24 192.168.3.0 192.168.3.255 ether9


[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.1.0/24
dst-address=0.0.0.0/0 out-interface=ether1

1 chain=dstnat action=netmap to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx dst-port=80

2 chain=srcnat action=masquerade src-address=192.168.2.0/24
dst-address=0.0.0.0/0 out-interface=ether1

3 chain=dstnat action=netmap to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080

4 chain=srcnat action=masquerade src-address=192.168.3.0/24
dst-address=0.0.0.0/0 out-interface=ether1

5 chain=dstnat action=netmap to-addresses=192.168.3.30 to-ports=0-65535
protocol=tcp dst-address=96.xx.xx.xx


[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 ether1 1
1 ADC 96.xx.xx.xx/30 96.xx.xx.xx ether1 0
2 ADC 192.168.1.0/24 192.168.1.1 ether2 0
3 ADC 192.168.2.0/24 192.168.2.1 ether4 0
4 ADC 192.168.3.0/24 192.168.3.1 ether9 0
[admin@MikroTik] >


I want to be able to access the second web server from the outside and the application server.
The first server on ether2 port 80 is working fine.
How do I set up the rules for the other two servers?
I looked everywhere for some info on how to set up more than one web server facing the outside.
I want the traffic to be directed to the proper place: either server1, server2 or the application server.
Thank you.
router.jpg
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: port forwarding several server

Thu Mar 01, 2012 8:58 pm

You must set action=dstnat.
You can also use a single masquerade rule:
chain=srcnat action=masquerade out-interface=ether1
rodolfo
IZ0UQV
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Thu Mar 01, 2012 10:57 pm

3 chain=dstnat action=netmap to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080


action=netmap should be changed to action=dstnat for rules 3 and 5

dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters


5 chain=dstnat action=netmap to-addresses=192.168.3.30 to-ports=2050
protocol=tcp dst-address=96.xx.xx.xx dst-port=2050

I made the change for rules 3 and 5 but I am not able to view web server 2 or 3.
The other rules remain the same.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Sat Mar 03, 2012 12:09 am

I simplified the rules by following suggestions from the forum, but the problem still persists. I am not able to access the 2nd server from the outside (view my web site).
My cheap router was able to do it.
The 1st server is viewable from the outside on port 80.
All 3 servers are able to connect to the net (I can use the browser and TeamViewer).
The 2nd and 3rd servers are not accessible from the net (cannot connect to port 8080).
I added two mangle rules to see if it would work, but nothing happened.
Any suggestions will be appreciated.

0 chain=srcnat action=masquerade src-address=0.0.0.0/0 dst-address=0.0.0.0/0
out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx

2 chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=8080
protocol=tcp dst-address=96.xx.xx.xx dst-port=8080

3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=0-65535
protocol=tcp dst-address=96.xx.xx.xx

4 ;;; hairpin local server see each other
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24
dst-address=192.168.2.20 out-interface=ether2


Added mangle rules to see if that solves the problem:
[admin@MikroTik] > ip firewall mangle print

0 chain=input action=accept protocol=tcp dst-address=96.xx.xx.xx
in-interface=ether1 dst-port=8080

1 chain=forward action=accept protocol=tcp dst-address=192.168.2.20
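
Added example, not part of the original post: RouterOS evaluates NAT rules top to bottom and the first match wins, and rule 1 in the listing above has no dst-port, so it matches every TCP port on the public address before rules 2 and 3 are reached. The Python sketch below checks a rule listing for such shadowed dstnat rules; the function names and the `WAN_IP` placeholder are assumptions of this example.

```python
import re

# Constructed sample: NAT rules 0-3 from the post above, joined one per line.
# WAN_IP is a placeholder for the public address, which is masked on the page.
SAMPLE = """\
0 chain=srcnat action=masquerade src-address=0.0.0.0/0 dst-address=0.0.0.0/0 out-interface=ether1
1 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 protocol=tcp dst-address=WAN_IP
2 chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=8080 protocol=tcp dst-address=WAN_IP dst-port=8080
3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=0-65535 protocol=tcp dst-address=WAN_IP
"""

def parse_rules(text):
    """Turn 'N key=value ...' lines into (number, matchers) pairs."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            rules.append((int(m.group(1)), fields))
    return rules

def port_set(spec):
    """Expand a dst-port value such as '80,8080' or '2000-2010'; None means any port."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`.
    Simplification: address and interface matchers are compared as exact strings."""
    for key in ("protocol", "src-address", "dst-address", "in-interface"):
        if key in earlier and earlier[key] != later.get(key):
            return False
    e, l = port_set(earlier.get("dst-port")), port_set(later.get("dst-port"))
    return e is None or (l is not None and l <= e)

def shadowed(rules):
    """List (rule, shadowing_rule) numbers for dstnat rules that can never match."""
    dst = [(n, r) for n, r in rules if r.get("chain") == "dstnat"]
    hits = []
    for i, (n, r) in enumerate(dst):
        hit = next((m for m, e in dst[:i] if covers(e, r)), None)
        if hit is not None:
            hits.append((n, hit))
    return hits
```

`shadowed(parse_rules(SAMPLE))` returns `[(2, 1), (3, 1)]`; with `dst-port=80` added to rule 1 the list is empty.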
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: port forwarding several server

Sat Mar 03, 2012 12:34 am

Do you have any ip firewall filter rules?
rodolfo
IZ0UQV
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Sat Mar 03, 2012 2:24 am

No, the only rules that I have are the ones above.
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: port forwarding several server

Sat Mar 03, 2012 11:14 am

Could the error be in the web servers?
Are you sure they are reachable at ports 8080 and 2050?
Have you tried connecting to them directly (bypassing the NAT)?

P.S. rule 3 could also be:

3 chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=2050
protocol=tcp dst-address=96.xx.xx.xx dst-port=2050
rodolfo
IZ0UQV
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Sun Mar 04, 2012 7:27 am

I will try your suggestion and then post what happens.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Mon Mar 05, 2012 5:17 pm

Examples that I found on the web of two web servers on one IP address:

http://wiki.mikrotik.com/wiki/Multiple_Web_Servers

reverse proxy server
http://barracudadrive.net/blog/2008/12/ ... IP-address


http://lists.netfilter.org/pipermail/ne ... 57959.html

#www.server1.edu
-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to 192.168.0.2:80

#www.server2.edu
-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to 192.168.0.3:80

iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT

In other places they talk about web proxy (Squid), Host Header (IIS), net loopback,
but I do not know if that applies. I am using a different subnet for each server.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Wed Mar 07, 2012 4:32 am

I bought a switch (Netgear) to see if I could follow the example at the following link:
http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
I tried many configurations but nothing seems to work.
The problem is one ISP IP and three web servers.
The web servers need to be accessible from the internet, locally and 127.0.0.1.
The contents on the servers are dynamic.
The servers are working correctly; I tested them with the old router
(Netgear FVS318) and all the servers are accessible from the internet, locally and via loopback.


ISP ----(ether1)Mikrotik router(ether2) ----- switch ---- 3 web server

96.xx.xx.xx ISP IP
192.168.1.0/24 (ether 2)

192.168.1.10 server1 IIS
192.168.1.20 server2 Apache
192.168.1.30 server3 Application Server

Any hint would be appreciated.
Any help is welcome.
 
Mohnki
just joined
Posts: 14
Joined: Wed Mar 23, 2011 7:48 pm

Re: port forwarding several server

Thu Mar 08, 2012 2:55 pm

I might not be understanding your problem correctly but I have 2 web servers on
my network and only one external IP. I use different incoming ports to get it to the
different web servers.

So if you want server 1 you go to http://196.xxx.xxx.xxx
and if you are looking for server 2, http://196.xxx.xxx.xxx:8087

/ip firewall nat
add action=dst-nat chain=dstnat comment="Server 1" disabled=no \
dst-port=80 in-interface="PPPOE Interface" protocol=tcp to-addresses=\
192.168.103.1 to-ports=80
add action=dst-nat chain=dstnat comment="Server 2" disabled=no \
dst-port=8087 in-interface="PPPOE Interface" protocol=tcp to-addresses=\
192.168.104.1 to-ports=80

Might not be the best way but it seems to work for me.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Thu Mar 08, 2012 6:04 pm

Hello Mohnki,
I want to do exactly what you are doing.
One ISP IP and several servers.
ISP IP = 96.xx.xx.xx
webserver1 192.168.1.10 port 80 dynamic content
webserver2 192.168.1.20 port xxx dynamic content
appserver3 192.168.1.30 port xxx application server (share point)

I will try your suggestion as soon as possible.
 
Mohnki
just joined
Posts: 14
Joined: Wed Mar 23, 2011 7:48 pm

Re: port forwarding several server

Thu Mar 08, 2012 8:15 pm

Very interested to hear if it works.

Please let me know.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Fri Mar 09, 2012 4:02 am

Thank you Rodolfo and Mohnki, the router is working.
I will be posting the code very soon so that other people can benefit if they are facing the same dilemma.
 
caonabo
just joined
Topic Author
Posts: 10
Joined: Thu Mar 01, 2012 12:11 am

Re: port forwarding several server

Fri Mar 09, 2012 7:43 pm

These are the settings; the two servers facing the web are working from the outside (web).
These are the only rules on the router.
I will be adding others later (127.0.0.1 and hairpin, later on security).
Additional info that could be helpful:

dstnat ===> input --> sent to ----> coming in
srcnat ===> output --> sent from ---> going out
If <condition> then <action>
IP Calculator ---- Bitcricket

Thanks to Rodolfo and Mohnki

IP firewall nat:
0 chain=srcnat action=masquerade src-address=0.0.0.0/0 out-interface=ether1

1 ;;; webserver1
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80
protocol=tcp dst-address=96.xx.xx.xx dst-port=80

2 ;;; webserver1-oracle
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=1521
protocol=tcp in-interface=ether1 dst-port=1521

3 ;;; webserver2 sharepoint
chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=80
protocol=tcp in-interface=ether1 dst-port=200

4 ;;; webserver2-sharepoint adm
chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=21153
protocol=tcp in-interface=ether1 dst-port=21153

ip address print

# ADDRESS NETWORK BROADCAST INTERFACE
0 96.xx.xx.xx/29 96.xx.xx.xx 96.xx.xx.xx ether1
1 192.168.1.1/24 192.168.1.0 192.168.1.255 ether2
2 192.168.2.1/24 192.168.2.0 192.168.2.255 ether3

ip route print

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 96.xx.xx.xx 1
1 ADC 96.xx.xx.xx/29 96.xx.xx.xx ether1 0
2 ADC 192.168.1.0/24 192.168.1.1 ether2 0
3 ADC 192.168.2.0/24 192.168.2.1 ether3 0
