 
javierc
newbie
Topic Author
Posts: 36
Joined: Sat Aug 03, 2013 4:29 am

Problem with Nat Loopback for port 80, not see the web pages

Sun Apr 17, 2016 6:08 pm

Hi, I have my router 951G-2HnD with settings to have NAT loopback so that I can use my domain name with a noip host from my internal network, and all ports are working except port 80. I need this to work with my WordPress blog and other services running on the NAS in my network with a dynamic IP.

I have the settings with masquerade, but if I add the rule for port 80, then the NAT loopback for port 80 works but the internet does not. If I enable that rule and open this forum page in Chrome, I see my web server's "page not found" or my internal web server.

This is the settings that I have:
/ip firewall nat
add action=masquerade chain=srcnat comment="This is the masquerade for internal requests to my noip host, so that it redirects them to my internal network." out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=masquerade chain=srcnat comment="This is the masquerade to be able to use the noip hosts from inside" dst-address=192.168.47.0/24 src-address=192.168.47.0/24
add action=dst-nat chain=dstnat comment="THIS ONE: IF I REMOVE in-interface=pppoe-out1 THE WEB SERVER ON PORT 80 WORKS BUT WEB PAGES FROM THE BROWSER DO NOT" dst-port=80,443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.47.11

I don't know whether the masquerade for the NAT loopback is set up correctly; in principle it works, but I have the problem with port 80. Does anyone know whether this can be done and what I would have to change?

I can remove in-interface=pppoe-out1 to have NAT loopback for port 80, but then I can't browse the internet to see web pages.

Can you help me?

Thanks in advance.
 
Sob
Forum Guru
Posts: 4995
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Nat Loopback for port 80, not see the web pages

Sun Apr 17, 2016 11:46 pm

In the last rule, replace "in-interface=pppoe-out1" with "dst-address-type=local".
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
javierc
newbie
Topic Author
Posts: 36
Joined: Sat Aug 03, 2013 4:29 am

Re: Problem with Nat Loopback for port 80, not see the web pages

Mon Apr 18, 2016 12:33 am

In the last rule, replace "in-interface=pppoe-out1" with "dst-address-type=local".

Great Sob, it's working.

Do I need to put it in all rules where I have services that need loopback? I only had a problem with the port 80 HTTP server.

Thank you very much, I will be eternally grateful. You have solved many problems I had with this rule.

Regards
 
Sob
Forum Guru
Posts: 4995
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Nat Loopback for port 80, not see the web pages

Mon Apr 18, 2016 12:54 am

When forwarding a port, you need some way to limit the scope of the dstnat rule. Otherwise it will try to match *any* packet, no matter where from or to it goes. That's why when you had only "protocol=tcp dst-port=80,443", it caught all packets, including those coming from LAN to web servers on the internet.

The best way is to use dst-address=<public IP>, if you have a static public address. But if not, it does not work with dynamic addresses easily (it can be done using scripting, but it's not practical).

Using in-interface=<WAN> is popular too, but it breaks stuff in cases like yours. And strictly speaking, it's wrong, because it will forward packets destined not only for your public address, but to any address, if they somehow happen to get to your router from the WAN interface. But usually it's not a problem.

Last, dst-address-type=local is a very nice solution too, because it matches any address owned by the router. But it can also break something, because it will match even the router's internal address. So you might want to also add dst-address=!192.168.47.1 (assuming 192.168.47.1 is the router's internal address; also don't miss the "!", which means "not").
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
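
The scoping choices Sob describes above, as an added example that is not part of the original posts: a toy Python model (not RouterOS code) of which packets each variant of the port 80/443 dst-nat rule would rewrite. The public address 203.0.113.7, the other sample addresses and the LAN interface name bridge-local are constructed assumptions.

```python
# Added illustration: a toy model of RouterOS dstnat matching, not RouterOS code.
from ipaddress import ip_address

# Constructed addresses: 203.0.113.7 stands in for the dynamic public IP.
ROUTER_ADDRS = {ip_address("203.0.113.7"), ip_address("192.168.47.1")}
ROUTER_LAN = ip_address("192.168.47.1")

# Candidate matchers for the port 80/443 dst-nat rule discussed in the thread.
RULES = {
    "ports only": {},
    "in-interface=pppoe-out1": {"in_interface": "pppoe-out1"},
    "dst-address-type=local": {"dst_local": True},
    "local + dst-address=!192.168.47.1": {"dst_local": True, "dst_not": ROUTER_LAN},
}

# Constructed packets: (in-interface, destination address, destination port).
# "bridge-local" is an assumed name for the LAN interface.
PACKETS = {
    "LAN -> internet site": ("bridge-local", "198.51.100.20", 80),
    "LAN -> own public IP": ("bridge-local", "203.0.113.7", 80),
    "WAN -> own public IP": ("pppoe-out1", "203.0.113.7", 443),
    "WAN -> foreign address": ("pppoe-out1", "198.51.100.99", 80),
    "LAN -> router web UI": ("bridge-local", "192.168.47.1", 80),
}

def matches(rule, packet):
    """Return True if the dst-nat rule would rewrite this packet."""
    in_if, dst, dport = packet
    dst = ip_address(dst)
    if dport not in (80, 443):
        return False
    if "in_interface" in rule and rule["in_interface"] != in_if:
        return False
    if rule.get("dst_local") and dst not in ROUTER_ADDRS:
        return False
    if "dst_not" in rule and dst == rule["dst_not"]:
        return False
    return True

def redirected(rule_name):
    """Names of the constructed packets the rule sends to the internal server."""
    return [n for n, p in PACKETS.items() if matches(RULES[rule_name], p)]

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:36} -> {redirected(name)}")
```

Only the last variant rewrites exactly the two flows that should reach the internal web server: the hairpin request from the LAN and the request arriving from the WAN.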
 
javierc
newbie
Topic Author
Posts: 36
Joined: Sat Aug 03, 2013 4:29 am

Re: Problem with Nat Loopback for port 80, not see the web pages

Mon Apr 18, 2016 1:33 am

Thanks for the detailed explanations; they certainly help me learn.

I have a server with more image and video services, each working on a given port. I had them configured like the last rule that I wrote at first, but I do not know of any problem with that.

As port 80 is a special case because it is used for many things, unlike other ports, the question is whether, for all rules for services that I have to reach by the no-ip hostname from my network, I also have to add "dst-address-type=local" and "dst-address=!192.168.47.1" to all these rules; I suppose this will be more effective, as in the case of port 80.

Is that correct?

Regards
 
Sob
Forum Guru
Posts: 4995
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Nat Loopback for port 80, not see the web pages

Mon Apr 18, 2016 1:45 am

Yes, it's a good idea to make your rules react only on traffic you want.

If you have more port forwarding rules, it's probably best to use a dedicated chain like this:
/ip firewall nat
add action=jump chain=dstnat dst-address-type=local dst-address=!192.168.47.1 \
    jump-target=port-forward
add action=dst-nat chain=port-forward dst-port=5100-5199 protocol=tcp \
    to-addresses=192.168.80.10
add action=dst-nat chain=port-forward dst-port=53 protocol=tcp \
    to-addresses=192.168.80.2
add action=dst-nat chain=port-forward dst-port=53 protocol=udp \
    to-addresses=192.168.80.2
This way you can avoid entering/writing some conditions over and over.
 
soonwai
Member Candidate
Posts: 163
Joined: Mon Feb 06, 2012 10:50 pm
Location: Kuala Lumpur

Re: Problem with Nat Loopback for port 80, not see the web pages

Mon Apr 18, 2016 6:38 pm

Thanks Sob, this is great info and very clear explanation.

I've always been using "in-interface=<WAN>" for port forwarding. I learned something new here today.

Thank you for sharing.
 
javierc
newbie
Topic Author
Posts: 36
Joined: Sat Aug 03, 2013 4:29 am

Re: Problem with Nat Loopback for port 80, not see the web pages

Sat May 07, 2016 2:15 pm

Hi, NAT loopback is working, but access to the WordPress blog that I have in my network is very slow if I connect from my network and faster from outside my network over the internet.

What can be the problem?

Regards
 
Sob
Forum Guru
Posts: 4995
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Nat Loopback for port 80, not see the web pages

Sat May 07, 2016 3:15 pm

Nothing obvious comes to mind. What kind of slow is it? Does it take a long time before it connects, or do you mean transfer speed, or something else?
 
javierc
newbie
Topic Author
Posts: 36
Joined: Sat Aug 03, 2013 4:29 am

Re: Problem with Nat Loopback for port 80, not see the web pages

Tue May 31, 2016 12:48 am

Nothing obvious comes to mind. What kind of slow is it? Does it take long time before it connects, or do you mean transfer speed, or something else?

Hi, I have a WordPress blog in my house. It is not optimized now and it's slow, but it is slower inside my network than from the internet.

Regards
