Problem with Nat Loopback for port 80, not see the web pages

Posted: Sun Apr 17, 2016 6:08 pm
by javierc
Hi, I have my router 951G-2HnD with settings for NAT Loopback so that I can use my domain name (a noip host) from my internal network, and all ports are working except port 80. I need this to work for my WordPress blog and other services running on the NAS in my network with a dynamic IP.

I have the settings with masquerade, but if I put in the rule for port 80 then NAT Loopback for port 80 works but then the internet does not work. If I enable that rule and I type the address of this forum page in Chrome, then I see my web server's "page not found" or my internal web server.

This is the settings that I have:
/ip firewall nat
add action=masquerade chain=srcnat comment="Es el masquerade para peticiones internas a mi host de noip y que lo redirija a mi red interna." out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=masquerade chain=srcnat comment="Es el masquerade para poder usar desde dentro los host noip" dst-address=192.168.47.0/24 src-address=192.168.47.0/24
add action=dst-nat chain=dstnat comment="ESTA SI QUITO in-interface=pppoe-out1 EL SERVIDOR WEB POR EL PUERTO 80 FUNCIONA PERO LAS PÁGINAS WEB DESDE EL EXPLORADOR NO" dst-port=80,443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.47.11
I don't know if the masquerade for the NAT Loopback is set correctly; in principle it works, but I have the problem with port 80. Does anyone know if this can be done and what I would have to change?

I can remove in-interface=pppoe-out1 to have NAT loopback for port 80, but then I can't browse the internet to see web pages.

Can you help me?

Thanks in advance.

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Sun Apr 17, 2016 11:46 pm
by Sob
In the last rule, replace "in-interface=pppoe-out1" with "dst-address-type=local".

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Mon Apr 18, 2016 12:33 am
by javierc
In the last rule, replace "in-interface=pppoe-out1" with "dst-address-type=local".

Great Sob, it's working.

Is it needed in all rules where I have services that need loopback? I only had a problem with port 80, the HTTP server.

Thank you very much, I will be eternally grateful. You have solved many problems I had with this rule.

Regards

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Mon Apr 18, 2016 12:54 am
by Sob
When forwarding a port, you need some way to limit the scope of the dstnat rule. Otherwise it will try to match *any* packet, no matter where it comes from or where it goes. That's why when you had only "protocol=tcp dst-port=80,443", it caught all packets, including those coming from LAN to web servers on the internet.

The best way is to use dst-address=<public IP>, if you have a static public address. But if not, it does not work easily with dynamic addresses (it can be done using scripting, but it's not practical).

Using in-interface=<WAN> is popular too, but it breaks stuff in cases like yours. And strictly speaking, it's wrong, because it will forward packets destined not only for your public address but for any address, if they somehow happen to reach your router from the WAN interface. But usually it's not a problem.

Last, dst-address-type=local is a very nice solution too, because it matches any address owned by the router. But it can also break something, because it will match even the router's internal address. So you might want to also add dst-address=!192.168.47.1 (assuming 192.168.47.1 is the router's internal address; also don't miss the "!", which means "not").

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Mon Apr 18, 2016 1:33 am
by javierc
Thanks for the detailed explanations; they certainly help me to learn.

I have a server with more image and video services, each working on a given port. I had configured them like the last rule I wrote at first, but I did not notice any problem with that.

As port 80 is a special case because it is used for many things, unlike other ports, the question is whether, for all the rules for services where I have to use the no-ip hostname from my network, I also have to add "dst-address-type=local" and "dst-address=!192.168.47.1". I suppose this will be more effective, as in the case of port 80.

Is it correct?

Regards

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Mon Apr 18, 2016 1:45 am
by Sob
Yes, it's a good idea to make your rules react only to the traffic you want.

If you have more port forwarding rules, it's probably best to use a dedicated chain like this:
/ip firewall nat
add action=jump chain=dstnat dst-address-type=local dst-address=!192.168.47.1 \
    jump-target=port-forward
add action=dst-nat chain=port-forward dst-port=5100-5199 protocol=tcp \
    to-addresses=192.168.80.10
add action=dst-nat chain=port-forward dst-port=53 protocol=tcp \
    to-addresses=192.168.80.2
add action=dst-nat chain=port-forward dst-port=53 protocol=udp \
    to-addresses=192.168.80.2
This way you can avoid entering/writing some conditions over and over.
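The following is an added example, not part of the thread or RouterOS itself: a small Python model of how the dstnat chain picks a rule, so the three scoping options Sob compared above (unscoped, in-interface=<WAN>, dst-address-type=local with the router's LAN address excluded, in a dedicated jump chain) can be run against constructed packets. The interface name bridge-lan, the public IP 203.0.113.5 and the internet host 198.51.100.20 are constructed; the matcher is a simplification of the real firewall.

```python
from collections import namedtuple

# Constructed addresses: the LAN gateway from the thread, plus a documentation-range
# public IP standing in for the router's current dynamic pppoe-out1 address.
ROUTER_LOCAL = {"192.168.47.1", "203.0.113.5"}
Packet = namedtuple("Packet", "in_iface dst proto dport")

def rule_matches(rule, pkt):
    """Every matcher present in the rule must match; an absent matcher matches anything."""
    if rule.get("protocol", pkt.proto) != pkt.proto:
        return False
    if "dst-port" in rule and pkt.dport not in rule["dst-port"]:
        return False
    if rule.get("in-interface", pkt.in_iface) != pkt.in_iface:
        return False
    if rule.get("dst-address-type") == "local" and pkt.dst not in ROUTER_LOCAL:
        return False
    if "dst-address" in rule:            # a leading "!" negates the address, as in RouterOS
        addr = rule["dst-address"]
        if (pkt.dst == addr.lstrip("!")) == addr.startswith("!"):
            return False
    return True

def dstnat_target(rules, pkt, chain="dstnat"):
    """Walk a chain in order; if a jumped-to chain matches nothing, continue in the caller."""
    for r in (r for r in rules if r["chain"] == chain):
        if not rule_matches(r, pkt):
            continue
        if r["action"] == "jump":
            target = dstnat_target(rules, pkt, r["jump-target"])
            if target:
                return target
        elif r["action"] == "dst-nat":
            return r["to-addresses"]
    return None  # untouched: packet is routed to its original destination

WEB = {"action": "dst-nat", "protocol": "tcp", "dst-port": {80, 443}, "to-addresses": "192.168.47.11"}
UNSCOPED = [dict(WEB, chain="dstnat")]                                     # first attempt in the thread
WAN_IFACE = [dict(WEB, chain="dstnat", **{"in-interface": "pppoe-out1"})]  # the original posted rule
LOCAL_CHAIN = [  # Sob's dedicated chain, scoped to the router's own non-LAN addresses
    {"chain": "dstnat", "action": "jump", "dst-address-type": "local",
     "dst-address": "!192.168.47.1", "jump-target": "port-forward"},
    dict(WEB, chain="port-forward"),
]
# Constructed test packets: 198.51.100.20 stands in for a web site on the internet.
lan_to_internet = Packet("bridge-lan", "198.51.100.20", "tcp", 80)
lan_hairpin     = Packet("bridge-lan", "203.0.113.5", "tcp", 80)
wan_inbound     = Packet("pppoe-out1", "203.0.113.5", "tcp", 443)
lan_to_router   = Packet("bridge-lan", "192.168.47.1", "tcp", 80)
```

Running dstnat_target with each rule set against the four packets reproduces the thread: the unscoped rule hijacks LAN browsing, the in-interface rule breaks hairpin access, and the local-scoped jump chain forwards only traffic aimed at the public address.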

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Mon Apr 18, 2016 6:38 pm
by soonwai
Thanks Sob, this is great info and very clear explanation.

I've always been using "in-interface=<WAN>" for port forwarding. I learned something new here today.

Thank you for sharing.

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Sat May 07, 2016 2:15 pm
by javierc
Hi, NAT Loopback is working, but access to the WordPress blog that I have in my network is very slow if I connect from my network, and faster from outside my network via the internet.

What could be the problem?

Regards

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Sat May 07, 2016 3:15 pm
by Sob
Nothing obvious comes to mind. What kind of slow is it? Does it take a long time before it connects, or do you mean transfer speed, or something else?

Re: Problem with Nat Loopback for port 80, not see the web pages

Posted: Tue May 31, 2016 12:48 am
by javierc
Nothing obvious comes to mind. What kind of slow is it? Does it take long time before it connects, or do you mean transfer speed, or something else?
Hi, I have a WordPress blog in my house. It is not optimized yet and it's slow, but it is slower from within my network than from the internet.

Regards