mbfound
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 01, 2014 1:18 pm
Location: South Africa

Forwarding local traffic on 80 to a specific IP address

Mon Jan 16, 2017 4:03 pm

Hi,

Can someone please assist with the correct firewall rule for forwarding all traffic from the local subnet (192.168.5.0/24) on ports 80 and 443 (so websites) to a specific IP/website?

(I don't want them to be able to browse any site other than the one I specify)

Not too clued up on firewall rules, so bear with me.

Currently I have this rule which I got from Googling a bit and is probably completely wrong:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect Test" disabled=no \
dst-port=80,443 in-interface=pppoe-out1 protocol=tcp src-address=\
184.87.168.26 to-addresses=192.168.5.0/24

Can someone point me in the right direction please?

Thanks
M
 
Sob
Forum Guru
Posts: 4874
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding local traffic on 80 to a specific IP address

Mon Jan 16, 2017 5:02 pm

Just take your rule and change it accordingly:
/ip firewall nat
add action=dst-nat chain=dstnat protocol=tcp dst-port=80,443 \
    src-address=192.168.5.0/24 to-addresses=<where it should go>
But it won't work very well. You can configure the target webserver to respond to requests for any hostname, that's no problem. But it will only work for plain http. With https, users will get certificate errors.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
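
Added example, not part of the thread and not the poster's own configuration: one way to apply the reply above while avoiding the certificate errors it mentions is to dst-nat only plain HTTP and to refuse HTTPS to anything but the permitted server instead of redirecting it. The address 203.0.113.10 is a constructed placeholder for the permitted web server, and the rule comments are labels chosen here.

```routeros
# Constructed placeholder: 203.0.113.10 stands in for the one permitted web server.
/ip firewall nat
# Plain HTTP from the LAN that is not already going to the permitted server
# is rewritten to it; the server must answer requests for any Host header.
add action=dst-nat chain=dstnat comment="LAN HTTP to permitted server" \
    protocol=tcp dst-port=80 src-address=192.168.5.0/24 \
    dst-address=!203.0.113.10 to-addresses=203.0.113.10 to-ports=80

/ip firewall filter
# HTTPS is not redirected: the permitted server cannot present a valid
# certificate for other hostnames, so a dst-nat on 443 only produces
# certificate errors. Allow HTTPS to the permitted server and reset the rest.
add action=accept chain=forward comment="LAN HTTPS to permitted server" \
    protocol=tcp dst-port=443 src-address=192.168.5.0/24 \
    dst-address=203.0.113.10
add action=reject chain=forward comment="LAN HTTPS elsewhere refused" \
    protocol=tcp dst-port=443 src-address=192.168.5.0/24 \
    reject-with=tcp-reset
```

`add` appends to the end of the chain, so the two filter rules only take effect if no earlier forward rule already accepts new connections from 192.168.5.0/24.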
 
mbfound
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 01, 2014 1:18 pm
Location: South Africa

Re: Forwarding local traffic on 80 to a specific IP address

Mon Jan 16, 2017 5:28 pm

> Just take your rule and change it accordingly:
> /ip firewall nat
> add action=dst-nat chain=dstnat protocol=tcp dst-port=80,443 \
>     src-address=192.168.5.0/24 to-addresses=<where it should go>
> But it won't work very well. You can configure the target webserver to respond to requests for any hostname, that's no problem. But it will only work for plain http. With https, users will get certificate errors.

Thanks, it works and we'll make it work with just http.
