Southerntelcom
just joined
Topic Author
Posts: 5
Joined: Sat Dec 02, 2006 12:28 am

Firewall Reflection

Sat Dec 02, 2006 12:50 am

I believe that I'm experiencing a form of firewall reflection.

I have a single public IP on a WAN interface with nat-masquerade to the inside private interface.

There is a webserver @ 192.168.1.31.

Port 80 requests on the public (66.76.129.58) interface are dst-nat to 192.168.1.31.

This is working fine.

But when you browse to http://www.4stn.com, which resolves to 66.76.129.58, and you are inside on the private side, you get "page cannot be displayed", but from anywhere else in the world it works fine.

How do you resolve this?
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sat Dec 02, 2006 1:40 pm

Split the DNS or use a hosts file.

Regards

Andrew
 
Southerntelcom
just joined
Topic Author
Posts: 5
Joined: Sat Dec 02, 2006 12:28 am

Wed Dec 06, 2006 12:26 am

This is the reply from support:

You need to add 'src-nat' for the web-server, where 'src-address' is local
address and 'to-addresses' is public address.
Then web-server located in the local network should work for all clients
(including from the local network).


But this still didn't resolve this issue.
 
Equis
Forum Veteran
Posts: 888
Joined: Mon Jun 06, 2005 6:48 am

Wed Dec 06, 2006 10:48 am

Can you post your firewall settings?

It works for me
 
Southerntelcom
just joined
Topic Author
Posts: 5
Joined: Sat Dec 02, 2006 12:28 am

Wed Dec 06, 2006 6:47 pm

How do I do that?

Can I somehow extract just the firewall rules?
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Dec 06, 2006 7:09 pm

From the console:
/ip firewall filter print
Regards

Andrew
 
Southerntelcom
just joined
Topic Author
Posts: 5
Joined: Sat Dec 02, 2006 12:28 am

Wed Dec 06, 2006 7:35 pm

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.1.31 protocol=tcp src-port=80
action=src-nat to-addresses=66.76.129.58 to-ports=80

1 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=8100
icmp-options=0:0 action=dst-nat to-addresses=192.168.2.51 to-ports=80

2 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.1.31 to-ports=80

3 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=2222
action=dst-nat to-addresses=192.168.1.31 to-ports=22

4 chain=dstnat src-address=139.76.164.8 dst-address=66.76.129.58
action=dst-nat to-addresses=192.168.1.60 to-ports=0-65535

5 chain=dstnat dst-address=66.76.129.58 protocol=udp dst-port=1644-1647
action=dst-nat to-addresses=192.168.5.244 to-ports=1644-1647

6 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=10000
action=dst-nat to-addresses=192.168.5.244 to-ports=10000

7 chain=dstnat src-address=66.76.129.135 dst-address=66.76.129.58
protocol=tcp src-port=3306 dst-port=3306 action=dst-nat
to-addresses=172.28.50.40 to-ports=3306

8 chain=dstnat src-address=66.76.129.135 dst-address=66.76.129.58
protocol=tcp src-port=3306 dst-port=3306 action=dst-nat
to-addresses=172.28.50.40 to-ports=3306

9 chain=dstnat dst-address=66.76.129.58 protocol=udp dst-port=4569
action=dst-nat to-addresses=192.168.2.20 to-ports=4569

10 chain=dstnat src-address=208.54.234.200 dst-address=66.76.129.58
action=dst-nat to-addresses=192.168.2.20 to-ports=0-65535

11 chain=srcnat out-interface=ether3 action=masquerade

12 chain=dstnat dst-address=66.76.129.58 protocol=tcp dst-port=2224
action=dst-nat to-addresses=172.28.50.49 to-ports=22
-- [Q quit|D dump|up|down]
 
Southerntelcom
just joined
Topic Author
Posts: 5
Joined: Sat Dec 02, 2006 12:28 am

Wed Dec 06, 2006 7:36 pm

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] >
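
An added illustration, not part of any post in this thread: a small Python model that traces one HTTP request through the posted dstnat rule 2 and shows which source address the browser sees on the reply. It assumes the client sits on the same 192.168.1.0/24 segment as the web server; the router LAN address 192.168.1.1, the client 192.168.1.50 and the outside client 203.0.113.7 are made-up values.

```python
# Added illustration: trace one HTTP request to the public IP and its reply.
PUBLIC_IP = "66.76.129.58"     # from the thread
WEB_SERVER = "192.168.1.31"    # from the thread
ROUTER_LAN = "192.168.1.1"     # assumed router LAN address (not in the thread)
CLIENT = "192.168.1.50"        # assumed LAN client (not in the thread)


def same_segment(a, b):
    """Assumption: 192.168.1.0/24 is a single layer-2 segment."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def trace(client, hairpin_srcnat=False):
    """Return (reply source address seen by the client, reply accepted?)."""
    src, dst = client, PUBLIC_IP
    expected = dst                 # the client's socket only accepts this peer
    conntrack = (src, dst)         # router remembers the original address pair
    dst = WEB_SERVER               # dstnat, rule 2 in the posted NAT table
    # Hairpin srcnat: hide a same-segment client behind the router's address
    # so that the server has to answer via the router.
    if hairpin_srcnat and same_segment(src, dst):
        src = ROUTER_LAN
    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    via_router = reply_dst == ROUTER_LAN or not same_segment(reply_src, reply_dst)
    if via_router:
        # Reply belongs to a tracked connection: both translations are undone.
        reply_dst, reply_src = conntrack
    # Otherwise the reply is switched straight to the client. No router rule
    # sees it, including a srcnat rule matching 192.168.1.31 port 80 (rule 0).
    return reply_src, reply_src == expected


if __name__ == "__main__":
    for label, result in [
        ("LAN client, dstnat only", trace(CLIENT)),
        ("LAN client, hairpin srcnat", trace(CLIENT, hairpin_srcnat=True)),
        ("outside client, dstnat only", trace("203.0.113.7")),
    ]:
        print(f"{label:28} reply from {result[0]:14} accepted={result[1]}")
```
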
