External IP address replaced with router

Posted: Wed May 16, 2007 1:44 am
by Mukah
This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?

Thanks,
Brad

Posted: Wed May 16, 2007 3:42 am
by skynoc
This is normal, Mukah. You should set up the MT as a bridge; this can solve your situation.

Posted: Wed May 16, 2007 6:47 am
by Mukah
If I set it up as a bridge from the External to the Internal interface, will I still use port forwarding or NATing to the machines?

Posted: Wed May 16, 2007 9:07 am
by skynoc
I don't think so, but you should try it.

Posted: Wed May 16, 2007 9:21 am
by tneumann
> this is normal Mukah

No, this is not normal. A destination NAT rule does not change the source address of the IP packets, only the destination address. If everything is configured correctly, then you should still see the external source address of outside clients on your internal servers.

--Tom

Posted: Wed May 16, 2007 8:27 pm
by skynoc
But it will be translated to the MT IP address.

Posted: Wed May 16, 2007 9:00 pm
by tneumann
No, it will not. And why should it? Skynoc, did you try it for yourself? Try it and you'll see.

--Tom

Posted: Thu May 17, 2007 7:07 am
by tgrand
Sounds to me like skynoc is getting confused between dst-nat and src-nat.

Mukah:
Are you sure you are not also getting confused?
You should post your nat configuration, and I am sure the answers will start coming to you.

Posted: Thu May 17, 2007 10:00 am
by Ghassan
As long as I was using this configuration ...
Port forwarding helps you to open up a port in your router or firewall so that you can access your application safely, but if you want to access your web server, users cannot reach the IP of the web server; they'll still see it as the IP of the router. That is because we use, or call it, a webserver behind a firewall.

I use this configuration to protect my webserver, to which I give one public IP on MikroTik routers; then my webserver can be NATed :wink: .

Posted: Thu May 17, 2007 9:41 pm
by Mukah
I have assigned the IP "71.153.22.22" to the router, then I am doing a DST-NAT to the internal IP of the server, "10.1.2.20", but in the logs on the webserver it always lists every hit as coming from "71.153.22.23", which is an IP on the MT router that is not being used in a NAT.

add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80

Posted: Thu May 17, 2007 9:54 pm
by changeip
Do you also have any src-nat rules?

Sam

Posted: Thu May 17, 2007 9:57 pm
by Mukah
Only one, which is for internal access out to the Internet. Is this the reason everything is showing the .23 IP on the inside network?

add chain=srcnat action=src-nat to-addresses=71.153.22.23 to-ports=0-65535

Posted: Fri May 18, 2007 12:37 am
by Ghassan
What I am sure of is that you are redirecting incoming requests on any port to your router IP, which is 71.153.22.23.

I think this rule should not work:

add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80

Right, or am I wrong?

Posted: Fri May 18, 2007 1:04 am
by Mukah
All of the rules I have set up seem to be forwarding traffic on to the correct servers on the specific ports; it just shows all connections as coming from the .23 IP.

Posted: Fri May 18, 2007 1:50 am
by Ghassan
Look, I have tried it on my MT and everything is working 100%. Try to check your configuration, or move all dst-nat rules to be first.

Posted: Fri May 18, 2007 1:52 am
by Ghassan
But I am wondering if there is a rule that captures all ports, or NAT by IP, which ends in .23.
Posted: Fri May 18, 2007 11:13 am
by normis
> This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?
>
> Thanks,
> Brad

If I understand correctly, you have set the SRC-NAT rule with out-interface=all. This will also masquerade connections from outside->in. Change the out-interface setting.

Posted: Fri May 18, 2007 11:22 am
by Ghassan
> > This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?
> >
> > Thanks,
> > Brad
>
> If I understand correctly, you have set the SRC-NAT rule with out-interface=all. This will also masquerade connections from outside->in. Change the out-interface setting.

Yes, it seems that this rule is taking everything out. I always restrict my rules using in-interface or out-interface so I can manage my network.

Posted: Fri May 18, 2007 4:46 pm
by Mukah
I set out-interface=(outside interface), and now when I connect to the web server from the Internet it shows the correct IP in the logs, so that resolved it. But now the problem I have is that users internally can no longer get to the website by using the DNS name, which points to the external IP. What would I need to change to resolve that?

Posted: Fri May 18, 2007 5:07 pm
by tneumann
> users internally can no longer get to the website by using the DNS name which points to the external IP. What would I need to change to resolve that?

Set up split DNS on your nameservers.

--Tom

Posted: Fri May 18, 2007 5:34 pm
by Mukah
So you are saying I need to set up a new zone on the DNS server the PCs point at and set all the records up with the internal IP addresses? I was hoping I wouldn't have to maintain two different sets of DNS records, but if this is what I have to do, I will.

Thanks!

Posted: Fri May 18, 2007 6:31 pm
by cmit
You could redirect the internal requests like this (command from memory, check for typos!):
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 dst-address=1.2.3.4 action=dst-nat to-addresses=192.168.0.100
/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.0.0/24 dst-address=192.168.0.100 action=masquerade
where:
1.2.3.4 is the public IP address of your webserver
192.168.0.0/24 is your internal IP address range
192.168.0.100 is the internal IP address of your webserver
ether2 is the interface name of your internal network interface

This should allow access to your internal webserver from the internal LAN using the public ip address of the webserver.

Best regards,
Christian Meis
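A small simulation of the rule behaviour discussed in this thread (an added example, not code from the thread or from MikroTik): it parses RouterOS-style NAT lines like the ones posted above, runs a packet through dstnat, routing and srcnat, and shows why the unrestricted srcnat rule rewrites the Internet client's source to 71.153.22.23, why adding out-interface fixes it, and why a LAN client reaching the public address additionally needs cmit's masquerade rule (rendered here in Mukah's addressing). The interface names ether1 (WAN) and ether2 (LAN) and the router's LAN address 10.1.2.1 are assumptions.

```python
import ipaddress
# Added example, not code from the thread: a simulator for RouterOS-style NAT rules.
# Interface names (ether1 = WAN, ether2 = LAN) and router addresses are assumptions.
WAN, LAN = "ether1", "ether2"
LAN_NET = ipaddress.ip_network("10.1.2.0/24")
ROUTER_ADDR = {WAN: "71.153.22.23", LAN: "10.1.2.1"}  # assumed router addresses

def parse_rule(line):  # '[/ip firewall nat] add key=value ...' -> dict of key=value
    tokens = line.split()
    return dict(t.split("=", 1) for t in tokens[tokens.index("add") + 1:])

def matches(rule, pkt):  # every matcher the rule specifies must agree (CIDR-aware)
    for key in ("in-interface", "out-interface", "protocol", "dst-port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k])
               for k in ("src-address", "dst-address") if k in rule)

def nat(rules, pkt):
    """dstnat (prerouting) -> routing -> srcnat (postrouting); first match per chain wins."""
    pkt = dict(pkt)
    for chain in ("dstnat", "srcnat"):
        if chain == "srcnat":  # route on the (possibly rewritten) destination
            to_lan = ipaddress.ip_address(pkt["dst-address"]) in LAN_NET
            pkt["out-interface"] = LAN if to_lan else WAN
        for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
            if rule["action"] == "dst-nat":
                pkt["dst-address"] = rule["to-addresses"]
                pkt["dst-port"] = rule.get("to-ports", pkt["dst-port"])
            elif rule["action"] == "src-nat":
                pkt["src-address"] = rule["to-addresses"]
            elif rule["action"] == "masquerade":
                pkt["src-address"] = ROUTER_ADDR[pkt["out-interface"]]
            break
    return pkt

def reply_returns_via_router(pkt):
    """A LAN server answers a LAN source directly, bypassing the router's NAT state,
    so a hairpinned request only works if the source it sees is off-LAN or the router."""
    src = ipaddress.ip_address(pkt["src-address"])
    return src not in LAN_NET or str(src) == ROUTER_ADDR[LAN]

# Constructed sample traffic to the public web address, from the Internet and from the LAN.
INTERNET_CLIENT = {"in-interface": WAN, "src-address": "203.0.113.5",
                   "dst-address": "71.153.22.22", "protocol": "tcp", "dst-port": "80"}
LAN_CLIENT = {**INTERNET_CLIENT, "in-interface": LAN, "src-address": "10.1.2.50"}
DSTNAT = "add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80"
BROKEN = [DSTNAT, "add chain=srcnat action=src-nat to-addresses=71.153.22.23 to-ports=0-65535"]  # Mukah's rules
FIXED = [DSTNAT, "add chain=srcnat out-interface=ether1 action=src-nat to-addresses=71.153.22.23 to-ports=0-65535",
         "/ip firewall nat add chain=srcnat out-interface=ether2 src-address=10.1.2.0/24 dst-address=10.1.2.20 action=masquerade"]
```

Running the BROKEN set against LAN_CLIENT also yields 71.153.22.23 as the source, which is why LAN users could still reach the site by its public name before the srcnat rule was restricted and lost it afterwards.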