5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

traffic to a webserver sitting behind a router

Fri Dec 11, 2020 6:45 pm

Hello forum,
Is there a way to make the traffic incoming to a web server on a private IP behind a MikroTik router use its real IP rather than the router's IP? My goal is to make my webserver log the IP of the incoming traffic rather than the router's IP when using NAT.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: traffic to a webserver sitting behind a router

Fri Dec 11, 2020 6:52 pm

Yes, there is, fix your broken srcnat config. You probably have something like:
/ip firewall nat
add chain=srcnat action=masquerade
and it touches even traffic you don't want it to. Adding out-interface=<WAN interface> to it could be the fix, unless you have some special requirements.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: traffic to a webserver sitting behind a router

Sat Dec 12, 2020 1:11 am

How the frig do you know that LOL,,,,,,,,
In any case
/export hide-sensitive file=anynameyouwish

should reveal the issues.....
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Sat Dec 12, 2020 8:39 am

Yes, there is, fix your broken srcnat config. You probably have something like:
/ip firewall nat
add chain=srcnat action=masquerade
and it touches even traffic you don't want it to. Adding out-interface=<WAN interface> to it could be the fix, unless you have some special requirements.
I'll have to try this at night; I don't want my active webserver to drop connections at the time LOL
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Sat Dec 12, 2020 8:45 am

How the frig do you know that LOL,,,,,,,,
In any case
/export hide-sensitive file=anynameyouwish

should reveal the issues.....
I'll post the NAT configuration in the meantime since the file is too big; if there's anything else, tell me.
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="real ip" disabled=yes dst-address=\
    REALIP log-prefix=OSS to-addresses=192.168.0.12
add action=dst-nat chain=dstnat comment=EVALUATION dst-address=REALIP \
    dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.5 \
    to-ports=80
add action=dst-nat chain=dstnat comment=VTE dst-address=REALIP \
    dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.240 \
    to-ports=80
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: traffic to a webserver sitting behind a router

Sat Dec 12, 2020 3:48 pm

That would appear to be a problem.
Do what Sob noted; it won't cause any issues.

As for the destination nat rule, how bout you tell me, how the router will know where to send a connection that is coming in on port 80????????
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: traffic to a webserver sitting behind a router  [SOLVED]

Sat Dec 12, 2020 8:43 pm

It can cause issues if there's a need for hairpin NAT, i.e. when you connect to REALIP:80 not only from the internet, but also from the same LAN where the server is. In that case it would need another srcnat rule:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade
Reasons are explained in https://wiki.mikrotik.com/wiki/Hairpin_NAT.

As for the two rules, the router won't have any doubt about which one to use. The user's expectations and their result are another matter.
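A toy model of why the two rules above behave as described, added here as an illustration and not taken from the thread or from MikroTik: the dstnat chain is applied before routing and the srcnat chain after it, so a masquerade rule with no out-interface also rewrites the source of connections that were just dst-nat'd to the server, while the extra src/dst 192.168.0.0/24 rule only rewrites the LAN-to-LAN hairpin case. The interface names, the server address 192.168.0.9 and the public addresses are assumptions.

```python
# Toy model of RouterOS NAT evaluation for a forwarded connection: dstnat runs
# before routing, srcnat after it. Constructed for illustration; not MikroTik code.
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"          # the router's public address ("REALIP"), made up
LAN_IP = "192.168.0.1"           # the router's address on bridge1, assumed
LAN_NET = "192.168.0."           # 192.168.0.0/24, prefix check for brevity
SERVER = "192.168.0.9"           # web server from the thread's dst-nat rule

@dataclass
class Conn:
    src: str
    dst: str
    in_if: str
    out_if: str = ""             # filled in by the routing decision

def route(dst):
    """Routing: LAN prefix leaves via bridge1, everything else via WAN."""
    return "bridge1" if dst.startswith(LAN_NET) else "WAN"

def dstnat(c):
    # add chain=dstnat dst-address=REALIP dst-port=80 action=dst-nat to-addresses=SERVER
    return replace(c, dst=SERVER) if c.dst == WAN_IP else c

def srcnat(c, rules):
    # Each rule is (out-interface, src-address prefix, dst-address prefix);
    # None means "unset" (matches anything). First matching rule wins.
    for out_if, src_p, dst_p in rules:
        if out_if and c.out_if != out_if:
            continue
        if src_p and not c.src.startswith(src_p):
            continue
        if dst_p and not c.dst.startswith(dst_p):
            continue
        # masquerade rewrites the source to the outgoing interface's address
        return replace(c, src=WAN_IP if c.out_if == "WAN" else LAN_IP)
    return c

def forward(c, rules):
    c = dstnat(c)
    c = replace(c, out_if=route(c.dst))
    return srcnat(c, rules)

BROAD = [(None, None, None)]                  # add chain=srcnat action=masquerade
FIXED = [("WAN", None, None)]                 # ... out-interface=WAN
HAIRPIN = FIXED + [(None, LAN_NET, LAN_NET)]  # plus src/dst 192.168.0.0/24 rule

def seen_by_server(client_src, client_in_if, rules):
    """Source address the web server logs for a client hitting REALIP:80."""
    return forward(Conn(client_src, WAN_IP, client_in_if), rules).src
```

With FIXED a LAN client reaches the server with its own address, which is the case where the server's direct reply bypasses the router and the connection fails; HAIRPIN trades that for the router's LAN IP in the log.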
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: traffic to a webserver sitting behind a router

Sat Dec 12, 2020 8:58 pm

Geez, smarty Sob, of course by the order of rules, and you know what I meant, no need to get nitpicky LOL
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Sun Dec 13, 2020 12:26 pm

It can cause issues if there's a need for hairpin NAT, i.e. when you connect to REALIP:80 not only from the internet, but also from the same LAN where the server is. In that case it would need another srcnat rule:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade
Reasons are explained in https://wiki.mikrotik.com/wiki/Hairpin_NAT.

As for the two rules, the router won't have any doubt about which one to use. The user's expectations and their result are another matter.
Yep, I was reading about hairpin NAT and I was waiting to try it, since if I'm connected to the router I can't open the hosted websites, and I think hairpin was the solution for it, but I'll have to try it on Monday. But as for the original goal, I haven't read anywhere whether hairpin can solve that problem (source IP logging in the webserver, rather than the router's IP).
 
mkx
Forum Guru
Posts: 11595
Joined: Thu Mar 03, 2016 10:23 pm

Re: traffic to a webserver sitting behind a router

Sun Dec 13, 2020 2:36 pm

But as for the original goal, I haven't read anywhere whether hairpin can solve that problem (source IP logging in the webserver, rather than the router's IP).

As @sob mentioned: your src-nat was too greedy and did its magic also for the incoming traffic. Without it your web server would have seen the original clients' IP addresses.
However, this is not possible for clients which need hairpin NAT for their connections ... for those you'll see the router's LAN IP as the client's address.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: traffic to a webserver sitting behind a router

Sun Dec 13, 2020 7:09 pm

With the original broad srcnat rule, you already had working hairpin NAT, because it applied to all connections passing through the router. But one thing it does is hide real addresses. It's an easy choice for connections from LAN, because you can either have a wrong source address or not connect at all. But you don't want it for connections from elsewhere.
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Tue Dec 22, 2020 3:49 pm

With the original broad srcnat rule, you already had working hairpin NAT, because it applied to all connections passing through the router. But one thing it does is hide real addresses. It's an easy choice for connections from LAN, because you can either have a wrong source address or not connect at all. But you don't want it for connections from elsewhere.
Hi Sob, thanks for the previous advice. It worked on one router, but on the other one it's not working at all. I set it up the same as the other one and it's just not working. Does having a VLAN have any effect on the process, since I have a VLAN on the non-working router?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: traffic to a webserver sitting behind a router

Tue Dec 22, 2020 4:38 pm

post your config...........
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: traffic to a webserver sitting behind a router

Tue Dec 22, 2020 9:51 pm

^^^ What he wrote.

And there's nothing special about VLANs, except when you mess with bridge's Use IP Firewall option, then things can become quite unexpected.
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Wed Dec 23, 2020 1:45 pm

So I'll post the interface config and the NAT config of the thing I used, just noting that I have one DSL WAN internet connection and another fibre one on VLAN 2370 on ethernet port 12, so I have two.
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=DSL~WAN~E2 speed=100Mbps
set [ find default-name=ether1 ] name=LAN~E1 speed=100Mbps
set [ find default-name=ether3 ] name=Tamreed~E3 speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
/interface vlan
add interface=ether12 name="vlan 2370" vlan-id=2370
/interface bridge port
add bridge=bridge1 interface=LAN~E1 trusted=yes

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.232 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=8818 log-prefix=OSS protocol=tcp to-addresses=192.168.0.16 to-ports=8818
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=1433 protocol=tcp time=0s-23h,sun,mon,tue,wed,thu,fri,sat to-addresses=192.168.0.120 to-ports=1433
And when I tried the NAT config you advised, it either breaks the internet connection in the org or doesn't show the real source IP; it shows the router's IP.
I attached the NAT screenshot that breaks the internet also (bear with me, I'm not that much of an expert in MikroTik).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: traffic to a webserver sitting behind a router

Wed Dec 23, 2020 3:51 pm

add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.232 to-ports=80

In the top line the masquerade rule is incomplete, and if you have a fixed WAN IP, then one should probably use src-nat vice masquerade.
For the first two rules, do you actually think that any request for port 80 will get to 192.168.0.232 ???????
(a basic port forwarding no no)
 
5aberD
just joined
Topic Author
Posts: 24
Joined: Wed Apr 15, 2020 10:47 pm

Re: traffic to a webserver sitting behind a router

Thu Dec 24, 2020 8:22 am

add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat dst-address=RealIP dst-port=80 log-prefix=OSS protocol=tcp to-addresses=192.168.0.232 to-ports=80

In the top line the masquerade rule is incomplete, and if you have a fixed WAN IP, then one should probably use src-nat vice masquerade.
I tried fixing the first NAT rule, but it wasn't fixed: it either worked or didn't work at all when I used src-IP and dst-IP 192.168.0.0/24. Is there anything I'm missing?
For the first two rules, do you actually think that any request for port 80 will get to 192.168.0.232 ???????
(a basic port forwarding no no)
Yes, that's exactly what's happening: any request to the real IP over port 80 goes directly to the specified IP over port 80.
