Community discussions

pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Static DNS and local webserver problem ...

Tue Mar 18, 2008 10:08 am

Hi,

we have our webserver on local address 10.10.10.10. We have a fully routed network, no NAT except the main router masquerade. I wanted our customers to have access to our webserver, as there is a web presentation of our town's tourist portal. In the past I solved it with some DST NAT tricks, because we used NATted networks, etc. But with our new ISP and one central point I decided to simply put our locally hosted domains as static DNS entries onto our main router.

Users have DNS = gateway IP addresses. Each node runs a DNS server too, and it is chained to our main router. No secondary DNS on subsequent nodes. But there seems to be some odd behavior from time to time. It just happened for the second time in one month that I was not able to get to the webserver, because what DNS returned was the public IP address, and not our internal, static one.

I would like to ask if my understanding is correct that, no matter what, a static entry ALWAYS has precedence. But if it is so, how could subsequent nodes get the public address? This could mean one thing: there is some bug in OS 3.3 that we run on our central router?

Thanks,
Petr
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Static DNS and local webserver problem ...

Sun Jul 06, 2008 5:42 pm

Hi

I also use MT for my DNS. At the end/core router I have a dst-nat rule which targets ALL port 53 UDP and TCP traffic and dst-nats it to that router's address. Under

I have two dst-nat firewall rules, one for port 53 UDP and one for port 53 TCP. They dst-nat all DNS requests to that router's IP. I have set up that router to exclude all requests from that router. Under IP/DNS/Settings I specified my actual upstream DNS servers. For me it works like a dream.

Here's my DNS rules:

1 chain=dstnat action=dst-nat to-addresses=0.0.0.0/0 to-ports=53
src-address=!172.29.254.254 dst-port=53 protocol=tcp

2 chain=dstnat action=dst-nat to-addresses=0.0.0.0/0 to-ports=53
src-address=!172.29.254.254 dst-port=53 protocol=udp

Where 172.29.254.254 is the CORE (and DNS) router's address. Be sure to exclude (=!) the IP on the interface of your gateway to your upstream DNS server.

The above rules basically dst-nat ALL dst:port53 traffic, EXCEPT when it's coming from that router.

Hope it helps
Last edited by Giepie on Sat Jul 12, 2008 11:07 pm, edited 1 time in total.
The only thing Mikrotik lack, is to send power to your High Sites wirelessly.....
 
alex_rhys-hurn
Member
Posts: 325
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Static DNS and local webserver problem ...

Sat Jul 12, 2008 10:55 pm

Can you also achieve the same thing by setting the primary DNS server for the router to itself and then the secondary to your ISP DNS server?

Then get your DHCP clients to set their primary DNS server to the router?

Does that not also mean you are caching your DNS requests as well as serving the static records?

Are there any other benefits to doing this your way? (Obviously my way means you don't have a good backup DNS server.)

Rgds

Alex
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Static DNS and local webserver problem ...

Sat Jul 12, 2008 11:10 pm

You could do it that way, but some clients like static IP addresses and use any DNS server they can think of. Then they complain to you about bad service, meanwhile the problem is on their side.

I prefer to FORCE everyone to use the DNS I want them to use.

If you setup your CORE/DNS router to use itself as primary, it won't make any difference, as the CORE/DNS router will always check itself first anyway. And it is important to have a decent backup DNS server too.

G
 
alex_rhys-hurn
Member
Posts: 325
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Static DNS and local webserver problem ...

Tue Jul 15, 2008 1:33 pm

Hi!

I am playing with this, but am not sure which IP address should be in the src-address field with the NOT (!) feature.

I have three interfaces:

ether1 - to internet, public interface
ether2 - to WISP network (customers)
ether3 - Management network in my office.

I assume that I should have the IP address for ether1 as src-address=!196.x.x.x

Is that right?

Regards

Alex
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Static DNS and local webserver problem ...

Wed Jul 16, 2008 4:42 am

Hi Alex

Yes, according to your explanation you should use ether1's IP. If you have more than one address on that interface and are still not sure which address to exclude, you could set up an IP address list (/ip firewall address-list) with all IPs ON your CORE router, and choose =! <ip-address-list-of-router> under the Advanced tab. This will make sure that none of the IPs ON your router will be dst-nat'd.

Hope it helps!

G
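As an added example (not configuration posted by anyone in this thread, nor MikroTik's own documentation), here is the complete setup the posts above describe in one place: the static entry for the local web server from the opening question, Giepie's forced-DNS NAT rules with the address-list exclusion he recommends in the reply just above, and the input-chain drop a practitioner should pair with allow-remote-requests so the core router does not become an open resolver on its public side. It is written in current RouterOS syntax (v6/v7), not the 3.x syntax of 2008, where the resolver was set with primary-dns= and secondary-dns=. The core address 172.29.254.254 is taken from Giepie's rules; the hostname www.example.net, the upstream and WAN addresses, the list name core-ip, and ether1 as the WAN interface are assumptions for the example.

```routeros
# Added example, not from the thread. Current RouterOS syntax (v6/v7);
# RouterOS 3.x used "primary-dns=/secondary-dns=" instead of "servers=".
# Assumed values: core/DNS router 172.29.254.254 (from Giepie's post),
# WAN interface ether1, made-up upstream 203.0.113.53 and WAN address
# 198.51.100.2 (documentation ranges), made-up hostname www.example.net
# for the 10.10.10.10 web server, and the address-list name "core-ip".

# 1. Local override: the router answers this name from its static table
#    before it consults its cache or the upstream servers.
/ip dns static
add name=www.example.net address=10.10.10.10 ttl=1h

# 2. Make the router the resolver for the network, forwarding upstream.
/ip dns
set allow-remote-requests=yes servers=203.0.113.53

# 3. Every address that belongs to the router goes in one list, so its
#    own queries to the upstream are never redirected back to itself.
/ip firewall address-list
add list=core-ip address=172.29.254.254 comment="core router, LAN side"
add list=core-ip address=198.51.100.2 comment="core router, WAN side (example)"

# 4. Force DNS: whatever server a client has configured, port 53 traffic
#    that did not originate on the router is sent to the router's own
#    resolver. "redirect" is RouterOS's action for "to this router", an
#    alternative to the to-addresses=0.0.0.0/0 dst-nat form shown above.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 src-address-list=!core-ip \
    action=redirect to-ports=53 comment="Force DNS (udp)"
add chain=dstnat protocol=tcp dst-port=53 src-address-list=!core-ip \
    action=redirect to-ports=53 comment="Force DNS (tcp)"

# 5. Hardening: allow-remote-requests=yes also answers queries that arrive
#    on the WAN side, which makes the router an open resolver usable for
#    reflection/amplification. Drop port 53 on the public interface in the
#    input chain; these rules must sit above any general accept there.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from the Internet"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from the Internet"

# 6. Optional: hand out the router as DNS via DHCP so well-behaved clients
#    never need the redirect. "[find]" touches every DHCP network; narrow
#    it to your own pools in production.
/ip dhcp-server network
set [find] dns-server=172.29.254.254

# Checks:
#   /ip firewall nat print stats            -> "Force DNS" counters grow
#                                               as clients query elsewhere
#   /ip dns cache print where name=www.example.net
#   From a client, "nslookup www.example.net 8.8.8.8" must still return
#   10.10.10.10: the query addressed to 8.8.8.8 never leaves the router.
```

The order of steps 3 and 4 matters operationally: if the redirect rules go in before the router's own addresses are in the list, the router's upstream lookups loop back to itself and resolution stalls for everyone until the list is fixed.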
 
alex_rhys-hurn
Member
Posts: 325
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Static DNS and local webserver problem ...

Wed Jul 16, 2008 8:32 am

Hi Giepie

Well, this is totally dumbfounding me. Whenever I put the following rules into place my x86 router reboots instantly, starts up and then reboots itself again. Over and over.

The funny thing is that it only does this with the LAN cables plugged in. If I take them out, the router runs, and I am then able to log in to the CLI and disable the two rules.

These are the rules:
1 X ;;; Force DNS Cache
     chain=dstnat action=dst-nat to-addresses=0.0.0.0-255.255.255.255 
     to-ports=53 src-address-list=!core-ip dst-port=53 protocol=tcp 

 2 X chain=dstnat action=dst-nat to-addresses=0.0.0.0-255.255.255.255 
     to-ports=53 src-address-list=!core-ip dst-port=53 protocol=udp 
Where address list is:
Flags: X - disabled, D - dynamic 
 #   LIST                                       ADDRESS                        
 0   core-ip                                    196.207.23.22                  
 1   core-ip                                    172.16.1.253                   
 2   core-ip                                    41.215.5.17 
And my Interface / ip addresses are:
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
     196.207.23.22/30   196.207.23.20   196.207.23.23   ether1                 
     172.16.1.253/24    172.16.1.0      172.16.1.255    ether2                 
     41.215.5.17/29     41.215.5.16     41.215.5.23     ether3          
RouterOS is 3.10, on an Intel Pentium 3 with 512 MB RAM.

Can you see what I have done wrong with my rules? Also, it's very weird to see it cause a router reboot. I would expect stalled traffic or something instead.

Help appreciated.

Alex
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Static DNS and local webserver problem ...

Wed Jul 16, 2008 8:52 am

Hi Alex

It really is weird that the router reboots!

The only funny thing I can see in your rules is the to-addresses. Usually 0.0.0.0 would be entered as 0.0.0.0/0 and not 0.0.0.0-255.255.255.255. I haven't tried it your way, but don't really want to risk a router rebooting. Perhaps you should mail support; it's probably a ROS bug.

I would write the rules as follow:

1 X ;;; Force DNS Cache
chain=dstnat action=dst-nat to-addresses=0.0.0.0/0
to-ports=53 src-address-list=!core-ip dst-port=53 protocol=tcp

2 X chain=dstnat action=dst-nat to-addresses=0.0.0.0/0
to-ports=53 src-address-list=!core-ip dst-port=53 protocol=udp

Further on you did everything correctly.

Give it a try and let us know! G
 
alex_rhys-hurn
Member
Posts: 325
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Static DNS and local webserver problem ...

Wed Jul 16, 2008 9:37 am

Hey bwana!

I created those rules with Winbox. Winbox shows the entries as 0.0.0.0/0, but the CLI shows them as 0.0.0.0-255.255.255.255.

So I removed them and recreated them using the CLI and it still behaves the same way.

I will send some stuff to support, but I will have to plan a maintenance period with my clients so it will take a few days.

Thanks for the input!

Alex
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Static DNS and local webserver problem ...

Wed Jul 16, 2008 9:42 am

I added the same rules from the CLI on an RB532A running 3.10, and it definitely comes up as 0.0.0.0/0.

Did you perhaps upgrade from 2.9, or was that a clean MTROS3.x installation?

My RB532A was upgraded regularly throughout all the 2.9.x ranges up to 2.9.50 and then straight to MTROS3.0, then 3.4 I think and now 3.10.

Create a supout.rif and mail it to support, even with your disabled rules. They could recreate your scenario and investigate whether it's a bug.

G
