romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Problem forwarding port from local LAN, using public IP addr

Mon Mar 24, 2008 10:52 am

Hello.

I cannot communicate from the LAN, using the public IP address, to a server behind the same NAT.

I cannot use DNS, because I need to use only public IP addresses.

2 years ago I found how to solve the problem on an old Mikrotik, but now I can't!

The scenario is simple: one server on the local network, and I want to access it using its public IP from the local network.

I searched this forum forward and back and tried lots of examples and I still cannot get it to work. Some other user said he solved it by adding another rule for UDP, but that didn't work either.

Please, somebody help.
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Mon Mar 24, 2008 3:20 pm

romaxe -
A little more info would be helpful - is your NAT'ing router a Mikrotik? Where is it located in your network (public / private)? Where is 'your' local LAN in regards to the server (routers in between?)?

R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Mon Mar 24, 2008 10:09 pm

These are the rules I am using.

Yes, of course, I am using a Mikrotik (bought 6 months ago).

The router is in the middle, between the Internet and the LAN (it is my gateway).
I have seen this problem with a lot of people (not professionals, like me, if I can say that). I know this is not a problem, it's just that users without the right knowledge can't make it work.

The scenario is: I have a webserver inside my local network. I can access my webserver from the Internet without any problems, but not from inside my local network.

[admin@Mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade local network
chain=srcnat action=masquerade src-address=10.10.0.0/24

1 ;;; Inbound for web
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=Internet_Uplink dst-port=80 protocol=tcp

Hope this is helpful.
Thanks.
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Mon Mar 24, 2008 11:30 pm

romaxe -

Put the rules in order as below - rule '0' stays where it's at.


1 ;;; to local web server from LAN
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=LAN INTERFACE NAME dst-port=80 protocol=tcp


2 ;;; Inbound for web from the Internet
chain=dstnat action=dst-nat to-addresses=10.10.0.1 to-ports=80
dst-address=200.10.22.10 in-interface=Internet_Uplink dst-port=80 protocol=tcp

R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 12:39 am

Thank you for your quick reply.

The example you gave, I assume, is the logical way to do it, and this is what I was trying.

I re-wrote both rules again... and it didn't work. Not even a simple telnet can connect.

But it doesn't work.

Maybe somebody knows how to mangle packets whose destination is my public IP addresses, to redirect them to the LAN again...

This is driving me crazy. I don't know why it works on cheap routers, and why Mikrotik doesn't publish some "easy rules" for people like US.

I think not everybody has 5 years of network implementation or an academic degree... lol.

Thanks to all.
MAX
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 12:49 am

Max -
I'll look at this again...I was in a hurry earlier...

Thom
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 1:13 am

Max -
I just pulled this rule out of my own router - it works perfectly....

chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 in-interface=Local_lan dst-address=xx.xx.65.190 dst-port=80 protocol=tcp

R/

Thom
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 2:00 am

Maybe it could be some problem with the mangle rules.

I have 2 Internet connections and I have mangle rules to always reply using the same link the connection came from.

This is where I took the example for what I am using on my Mikrotik, and it is working fine.
Maybe this could be making some trouble for the other rules you told me about.
ip firewall mangle print

0 ;;; ISP1 incoming
chain=prerouting in-interface=1-2 Bond dst-address=85.xx.xx.xx/26
connection-state=new dst-address-list=WAN-NetIT action=mark-connection
new-connection-mark=conn_ISP1 passthrough=no

1 ;;; ISP2: incoming
chain=prerouting in-interface=1-2 Bond dst-address=195.xx.xx.xx/27
connection-state=new action=mark-connection
new-connection-mark=conn_ISP2 passthrough=no

2 ;;; Internal going out
chain=prerouting in-interface=3-Internal dst-address=!192.168.0.0/16
connection-state=new action=mark-connection new-connection-mark=conn_out
passthrough=yes

3 chain=prerouting in-interface=3-Internal connection-mark=conn_out
action=mark-routing new-routing-mark=route_ISP1 passthrough=no

4 ;;; ISP1: answer to incoming
chain=prerouting in-interface=3-Internal connection-mark=conn_ISP1
action=mark-routing new-routing-mark=route_ISP1 passthrough=no

5 ;;; ISP2: answer to incoming
chain=prerouting in-interface=3-Internal connection-mark=conn_ISP2
action=mark-routing new-routing-mark=route_ISP2 passthrough=no
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 8:52 am

Hello galaxynet, I checked again and you are correct. You are right.

I disabled all mangle rules for a few seconds and then I tried a telnet to the webserver, and it worked. Then I re-enabled all mangle rules and telnet didn't work again.

That's a big step. PROBLEM FOUND!

Now I have to figure out how to make it all work together!
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 1:38 pm

romaxe-
Perhaps something like this as your FIRST mangle rule will help...

chain=prerouting in-interface=3-Internal dst-address=200.10.22.10 action=mark-connection new-connection-mark=INTERNAL WEB SERVER passthrough=no

This would mark the connection as something different from your other connections and also would not allow the connection to go through any more mangle rules (passthrough=no). It might have to be in the forward chain - since I do not know what else you have in your router I am just giving you what may work and/or what to look at to get you to the correct answer.

R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Tue Mar 25, 2008 7:51 pm

Yes... something like this is what I was trying last night. But MT is producing a delay of almost 2 seconds before the server replies. Very weird... I know.

The problem I have is that all the other rules mark routes, for routing through specific gateways. And on my local network I don't have a gateway...

Sorry, I am noobish. For me everything is trial and error...
I will try again later when I can put my hands on the MT.
 
romaxe
newbie
Topic Author
Posts: 44
Joined: Sat Aug 26, 2006 12:08 pm
Location: Buenos Aires

Re: Problem forwarding port from local LAN, using public IP addr

Mon Mar 31, 2008 8:46 am

Thom, you are a genius.

Today I started all over again from fresh, and it WORKED.

Evidently I was doing something wrong, but now it works.

Thank you, thank you very much.

Hugs, Max
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Mon Mar 31, 2008 2:28 pm

romaxe -

You're welcome romaxe.

R/
Thom
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
AigarsABCD
just joined
Posts: 16
Joined: Sun May 04, 2008 5:47 pm
Location: Latvia

Re: Problem forwarding port from local LAN, using public IP addr

Sun May 04, 2008 6:18 pm

Hello.
I have the same problem mentioned above, but none of the solutions seem to work.
I have two interfaces on the router - Internal and External, and there is a webserver on the internal network.
[admin@MikroTik] ip firewall nat> print
 0   chain=srcnat action=masquerade out-interface=External

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 
     dst-address=85.254.xxx.xxx dst-port=80 protocol=tcp
But this doesn't work if requests to the webserver come from the internal network.

How it works: When a client from the internal network (192.168.0.31) asks for 85.254.xxx.xxx, the webserver (192.168.0.100) receives a request from 192.168.0.31 and replies to 192.168.0.31, but the client expects a reply from 85.254.xxx.xxx, so nothing works in the end. The router applies only my NAT rule 1 and keeps the source address 192.168.0.31.

How it should work: The router should first apply my NAT rule 0, as the connection actually goes through the External interface. Only then should it apply rule 1, and the webserver should receive the request from 85.254.xxx.xxx, then reply to 85.254.xxx.xxx, and finally NAT back to 192.168.0.31.
This is also the way all cheap routers do it.

Then why doesn't it work as it should on RouterOS? I have tried to change many things, but I only get Connection Timed Out.
BTW, I use RouterOS 2.9.46
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Sun May 04, 2008 9:42 pm

AigarsABCD -
Well you almost have it....

Do you have DNS entry to your web server? You'll need it for this to work - or at least a DDNS address.....

First - If you want to masq the internal to the external make sure you use your internal address space as the 'qualifier' - as in if your internal address space is 192.168.0.0/24 then be sure to add that as the src-addr and then use the outgoing interface. This keeps 'stray' address space from getting masq'd as well.

Second - Since you are using dst-nat - make sure to use your 'External' interface as the qualifier as the 'incoming' interface - that will also keep spoofing down to minimum.

Once you do the above that should fix your issue. Please post back your results so others can learn as well.

R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
AigarsABCD
just joined
Posts: 16
Joined: Sun May 04, 2008 5:47 pm
Location: Latvia

Re: Problem forwarding port from local LAN, using public IP addr

Sun May 04, 2008 11:13 pm

Thank you for your reply.
I have a DNS server on the same machine where the webserver is, but DNS also works fine from the internal network, since the DNS query goes through the ISP's server and then comes back.

I did what you said, now the rules look like this
0   chain=srcnat action=masquerade out-interface=External
     src-address=192.168.0.0/24 

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 
     in-interface=External dst-address=85.254.xx.xx dst-port=80 protocol=tcp
And now, as I write the external address in the browser window, there is no more dst-nat to the server, but Mikrotik's webbox interface comes up. From outside everything works fine.
I am confused. Isn't an IP address associated with an interface? If I send something to the external IP address, shouldn't it also go through the external interface? It seems that it does not. Does this really work for all those who use this dst-nat?


The "Bridge" thing is only required if my device would be something like a network switch. It is not needed for routing. <-- is this correct?
There is also a section called "NAT" in the Bridge section. In the manual there is zero explanation of what this section actually does. :D
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Mon May 05, 2008 4:04 pm

AigarsABCD -

What you are describing sounds like you only have a single IP address - is that correct?

I did not take into account your rules and the order above. Your webserver has to have its address src-nat'd (not masq'd) BEFORE you masq the rest of your internal network. Rules are executed in order (by src-nat then dst-nat).

An IP can be associated with an Interface - it can also be associated to other IP addresses with NAT and Masq. There is also bridging and routing which can make IP addresses appear in other locations - out of the scope of this thread but felt it was worth mentioning because of your comments above.

NAT under bridge works the same way as 'normal' nat. You just have to use it under the Bridge interface and not the standard IP/ Firewall / Nat section.

R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
AigarsABCD
just joined
Posts: 16
Joined: Sun May 04, 2008 5:47 pm
Location: Latvia

Re: Problem forwarding port from local LAN, using public IP addr

Tue May 06, 2008 12:00 am

Yes, I have a single IP address and my internal network is masqueraded behind it.

It seems that nothing works for me :( Anyway, it is actually not very important for me right now to access my webserver from the internal network, so I'll just leave it as it is. I just wanted to figure out what I am doing wrong, because I took the configuration rules from the manual and from wiki.mikrotik.com

By the way, are there really any other differences between src-nat and masquerade, other than that I have to manually enter to-address and to-port for src-nat, while to-address is determined automatically for masquerade?

Thank you for your help!
 
galaxynet
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Problem forwarding port from local LAN, using public IP addr

Tue May 06, 2008 12:16 am

AigarsABCD -
It is still possible to see your webserver with only 1 IP address - I just needed to know what you had.... You should be able to change the www port on the router - to say 81 or 8080 - and then your dst-nat rule will work. Your webserver will still have port 80 as the 'default' web server port while the MT will have 81 or 8080....

There are reasons for src-nat and masq; once you've done this a while it will be apparent. But as you surmised, the main difference is you have the option to designate ports in src-nat and dst-nat, whereas masq has no such options....


R/
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
AigarsABCD
just joined
Posts: 16
Joined: Sun May 04, 2008 5:47 pm
Location: Latvia

Re: Problem forwarding port from local LAN, using public IP addr

Sun May 25, 2008 10:06 pm

Hi again!
I have finally found a solution to my problem discussed above.
I had 2 NAT rules, but the second did not work from the internal network. I just took out the bolded part and it seems to work now.
0 chain=srcnat action=masquerade out-interface=External
src-address=192.168.0.0/24

1 chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80
in-interface=External dst-address=85.254.xx.xx dst-port=80 protocol=tcp
So why is the out-interface so important there? I have seen it in every example. It looks like it just causes problems.
Now everything that comes from the internal network through the router is masqueraded, whether it really goes out to External or not. Am I right?
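The failure AigarsABCD describes (the request is dst-nat'd to the server, but the source address is left alone, so the server answers the client directly and the client drops a reply that does not come from the public IP), the "webbox comes up" symptom when in-interface=External is added to the dst-nat rule, and why removing out-interface=External from the masquerade rule fixes it, can all be traced with a small simulation of RouterOS-style NAT evaluation (dstnat before routing, srcnat after). This is an added example, not code from the thread or from MikroTik. The interface names Internal/External, the router's LAN address 192.168.0.1, the public address 85.254.0.1 (a placeholder for the thread's 85.254.xx.xx) and the client addresses are constructed. It also includes a narrower hairpin variant that goes beyond the thread's fix: masquerade only LAN-to-webserver connections that leave via Internal, so only the hairpinned connections lose the client's real source address in the server's logs.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumptions, not the thread's exact addresses).
LAN = ip_network("192.168.0.0/24")
PUBLIC_IP = "85.254.0.1"        # placeholder for the thread's 85.254.xx.xx
ROUTER_LAN_IP = "192.168.0.1"   # assumed router address on the Internal interface
WEBSERVER = "192.168.0.100"
IFACE_ADDR = {"External": PUBLIC_IP, "Internal": ROUTER_LAN_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass
class Rule:
    chain: str                          # "dstnat" (prerouting) or "srcnat" (postrouting)
    action: str                         # "dst-nat" or "masquerade"
    to_address: Optional[str] = None
    src_address: Optional[str] = None   # CIDR network
    dst_address: Optional[str] = None   # host or CIDR network
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None


def route(dst: str) -> str:
    """Routing decision: LAN destinations leave via Internal, everything else via External."""
    return "Internal" if ip_address(dst) in LAN else "External"


def matches(rule: Rule, pkt: Packet, out_iface: Optional[str]) -> bool:
    """Unset qualifiers match anything; set ones must all agree with the packet."""
    if rule.src_address and ip_address(pkt.src) not in ip_network(rule.src_address, strict=False):
        return False
    if rule.dst_address and ip_address(pkt.dst) not in ip_network(rule.dst_address, strict=False):
        return False
    if rule.dst_port is not None and pkt.dport != rule.dst_port:
        return False
    if rule.in_interface and pkt.in_iface != rule.in_interface:
        return False
    if rule.out_interface and out_iface != rule.out_interface:
        return False
    return True


def nat_traverse(rules, pkt: Packet):
    """Walk a new connection through dstnat (before routing) and srcnat (after routing).
    Returns the translated packet and the interface it leaves on."""
    for r in rules:  # prerouting: first matching dstnat rule wins
        if r.chain == "dstnat" and matches(r, pkt, None):
            pkt = replace(pkt, dst=r.to_address)
            break
    out_iface = route(pkt.dst)
    for r in rules:  # postrouting: first matching srcnat rule wins
        if r.chain == "srcnat" and matches(r, pkt, out_iface):
            # masquerade rewrites the source to the outgoing interface's own address
            new_src = r.to_address if r.action == "src-nat" else IFACE_ADDR[out_iface]
            pkt = replace(pkt, src=new_src)
            break
    return pkt, out_iface


def evaluate(rules, client_ip: str) -> str:
    """Classify what happens when client_ip opens TCP/80 to the public address."""
    in_iface = "Internal" if ip_address(client_ip) in LAN else "External"
    out, out_iface = nat_traverse(rules, Packet(client_ip, PUBLIC_IP, 80, in_iface))
    if out.dst != WEBSERVER:
        return "router-self"        # no dst-nat: packet lands on the router's own web UI
    if in_iface == "Internal" and out_iface == "Internal" and out.src == client_ip:
        # server sees the client's real LAN address and answers it directly on the same
        # segment; the client expected the reply from PUBLIC_IP and discards it
        return "asymmetric-reply"
    return "ok"


# AigarsABCD's first rule set: masquerade only when leaving via External.
RULES_ORIGINAL = [
    Rule("srcnat", "masquerade", out_interface="External"),
    Rule("dstnat", "dst-nat", to_address=WEBSERVER, dst_address=PUBLIC_IP, dst_port=80),
]
# With in-interface=External on the dst-nat rule, LAN clients never match it.
RULES_WITH_IN_INTERFACE = [
    Rule("srcnat", "masquerade", src_address=str(LAN), out_interface="External"),
    Rule("dstnat", "dst-nat", to_address=WEBSERVER, dst_address=PUBLIC_IP, dst_port=80,
         in_interface="External"),
]
# The thread's fix: drop out-interface so hairpinned LAN traffic is masqueraded too.
RULES_FIXED = [
    Rule("srcnat", "masquerade", src_address=str(LAN)),
    Rule("dstnat", "dst-nat", to_address=WEBSERVER, dst_address=PUBLIC_IP, dst_port=80),
]
# Narrower hairpin rule (beyond the thread): masquerade only LAN->webserver via Internal.
RULES_HAIRPIN = [
    Rule("srcnat", "masquerade", src_address=str(LAN), dst_address=WEBSERVER,
         dst_port=80, out_interface="Internal"),
    Rule("srcnat", "masquerade", src_address=str(LAN), out_interface="External"),
    Rule("dstnat", "dst-nat", to_address=WEBSERVER, dst_address=PUBLIC_IP, dst_port=80),
]

if __name__ == "__main__":
    for name, rules in [("original", RULES_ORIGINAL), ("in-interface", RULES_WITH_IN_INTERFACE),
                        ("fixed", RULES_FIXED), ("hairpin", RULES_HAIRPIN)]:
        print(f"{name:12s} LAN client -> {evaluate(rules, '192.168.0.31'):17s} "
              f"Internet client -> {evaluate(rules, '203.0.113.5')}")
```

Running it shows the original rules give "asymmetric-reply" for the LAN client, the in-interface variant gives "router-self", and both the thread's fix and the narrower hairpin rule give "ok", while Internet clients work in every case. The simulation only models first-match rule evaluation and the routing decision; connection tracking, mangle marks and the same-segment shortcut are out of scope.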
 
skye1
newbie
Posts: 29
Joined: Thu May 17, 2007 5:10 am

Re: Problem forwarding port from local LAN, using public IP addr

Sun Jul 06, 2008 5:34 am

Wouldn't the in-interface be the public one? I'm using 2.9.51 and have found that an in-interface did not need to be defined.
I tested this assigning in-interface=local_net and it would not map.
This was the working NAT rule from my 2.9.51:
chain=dstnat action=dst-nat to-addresses=172.x.x.x to-ports=80
dst-address=x.x.x.x dst-port=80 protocol=tcp
Max -
I just pulled this rule out of my own router - it works perfectly....

chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 in-interface=Local_lan dst-address=xx.xx.65.190 dst-port=80 protocol=tcp

R/

Thom
