pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

"Advanced NAT problem" - local web server

Fri Apr 28, 2006 12:55 pm

Hi,

this thread is not about how to get a local webserver running. I have it running. Well, I needed to do it quickly, so I hacked a double dst-nat through two of our nodes, but it works, except for the fact that I can't access the web server from the local network.

Now from the MUM docs, I can see we had it as an "Advanced NAT problem" scenario, but I can't remember what was said we have to do.

well:

I could add a static IP to the Windows hosts file, or I could probably add static entries to the DNS server, but how to do it another way?

so:

internet ---> 123.123.123.123 main-router 10.0.10.1-----> 10.0.10.10 webserver | 10.0.10.20 PC1

Now, how do I access the webserver from PC1? What happens to the packet? It surely asks DNS, which tells PC1 that the webserver is at the 123.123.123.123 public IP. So it goes there. Then DST NAT is applied, so maybe the webserver is even reached, but imo the answer is not delivered, and my suspicion is that NAT is somehow involved. It will imo go back to the main router, and it will be given back the 123.123.123.123 address and dropped? So is it solvable without assigning the web server a public IP?

Thanks,
Petr
 
macgaiver
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri Apr 28, 2006 1:02 pm

there are two ways:

1) use static DNS cache entries

2) masquerade your local network behind your local router address :)
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
mezlo
newbie
Posts: 39
Joined: Tue Jan 17, 2006 3:08 am
Location: United States

Fri Apr 28, 2006 4:18 pm

To get it working under 2.9.x, I had to add another dst-nat rule which specified my local network as the in-interface and the dst-address of the webserver in question. Try this rule and see if it works for you:
/ ip firewall nat
add chain=dstnat in-interface=LAN dst-address=123.123.123.123 protocol=tcp \
dst-port=80 action=dst-nat to-addresses=10.0.10.10 to-ports=80 disabled=no 
Be sure to set the in-interface to whatever your LAN is on.

Mezlo

PS - I have not found a way to make this work under 2.8.x - anyone have a solution?
 
pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Fri Apr 28, 2006 7:49 pm

Thanks Mezlo,

it does seem to work :-) The trick is not to let the local network request go to the public interface, but to catch it coming in to the main router and dst-nat it to the server directly.

-pekr-
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Re: "Advanced NAT problem" - local web server

Sat Apr 29, 2006 3:43 pm

Hi,

this thread is not about how to get a local webserver running. I have it running. Well, I needed to do it quickly, so I hacked a double dst-nat through two of our nodes, but it works, except for the fact that I can't access the web server from the local network.

Now from the MUM docs, I can see we had it as an "Advanced NAT problem" scenario, but I can't remember what was said we have to do.

well:

I could add a static IP to the Windows hosts file, or I could probably add static entries to the DNS server, but how to do it another way?

so:

internet ---> 123.123.123.123 main-router 10.0.10.1-----> 10.0.10.10 webserver | 10.0.10.20 PC1

Now, how do I access the webserver from PC1? What happens to the packet? It surely asks DNS, which tells PC1 that the webserver is at the 123.123.123.123 public IP. So it goes there. Then DST NAT is applied, so maybe the webserver is even reached, but imo the answer is not delivered, and my suspicion is that NAT is somehow involved. It will imo go back to the main router, and it will be given back the 123.123.123.123 address and dropped? So is it solvable without assigning the web server a public IP?

Thanks,
Petr
------------------------------------------------------------------------------------
Hello all,

You can use these two example rules, which redirect to your webserver IP [10.0.10.10] for destination LAN and from outside [123.123.123.123] too, and the default MT WEB INTERFACE disappears as well; I mean everything from input for the destination address at port 80:

------->> chain=dstnat dst-address=123.123.123.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.10.10 to-ports=0-65535
------->> chain=dstnat dst-address=10.0.10.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.10.10 to-ports=0-65535

Ok man....
Peace all
Balimore DOT com
------------------------------------------------------------------------------------
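
The approaches in this thread differ in what the web server's reply looks like when it arrives back at PC1. The following Python model is an added example, not code from any poster or from MikroTik; it uses the thread's addresses and assumes PC1 and the web server share the 10.0.10.0/24 segment, so the server answers PC1 directly unless the router also source-NATs the request.

```python
# Added example: toy packet walk for the LAN -> public IP -> LAN ("hairpin") case.
# Addresses are the thread's; the direct same-subnet reply is an assumption.
from ipaddress import ip_address, ip_network

PUBLIC, ROUTER_LAN = "123.123.123.123", "10.0.10.1"
SERVER, PC1 = "10.0.10.10", "10.0.10.20"
LAN = ip_network("10.0.10.0/24")


def hairpin(masquerade: bool) -> dict:
    """Trace PC1's SYN to PUBLIC:80 and the server's SYN-ACK back to PC1."""
    conntrack = {}  # translated (src, dst) -> original (src, dst)

    # PC1 resolved the site name to the public IP, so the SYN hits the router.
    orig = (PC1, PUBLIC)
    src, dst = orig
    dst = SERVER                      # dstnat: public IP -> internal server
    if masquerade:
        src = ROUTER_LAN              # srcnat: hide PC1 behind the router's LAN IP
    conntrack[(src, dst)] = orig

    # The server answers the source address it saw.
    r_src, r_dst = dst, src
    on_link = ip_address(r_dst) in LAN and r_dst != ROUTER_LAN
    if on_link:
        # Same subnet: the reply is switched straight to PC1, the router never
        # sees it, so nothing undoes the dstnat.
        seen_src, seen_dst = r_src, r_dst
    else:
        # Reply addressed to the router: conntrack reverses both rewrites.
        o_src, o_dst = conntrack[(r_dst, r_src)]
        seen_src, seen_dst = o_dst, o_src

    # PC1 only has a half-open connection to PUBLIC; a SYN-ACK from any other
    # source matches no socket and is answered with RST.
    return {
        "server_sees_client": src,
        "reply_src_at_pc1": seen_src,
        "delivered_to": seen_dst,
        "accepted": seen_dst == PC1 and seen_src == PUBLIC,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("masquerade" if flag else "dst-nat only", hairpin(flag))
```

With masquerading enabled the web server sees every LAN client as 10.0.10.1, so its access logs no longer identify the individual host.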
