MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Incoming traffic forwarding on 443 port

Sun Mar 22, 2015 12:59 pm

Hello,

please help me to set up an incoming forwarding rule for port 443.
I have to forward incoming traffic on port 443 (SSL - browser) to a device other than my router.

router-wan(internet source)=192.168.40.1
router-lan=192.168.50.1
ssl-device(forward ssl to)=192.168.50.2

I tried to do it myself:

ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.50.2 to-ports=443 protocol=tcp dst-port=443

but after this, all my outgoing traffic on port 443 stops working.

i.e.

https://www.google.pl/?gws_rd=ssl

My chrome browser gives me message "NET::ERR_CERT_COMMON_NAME_INVALID"

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: http://www.opennas.pl
Issuer: StartCom Class 1 Primary Intermediate Server CA
Expires on: 26 paź 2015
Current date: 22 mar 2015
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIGNzCCBR+gAwIBAgIDE9UqMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
...

It looks like after forwarding port 443, my browser's outgoing traffic also gets my SSL cert tied to my domain opennas.pl.

How do I NAT my incoming traffic on port 443 without blocking my outgoing traffic on port 443?
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Incoming traffic forwarding on 443 port

Sun Mar 22, 2015 3:11 pm

Currently you're telling the router to take all traffic to port 443, going to *any* address and forward it to your device. And that's exactly what you're getting. You need to be more selective, some options are:

a) dst-address=192.168.40.1
b) in-interface=<name of wan interface>
c) dst-address-type=local
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Incoming traffic forwarding on 443 port

Sun Mar 22, 2015 4:12 pm

After adding those additional parameters, forwarding from outside to 443 is not working ;-(
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Incoming traffic forwarding on 443 port

Sun Mar 22, 2015 6:24 pm

dst-address-type = local
I'd never heard of that option before - that's awesome for multi-WAN sites.
Keeping the tables lean and mean is always one of my primary goals.
Flexible is another of my primary goals. I hate going in to edit the firewall rules if you change IP addresses.
After adding those additional parameters, forwarding from outside to 443 is not working ;-(
You should only need one of those 3 options.
I've always used suggestion b, personally.

If your rule reads like this, then it should work w/o breaking outbound SSL:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.50.2 protocol=tcp dst-port=443 in-interface=WAN

If this rule isn't working, make sure of the following:
no other rule in the dstnat chain is matching packets before they reach this rule.
no filter rule in your forward chain is blocking the transaction
-- and the silly things you never think about because they're "never" why it's not working:
server is working
server is reachable from Mikrotik (ping works, correct MAC address in arp table)
server has correct IP/netmask/default gw settings.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Incoming traffic forwarding on 443 port

Mon Mar 23, 2015 6:11 pm

router-wan(internet source)=192.168.1.101
router-lan=192.168.2.254
ssl-device(forward ssl to)=192.168.2.2

The solution works, but it depends on where I'm checking from.

1. OUTSIDE LAN - INTERNET

When I try to check from outside against the domain mydomain.com (195.123.33.44)

and configuration

ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=443 protocol=tcp dst-address=192.168.1.101 dst-port=443 in-interface=ether1-gateway


From outside it works fine, but when I check from my LAN (192.168.2.1), the server (192.168.2.2) is unreachable.


2. INSIDE LAN

When I change dst-address to my external IP (dst-address=195.123.33.44, domain mydomain.com),
the server is reachable from inside the LAN (192.168.2.1) but is not reachable from outside.

ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=443 protocol=tcp dst-address=195.123.33.44 dst-port=443 in-interface=ether1-gateway


Please help me find a solution for this rule so that the server is accessible from outside and from inside the LAN.
network.jpg
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Incoming traffic forwarding on 443 port

Mon Mar 23, 2015 7:02 pm

Since you want hairpin, you should just match on the dst-address and not the interface.
Furthermore, for my experiment in a lab, I had to add a src-nat rule for hairpin to work as well. Here are my rules:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.101 dst-port=443 protocol=tcp to-addresses=192.168.2.2
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24
Note that when doing this, the internal host cannot see the src IP for internal connections - they will all appear to come from the Mikrotik. (you have to do this for NAT hairpin)

A cleaner solution would be to implement DNS proxy on the Mikrotik.
Either explicitly configure it as the DNS server for your LAN, or else make a redirect rule for udp/53 on the LAN side.
Then create a static DNS host entry for mydomain.com -> 192.168.2.2

Your internal hosts will need to use the hostname to reach the server, but that's normal, and sounds like what you want to do anyway. Doing it this way will allow the logs on the web server to show the actual source IP in all cases, and not just external hosts.

Finally, I would try to get the ISP to put their device in bridge mode and have the public IP directly on the Mikrotik. Being behind double NAT can cause problems with some applications, and requires you to coordinate with the ISP every time you add some new service (unless they just 1:1 all ports to your Mikrotik)
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Incoming traffic forwarding on 443 port

Mon Mar 23, 2015 7:40 pm

Thanks for your solution.

This works the same:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.101 dst-port=443 protocol=tcp to-addresses=192.168.2.2
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24
as this one:
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=443 protocol=tcp dst-address=192.168.1.101 dst-port=443 in-interface=ether1-gateway
From outside the LAN (internet) it's OK, but it is not working from inside the LAN (192.168.2.1).

Probably this is the only choice using NAT? But I'm still wondering why this common situation of publishing port 443 causes such a problem?

So I'm just wondering how I can implement a DNS proxy on the MikroTik?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Incoming traffic forwarding on 443 port

Mon Mar 23, 2015 8:27 pm

From outside the LAN (internet) it's OK, but it is not working from inside the LAN (192.168.2.1).

Probably this is the only choice using NAT? But I'm still wondering why this common situation of publishing port 443 causes such a problem?

So I'm just wondering how I can implement a DNS proxy on the MikroTik?
Notice that there is a source NAT rule added for LAN<>LAN communications.

add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24

I tested my rules on a lab and they work for LAN->LAN and for WAN->LAN.
It also does not incorrectly redirect 443 for LAN->WAN - these continue to go out correctly to the Internet.

However, DNS proxy is pretty easy.

In Winbox, under IP > DNS, make sure there are servers defined (or dynamic servers learned from your WAN connection). As long as the Mikrotik itself can successfully make DNS lookups, make sure the "Allow Remote Requests" checkbox is checked.

In the same screen, click the Static button, then the + to add a new entry.
Be sure to include an entry for every name that clients can use to reach the server...
mydomain.com
http://www.mydomain.com
myotherdomain.com
http://www.myotherdomain.com
etc.

Finally, assign the Mikrotik's LAN IP as the DNS server in your internal DHCP (IP > DHCP-Server > Networks > 192.168.2.0/24 > DNS Servers: 192.168.2.1).
Optionally, you can create a redirect rule in dstnat chain (port 53, udp and tcp) - action=redirect means to intercept the request and handle it with the Mikrotik itself. Interestingly, after doing this - every IP address on the Internet will work as DNS for your client PCs. ;)


FYI - the reason the srcnat is required is this:

request from 192.168.2.99:12345 -> 192.168.1.101:443
-DSTNAT-
packet is now 192.168.2.99:12345 -> 192.168.2.2:443
-packet forwards to server-
-Server sees source is local IP - sends reply directly to client-
-client receives packet directly from server, Mikrotik is skipped-
packet = 192.168.2.2:443 -> 192.168.2.99:12345
-client is confused - it never asked for 192.168.2.99:443 so it drops the packet-
-client never receives reply from 192.168.1.101:443, and sends a re-try-
-retry fails for same reason-
-max retries, connection times out-
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Incoming traffic forwarding on 443 port

Tue Mar 24, 2015 5:09 am

Just a few notes...

This is wrong:
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=443 protocol=tcp dst-address=195.123.33.44 dst-port=443 in-interface=ether1-gateway
because packets coming from ether1-gateway interface won't ever have 195.123.33.44 as their destination. Packets from outside going to 195.123.33.44 get forwarded by first router to your WAN address 192.168.1.101 and that's their new destination address.

ZeroByte's hairpin rules are basically correct, but not exactly in this case (sorry ;)). If a LAN client tries to connect to 195.123.33.44, it goes straight through your router to the first one, which actually has 195.123.33.44. And if that router does hairpin NAT, it will send the packet back to your router with a source address different from the original 192.168.1.101, and you do not have to do anything special, because it will look like a regular external connection. You would not need this rule:
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24
The problem here seems to be that the first router does not do hairpin NAT, so it just bounces the packet back with the original source address 192.168.1.101; your router does not expect it and drops it.

If you wanted it to work from both inside and outside, you'd have to intercept outgoing packets to 195.123.33.44 and redirect them back to server on your router. This should work:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.101 dst-port=443 protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=195.123.33.44 dst-port=443 protocol=tcp to-addresses=192.168.2.2
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24
First dst-nat is for packets from outside, second for packets from inside.

Long story short, NAT sucks and double NAT sucks more. :) Using DNS is probably better in your case.
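The packet walk ZeroByte gave above (why the LAN-side masquerade rule is needed) and Sob's point about the fourth dst-nat rule can both be checked with a small model of the router's NAT chains. The following is an added example, not RouterOS code and not from either poster: it builds a toy router with the thread's addresses (WAN 192.168.1.101, LAN 192.168.2.254, server 192.168.2.2, public address 195.123.33.44 on the upstream router, which is assumed to do no hairpin NAT), a constructed LAN client 192.168.2.99 and a constructed outside client 203.0.113.5, and walks one request and its reply through dstnat, routing and srcnat for each rule set discussed in the thread. The WAN interface is simply called WAN here, standing in for ether1-gateway.

```python
# Added toy model of the NAT chains in this thread (not RouterOS code). Constructed topology
# from the thread: router WAN=192.168.1.101, LAN=192.168.2.254, server 192.168.2.2,
# public address 195.123.33.44 on the upstream ISP router, which does no hairpin NAT.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.2.0/24")
ROUTER = {"WAN": "192.168.1.101", "LAN": "192.168.2.254"}  # the router's own addresses
SERVER = "192.168.2.2"
PUBLIC_IP = "195.123.33.44"
CLIENT = "192.168.2.99"         # constructed LAN client
OUTSIDE_CLIENT = "203.0.113.5"  # constructed Internet client (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def rule(**kw):
    # RouterOS-style keys: dst_address -> dst-address
    return {k.replace("_", "-"): v for k, v in kw.items()}

def matches(r, pkt, in_iface, out_iface):
    checks = {
        "dst-address": lambda v: ip_address(pkt.dst) in ip_network(v, strict=False),
        "src-address": lambda v: ip_address(pkt.src) in ip_network(v, strict=False),
        "dst-port": lambda v: pkt.dport == v,
        "in-interface": lambda v: in_iface == v,
        "out-interface": lambda v: out_iface == v,
    }
    return all(check(r[k]) for k, check in checks.items() if k in r)

class Router:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # expected reply 4-tuple -> original request

    def forward(self, pkt, in_iface):
        """dstnat, then routing decision, then srcnat; first matching rule in a chain wins."""
        orig = pkt
        for r in self.rules:
            if r["chain"] == "dstnat" and matches(r, pkt, in_iface, None):
                pkt = replace(pkt, dst=r["to-addresses"])
                break
        if pkt.dst in ROUTER.values():
            out = "local"  # addressed to the router itself
        else:
            out = "LAN" if ip_address(pkt.dst) in LAN_NET else "WAN"
        for r in self.rules:
            if r["chain"] == "srcnat" and out != "local" and matches(r, pkt, in_iface, out):
                pkt = replace(pkt, src=ROUTER[out])  # masquerade: source becomes egress address
                break
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt, out

    def reply(self, pkt):
        """Undo both translations on a reply; a flow the router never saw is dropped."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return None if orig is None else Packet(orig.dst, orig.dport, orig.src, orig.sport)

def connect(client, client_iface, target, rules):
    """Walk one request and its reply from a client behind client_iface to target:443."""
    router = Router(rules)
    req = Packet(client, 12345, target, 443)
    if client_iface == "LAN" and ip_address(target) in LAN_NET:
        at_server = req  # same subnet: the switch delivers it, the router never sees it
    else:
        at_server, out = router.forward(req, client_iface)
        if out == "local":
            return "hits the router itself, which runs no web server on 443"
        if out == "WAN":
            return "leaves via WAN; the upstream router does not turn it around"
    if at_server.dst != SERVER:
        return f"delivered to {at_server.dst}, not the server"
    reply = Packet(SERVER, 443, at_server.src, at_server.sport)
    if ip_address(reply.dst) in LAN_NET and reply.dst != ROUTER["LAN"]:
        at_client = reply  # server answers a LAN address directly, bypassing the router
    else:
        at_client = router.reply(reply)
    if at_client is None:
        return "reply dropped by the router (no connection entry)"
    if at_client.src == target and at_client.dst == client:
        return "ok"
    return f"client drops reply: it came from {at_client.src}:443, not {target}:443"

# Match on the WAN interface only (ZeroByte's first suggestion, in-interface=WAN here)
INTERFACE_RULES = [rule(chain="dstnat", action="dst-nat", protocol="tcp", dst_port=443,
                        in_interface="WAN", to_addresses=SERVER)]
# ZeroByte's three hairpin rules
ZEROBYTE_RULES = [
    rule(chain="srcnat", action="masquerade", out_interface="WAN"),
    rule(chain="dstnat", action="dst-nat", dst_address=ROUTER["WAN"], dst_port=443,
         protocol="tcp", to_addresses=SERVER),
    rule(chain="srcnat", action="masquerade", dst_address="192.168.2.0/24",
         out_interface="LAN", src_address="192.168.2.0/24"),
]
# Sob's four rules: the extra dst-nat catches LAN clients aiming at the public address
SOB_RULES = ZEROBYTE_RULES[:2] + [rule(chain="dstnat", action="dst-nat", dst_address=PUBLIC_IP,
                                       dst_port=443, protocol="tcp", to_addresses=SERVER)] + ZEROBYTE_RULES[2:]

if __name__ == "__main__":
    for name, rules in [("interface", INTERFACE_RULES), ("zerobyte", ZEROBYTE_RULES), ("sob", SOB_RULES)]:
        for who, iface, target in [(OUTSIDE_CLIENT, "WAN", ROUTER["WAN"]), (CLIENT, "LAN", ROUTER["WAN"]), (CLIENT, "LAN", PUBLIC_IP)]:
            print(f"{name:9} {who:>13} -> {target:15}: {connect(who, iface, target, rules)}")
```

Running it prints one line per rule set and client position. The interface-only rule serves outside clients but sends a LAN client straight to the router's own address; ZeroByte's rules without the LAN masquerade reproduce his packet walk (the server answers the client directly, and the client discards a reply from 192.168.2.2 because it asked 192.168.1.101); with the masquerade the reply is steered back through the router and de-translated; and only Sob's fourth rule makes a LAN client aiming at 195.123.33.44 work, since otherwise the packet leaves via WAN and the upstream router never hairpins it. An outside client is modelled as already translated to 192.168.1.101 by the upstream router, as Sob describes.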
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Incoming traffic forwarding on 443 port

Tue Mar 24, 2015 5:32 pm

Good catch, sob. Adding the 4th rule to "catch the pinhole early" is needed. I didn't think about that case.

Honestly, I always hate to find such an installation with double nat.
Get the public IP on your own router, or else have static interior routes w/o NAT.
Don't add a second NAT to the mix.
(If I had a dollar for every user who had trouble with their wireless because they bought a wireless router, plugged it in, connected their wireless printer to the SSID, and then couldn't print to it from their lan PC......)

There's nothing in the world wrong with multiple routers, but most people don't have experience with static routes and just think nat behind nat behind nat behind nat is normal.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Incoming traffic forwarding on 443 port

Tue Mar 24, 2015 8:28 pm

Sob
Your solution works great!
Thanks for the help!
Good catch, sob. Adding the 4th rule to "catch the pinhole early" is needed. I didn't think about that case.

Honestly, I always hate to find such an installation with double nat.
Get the public IP on your own router, or else have static interior routes w/o NAT.
Don't add a second NAT to the mix.
(If I had a dollar for every user who had trouble with their wireless because they bought a wireless router, plugged it in, connected their wireless printer to the SSID, and then couldn't print to it from their lan PC......)

There's nothing in the world wrong with multiple routers, but most people don't have experience with static routes and just think nat behind nat behind nat behind nat is normal.
ZeroByte
I know that you are right. My access router is not so advanced and I can't do the same thing as with the MikroTik.
This access router provides me IPTV, Internet and phone. Regarding my GPON line parameters, they are quite nice:

Upstream : 1.2Gbit/s
Downstream : 2.5Gbit/s

For the moment the only way is to have a DMZ on the first access router; the second router is the MikroTik ;-)

A better solution from my provider, just to avoid double NAT, would be to get PPPoE, but right now I don't have a choice ;-(
 
kusakhan
just joined
Posts: 7
Joined: Wed Jan 30, 2013 9:24 pm

Re: Incoming traffic forwarding on 443 port

Fri Jun 10, 2016 7:09 pm

Hello,

Guys, I'm using a MikroTik with 4x WAN:
1. Local 192.168.0.1
2. DSL 192.168.2.1
3. DSL+PCTV 192.168.1.1
4. EVDO 4ji 192.168.8.1
5. 4G Zong 192.168.4.1

I am facing a problem:
NET::ERR_CERT_COMMON_NAME_INVALID

Please tell me what I should change in the settings.
Thanks.

 
kusakhan
just joined
Posts: 7
Joined: Wed Jan 30, 2013 9:24 pm

Re: Incoming traffic forwarding on 443 port

Fri Jun 10, 2016 7:19 pm

Picture link for detail
http://imgur.com/YPCtBk9
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Incoming traffic forwarding on 443 port

Sat Jun 11, 2016 2:53 am

Where do you see this "NET::ERR_CERT_COMMON_NAME_INVALID", what do you do before it jumps on you, etc?
 
kusakhan
just joined
Posts: 7
Joined: Wed Jan 30, 2013 9:24 pm

Re: Incoming traffic forwarding on 443 port

Sat Jun 11, 2016 5:54 pm

When I turn the 4G or EVDO WAN on or off.

Sometimes it does it automatically.
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Incoming traffic forwarding on 443 port

Sat Jun 11, 2016 5:58 pm

No, you don't understand. Where do you see it? Like is it something that RouterOS spits out (I don't think so), or some other program, in that case what program is that and what exactly are you trying to do with it when it happens?
 
kusakhan
just joined
Posts: 7
Joined: Wed Jan 30, 2013 9:24 pm

Re: Incoming traffic forwarding on 443 port

Mon Jun 13, 2016 12:08 pm

Brother, I'm using a MikroTik RouterBoard and I have 4 connections:
1. DSL broadband; the error has never shown on that broadband.
2. An online TV service which I use sometimes (once a week).
3. A wireless broadband by the name PTCL 4ji EVDO.
4. A wireless broadband 4G wireless modem/router by ZONG.

Mostly WAN 3 and WAN 4 are used because the GB quota is 400 GB on both WANs.
The error shows by itself at any time during the day, or maybe once in 2 days.
I don't know why; I just want that if this error shows, the WAN automatically shifts itself to the other WAN (for example, WAN 3 shows the error, so it gets disabled or falls back and WAN 4 takes the lead and is used as primary; if WAN 4 goes down and WAN 3 is also down, then WAN 1 is used....

That's all.
 
kusakhan
just joined
Posts: 7
Joined: Wed Jan 30, 2013 9:24 pm

Re: Incoming traffic forwarding on 443 port

Mon Jun 13, 2016 12:10 pm

Usually it shows the error when I'm browsing, sometimes when downloading.
