ChristianMichels
just joined
Topic Author
Posts: 9
Joined: Fri Sep 13, 2019 3:03 pm

No answer using CNAME - works with IP - [solved]

Sun Mar 12, 2023 1:38 pm

Dear all,

I have an issue accessing a webserver via CNAME while it works when using IP address.

I have a port forward on my Fritzbox from port 443 to my NGINX reverse proxy. This is the working production setting I use to reach my Nextcloud instance. My public IP (at time of writing = 217.250.131.244) is dynamic. A CNAME xxx.onthewifi.com (masked my actual CNAME with xxx) pointing to the public IP is registered at a DynDNS provider and it works perfectly for the production setup, i.e. I can reach my Nextcloud by going to https://xxx.onthewifi.com/.

My intention is to move the reverse proxy and Nextcloud to a docker container inside a QNAP TS473A NAS. So I added for test purposes a second port forward on my Fritzbox from port 80 to a docker container running traefik/whoami (see https://github.com/traefik/whoami/).

The problem is that I can reach whoami at http://217.250.131.244/ from outside my network but it is not working when using http://xxx.onthewifi.com/. I get a timeout when I try going by CNAME.

This is the network topology:
network.png
This is the Mikrotik CRS125 config:
# mar/12/2023 11:40:17 by RouterOS 7.8
#
# model = CRS125-24G-1S-2HnD
/interface bridge
add igmp-snooping=yes ingress-filtering=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] name=eth03-gromit speed=100Mbps
set [ find default-name=ether5 ] name=eth05-wererabbit speed=100Mbps
set [ find default-name=ether13 ] name=eth13-PartyL speed=100Mbps
set [ find default-name=ether17 ] name=eth17-feathers speed=100Mbps
set [ find default-name=ether23 ] name=eth23-Fritzbox speed=100Mbps
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=99
add interface=bridge name=DMZ_VLAN vlan-id=40
add interface=bridge name=SERVER_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
add exclude=WAN include=VLAN,BASE name=LAN
add comment="Authorized to router" name=Authorized
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth03-gromit pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth05-wererabbit pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-vlan-tagged interface=eth13-PartyL
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth17-feathers pvid=40
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set loose-tcp-tracking=no
/interface bridge vlan
add bridge=bridge tagged=bridge,eth13-PartyL untagged=eth03-gromit,eth05-wererabbit vlan-ids=10
add bridge=bridge tagged=bridge,eth13-PartyL untagged=eth17-feathers vlan-ids=40
add bridge=bridge tagged=bridge,eth23-Fritzbox,eth13-PartyL vlan-ids=99
/interface list member
add interface=SERVER_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=DMZ_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=bridge list=LAN
add interface=eth23-Fritzbox list=WAN
add interface=SERVER_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
/ip address
add address=192.168.180.1/24 interface=SERVER_VLAN network=192.168.180.0
add address=192.168.210.1/24 interface=DMZ_VLAN network=192.168.210.0
add address=192.168.170.1/24 interface=BASE_VLAN network=192.168.170.0
add address=192.168.178.2/24 interface=eth23-Fritzbox network=192.168.178.0
/ip dns
set servers=192.168.180.95,192.168.178.1,1.1.1.1
/ip firewall address-list
add address=192.168.170.0/24 list=local_lan
add address=192.168.180.0/24 list=local_lan
add address=192.168.210.0/24 list=local_lan
add address=192.168.180.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid"
add action=accept chain=input comment="accept ICMP (Ping)" protocol=icmp
add action=accept chain=input comment="accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="only allow IPs in list allowed_to_router" dst-port=2200,8291 in-interface-list=!WAN protocol=tcp src-address-list=allowed_to_router
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="drop !LAN"
add action=accept chain=input comment="accept DNS from LAN (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept DNS from LAN (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept NETBIOS from LAN (UDP)" dst-port=137,138,139 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept NETBIOS from LAN (TCP)" dst-port=137,138,139 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept DHCP" dst-port=67 in-interface-list=LAN log-prefix=DHCP protocol=udp
add action=accept chain=input comment="accept NTP" dst-port=123 in-interface-list=LAN log-prefix=NTP protocol=udp
add action=reject chain=input comment="reject all others" in-interface-list=LAN log=yes log-prefix="reject all" reject-with=icmp-admin-prohibited
add action=drop chain=input comment="drop all others" log-prefix="drop all"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow bridge traffic" in-interface=bridge log-prefix="allow LAN-LAN" out-interface=bridge
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow LAN to VLAN traffic" in-interface-list=LAN out-interface-list=VLAN
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
add action=accept chain=forward comment="allow SERVER traffic" log-prefix="allow LAN-LAN" out-interface=SERVER_VLAN
add action=accept chain=forward comment="allow DMZ traffic" log-prefix="allow LAN-LAN" out-interface=DMZ_VLAN
add action=accept chain=forward comment="accept DNS" dst-port=53 protocol=udp
add action=reject chain=forward comment="reject all others" in-interface-list=LAN log=yes log-prefix=reject reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop all others" log-prefix="drop all"
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade log-prefix=SRCNAT out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log-prefix=DSTNAT protocol=tcp to-addresses=192.168.210.100
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1
/tool sniffer
set filter-ip-protocol=tcp filter-operator-between-entries=and filter-stream=yes streaming-enabled=yes streaming-server=192.168.190.244

In order to better understand the problem, I have checked the firewall log. There are no packet drops / rejects when I load the URL. Next I tried to capture the network traffic with Packet Sniffer + Wireshark. I'm not a network expert and this is my first experience using Wireshark. I captured both attempts, first with IP:
IP request.png

Next with CNAME:
CNAME request.png

You can see that the first request via IP worked and whoami answered with some connection details. The second request with CNAME has no answer. The full Wireshark files are attached.

Questions:
  • Is there something wrong with my firewall rules? Especially, is the srcnat + dstnat correct?
  • How can I trace the packets and get an idea where the traffic is blocked or getting lost?
  • What else can I do or provide?

Of course, I have read the firewall guide https://forum.mikrotik.c ... p?t=180838 and the DST NAT / Portforwarding guide https:// ... p?t=179343.

I appreciate any hints you can give me.
Last edited by ChristianMichels on Mon Mar 13, 2023 2:38 pm, edited 1 time in total.
 
ChristianMichels
just joined
Topic Author
Posts: 9
Joined: Fri Sep 13, 2019 3:03 pm

Re: No answer using CNAME - works with IP

Sun Mar 12, 2023 1:54 pm

I forgot to mention a few things.
  • I can ping whoami by IP from inside my network. So my VLAN trunk between CRS125 and QNAP is working.
  • Because I have an answer when using IP from outside my network, basic networking set-up seems to be OK (IP addresses, routes, etc.)
  • I think the SRC NAT / DST NAT rules do not really matter in my case. The Fritzbox is pointing directly to the webserver and doing its own NAT. When I disable the NAT rules, the production set-up still works.
  • Moreover, I can reach the whoami at http://next.onthewifi.com from inside my network when I temporarily add a CNAME in my pi-hole.
 
ChristianMichels
just joined
Topic Author
Posts: 9
Joined: Fri Sep 13, 2019 3:03 pm

Re: No answer using CNAME - works with IP - [solved]

Mon Mar 13, 2023 2:41 pm

Hi all,
actually it was a DNS issue. I registered another A record with another DynDNS provider and with the new name, it worked straight away.
Credits to Jeff Geerling who often promotes that DNS is the issue ;-)
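The check that separates a DNS-side fault from a firewall one, added here as an example and not code from the thread: ask each resolver the router is configured with (the pi-hole at 192.168.180.95, the Fritzbox at 192.168.178.1, 1.1.1.1) what the name resolves to and compare the A record against the public IP. The embedded response is constructed, not captured: dyn.example is a placeholder CNAME target and its address is deliberately one off the IP quoted in the post, to simulate a record that does not point where it should.

```python
import socket, struct

SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000"                                # constructed, not a capture: 1 question, 2 answers
    "03 787878 09 6f6e74686577696669 03 636f6d 00 0001 0001"       # Q: xxx.onthewifi.com A IN
    "c00c 0005 0001 0000003c 000d 03 64796e 07 6578616d706c65 00"  # CNAME -> dyn.example (placeholder)
    "c02f 0001 0001 0000003c 0004 d9fa83f3")                       # dyn.example A 217.250.131.243

def build_query(name, qtype=1, txid=0x1234):
    # 12-byte header with RD set and one question, then QNAME as length-prefixed labels
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\0" + struct.pack("!HH", qtype, 1)

def read_name(data, off):
    # Decode a possibly compressed name; return (name, offset just after it in the stream)
    n = data[off]
    if n & 0xC0 == 0xC0:                            # pointer: follow it, resume after its 2 bytes
        return read_name(data, ((n & 0x3F) << 8) | data[off + 1])[0], off + 2
    if n == 0:
        return "", off + 1
    label = data[off + 1:off + 1 + n].decode()
    rest, end = read_name(data, off + 1 + n)
    return (label + "." + rest if rest else label), end

def parse_answers(data):
    # Answer section as (owner, rtype, rdata); A (1) and CNAME (5) decoded, other types None
    qd, an = struct.unpack("!HH", data[4:8])
    off, out = 12, []
    for _ in range(qd):                             # skip the question section
        off = read_name(data, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = socket.inet_ntoa(data[off:off + 4]) if rtype == 1 else read_name(data, off)[0] if rtype == 5 else None
        out.append((owner, rtype, rdata))
        off += rdlen
    return out

def evaluate(answers, expected_ip):
    # (CNAME targets, A addresses, whether the address the name should point at is among them)
    ips = [r for _, t, r in answers if t == 1]
    return [r for _, t, r in answers if t == 5], ips, expected_ip in ips

def check_name(name, expected_ip, server, timeout=2.0):
    # Ask one specific resolver (the pi-hole, the Fritzbox, 1.1.1.1 ...) and evaluate its answer
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return evaluate(parse_answers(s.recv(512)), expected_ip)
```

Running check_name("xxx.onthewifi.com", "217.250.131.244", "192.168.180.95") against each resolver in turn shows whether the name ever reaches the public IP; a chain that ends at a different address, or a timeout, points at the DNS record rather than at the filter or NAT rules.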
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: No answer using CNAME - works with IP - [solved]

Mon Mar 13, 2023 3:48 pm

Glad you figured it out. As I was reading your description, DNS was my first guess...
