I have an issue accessing a web server via its CNAME, while it works when using the IP address.
I have a port forward on my Fritzbox from port 443 to my NGINX reverse proxy. This is the working production setup I use to reach my Nextcloud instance. My public IP (at the time of writing: 217.250.131.244) is dynamic. A CNAME xxx.onthewifi.com (I masked my actual CNAME with xxx) pointing to the public IP is registered at a DynDNS provider, and it works perfectly for the production setup, i.e. I can reach my Nextcloud by going to https://xxx.onthewifi.com/.
My intention is to move the reverse proxy and Nextcloud to a Docker container inside a QNAP TS473A NAS. So, for test purposes, I added a second port forward on my Fritzbox from port 80 to a Docker container running traefik/whoami (see https://github.com/traefik/whoami/).
The problem is that I can reach whoami at http://217.250.131.244/ from outside my network, but it does not work when using http://xxx.onthewifi.com/. I get a timeout when I try to connect via the CNAME.
This is the network topology:
This is the Mikrotik CRS125 config:
# mar/12/2023 11:40:17 by RouterOS 7.8
#
# model = CRS125-24G-1S-2HnD
#
# Review notes are the "#" lines below; they add no configuration and do not
# change what this export applies.
#
# One VLAN-aware bridge. protocol-mode=none turns off (R)STP on it.
/interface bridge
add igmp-snooping=yes ingress-filtering=no name=bridge protocol-mode=none vlan-filtering=yes
# Port naming only; all named ports are pinned to 100Mbps. eth23 is the uplink
# toward the Fritzbox and is used as a plain routed interface (see /ip address).
/interface ethernet
set [ find default-name=ether3 ] name=eth03-gromit speed=100Mbps
set [ find default-name=ether5 ] name=eth05-wererabbit speed=100Mbps
set [ find default-name=ether13 ] name=eth13-PartyL speed=100Mbps
set [ find default-name=ether17 ] name=eth17-feathers speed=100Mbps
set [ find default-name=ether23 ] name=eth23-Fritzbox speed=100Mbps
# L3 interfaces for the three VLANs, all terminated on the bridge:
# 99 = BASE, 40 = DMZ, 10 = SERVER.
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=99
add interface=bridge name=DMZ_VLAN vlan-id=40
add interface=bridge name=SERVER_VLAN vlan-id=10
# Interface lists used by the firewall. LAN = VLAN + BASE, minus WAN.
# "Authorized" is declared here but has no members in this export and no rule
# references it.
/interface list
add name=WAN
add name=VLAN
add name=BASE
add exclude=WAN include=VLAN,BASE name=LAN
add comment="Authorized to router" name=Authorized
# Access ports: eth03/eth05 -> VLAN 10, eth17 -> VLAN 40 (untagged only).
# eth13 is the trunk (tagged frames only). eth23-Fritzbox is NOT a bridge port.
# trusted=yes on eth05 belongs to DHCP snooping, which is not enabled on the
# bridge above, so it presumably has no effect here - confirm.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth03-gromit pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth05-wererabbit pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-vlan-tagged interface=eth13-PartyL
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eth17-feathers pvid=40
# Bridged (same-VLAN) traffic is also passed through the IP firewall; this is
# what lets the forward rule "allow bridge traffic" below see and accept it.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# With loose TCP tracking off, TCP segments of a flow whose handshake this
# router did not see are classified as "invalid" and end up in the logged
# "drop invalid" input rule; useful to keep in mind when reading the log.
/ip firewall connection tracking
set loose-tcp-tracking=no
# VLAN table. NOTE(review): VLAN 99 lists eth23-Fritzbox as a tagged member,
# but eth23-Fritzbox is not added as a bridge port above and carries its own
# /24 in /ip address - this entry looks like a leftover; confirm it is intended.
/interface bridge vlan
add bridge=bridge tagged=bridge,eth13-PartyL untagged=eth03-gromit,eth05-wererabbit vlan-ids=10
add bridge=bridge tagged=bridge,eth13-PartyL untagged=eth17-feathers vlan-ids=40
add bridge=bridge tagged=bridge,eth23-Fritzbox,eth13-PartyL vlan-ids=99
# List membership. DMZ_VLAN is a member of LAN, so every rule matching
# in-interface-list=LAN below also matches traffic originating in the DMZ.
/interface list member
add interface=SERVER_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=DMZ_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=bridge list=LAN
add interface=eth23-Fritzbox list=WAN
add interface=SERVER_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
# Gateway addresses per VLAN plus the transfer net to the Fritzbox (.178.1).
/ip address
add address=192.168.180.1/24 interface=SERVER_VLAN network=192.168.180.0
add address=192.168.210.1/24 interface=DMZ_VLAN network=192.168.210.0
add address=192.168.170.1/24 interface=BASE_VLAN network=192.168.170.0
add address=192.168.178.2/24 interface=eth23-Fritzbox network=192.168.178.0
# Upstream resolvers for the router itself: a SERVER_VLAN host, the Fritzbox,
# then a public resolver.
/ip dns
set servers=192.168.180.95,192.168.178.1,1.1.1.1
# local_lan is defined but no rule in this export references it; only
# allowed_to_router (= SERVER_VLAN) is used, for management access below.
/ip firewall address-list
add address=192.168.170.0/24 list=local_lan
add address=192.168.180.0/24 list=local_lan
add address=192.168.210.0/24 list=local_lan
add address=192.168.180.0/24 list=allowed_to_router
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid"
add action=accept chain=input comment="accept ICMP (Ping)" protocol=icmp
add action=accept chain=input comment="accept to local loopback" dst-address=127.0.0.1
# Management (TCP 2200, 8291) only from allowed_to_router and never via WAN.
add action=accept chain=input comment="only allow IPs in list allowed_to_router" dst-port=2200,8291 in-interface-list=!WAN protocol=tcp src-address-list=allowed_to_router
# Everything not from LAN is dropped (and logged) here, so all input rules
# below are effectively LAN-only.
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="drop !LAN"
add action=accept chain=input comment="accept DNS from LAN (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept DNS from LAN (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept NETBIOS from LAN (UDP)" dst-port=137,138,139 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept NETBIOS from LAN (TCP)" dst-port=137,138,139 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept DHCP" dst-port=67 in-interface-list=LAN log-prefix=DHCP protocol=udp
add action=accept chain=input comment="accept NTP" dst-port=123 in-interface-list=LAN log-prefix=NTP protocol=udp
# LAN gets a logged ICMP reject; anything else is dropped silently (no log=yes).
add action=reject chain=input comment="reject all others" in-interface-list=LAN log=yes log-prefix="reject all" reject-with=icmp-admin-prohibited
add action=drop chain=input comment="drop all others" log-prefix="drop all"
# ---- forward chain (traffic through the router) ----
# FastTrack first; fasttracked packets bypass the rest of the chain, so only
# the first packets of a connection are evaluated by the rules below.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
# Same-VLAN bridged traffic (seen here because use-ip-firewall=yes).
add action=accept chain=forward comment="allow bridge traffic" in-interface=bridge log-prefix="allow LAN-LAN" out-interface=bridge
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): this accepts ALL inter-VLAN traffic, including DMZ_VLAN ->
# SERVER_VLAN and DMZ_VLAN -> BASE_VLAN, because DMZ_VLAN is in the LAN list.
# The host exposed by the dst-nat rule below (192.168.210.100) therefore has
# unrestricted access to the other VLANs; if DMZ isolation is the goal, this
# rule needs a narrower match (e.g. exclude DMZ_VLAN as in-interface).
add action=accept chain=forward comment="allow LAN to VLAN traffic" in-interface-list=LAN out-interface-list=VLAN
# Accepts the port-forwarded connections created by /ip firewall nat below.
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
# NOTE(review): the next two rules have no in-interface match, so they accept
# new connections into SERVER_VLAN / DMZ_VLAN from ANY source, including ones
# arriving on eth23-Fritzbox. LAN sources are already covered by the rule
# above, so what these add is access from the Fritzbox side - confirm intended.
add action=accept chain=forward comment="allow SERVER traffic" log-prefix="allow LAN-LAN" out-interface=SERVER_VLAN
add action=accept chain=forward comment="allow DMZ traffic" log-prefix="allow LAN-LAN" out-interface=DMZ_VLAN
# Unrestricted UDP/53 forwarding from and to anywhere.
add action=accept chain=forward comment="accept DNS" dst-port=53 protocol=udp
add action=reject chain=forward comment="reject all others" in-interface-list=LAN log=yes log-prefix=reject reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop all others" log-prefix="drop all"
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade log-prefix=SRCNAT out-interface-list=WAN
# TCP/80 arriving on the WAN list is forwarded to the whoami container in the
# DMZ. There is no hairpin-NAT rule, so clients inside these VLANs cannot reach
# the container via the public IP - only relevant for tests from inside.
# NOTE(review): this export contains no /ipv6 section; if the DynDNS name also
# publishes an AAAA record, a client preferring IPv6 would bypass this IPv4
# dst-nat entirely - worth checking with a DNS lookup of the name.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log-prefix=DSTNAT protocol=tcp to-addresses=192.168.210.100
# Default route via the Fritzbox.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1
# NOTE(review): packet-sniffer streaming is left ENABLED and targets
# 192.168.190.244, an address outside every subnet configured above, so the
# stream would follow the default route toward the Fritzbox. This ships copies
# of captured TCP traffic off-box unencrypted; disable streaming once the
# troubleshooting session is over.
/tool sniffer
set filter-ip-protocol=tcp filter-operator-between-entries=and filter-stream=yes streaming-enabled=yes streaming-server=192.168.190.244
In order to better understand the problem, I checked the firewall log. There are no packet drops or rejects when I load the URL. Next, I tried to capture the network traffic with Packet Sniffer and Wireshark. I'm not a network expert, and this is my first experience using Wireshark. I captured both attempts, first with the IP:
Next with CNAME:
You can see that the first request via IP worked and whoami answered with some connection details. The second request via CNAME got no answer. The full Wireshark files are attached.
Questions:
- Is there something wrong with my firewall rules? In particular, are the srcnat and dstnat rules correct?
- How can I trace the packets and get an idea where the traffic is blocked or getting lost?
- What else can I do or provide?
Of course, I have read the firewall guide https://forum.mikrotik.c ... p?t=180838 and the DST NAT / Portforwarding guide https:// ... p?t=179343.
I appreciate any hints you can give me.