Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

External IP address replaced with router

Wed May 16, 2007 1:44 am

This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?

Thanks,
Brad
 
skynoc
Member Candidate
Posts: 141
Joined: Wed Jul 07, 2004 10:20 pm

Wed May 16, 2007 3:42 am

This is normal, Mukah. You should set up the MT as a bridge; this can solve your situation.
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Wed May 16, 2007 6:47 am

If I set it up as a bridge from the External to the Internal interface, will I still use port forwarding or NATing to the machines?
 
skynoc
Member Candidate
Posts: 141
Joined: Wed Jul 07, 2004 10:20 pm

Wed May 16, 2007 9:07 am

I don't think so, but you should try it.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Wed May 16, 2007 9:21 am

> This is normal, Mukah

No, this is not normal. A destination NAT rule does not change the source address of the IP packets, only the destination address. If everything is configured correctly then you should still see the external source address of outside clients on your internal servers.

--Tom
 
skynoc
Member Candidate
Posts: 141
Joined: Wed Jul 07, 2004 10:20 pm

Wed May 16, 2007 8:27 pm

But it will be translated to the MT IP address.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Wed May 16, 2007 9:00 pm

No, it will not. And why should it? Skynoc, did you try it for yourself? Try it and you'll see.

--Tom
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Thu May 17, 2007 7:07 am

Sounds to me like skynoc is getting confused between dst-nat and src-nat.

Mukah:
Are you sure you are not also getting confused?
You should post your nat configuration, and I am sure the answers will start coming to you.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu May 17, 2007 10:00 am

As long as I was using this configuration ...
Port forwarding helps you open up a port in your router or firewall so that you can access your application safely, but if you want to access your web server, users cannot reach the IP of the web server; they'll still see it as the IP of the router. That is because we use it as, or call it, a web server behind a firewall.

I use this configuration to protect my web server, to which I give one public IP on MikroTik routers; then my web server can be NATted :wink:.
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Thu May 17, 2007 9:41 pm

I have assigned the IP of "71.153.22.22" to the router, then I am doing a DST-NAT to the internal IP of the server "10.1.2.20" but in the logs on the webserver, it always lists every hit as coming from "71.153.22.23" which is an IP on the MT router that is not being used in a NAT.

add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80
 
changeip
Forum Guru
Posts: 3806
Joined: Fri May 28, 2004 5:22 pm

Thu May 17, 2007 9:54 pm

Do you also have any src-nat rules?

Sam
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Thu May 17, 2007 9:57 pm

Only one, which is for internal access out to the Internet. Is this the reason everything is showing the .23 IP on the inside network?

add chain=srcnat action=src-nat to-addresses=71.153.22.23 to-ports=0-65535
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 12:37 am

What I am sure of is that you are redirecting incoming requests on any port to your router IP, which is 71.153.22.23.

I think this rule should not work:

add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80

Right, or am I wrong?
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Fri May 18, 2007 1:04 am

All of the rules I have set up seem to be forwarding traffic on to the correct servers on the specific ports; it just shows all connections as coming from the .23 IP.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 1:50 am

Look, I have tried it on my MT and everything is working 100%. Try checking your configuration, or move all dst-nat rules to be the first rules.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 1:52 am

But I am wondering if there is a rule that captures all ports or NATs by the IP which ends in 23.
 
normis
MikroTik Support
Posts: 24493
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri May 18, 2007 11:13 am

> This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?
>
> Thanks,
> Brad

If I understand correctly, you have set the SRC-NAT rule with out-interface=all. This will also masquerade connections from outside->in. Change the out-interface setting.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 11:22 am

> > This may be a dumb question, but I recently replaced a router on a customer's network with a MT router. After doing this and setting up all of the NATs to their web servers as DST-NATs, the log files on their web server show all connections coming from the IP of the router instead of the external IP addresses of Internet users. Is it possible for MT to pass along the actual IP of the customer like other NAT routers do?
> >
> > Thanks,
> > Brad
>
> If I understand correctly, you have set the SRC-NAT rule with out-interface=all. This will also masquerade connections from outside->in. Change the out-interface setting.

Yes, it seems that this rule is taking everything out. I always restrict my rules using in-interface or out-interface so I can manage my network.
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Fri May 18, 2007 4:46 pm

I set the out-interface=(outside interface) and now when I connect to the web server from the Internet, it is showing the correct IP in the logs so that resolved it. But now the problem I have is users internally can no longer get to the website by using the DNS name which points to the external IP. What would I need to change to resolve that?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Fri May 18, 2007 5:07 pm

> users internally can no longer get to the website by using the DNS name which points to the external IP. What would I need to change to resolve that?

Set up split DNS on your nameservers.

--Tom
 
Mukah
just joined
Topic Author
Posts: 16
Joined: Tue May 08, 2007 6:57 pm

Fri May 18, 2007 5:34 pm

So you are saying I need to set up a new zone on the DNS server the PCs point at and set all the records up to the internal IP addresses? I was hoping I wouldn't have to maintain two different sets of DNS records, but if this is what I have to do, I will.

Thanks!
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri May 18, 2007 6:31 pm

You could redirect the internal requests like this (command from memory, check for typos!):
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 dst-address=1.2.3.4 action=dst-nat to-addresses=192.168.0.100
/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.0.0/24 dst-address=192.168.0.100 action=masquerade
where:
1.2.3.4 is the public ip address of your webserver
192.168.0.0/24 is your internal ip address range
192.168.0.100 is the internal ip address of your webserver
ether2 is the interface name of your internal network interface

This should allow access to your internal webserver from the internal LAN using the public ip address of the webserver.

Best regards,
Christian Meis
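
Added example (not code from the thread): a small Python model of the dstnat, then routing, then srcnat order that replays the thread's two rules, the out-interface fix and the hairpin rule, and reports which source address the web server would log. The interface names `wan` and `lan`, the 10.1.2.0/24 prefix, the router LAN address 10.1.2.1 and both client addresses are assumptions, as is the server sharing a subnet with internal clients; the model is a simplification, not RouterOS.

```python
import ipaddress

LAN = ipaddress.ip_network("10.1.2.0/24")            # assumed prefix around the thread's 10.1.2.20
ROUTER = {"wan": "71.153.22.23", "lan": "10.1.2.1"}  # lan address is an assumption

def parse(line):
    """'add chain=srcnat action=...' -> dict of its key=value tokens."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    pairs = (("in-interface", "in"), ("out-interface", "out"), ("protocol", "proto"), ("dst-port", "dport"))
    return all(rule[k] == str(pkt.get(f)) for k, f in pairs if k in rule)

def forward(lines, pkt):
    """dstnat before routing, srcnat after it; first matching rule in each chain wins."""
    rules, pkt = [parse(l) for l in lines], dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst"] = r["to-addresses"]
            break
    pkt["out"] = "lan" if ipaddress.ip_address(pkt["dst"]) in LAN else "wan"
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt):
            # src-nat uses to-addresses; masquerade uses the out-interface address
            pkt["src"] = r.get("to-addresses", ROUTER[pkt["out"]])
            break
    return pkt

def reply_returns_via_router(seen):
    """The server answers a same-subnet source directly, bypassing the NAT state."""
    return ipaddress.ip_address(seen["src"]) not in LAN or seen["src"] == ROUTER["lan"]

# DSTNAT and UNSCOPED are the thread's rules; SCOPED and HAIRPIN adapt the replies (names assumed)
DSTNAT = "add chain=dstnat dst-address=71.153.22.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.20 to-ports=80"
UNSCOPED = "add chain=srcnat action=src-nat to-addresses=71.153.22.23 to-ports=0-65535"
SCOPED = "add chain=srcnat out-interface=wan action=src-nat to-addresses=71.153.22.23"
HAIRPIN = "add chain=srcnat out-interface=lan src-address=10.1.2.0/24 dst-address=10.1.2.20 action=masquerade"
INTERNET = {"src": "203.0.113.9", "dst": "71.153.22.22", "proto": "tcp", "dport": 80, "in": "wan"}  # constructed
INSIDE = {"src": "10.1.2.50", "dst": "71.153.22.22", "proto": "tcp", "dport": 80, "in": "lan"}      # constructed

if __name__ == "__main__":
    cases = (("unscoped", [DSTNAT, UNSCOPED], INTERNET), ("scoped", [DSTNAT, SCOPED], INTERNET),
             ("LAN, scoped only", [DSTNAT, SCOPED], INSIDE), ("LAN + hairpin", [DSTNAT, HAIRPIN, SCOPED], INSIDE))
    for name, rules, pkt in cases:
        seen = forward(rules, pkt)
        print(f"{name:17} server logs {seen['src']:13} reply via router: {reply_returns_via_router(seen)}")
```

In the last case the web server logs the router's LAN address for internal clients, so with the hairpin rule in place those requests cannot be attributed to a host from the web log alone.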
