Mikrotik
S10LI, 2020-06-19 12:14:15

How to forward a packet from the LAN to a LAN device when accessing the external IP?


Example network (any resemblance to real addresses is coincidental):

WAN (ether1-wan) public IP: 10.10.10.10
Mikrotik address: 192.168.1.254
LAN (bridge-lan): 192.168.1.0/24
VPN+Web server: 192.168.1.100


Rules are configured that redirect packets on ports 80 and 12345 arriving from outside (ether1-wan) to the server (192.168.1.100):

/ip firewall nat
# HTTP from the Internet -> web server
add action=netmap chain=dstnat dst-port=80 in-interface=ether1-wan protocol=tcp to-addresses=192.168.1.100 to-ports=80
# VPN from the Internet -> VPN server
add action=netmap chain=dstnat dst-port=12345 in-interface=ether1-wan protocol=tcp to-addresses=192.168.1.100 to-ports=12345


Accordingly, when clients access the address 10.10.10.10 from the Internet in a browser, they reach the server 192.168.1.100; the same goes for the VPN client. From the local network, however, they would end up at the address 192.168.1.254.

The task is to redirect local network clients that access the external address (10.10.10.10) to a server located in the same local network (192.168.1.100).

One option is to use some kind of DynDNS service to give the external address 10.10.10.10 a domain name like company.dyndns.com, and inside the local network, in the Mikrotik settings, point this domain at the server address 192.168.1.100. For HTTP that is quite okay, but for the VPN it is a problem, because the .ovpn file created to configure the client specifies the external IP, not the domain name. I won't go into details; this option simply doesn't work. (Running OpenVPN on the Mikrotik itself is not worth suggesting either.)

Another option that does work is as follows:
Clients accessing 10.10.10.10 are redirected to 192.168.1.100, with the Mikrotik masquerading the connection:
/ip firewall nat
# Source NAT for everything coming from the LAN
add action=masquerade chain=srcnat src-address=192.168.1.0/24
# LAN clients hitting the public IP on the VPN port -> server
add action=netmap chain=dstnat dst-address=10.10.10.10 dst-port=12345 in-interface=bridge-lan protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.100 to-ports=12345

It looks like this: [screenshot]
Everything works, but the server sees the connection coming not from the client 192.168.1.10 but from the Mikrotik 192.168.1.254, and if many clients connect, they all show up as 192.168.1.254. For logging, security and so on, this is not acceptable at all.

So what can be done to get the following scheme?

1 answer(s)
Dmitry, 2020-06-19
@S10LI

https://wiki.mikrotik.com/wiki/Hairpin_NAT
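The hairpin NAT setup the linked wiki page describes, written out for this network as an added example (not the asker's or the answerer's own configuration): the masquerade is narrowed to the WAN port and to the LAN-to-server hairpin case, the two netmap rules are folded into one dst-nat rule, and the hairpin rule is logged so the router keeps a record of the real client address that the server cannot see. The log-prefix value "hairpin" is a constructed label.

```routeros
/ip firewall nat
# Internet access for the LAN: masquerade only what leaves via the WAN port,
# instead of every packet from 192.168.1.0/24
add chain=srcnat out-interface=ether1-wan action=masquerade \
    comment="LAN -> Internet"

# Port forwarding for both WAN and LAN clients: no in-interface match, so a
# LAN client connecting to 10.10.10.10 is also sent to the server
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=80,12345 \
    action=dst-nat to-addresses=192.168.1.100 comment="public IP -> server"

# Hairpin: LAN -> server traffic must be source-NATed to the router. Without it
# the server answers the client directly over the bridge, and the client drops
# a reply from 192.168.1.100 because it expected one from 10.10.10.10.
# dst-address is already rewritten to the server here, since dstnat ran first.
# log=yes writes one line per new connection with the real client address,
# since the server itself only ever sees 192.168.1.254.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.100 \
    protocol=tcp dst-port=80,12345 out-interface=bridge-lan \
    action=masquerade log=yes log-prefix="hairpin" \
    comment="LAN -> server via public IP"
```

LAN clients still appear to the server as 192.168.1.254; the router's log line is what ties a connection back to the actual client. Only split DNS, which the question already rules out for the .ovpn client, would let the server see the client address directly.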
