Mikrotik
Nks, 2012-04-20 10:00:50

Mikrotik && HTTP server

Preamble:
- there is a web server that should be accessible from outside and inside the network
- there is a machine with Mikrotik 2.9
- there is an internal network with win 2008 and AD

Accordingly, Mikrotik works, everyone goes to the Internet, everything works, but there is one problem: the web server is only visible from the outside. From the internal network, the server is visible only by its internal IP (192.168.1.33, for example). A NAT rule was created on Mikrotik:

/ip firewall nat
add chain=dstnat dst-address=80.*.*.* protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.1.33 to-ports=80 comment="" \
disabled=no

When tracing from the internal network, everything goes perfectly to the specified IP:

C:\Users\Nks>tracert 80.*.*.*

Tracing route to 80.*.*.*.*.*.ru [80.*.*.*]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 80.*.*.*.*.*.ru [80.*.*.*]

Trace complete.

And tracing from the outside:

C:\Users\Nks>tracert 80.*.*.*

Трассировка маршрута к 80.*.*.*.*.*.ru [80.*.*.*]
с максимальным числом прыжков 30:

1 <1 мс <1 мс <1 мс GALAXY [192.168.0.15]
2 <1 мс <1 мс <1 мс l49-31-62.cn.ru [178.49.31.62]
3 <1 мс 1 ms <1 мс 10.245.234.33
4 * * * Превышен интервал ожидания для запроса.
5 1 ms 1 ms 1 ms 10.245.138.82
6 1 ms <1 мс <1 мс 10.245.138.74
7 1 ms 1 ms 1 ms nsk01.nsk28.transtelecom.net [217.150.43.142]
8 1 ms 1 ms 1 ms Linkey-gw.transtelecom.net [217.150.56.17]
9 1 ms 1 ms 1 ms 89.189.190.228.sta.211.ru [89.189.190.228]
10 * * * Превышен интервал ожидания для запроса.
11 1 ms 1 ms 2 ms 89.189.190.190
12 * * * Превышен интервал ожидания для запроса.
13 2 ms 1 ms 1 ms 80.*.*.*.*.*.ru [80.*.*.*]

Трассировка завершена.

As I understand it, Mikrotik does not want to push what came from inside the network through the NAT rule, and everything just dies on it (it is not forwarded to 192.168.1.33). Where should I dig?


2 answer(s)
DmZ, 2012-04-20

Dig in the direction of understanding how the network and NAT function :)
Mikrotik translates everything correctly; it simply will not work in this case:

  1. A packet comes from the world (say 8.8.8.8 -> 80.*.*.*), Mikrotik dst-nats it to the local address (8.8.8.8 -> 192.168.1.33), the web server receives the request from 8.8.8.8 and sends the response back to Mikrotik (default route), Mikrotik passes the packet back through NAT and sends it out to the world;
  2. If the packet comes from the local network (say 192.168.1.2 -> 80.*.*.*), Mikrotik dst-nats it to the local address (192.168.1.2 -> 192.168.1.33), the web server receives the request from 192.168.1.2 and sends the response back directly into the LOCAL network. Computer 192.168.1.2 never receives the expected response from 80.*.*.* and treats the response from 192.168.1.33 as invalid, since it did not send a request there. Accordingly, the TCP connection is not established.

If you really want to solve this problem with NAT, then you need another src-nat on Mikrotik: 192.168.1.0/24 to 192.168.1.33:80 gets its source rewritten to Mikrotik's own address (say 192.168.1.1). Then, when a packet arrives from the local network, Mikrotik translates it twice and sends it to the server as (192.168.1.1 -> 192.168.1.33), the web server sends the response back to Mikrotik, and the connection is established.
But the most correct way is simply to resolve the DNS name to the internal address of the web server for internal hosts, and to the external address for external hosts. Then the outside gets NATed, and the inside goes directly.
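
The two cases above, plus the src-nat fix, as a small added model of the packet flow (constructed illustration, not code from this thread or from RouterOS; 80.0.0.1 stands in for the masked public address and 192.168.1.1 is the assumed Mikrotik LAN address):

```python
# Constructed model of the hairpin-NAT problem: dst-nat alone vs dst-nat plus src-nat.
from dataclasses import dataclass, replace

PUBLIC = "80.0.0.1"         # placeholder for the masked 80.*.*.* address
ROUTER_LAN = "192.168.1.1"  # Mikrotik's LAN address, as assumed in the answer
SERVER = "192.168.1.33"
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Router:
    """dst-nat PUBLIC:80 -> SERVER:80, optionally plus the hairpin src-nat for LAN clients."""
    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.conntrack = {}  # (reply src, sport, reply dst, dport) -> original request

    def forward_request(self, pkt):
        orig = pkt
        if pkt.dst == PUBLIC and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER)                      # chain=dstnat action=dst-nat
            if self.hairpin and pkt.src.startswith(LAN_PREFIX):
                pkt = replace(pkt, src=ROUTER_LAN)              # chain=srcnat, LAN -> server
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def forward_reply(self, pkt):
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)  # undo both translations

def server_reply(req):
    return Packet(req.dst, req.src, req.dport, req.sport)

def reaches_router(reply):
    # A reply to another LAN host is delivered directly on the LAN segment and never
    # passes the Mikrotik; only replies to the router itself or to the outside are routed.
    return reply.dst == ROUTER_LAN or not reply.dst.startswith(LAN_PREFIX)

def handshake_ok(client_ip, hairpin):
    """True if the client gets the SYN/ACK back from the tuple it actually connected to."""
    router = Router(hairpin)
    syn = Packet(client_ip, PUBLIC, 40000, 80)
    reply = server_reply(router.forward_request(syn))
    if reaches_router(reply):
        reply = router.forward_reply(reply)
    return reply == Packet(PUBLIC, client_ip, 80, 40000)
```

The model also shows the side effect of the NAT fix: with the hairpin rule the server sees every LAN client as 192.168.1.1, so its access logs lose the real client address, which is one reason the split-DNS approach is preferred.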

ironsf, 2012-04-27

The DNS option is fine, but you can make it prettier:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.33 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade
Where LAN is the name of the interface that faces the local network.
Read more here.
