Translate the income ip to the ethernet

doomer · Wed Feb 21, 2024 3:43 am

Hey!
I have a network topology like in the picture.
Some clients from the internet connect to my public ip to Microtik and it translates them to a web-server inside the ethernet.
Everything works, I don't have any problems with it, but the web-server recieves ethernet address of gateway (ex 192.168.88.1) instead of client public address. (ex 212.42.14.10)
How shell I manage my router to translate clients-from-internet ip to my web-server?

TheCat12 · Wed Feb 21, 2024 2:09 pm

If you want a full translation of the local address of the web server to the public IP of the router and vice versa through a specific port, you should have a srcnat and a dstnat rule:

/ip firewall nat
add chain=dstnat dst-address="public_ip" dst-port="web_server_port" action=dst-nat to-addresses="local_ip" to-ports="web_server_port"
add chain=srcnat src-address="local_ip" src-port="web_server_port" action=src-nat to-addresses="public_ip" to-ports="web_server_port"

If that's not your question, would you kindly elaborate what do you mean with "the web-server doesn't receive the clients ip-addresses"?

doomer · Wed Feb 21, 2024 6:08 pm

"the web-server doesn't receive the clients ip-addresses" means the webservers gets 192.168.88.1 enstead of 212.162.14.10
Hope this is undestandable

mkx · Wed Feb 21, 2024 6:38 pm

So there's a SRC-NAT rule which triggers on connections from internet to your server. If you post your config, we might be able to find it.

doomer · Thu Feb 22, 2024 4:32 am

So there's a SRC-NAT rule which triggers on connections from internet to your server. If you post your config, we might be able to find it.

You wanted me to commite a crime against security, and I did my best to hide everything useful)

/interface bridge
add name=GUESTs_bridge port-cost-mode=short
add name=WORKERS_bridge port-cost-mode=short
/interface wireguard
add listen-port=443 mtu=1472 name=wireguard1
/interface vlan
add interface=WORKERS_bridge name=vlan502 vlan-id=502
add interface=WORKERS_bridge name=vlan602 vlan-id=602
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=LOGIN
/interface wifi channel
add band=2ghz-ax disabled=no name=WORKERS2 skip-dfs-channels=all width=20/40mhz-eC
add band=5ghz-ax disabled=no name=WORKERS5 skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=WORKERS_bridge disabled=no name=WORKERS
add bridge=WORKERS_bridge client-isolation=yes disabled=no name=GUESTs vlan-id=502
add bridge=WORKERS_bridge client-isolation=yes disabled=no name=free vlan-id=602
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption=ccmp group-encryption=ccmp group-key-update=30m name=WORKERS
add authentication-types=wpa2-psk disabled=no encryption=ccmp group-encryption=ccmp group-key-update=30m name=GUESTs
add disabled=no name=free
/interface wifi configuration
add channel=WORKERS2 country=Kazakstan datapath=WORKERS disabled=no mode=ap name=WORKERS2 security=WORKERS ssid=WORKERS \
tx-power=35
add channel=WORKERS5 country=Kazakstan datapath=WORKERS disabled=no mode=ap name=WORKERS5 security=WORKERS ssid=WORKERS \
tx-power=20
add channel=WORKERS2 country=Kazakstan datapath=GUESTs disabled=no mode=ap name=GUESTs2 security=GUESTs ssid=GUESTs \
tx-power=15
add channel=WORKERS5 country=Kazakstan datapath=GUESTs disabled=no mode=ap name=GUESTs5 security=GUESTs ssid=GUESTs \
tx-power=20
add channel=WORKERS2 country=Kazakstan datapath=free disabled=no mode=ap name=free2 security=free ssid=Beker-Free \
tx-power=15
add channel=WORKERS5 country=Kazakstan datapath=free disabled=no mode=ap name=free5 security=free ssid=Beker-Free \
tx-power=20
/interface wifi
add configuration=WORKERS2 configuration.mode=ap .tx-power=35 disabled=no name=VIRT2 radio-mac=48:A9:8A:9F:7A:D6
add configuration=GUESTs2 disabled=no mac-address=4A:A9:8A:9F:7A:D6 master-interface=VIRT2 name=VIRT22
add configuration=free2 disabled=no mac-address=4A:A9:8A:9F:7A:D7 master-interface=VIRT2 name=VIRT23
set [ find default-name=wifi1 ] configuration=WORKERS5 disabled=no
set [ find default-name=wifi2 ] configuration=WORKERS2 disabled=no
add configuration=GUESTs5 disabled=no mac-address=4A:A9:8A:C8:49:1F master-interface=wifi1 name=VIRT5
add configuration=GUESTs2 disabled=no mac-address=4A:A9:8A:C8:49:21 master-interface=wifi2 name=VIRT24
add configuration=free2 disabled=no mac-address=4A:A9:8A:C8:49:22 master-interface=wifi2 name=VIRT25
add configuration=free5 disabled=no mac-address=4A:A9:8A:C8:49:20 master-interface=wifi1 name=VIRT52
/ip pool
add name=WORKERS_pool ranges=192.168.92.1-192.168.92.254
add name=GUESTs_pool ranges=192.168.11.5-192.168.11.250
add name=free_pool ranges=192.168.0.1-192.168.0.254
/ip dhcp-server
add address-pool=WORKERS_pool interface=WORKERS_bridge name=WORKR_dhcp server-address=192.168.92.1
add address-pool=GUESTs_pool interface=vlan502 name=GUESTs_dhcp server-address=192.168.11.1
add address-pool=free_pool interface=vlan602 name=free_dhcp server-address=192.168.0.1
/queue simple
add max-limit=5M/5M name=queue1 target=vlan602
/interface bridge port
add bridge=WORKERS_bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=*6 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=*7 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=*18 internal-path-cost=10 path-cost=10
add bridge=WORKERS_bridge interface=*19 internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=WORKERS_bridge vlan-ids=501
/interface wifi access-list
add action=reject disabled=yes interface=*BC signal-range=-120..-70
add action=reject disabled=yes interface=*C4 signal-range=-120..-71
add action=reject disabled=no interface=wifi1 signal-range=-120..-72
add action=reject disabled=no interface=wifi2 signal-range=-120..-65
add action=reject disabled=yes interface=*23 signal-range=-120..-80
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=WORKERS_bridge enabled=yes
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=WORKERS5 name-format=VIRT5 slave-configurations=\
GUESTs5,free5 supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=WORKERS2 name-format=VIRT2 slave-configurations=\
GUESTs2,free2 supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=10.5.5.2/32,192.168.92.0/24 comment=USER interface=wireguard1 public-key=\
"*"
add allowed-address=10.5.5.3/32,192.168.92.0/24 comment="USER" interface=wireguard1 public-key=\
"*"
add allowed-address=10.5.5.4/32,192.168.92.0/24,::/0 comment="USER" interface=wireguard1 public-key=\
"*"
/ip address
add address=192.168.92.1/24 interface=WORKERS_bridge network=192.168.92.0
add address=192.168.11.1/24 interface=vlan502 network=192.168.11.0
add address=192.168.0.1/24 interface=vlan602 network=192.168.0.0
add address=10.5.5.1/24 interface=wireguard1 network=10.5.5.0
/ip dhcp-server lease
add address=192.168.92.254 client-id=1:9480:a3:cc:f4 mac-address=94:DE:80:A3:CC:F4 server=WORKR_dhcp
add address=192.168.92.91 client-id=1:48:a9:8a:9f:7a:d2 mac-address=48:A9:8A:9F:7A:D2 server=WORKR_dhcp
add address=192.168.92.82 client-id=1:a0:f3:c1:1d:4d:ef comment=stat1 mac-address=A0:F3:C1:1D:4D:EF server=WORKR_dhcp
add address=192.168.92.193 client-id=1:b4:4c:3b:4:55:6b comment=stat1 mac-address=B4:4C:3B:04:55:6B server=\
WORKR_dhcp
add address=192.168.92.191 client-id=1:6c:1c:71:5e:2d:31 comment=stat1 mac-address=6C:1C:71:5E:2D:31 server=\
WORKR_dhcp
add address=192.168.11.23 client-id=1:e0:bb:9e:77:ff:b1 comment=stat1 mac-address=E0:BB:9E:77:FF:B1 server=\
GUESTs_dhcp
add address=192.168.92.163 client-id=1:58:11:22:9a:af:67 comment=stat1 mac-address=58:11:22:9A:AF:67 server=WORKR_dhcp
add address=192.168.92.140 client-id=ff:29:3a:f7:3a:0:4:7f:80:4d:56:9:4e:d2:e8:50:65:30:42:4b:3a:f7:3a mac-address=\
00:0C:29:3A:F7:3A server=WORKR_dhcp
add address=192.168.92.141 allow-dual-stack-queue=no mac-address=00:0C:29:AA:C0:0A server=WORKR_dhcp
add address=192.168.92.148 comment=WEBSERVER.DOMAIN.COM mac-address=00:0C:29:09:D0:EE server=WORKR_dhcp
add address=192.168.92.48 client-id=ff:9f:6e:85:24:0:2:0:011:31f1:8c:2d:91:d:50 comment=delme mac-address=\
00:0C:29:F7:72:A2 server=WORKR_dhcp
add address=192.168.92.143 client-id=1:0:c:29:69:ca:68 mac-address=00:0C:29:69:CA:68 server=WORKR_dhcp
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 netmask=24
add address=192.168.92.0/24 dns-server=192.168.92.1,8.8.8.8,1.1.1.1 gateway=192.168.92.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.92.148 name=WEBSERVER-SITE ttl=1m
add address=192.168.92.141 disabled=yes name=WEBSERVER2-SITE ttl=1m
add address=192.168.92.140 disabled=yes name=WEBSERVER3-SITE ttl=1m
/ip firewall filter
add action=accept chain=input comment="accept from main" src-address=192.168.92.0/24
add action=accept chain=input comment=WG disabled=yes dst-port=13231 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="sntp allow" in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="igmp allow" in-interface=pppoe-out1 protocol=igmp
add action=accept chain=input comment="icmp allow" disabled=yes in-interface=pppoe-out1 protocol=icmp
add action=accept chain=forward comment="establ related" connection-state=established,related
add action=accept chain=forward comment=printer> dst-address=192.168.11.23 src-address=192.168.92.0/24
add action=accept chain=forward comment=printer> dst-address=192.168.11.23 src-address=192.168.11.0/24
add action=accept chain=forward comment=printer< dst-address=192.168.92.0/24 src-address=192.168.11.23
add action=accept chain=forward comment=printer< dst-address=192.168.11.0/24 src-address=192.168.11.23
add action=accept chain=forward comment=WEBSERVER> dst-address=192.168.92.148 dst-port=80,443 in-interface=vlan502 \
protocol=tcp
add action=accept chain=forward comment=WEBSERVER< dst-port=80,443 out-interface=vlan502 protocol=tcp src-address=\
192.168.92.148
add action=drop chain=forward comment="block free>main" dst-address=192.168.92.0/24 in-interface=vlan602
add action=drop chain=forward comment="block GUEST>main" dst-address=192.168.92.0/24 in-interface=vlan502
add action=drop chain=input comment="drop input" in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT 0.0.0.0" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="NAT main>>GUEST>>free" dst-address=192.168.92.0/24
add action=dst-nat chain=dstnat dst-address=PUBLIC-STATIC-IP dst-port=80,443 protocol=tcp to-addresses=192.168.92.148
add action=dst-nat chain=dstnat dst-address=PUBLIC-STATIC-IP dst-port=143,993,110,995,25,465,587 protocol=tcp to-addresses=\
192.168.92.141
add action=dst-nat chain=dstnat dst-address=PUBLIC-STATIC-IP dst-port=8080 protocol=tcp to-addresses=192.168.92.140
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.92.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Almaty
/system identity
set name="BorderLine CAPsMAN"
/system note
set show-at-login=no
/system ntp client servers
add address=40.81.94.65
add address=84.43.191.2

Translate the income ip to the ethernet

Translate the income ip to the ethernet

Re: Translate the income ip to the ethernet

Re: Translate the income ip to the ethernet

Re: Translate the income ip to the ethernet

Re: Translate the income ip to the ethernet

Who is online