Forward HTTP port on mikrotik 1 to an address on another mikrotik
Trying to apply the Hairpin-nat concept on mikrotik1, my config is something like:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
add chain=srcnat out-interface=WAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.2.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
But it doesn't work for me because (i think) 192.168.2.2 is defined on another mikrotik (lets call it mikrotik2), not on this one (mikrotik1) wich the configuration is being applied. Mikrotik1 only routes the 192.168.1.0/24 network, and mikrotik2 only routes the 192.168.2.0/24.
But, the two mikrotik devices are bridged and the addresses are reachable.
Someone can help-me? I don't have any single clue of what to do in this case. How do I forward my internet traffic to port 80 on mikrotik1, to the mikrotik2 lan address?
PS: Both mikrotiks are gateways, each from a provider.
Thanks.
networking routing port-forwarding nat mikrotik-routeros
add a comment |
Trying to apply the Hairpin-nat concept on mikrotik1, my config is something like:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
add chain=srcnat out-interface=WAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.2.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
But it doesn't work for me because (i think) 192.168.2.2 is defined on another mikrotik (lets call it mikrotik2), not on this one (mikrotik1) wich the configuration is being applied. Mikrotik1 only routes the 192.168.1.0/24 network, and mikrotik2 only routes the 192.168.2.0/24.
But, the two mikrotik devices are bridged and the addresses are reachable.
Someone can help-me? I don't have any single clue of what to do in this case. How do I forward my internet traffic to port 80 on mikrotik1, to the mikrotik2 lan address?
PS: Both mikrotiks are gateways, each from a provider.
Thanks.
networking routing port-forwarding nat mikrotik-routeros
add a comment |
Trying to apply the Hairpin-nat concept on mikrotik1, my config is something like:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
add chain=srcnat out-interface=WAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.2.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
But it doesn't work for me because (i think) 192.168.2.2 is defined on another mikrotik (lets call it mikrotik2), not on this one (mikrotik1) wich the configuration is being applied. Mikrotik1 only routes the 192.168.1.0/24 network, and mikrotik2 only routes the 192.168.2.0/24.
But, the two mikrotik devices are bridged and the addresses are reachable.
Someone can help-me? I don't have any single clue of what to do in this case. How do I forward my internet traffic to port 80 on mikrotik1, to the mikrotik2 lan address?
PS: Both mikrotiks are gateways, each from a provider.
Thanks.
networking routing port-forwarding nat mikrotik-routeros
Trying to apply the Hairpin-nat concept on mikrotik1, my config is something like:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
add chain=srcnat out-interface=WAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.2.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
But it doesn't work for me because (i think) 192.168.2.2 is defined on another mikrotik (lets call it mikrotik2), not on this one (mikrotik1) wich the configuration is being applied. Mikrotik1 only routes the 192.168.1.0/24 network, and mikrotik2 only routes the 192.168.2.0/24.
But, the two mikrotik devices are bridged and the addresses are reachable.
Someone can help-me? I don't have any single clue of what to do in this case. How do I forward my internet traffic to port 80 on mikrotik1, to the mikrotik2 lan address?
PS: Both mikrotiks are gateways, each from a provider.
Thanks.
networking routing port-forwarding nat mikrotik-routeros
networking routing port-forwarding nat mikrotik-routeros
edited Dec 14 at 21:54
Duncan X Simpson
1,093821
1,093821
asked Feb 4 '16 at 19:29
Eduardo Augusto Alves Ayres
135
135
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Check that port 80 is not already in use by mikrotik1 (ip/services/disable http)
Also, you talk about bridging the two mikrotiks... I think this is a mistake, remove the bridge and add a route to 192.168.2.0/24 on mikrotik1, and a route to 192.168.1.0/24 on mikrotik2 if they don't exist already.
Mikrotik2 has to have also mikrotik1 as default gateway.
Then, you will only need
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
Assuming that 1.1.1.1 is your WAN address.
[edit]
If Mikrotik1 is not Mikrotik2's gateway, you will have to add scr-nat
/ip firewall nat
add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80
action=src-nat to-address=[IP_LAN_MT1]
Where IP_LAN_MT1 is the internal IP of Mirotik1
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry
– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
|
show 6 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1035749%2fforward-http-port-on-mikrotik-1-to-an-address-on-another-mikrotik%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Check that port 80 is not already in use by mikrotik1 (ip/services/disable http)
Also, you talk about bridging the two mikrotiks... I think this is a mistake, remove the bridge and add a route to 192.168.2.0/24 on mikrotik1, and a route to 192.168.1.0/24 on mikrotik2 if they don't exist already.
Mikrotik2 has to have also mikrotik1 as default gateway.
Then, you will only need
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
Assuming that 1.1.1.1 is your WAN address.
[edit]
If Mikrotik1 is not Mikrotik2's gateway, you will have to add scr-nat
/ip firewall nat
add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80
action=src-nat to-address=[IP_LAN_MT1]
Where IP_LAN_MT1 is the internal IP of Mirotik1
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry
– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
|
show 6 more comments
Check that port 80 is not already in use by mikrotik1 (ip/services/disable http)
Also, you talk about bridging the two mikrotiks... I think this is a mistake, remove the bridge and add a route to 192.168.2.0/24 on mikrotik1, and a route to 192.168.1.0/24 on mikrotik2 if they don't exist already.
Mikrotik2 has to have also mikrotik1 as default gateway.
Then, you will only need
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
Assuming that 1.1.1.1 is your WAN address.
[edit]
If Mikrotik1 is not Mikrotik2's gateway, you will have to add scr-nat
/ip firewall nat
add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80
action=src-nat to-address=[IP_LAN_MT1]
Where IP_LAN_MT1 is the internal IP of Mirotik1
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry
– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
|
show 6 more comments
Check that port 80 is not already in use by mikrotik1 (ip/services/disable http)
Also, you talk about bridging the two mikrotiks... I think this is a mistake, remove the bridge and add a route to 192.168.2.0/24 on mikrotik1, and a route to 192.168.1.0/24 on mikrotik2 if they don't exist already.
Mikrotik2 has to have also mikrotik1 as default gateway.
Then, you will only need
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
Assuming that 1.1.1.1 is your WAN address.
[edit]
If Mikrotik1 is not Mikrotik2's gateway, you will have to add scr-nat
/ip firewall nat
add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80
action=src-nat to-address=[IP_LAN_MT1]
Where IP_LAN_MT1 is the internal IP of Mirotik1
Check that port 80 is not already in use by mikrotik1 (ip/services/disable http)
Also, you talk about bridging the two mikrotiks... I think this is a mistake, remove the bridge and add a route to 192.168.2.0/24 on mikrotik1, and a route to 192.168.1.0/24 on mikrotik2 if they don't exist already.
Mikrotik2 has to have also mikrotik1 as default gateway.
Then, you will only need
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
action=dst-nat to-address=192.168.2.2
Assuming that 1.1.1.1 is your WAN address.
[edit]
If Mikrotik1 is not Mikrotik2's gateway, you will have to add scr-nat
/ip firewall nat
add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80
action=src-nat to-address=[IP_LAN_MT1]
Where IP_LAN_MT1 is the internal IP of Mirotik1
edited Feb 6 '16 at 14:10
answered Feb 5 '16 at 8:18
Benoit PHILIPPON
23613
23613
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry
– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
|
show 6 more comments
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry
– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
Right, but I cant put Mikrotik2 to have mikrotik1 as default gateway. There are two distinct WANs, 1.1.1.1 and 2.2.2.2 , and I route them by mk1 and mk2 respectively. What should I do? Thanks
– Eduardo Augusto Alves Ayres
Feb 5 '16 at 12:12
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
edited my reply adding src-nat rule
– Benoit PHILIPPON
Feb 6 '16 at 14:28
No change buddy, here:
/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
No change buddy, here:
/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.2.2 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade add chain=srcnat dst-address=192.168.2.2 protocol=tcp dst-port=80 action=src-nat to-address=192.168.2.253
no effect :/ PS: linebreak markups dont work, sorry– Eduardo Augusto Alves Ayres
Feb 12 '16 at 16:51
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Is 192.168.2.253 the Mikrotik1 LAN address?
– Benoit PHILIPPON
Feb 14 '16 at 16:25
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
Correct, the LAN address that connects the two mk's on mk1 is 192.168.2.253 and on mk2 is 192.168.1.253, reserved and static adresses.
– Eduardo Augusto Alves Ayres
Feb 15 '16 at 12:02
|
show 6 more comments
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1035749%2fforward-http-port-on-mikrotik-1-to-an-address-on-another-mikrotik%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown