Re: [Mikrotik] Hairpin NAT revisited

2010-07-05 Thread Stuart Pierce
Is there a way to execute a script based on access to a certain port? Like 
http://10.5.50.1:9501 and then the Tik box senses that and runs a script. 

Sent via the WebMail system at avolve.net


___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS


Re: [Mikrotik] Hairpin NAT revisited

2010-07-05 Thread Butch Evans
On Mon, 2010-07-05 at 09:15 -0500, Stuart Pierce wrote: 
 Is there a way to execute a script based on access to a 
 certain port ? 

Yes and no.  There is no way to directly tie a script in MT to a port.
However, you can write a scheduler script that watches a firewall rule's
counters and then does something based on those counters.  If you can be
a bit more specific as to what you need done, perhaps we can come up
with other/better ideas.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *


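The counter-watching approach Butch describes, worked through as an added example (editor's code, not from the thread). The router address 10.5.50.1 and port 9501 come from Stuart's question; the rule comment "trigger-9501", the global variable trigger9501Seen, the script names and the 10-second interval are choices made here. The first block is typed at the RouterOS console; the two script bodies are pasted into /system script as the source of the named scripts.

```routeros
# 1. A filter rule that only counts. chain=input because the target is the
#    router itself; passthrough lets the packet go on to the rules below it.
#    src-address= limits who can pull the trigger: without it, anything that
#    can reach 10.5.50.1:9501 (including a port scan) runs your script.
#    192.168.0.0/16 is an assumed management range; use your own.
/ip firewall filter
add chain=input protocol=tcp dst-address=10.5.50.1 dst-port=9501 \
    src-address=192.168.0.0/16 action=passthrough comment="trigger-9501"

# 2. The scheduler that polls the counter. Reaction is delayed by up to one
#    interval, and the action runs once per interval in which the counter
#    moved, not once per packet (SYN retransmits also count).
/system scheduler
add name=watch-trigger-9501 interval=10s on-event=watch-trigger-9501

# 3. Script "on-trigger-9501": whatever you actually want to happen.
:log warning "10.5.50.1:9501 was hit; running the triggered action"

# 4. Script "watch-trigger-9501": compare the rule's packet counter with the
#    value remembered from the previous run and fire the action if it grew.
:global trigger9501Seen
:local rule [/ip firewall filter find comment="trigger-9501"]
:if ([:len $rule] = 0) do={ :error "trigger-9501 rule is missing" }
:local now [/ip firewall filter get $rule packets]
:if ([:typeof $trigger9501Seen] = "nothing" || $now < $trigger9501Seen) do={
    # first run after boot, or someone ran reset-counters: resync, do not fire
    :set trigger9501Seen $now
} else={
    :if ($now > $trigger9501Seen) do={
        :set trigger9501Seen $now
        /system script run on-trigger-9501
    }
}
```

Globals and rule counters both start from zero after a reboot, which is why the watcher resyncs instead of firing on its first run. Check with /ip firewall filter print stats where comment="trigger-9501" that the counter actually moves when you connect; if it does not, a rule above it is already accepting or dropping the packet.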


Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Josh Luthman
Can you just allow all 192.168.0.0/24?

On 6/28/10, Rory McCann rmm.li...@gmail.com wrote:
 I've been utilizing hairpin NAT to help with displaying webpages to
 computers on the same subnet as the webserver using the public IP - it
 has been working flawlessly, however now I am trying to utilize some new
 functionality.

 My webserver has a default host on it that clients are redirected to if
 they get blacklisted for high connection counts (flagged using Butch's
 QoS script). I have put together some ASP pages that allow them to
 manually remove themselves from the blacklist via telnet; however, my
 problem comes in when the webserver tries to detect the client's IP address.

 Let's say client A is blacklisted. His IP is 192.168.0.9. The MT is
 192.168.0.254. The webserver always sees the request as coming from
 192.168.0.254 instead of 192.168.0.9, so I cannot get the script to
 automatically remove the correct IP from the address list.

 Is there any workaround to this, or is this just one of the pitfalls of
 hairpin NAT?

 Thanks in advance!
 Rory McCann
 Minn-Kota Ag Products



-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to
continue that counts.”
--- Winston Churchill


Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann
I don't think it's an issue of the traffic being blocked, but rather 
when the traffic is modified to redirect the user to my block page 
instead of Google.com, it utilizes the hairpin NAT rule to find the 
webserver, but replaces the source address with that of the MT router 
instead of the source address of the client.


On 6/28/2010 11:12 AM, Josh Luthman wrote:

Can you just allow all 192.168.0.0/24?



Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Butch Evans
On Mon, 2010-06-28 at 11:15 -0500, Rory McCann wrote: 
 I don't think it's an issue of the traffic being blocked, but rather 
 when the traffic is modified to redirect the user to my block page 
 instead of Google.com, it utilized the hairpin NAT rule to find the 
 webserver, but replaces the source address with that of the MT router 
 instead of the source address of the client.

Post a copy of the output of: /ip firewall nat export



Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann
I have a few subnets on this unit (RB1000) running on several public 
IPs. Right now ether4 is my WAN. Ether2 (192.168.1.0/24) is the subnet I 
am trying to get my blacklisting scripts working on. The webserver is 
192.168.1.250. The MT is 192.168.1.254.


/ip firewall nat
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.1.4 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.1.250 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.25.15 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment= disabled=no dst-address=x.x.x.x \
    dst-port=80 protocol=tcp to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment= disabled=no dst-address=x.x.x.x \
    dst-port=6500 protocol=tcp to-addresses=192.168.1.4 to-ports=6500
add action=dst-nat chain=dstnat comment= disabled=no dst-address=x.x.x.x \
    dst-port=6510 protocol=tcp to-addresses=192.168.25.15 to-ports=6510
add action=dst-nat chain=dstnat comment= disabled=no dst-address=x.x.x.x \
    dst-port=6520 protocol=tcp to-addresses=192.168.2.10 to-ports=6520
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.1.0/24 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.25.0/27 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment= disabled=no out-interface=ether4 \
    src-address=192.168.2.0/28 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment= disabled=no dst-port=80 \
    protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250 \
    to-ports=80
add action=dst-nat chain=dstnat comment= disabled=no dst-port=53 \
    protocol=udp src-address=192.168.25.15 to-addresses=192.168.1.2 \
    to-ports=53
add action=src-nat chain=srcnat comment= disabled=no \
    dst-address=192.168.1.250 dst-address-type= dst-port=80 protocol=tcp \
    src-address-type= to-addresses=192.168.1.254

On 6/28/2010 12:15 PM, Butch Evans wrote:

Post a copy of the output of: /ip firewall nat export



Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Butch Evans
On Mon, 2010-06-28 at 12:21 -0500, Rory McCann wrote: 
 add action=dst-nat chain=dstnat comment= disabled=no 
 dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.250 
 to-ports=80

Ok, so the dstnat rule looks right.

 add action=dst-nat chain=dstnat comment= disabled=no dst-port=80 
 protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250 \
  to-ports=80

This one looks ok, too.  I suspected that you may have had a srcnat rule
that was causing a problem.  It does not look that way in your export,
though.  I'd double check the srcnat rules to ensure that they are NOT
natting traffic leaving on the interface that has the 192.168.1.x IP
assigned to it.  You could add a rule like:
/ip firewall nat
add chain=srcnat out-interface=LAN action=accept

Substitute the LAN interface for whatever interface has the
192.168.1.x address assigned.  Put that rule above all other srcnat
chain rules and see if it changes things.



Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann
This fixed half the problem. Users on my 192.168.25.0/27 subnet now show 
the correct IP address on the webserver, however it breaks hairpin NAT 
for the 192.168.1.0/24 subnet (which the webserver resides on).


On 6/28/2010 1:06 PM, Butch Evans wrote:

I'd double check the srcnat rules to ensure that they are NOT
natting traffic leaving on the interface that has the 192.168.1.x IP
assigned to it.  You could add a rule like:
/ip firewall nat
add chain=srcnat out-interface=LAN action=accept

Substitute the LAN interface for whatever interface has the
192.168.1.x address assigned.  Put that rule above all other srcnat
chain rules and see if it changes things.

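Why Butch's accept rule fixes one subnet and breaks the other, shown as an added example (editor's configuration, not the thread's own). The last srcnat rule in Rory's export rewrites the source of every TCP connection to 192.168.1.250:80 that passes through the router, whatever subnet it came from, so the webserver sees 192.168.1.254 for all of them. An accept rule on the LAN interface placed above it stops that rewrite for everyone, including the one subnet that actually needs it. The fix is to scope the hairpin rule with src-address= instead of adding the accept rule. Addresses and interfaces are Rory's (ether2 = 192.168.1.0/24, webserver 192.168.1.250, router 192.168.1.254, ether4 = WAN, public IP x.x.x.x as redacted in his export); the comment strings are chosen here.

```routeros
/ip firewall nat
# Hairpin, scoped to the webserver's own subnet. Only a client on
# 192.168.1.0/24 would otherwise receive the server's reply directly from
# 192.168.1.250 and discard it as not belonging to its connection to
# x.x.x.x. Clients on every other subnet route through the router in both
# directions anyway, so they keep their real source address, which is
# exactly what the delist page needs to see.
add chain=srcnat protocol=tcp src-address=192.168.1.0/24 \
    dst-address=192.168.1.250 dst-port=80 \
    action=src-nat to-addresses=192.168.1.254 \
    comment="hairpin for the webserver's own subnet"
# Outbound to the Internet, as in the export.
add chain=srcnat out-interface=ether4 src-address=192.168.1.0/24 \
    action=src-nat to-addresses=x.x.x.x
# Public-side port forward and the blacklist redirect, as in the export.
# Both still apply; the redirect lands on the hairpin rule only for
# blacklisted hosts that are themselves on 192.168.1.0/24.
add chain=dstnat protocol=tcp dst-address=x.x.x.x dst-port=80 \
    action=dst-nat to-addresses=192.168.1.250 to-ports=80
add chain=dstnat protocol=tcp dst-port=80 src-address-list=Blacklist \
    action=dst-nat to-addresses=192.168.1.250 to-ports=80

# Check: with a client on 192.168.25.0/27 and one on 192.168.1.0/24 both
# loading the page, the first should show its own address as src-address
# and the second should show 192.168.1.254.
/ip firewall connection print where dst-address~"^192.168.1.250:80"
```

Remove the out-interface=LAN accept rule once this is in place; if it stays above the hairpin rule it will keep the 192.168.1.0/24 hairpin from ever matching.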


Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann
I created a bit of a work around. The rule provided by Butch was 
necessary for proper IP detection by the webserver for clients coming 
from other subnets on the same router. I simply pointed the delisting 
link on the blacklist page to the direct delist script (i.e., I made a 
hyperlink to http://192.168.1.250/delist.asp). Since the clients were 
now directly connecting to the webserver and not being masqueraded 
through the router, the IP detection worked correctly and removed the IP 
from the address list on the MT.


Thanks for the help guys!

On 6/28/2010 1:06 PM, Butch Evans wrote:

On Mon, 2010-06-28 at 12:21 -0500, Rory McCann wrote:
   

add action=dst-nat chain=dstnat comment= disabled=no
dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.250
to-ports=80
 

Ok, so the dstnat rule looks right.

   

add action=dst-nat chain=dstnat comment= disabled=no dst-port=80
protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250 \
  to-ports=80
 

This one looks ok, too.  I suspected that you may have had a srcnat rule
that was causing a problem.  It does not look that way in your export,
though.  I'd double check the srcnat rules to ensure that they are NOT
natting traffic leaving on the interface that has the 192.168.1.x IP
assigned to it.  You could add a rule like:
/ip firewall nat
add chain=srcnat out-interface=LAN action=accept

Substitute the LAN interface for whatever interface has the
192.168.1.x address assigned.  Put that rule above all other srcnat
chain rules and see if it changes things.



Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Andrew Cox
Just looking at this now, I gather you already have the server and all 
the scripts set up.
However, if the telnet script/system becomes too much or doesn't work 
properly you could also try something like this:


1. on your block page have a link to a specific unused port on the same 
server (say http://192.168.1.250:)
2. add a rule to the Mikrotik that adds any user who hits that ip/port 
combination to an address list: delist-user
3. set up a script to run every 5-10 minutes that runs through and 
deletes each delist-user entry and, if the IP is also in the 
Blacklist, removes that entry too.


Saves having to do any real work on the server at all ;-)

Regards,
Andrew

On 29/06/2010 5:24 AM, Rory McCann wrote:
I created a bit of a work around. The rule provided by Butch was 
necessary for proper IP detection by the webserver for clients coming 
from other subnets on the same router. I simply pointed the delisting 
link on the blacklist page to the direct delist script (i.e., I made a 
hyperlink to http://192.168.1.250/delist.asp). Since the clients were 
now directly connecting to the webserver and not being masqueraded 
through the router, the IP detection worked correctly and removed the 
IP from the address list on the MT.


Thanks for the help guys!




--
Kind Regards,
Andrew Cox
AccessPlus
Head Network Administrator
Ph: 1300 739 822 (7am - 12 midnight AEST)

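Andrew's three steps implemented end to end, as an added example (editor's code, not from the thread). The address-list names delist-user and Blacklist and the webserver 192.168.1.250 are from the thread; the port is left unspecified in Andrew's message, so 9999 is assumed here, and the rule comment, script name and timeouts are choices made here. The first and last blocks are console commands; the middle one is the body of a script named delist-run in /system script.

```routeros
# Step 2: note who asked. A mangle prerouting rule runs before any NAT, so
# src-address is the client's real address even on a subnet whose port-80
# traffic is later hairpinned to 192.168.1.254, and it runs before the
# filter, so the request is recorded even if a rule later drops it; the
# server never has to answer on 9999. src-address-list=Blacklist means only
# a host that is actually blacklisted can put itself on the queue, and the
# timeout cleans up if the scheduler is ever disabled.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-address=192.168.1.250 dst-port=9999 \
    src-address-list=Blacklist action=add-src-to-address-list \
    address-list=delist-user address-list-timeout=30m passthrough=yes \
    comment="self-service delist request"

# Step 3: script "delist-run". For every queued address, drop it from
# Blacklist if it is there, then drop the queue entry itself.
:foreach e in=[/ip firewall address-list find list="delist-user"] do={
    :local addr [/ip firewall address-list get $e address]
    :local hits [/ip firewall address-list find list="Blacklist" address=$addr]
    :if ([:len $hits] > 0) do={
        /ip firewall address-list remove $hits
        :log info ("delist: removed " . $addr . " from Blacklist")
    }
    /ip firewall address-list remove $e
}

# Run it every five minutes (Andrew's 5-10 minute window).
/system scheduler
add name=delist-run interval=5m on-event=delist-run
```

Keep in mind what this authenticates: nothing but the source address. Any device sharing that address (a customer's own NAT, for instance) can delist it, and a host that keeps tripping the connection-count check will simply be blacklisted again by the QoS script on its next pass, which is the intended behaviour rather than a bug. Confirm the mangle rule is being hit with /ip firewall mangle print stats where comment="self-service delist request".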


Re: [Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann

Thanks for the tip!

I probably should've done that from the get-go, being as I spent a good 
amount of time trying to find a working ASP telnet script. Oh well, it 
does what it's supposed to so I'll leave it alone unless it needs 
modification.


On 6/28/2010 4:02 PM, Andrew Cox wrote:
Just looking at this now, I gather you already have the server and all 
the scripts set up.
However, if the telnet script/system becomes too much or doesn't work 
properly you could also try something like this:


1. on your block page have a link to a specific unused port on the 
same server (say http://192.168.1.250:)
2. add a rule to the Mikrotik that adds any user who hits that ip/port 
combination to an address list: delist-user
3. set up a script to run every 5-10 minutes that runs through and 
deletes each delist-user entry and, if the IP is also in the 
Blacklist, removes that entry too.


Saves having to do any real work on the server at all ;-)

Regards,
Andrew
