Mikrotik
#4
https://help.mikrotik.com/docs/display/R...HairpinNAT


Quote: The issue occurs when a client on the same internal network as the webserver requests a connection to the web server's public IP address; the connection breaks:
  1. the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
  2. the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 10.0.0.2;
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the webserver. The web server does not send the reply back to the router but sends it back directly to 10.0.0.2 with a source IP address in the reply of 10.0.0.3;
  4. The client receives the reply packet, but it discards it because it expects a packet back from 172.16.16.1, and not from 10.0.0.3;

To resolve this issue, we will configure the src-nat rule as follows:
Code:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.3 out-interface=LAN protocol=tcp src-address=10.0.0.0/24

After configuring the rule above:
  1. the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
  2. the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 10.0.0.3, and the source IP address is 10.0.0.1;
  3. the webserver replies to the request and sends the reply with a source IP address of 10.0.0.3 back to the router's LAN interface IP address of 10.0.0.1;
  4. the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 172.16.16.1 into the destination IP address field

So you see ...
"Just as a person who lacks self-respect does not thrive but withers, so does a nation that lacks self-confidence." K. Mīlenbahs
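The two packet walks quoted in the post above, as a small Python model (an added example, not part of the original post or of MikroTik's documentation). The `Router` class and `client_sees` helper are hypothetical names; only the addresses come from the quote.

```python
# Added illustration: a toy model of the hairpin NAT flow, not RouterOS code.
import ipaddress
from typing import NamedTuple

CLIENT, SERVER = "10.0.0.2", "10.0.0.3"        # addresses from the quoted text
ROUTER_LAN, PUBLIC = "10.0.0.1", "172.16.16.1"
LAN = ipaddress.ip_network("10.0.0.0/24")

class Packet(NamedTuple):
    src: str
    dst: str

class Router:
    def __init__(self, hairpin_srcnat: bool):
        self.hairpin_srcnat = hairpin_srcnat
        self.conntrack = {}  # translated packet -> original packet

    def forward(self, pkt: Packet) -> Packet:
        out = pkt
        if pkt.dst == PUBLIC:                      # dstnat: public IP -> web server
            out = out._replace(dst=SERVER)
        # srcnat masquerade: src-address=10.0.0.0/24 dst-address=10.0.0.3
        if (self.hairpin_srcnat and out.dst == SERVER
                and ipaddress.ip_address(out.src) in LAN):
            out = out._replace(src=ROUTER_LAN)
        self.conntrack[out] = pkt
        return out

    def reverse(self, reply: Packet) -> Packet:
        # Undo both translations using the tracked connection.
        orig = self.conntrack[Packet(src=reply.dst, dst=reply.src)]
        return Packet(src=orig.dst, dst=orig.src)

def client_sees(hairpin_srcnat: bool):
    """Return (reply as it reaches the client, whether the client accepts it)."""
    router = Router(hairpin_srcnat)
    request = Packet(src=CLIENT, dst=PUBLIC)
    at_server = router.forward(request)
    reply = Packet(src=SERVER, dst=at_server.src)
    if reply.dst == ROUTER_LAN:
        reply = router.reverse(reply)   # reply passes the router, NAT is undone
    # Otherwise the destination is on the server's own subnet: the server
    # delivers directly and the router never sees the reply.
    accepted = reply.src == request.dst and reply.dst == request.src
    return reply, accepted
```

Without the masquerade rule the client receives a reply sourced from 10.0.0.3 and rejects it; with the rule the reply returns through the router and arrives from 172.16.16.1.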