Mikrotik, 3

2025-04-15 22:15:27 +02:00
parent e1c4a20a6a
commit 9ad8103eea
2 changed files with 50 additions and 0 deletions


@ -48,22 +48,72 @@ The configuration establishes the connection to the provider. You can check it i
However, this is just the connection, to get to the Internet via this connection a route, in particular a default route is required.
```
/ip/route
add dst-address=0.0.0.0/0 gateway=telekom-layer3
```
Additional a masquarading rule in the firewall configuration is required:
```
/ip/firewall/nat
add action=masquerade chain=srcnat comment="nat on wan" log=no log-prefix=masq out-interface=telekom-layer3
```
And finally a DNS server (I was a bit surprised that it was not configured dynamically.):
```
/ip/dns
add dns-servers=8.8.8.8 name=default
```
## Second Task, no Challenge
Providing the services on the Kubernetes cluster to the Internet requires a port-forwarding setup. On Mikrotik it is call _destination NAT_ (`dstnat`).
This was an easy task, however, since I had to rework the whole firewall filter and nat configuration due to the next task/challenge, only a sample rule is here:
```
/ip/firewall/nat
add action=dst-nat chain=dstnat comment="http server" dst-address-type=local dst-port=80 log=no log-prefix=http-server protocol=tcp to-addresses=10.0.1.100
```
This rule says: any access to a local address (one that is configured directly on the router) on port 80/tcp is forwarded to the address 10.0.1.100. That is the address
of the http server.
## Third Task, Second Challenge: Accessing Servers behind the Router from Clients behind the Router via the public Address of the Router
This was a hard one.
I've this Kubernetes cluster providing services like Nextcloud and Bitwarden, which I want to access from my mobile from my Intranet WLAN but also from off-road via 5G.
This is working perfectly in the current setup using a LANCOM router. But when switching to Mikrotik with naively the same rules, I was able to access the Internet from my Intranet and
I was able to access the services on the Kubernetes cluster from the world (using my mobile via 5G), but I was not able to access the services on the Kubernetes cluster from the Intranet
using the public address of my Internet connection.
It was a lot of debugging to understand the problem: the masquarading rule (`srcnat`), which is bound to the outgoing interface WAN is not triggered, because packets are no leaving the router through the WAN interface
since they are addressed to an address which is configured directly on the router. Those, the source address of the packets will not be rewritten. The port-forwarding rule (`dstnat`) in turn is triggered, because a
configured port is accessed via the public address of the router. The service itself consequently sees the original source address of the packet (the actual client address, which is in the scope of the router) and sends response
packets to this address. These packets will be routed directly to the client without passing the connection handling of the masquarading engine. And then, the client sends to the public address of the router and receives directly
from the service and thereby can not associate the request and response packet to the same connection.
The solution is to setup a dedicated masquarading rule which has the service addresses as `dst-address` condition and the addresses of the internal client networks as `src-address` condition. This rule will be triggered in the
above described scenario and the source address is replaced by the local address of the interface, where the packet is leaving the router. That in turn will be used by the server to send responses to and then is handling correctly
by the masquarading engine.
In the end I came to this rule:
```
/ip/firewall/nat
add action=masquerade chain=srcnat comment="Generic Hairpin NAT Rule, remember to maintain the lists CLIENTS and SERVICES" \
dst-address-list=SERVICES log=yes log-prefix=hairpin1 src-address-list=CLIENTS
```
The both mentioned lists `CLIENTS` and `SERVICES` are maintained at `/ip/firewall/address-list`.
To be honest, this special case is described in the [Mikrotik documentation](https://help.mikrotik.com/docs/spaces/ROS/pages/3211299/NAT#NAT-HairpinNAT), but I didn't understood it and had to learn it myself with
an interesting test setup
![](/static/IMG_6139.jpg)
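Review bot: the hairpin masquerade rule at the end of this hunk keeps `log=yes`, so every new LAN-to-service connection will be written to the log with prefix `hairpin1`; once the test setup has served its purpose this should become `log=no` like the other rules, otherwise the log fills up on a busy server. Related documentation point: because `srcnat` runs after `dstnat`, the `dst-address-list=SERVICES` match sees the already translated destination, so `SERVICES` has to contain the internal server addresses (e.g. `10.0.1.100` from the `dstnat` rule), not the public address; the sentence "has the service addresses as `dst-address` condition" implies this, but it is worth stating explicitly next to the address-list remark. The DNS block `/ip/dns` followed by `add dns-servers=8.8.8.8 name=default` also needs checking: the plain `/ip/dns` menu is configured with `set servers=8.8.8.8`, while the `add ... dns-servers= name=` form belongs to the `/ip/dns/forwarders` submenu of newer RouterOS 7 releases, so please confirm which command was actually run and show the full path. Finally, the prose has several typos to fix before publishing: "masquarading" (masquerading, several occurrences), "Additional a masquarading rule" (Additionally, a masquerading rule), "it is call" (it is called), "packets are no leaving" (not leaving), "Those, the source address" (Thus, the source address), "is handling correctly by" (is handled correctly by), "I didn't understood" (I didn't understand), "The both mentioned lists" (Both lists).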

BIN
content/static/IMG_6139.jpg Normal file
