We have just set up Mikrotik router and have public ip address and our local ip address for the server.
We created a dst-nat rule where anyone who accesses
public_ip:80 is applied a dst_nat to local_ip:8082 port
However, from our local ip address we cannot access this public ip address.
It will work if at hosts file we write local_ip public_dns_name.
Why does mikrotik not send to the public_ip address, i.e does not apply a dst-nat rule?
The problem got solved via adding srcnat rule, which masquearades all traffic from local network
Chain
srcnat
Src. Address -> our local network
192.168.88.0/24
Dst. Address -> our server
192.168.88.249
Protocol
6 (tcp)
Action
masquerade
This problem and its solution are explained on microtik's documentation: https://wiki.mikrotik.com/wiki/Hairpin_NAT
Basically, the router translates everything into local IP addresses when replying to machines inside the network. Your client sent a request to some public IP, so it's waiting for a reply from that same public IP. The microtik translated the request into a local IP, so it sent a reply with the wrong "from" address, and your client ignored it. You can work around this by setting up a masquerade rule, or by adding a static DNS entry that bypasses the need for a public IP.
In my case, the problem was that the rule was set up to only work for traffic coming in on WAN (not LAN). I changed it to route traffic from anywhere, as long as it is requesting my public IP.
chain: dstnat
dst address: <public ip>
protocol: 6 (tcp)
dst port: 80
in. interface list: all
action: dst-nat
to addresses: <server local ip>
to ports: <server port>
Related
I have configured the keycloak server. I'm able to access the server with private IP address (192.X.X.X).
When I'm mapping this IP address to the external domain name, the keycloak page is not opened.
Moreover, I'm trying to run server as both format - such as
-b=192.x.x.x
-b=0.0.0.0.
None of them is working.
What is the problem and how can I resolve it?
The problem there is that private IP addresses (the ones in ranges below) are not routeable on the internet. You have to use public IP address to be access from the internet (out of domain).
Private ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
So actually what happens, when You set this IP address to the DNS server (set domain example.com to change into 192.168.1.1), it will correctly translate. However after that, the routers will drop the traffic, as it cannot go over the internet.
More on topic for example here: https://www.lifewire.com/what-is-a-private-ip-address-2625970
Solution:
consider this fake public IP address as yours 88.123.123.123, domain example.com
1) Get the server a public IP address so it can be reached from the internet, set forwarding-protocol on Your router at the company/home, e.g. transfer rule:
<from public int> -> <to private int>
--------------------------------------
88.123.123.123:80 -> 192.168.1.1:80 //Port for HTTP traffic
88.123.123.123:443 -> 192.168.1.1:443 //Port for HTTPS traffic
2) Set up listening of Your server on 0.0.0.0 and 192.168.1.1 should work just fine.
3) Last, set up the DNS translation on the DNS server.
example.com -> 88.123.123.123
Example of topology:
There is public IP 24.65.45.89 and the IP of the server 10.20.0.2:
I'm able to open the website being served on port 4568 on 127.0.0.1 (localhost) and my private ip address, but I can't seem to do so on my public ip address. I've tried to access the website by typing :4568 after my public ip like I did for my localhost and private ip.
Is it possible to open a site running locally on my computer through my public IP? If so, how? If not, why not?
NOTE: I'm not exactly clear what tags are appropriate. Feel free to add or remove any you deem inappropriate.
You are likly behind a NAT. What this means is that your public IP address and private IP address are not necessarily mapped to each other fully. To explicitly map your application to your public address, try the following:
Go to your modems management page
Look for a 'Port Forwarding' tab (might be under an advanced or
router menu)
There will probably be two or three field to enter:
The port on the public ip address to forward traffic from
The IP address to forward traffic to (your private IP)
(might be there) The port to send it to on the private IP
Assuming this works, all traffic going to your public IP address on that port will now go to your private IP address.
WARNING This is a simple rule and everyone on the internet can now access that port
Also make sure your web server is listening on 0.0.0.0 (all IP addresses) and your local firewall is allowing remote connections on the port in question.
Here is the scenario:
I have asked my ISP to give me public IP, which I can connect to my laptop and access from other outside network. They gave me following
IP : 103.51.2.198
subnet mask : 255.255.255.248
default Gateway : 103.51.2.193
preferred dns : 8.8.8.8
Alternate dns : 8.8.4.4
I have connected PPPoE connection in my laptop (not in router) and set these values at TCP/IP V4. My internet connection is fine.
But If I ping from other network by this IP (103.51.2.198), request is timed out.
Than I checked whatsmyrealip. and the IP is (103.51.2.102). this IP is a public IP of my ISP provider. And they are trying to give me an IP from that IP.
My ISP providers are not expert in networking nor am I. They are also not sure how they can give me a public IP.
I am not sure about what are they trying to do. and how will they give me another IP from a public IP. It will be very helpful, If anyone can explain the problem. and give a solution.
First of all, it's called public IP not "realIP".
Anyways, the answer for your question is:
You cannot access your home computer because it is behind NAT so it is unreachable from the outside of your network.
Quick example on how NAT works:
Scenario:
Private IP: 192.168.0.10
Public IP: 1.2.3.4
You are connecting to webserver on IP: 5.5.5.5
What happens:
You send data to your router, telling it that you want something from
5.5.5.5, your router assigns you a random port, let's say 11111,
sends the data with source IP 1.2.3.4 and port 11111. Stuff
happens on the webserver and the data comes back. Router reads it and
remembers that everything going to 1.2.3.4:11111 belongs to
192.168.0.10 so it sends you the data.
Here everything works because it's your computer the one starting the connection, otherwise, the webserver would never be able to connect to you.
Working in VMWare vCloud.
Webserver has internal ip 172.16.0.61, public ip 148.25.6.22 (invented numbers);
App Server has internal ip 172.16.0.52
From App Server I can ping and surf Webserver using its internal 172.16.0.61, but... how can I reach it (from App Server) using its public 148.25.6.22?
Just searching for something that let me say to the App Server
148.25.6.22 => 172.16.0.61
If I had a domain name I could resolv it in /etc/hosts, but at the moment I have just ip.
Thanks in advance
If I understand you correctly, your servers are behind a NAT, which masquerades their IP addresses (which is why your webserver has both an internal and an external IP address - the external one is actually the NAT's public address).
You can define a local route on your appserver, which will direct packets sent to 148.25.6.22 to 172.16.0.61, however that defeats the purpose, as that would cause the appserver to just send everything to the internal address.
What you should do is configure port forwarding on your NAT - this means that the NAT will listen on a port you specify, and all communication which reaches this port will be forwarded to the webserver's internal IP to another port you specify, for example: 148.25.6.22:8080 => 172.16.0.61:8080. Now, if your appserver connects to 148.25.6.22:8080, the packets will reach the webserver at port 8080.
Ignoring other possiblities such as Request.ServerVariables["HTTP_X_FORWARDED_FOR"], does Request.ServerVariables["REMOTE_ADDR"] gives me the "principal" IP of the client?
I'm talking about the IP that made the actual TCP connection.
Will ServerVariables["REMOTE_ADDR"] always be the "real" IP address of the remote endpoint?
Just to clarify: Even if it's a proxy who made the real TCP connection I'd like have its IP, and not a forwarded one.
Yes, except if its been through a NAT firewall. A NAT firewalled address would be masquerading many 192.168.x.x or any other private subnet behind a public IP address. So you'd be looking at the IP address of the NAT firewall (i.e. a Linksys Router or what have you).
Be warned that many cell phone carriers have HUGE NAT networks so they always look like they are coming from one or two public IP addresses.
The REMOTE_ADDR variable will be the IP of the system that directly connected to your web server to request the URL; so it would be the forward-most proxy server, if there is a proxy server.