
I have a web server behind NAT, accessible on the internet. I am using a MikroTik router for NAT.

But when the website is accessed from the internet or outside the LAN it does not show the actual visitor's IP; instead it shows the gateway IP address. I tried many things, from changing the log format to assigning a custom x-forwarded header, but still no luck.

NAT Rule:

```
chain=srcnat action=masquerade
chain=dstnat action=dst-nat to-addresses=private-ip to-ports=80 protocol=tcp dst-address=public-ip dst-port=80
```
techraf

2 Answers


Apache can't log information that's simply not there.

The problem is that your router is also masquerading the source address for public IP addresses, whereas for requests coming from the internet you would typically only apply destination NAT.

HBruijn
  • I would only apply destination NAT to the web server (192.168.xxx.xxx); how can I achieve that? If I remove the masquerading, the internet stops working. –  Nov 16 '16 at 06:20
  • You should only apply source NAT on traffic coming in on the internal interface that's routed out to the internet over the WAN interface. Traffic coming in on the WAN interface should only be destination NAT-ed not source NAT-ed. – HBruijn Nov 16 '16 at 09:22
  • Could you please suggest the firewall rule in written form? I am new to this thing. –  Nov 16 '16 at 09:50
  • Please don't become a cargo-cult sysadmin that can only copy and paste other people's work. Server Fault is a site for information technology professionals -- as such we have certain professional expectations when people ask a question here, and one of those expectations is that you will do some **research**, find and **read the vendor documentation** and/or **try a solution** before asking the internet for help. You may still not be able to solve everything yourself, then at least you can [write a great question](http://meta.serverfault.com/a/3609/37681) that we can help you answer. – HBruijn Nov 16 '16 at 09:56
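A rule set that applies the point HBruijn makes (source NAT only for LAN traffic leaving through the WAN, destination NAT only for traffic arriving on the WAN), written as an added example rather than anything posted in this thread. It assumes ether1 is the WAN interface, ether2 the LAN, the LAN is 192.168.2.0/24 and the web server is 192.168.2.111 (values the questioner mentions elsewhere in the thread); PUBLIC-IP is a placeholder.

```routeros
# Added example; assumptions: ether1 = WAN, ether2 = LAN,
# LAN = 192.168.2.0/24, web server = 192.168.2.111, PUBLIC-IP = placeholder.

# --- Rule from the question (do NOT use) ---
# /ip firewall nat add chain=srcnat action=masquerade
# With no match conditions, this rule also rewrites the source address of
# packets that came in on ether1 and were dst-nat-ed to the server, so the
# web server only ever sees the router's LAN address in its access log.

# --- Corrected rules ---
/ip firewall nat
# Source NAT only for packets from the LAN that leave via the WAN interface.
add chain=srcnat action=masquerade src-address=192.168.2.0/24 \
    out-interface=ether1 comment="LAN -> internet only"
# Destination NAT only for packets arriving on the WAN interface; their
# source address is left untouched and reaches the web server unchanged.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp \
    dst-port=80 to-addresses=192.168.2.111 to-ports=80 \
    comment="forward public :80 to web server"

# --- Check ---
# The masquerade rule must show src-address / out-interface restrictions;
# an unrestricted "chain=srcnat action=masquerade" line is the bug.
/ip firewall nat print where chain=srcnat
```

If the public IP is static, `dst-address=PUBLIC-IP` may be added to the dst-nat rule in place of, or in addition to, `in-interface=ether1`.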

You need to set up so-called port forwarding on MikroTik.

Have a look here:

or here

Example from my MikroTik of port forwarding config:

[screenshot: port forwarding configuration]

As you can see, there is a difference between what you posted and my config. In my config, src nat is only applied to my private network. And the line below it is a dst nat.

In your config you are doing src nat both ways.

I just did a little test. My ether1-gateway interface (the one that normally faces the internet) is assigned the static IP 10.0.0.1/16. My private network is 192.168.10.0/24. On my private network I have a Linux laptop connected to ether2-master-local, and it is set with IP 192.168.10.247. This laptop runs Apache.

I have these firewall settings on MikroTik:

[screenshot: firewall settings]

I have a Mac connected to the ether1-gateway interface (mimicking a client located somewhere on the internet). This Mac is set with 10.0.0.2.

And below is the Apache access log. As you can see, the real client IP is shown.

[screenshot: Apache access log]

Dmitry Zayats
  • I am forwarding a port through NAT, public port 80 to private port 80. The server is accessible through the internet but it is not showing the client IP in the access log; instead it's showing the gateway IP. –  Nov 16 '16 at 07:27
  • Have a look at the link I posted. It describes port forwarding, which is exactly what you need. I use it with a MikroTik router and can see the remote client's real IP. – Dmitry Zayats Nov 16 '16 at 07:30
  • I added the port forwarding but it is still showing the gateway IP. –  Nov 16 '16 at 07:45
  • Post your current MikroTik configuration. You are most likely still doing source NAT. – Dmitry Zayats Nov 16 '16 at 08:46
  • `1.chain=srcnat action=masquerade` `2.chain=dstnat action=dst-nat to-addresses=private-ip to-ports=80 protocol=tcp dst-address=public-ip dst-port=80` `3.chain=dstnat action=dst-nat to-addresses=192.168.2.111 to-ports=80 protocol=tcp in-interface=ether2 dst-port=8080` These are the only firewall rules active. –  Nov 16 '16 at 08:54
  • Compare your config with my example. You are doing src NAT both ways. – Dmitry Zayats Nov 16 '16 at 11:14