The official Mikrotik router thread

Why four Pi’s instead of just one?

You’ll need a single instance of Apache to use the reverse proxy and then do a port redirect on the others that can live anywhere.

443 on the reverse proxy, any port on the actual pages internally.

It is however a silly and unnecessary point of failure compared to simply running it in the same location.

Presumably this is for a Hotspot type thing? Otherwise there are much better web servers than Pi’s.

Why only Apache though? Nginx is a much better/easier reverse proxy and you could still run Apache or anything else on the proxied pages.
 
Static DNS feels like a workaround.

I think I need a hairpin nat approach.

What are the pros and cons?

It does appear to be what MikroTik call it; everyone else calls it LAN loopback.

Don’t see why there would be any cons, it’s just redirecting traffic based on origin.

Not sure how simple it will be having DNS outside of the MikroTik though, and likely a static DNS entry is your only option in that case.

You seem to be unnecessarily complicating things.

Also, technically every DNS service includes static entries... that's kind of what it does, so to do it locally is hardly a workaround.
 
Current Raspberry has Pi-hole installed and that thing has its own brain.

It clashes with Apache.
 
Here is the solution, called a hairpin NAT.

Code:
/ip firewall nat
add chain=srcnat src-address=(LAN subnet) dst-address=(LAN IP of host) protocol=(Variable) dst-port=(Variable) out-interface=(Interface with LAN IP assigned to it) action=masquerade

Because the router attempts to respond out the interface the request is received on.
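The return-path problem behind that masquerade rule, as an added example that is not from the thread: a small Python packet-flow model using the thread's LAN addresses (192.168.88.0/24, router 192.168.88.1, Pi 192.168.88.3) and a constructed placeholder public IP. It shows that without the srcnat masquerade the Pi answers a LAN client directly over the bridge with its own address as source, so the client rejects the reply, while with the masquerade the reply is forced back through the router's NAT table and is translated correctly. The `Router` class and its conntrack table are a simplified model, not RouterOS code.

```python
from dataclasses import dataclass

# Addresses from the thread; the public IP is a constructed TEST-NET-3 placeholder.
LAN_PREFIX, ROUTER_LAN, PI = "192.168.88.", "192.168.88.1", "192.168.88.3"
ROUTER_WAN = "203.0.113.10"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

class Router:
    """Thread's dstnat port-forward plus the optional 'Raspberry Pi Hairpin'
    srcnat masquerade, with a minimal conntrack table to undo the NAT."""

    def __init__(self, hairpin_masq: bool):
        self.hairpin_masq = hairpin_masq
        self.conntrack = {}  # (reply src, reply dst) -> (original dst, original src)

    def forward(self, pkt: Pkt) -> Pkt:
        src, dst = pkt.src, pkt.dst
        if dst == ROUTER_WAN:                 # dst-nat ... to-addresses=192.168.88.3
            dst = PI
        if self.hairpin_masq and in_lan(src) and dst == PI:
            src = ROUTER_LAN                  # masquerade ... out-interface=bridge
        self.conntrack[(dst, src)] = (pkt.dst, pkt.src)
        return Pkt(src, dst)

    def reply(self, pkt: Pkt):
        # Reverse both translations for a reply that comes back through the router.
        orig = self.conntrack.get((pkt.src, pkt.dst))
        return None if orig is None else Pkt(orig[0], orig[1])

def reply_path(reply: Pkt) -> str:
    # A LAN host answers another LAN host directly over the bridge; only a reply
    # addressed off-subnet or to the router itself passes the NAT table again.
    return "direct" if in_lan(reply.dst) and reply.dst != ROUTER_LAN else "router"

def connection_works(hairpin_masq: bool, client: str) -> bool:
    router = Router(hairpin_masq)
    sent = Pkt(client, ROUTER_WAN)            # client connects to the public address
    at_pi = router.forward(sent)
    reply = Pkt(at_pi.dst, at_pi.src)         # the Pi answers whatever source it saw
    if reply_path(reply) == "router":
        reply = router.reply(reply)
    # The client's TCP stack only accepts a reply from the address it connected to.
    return reply is not None and reply.src == sent.dst and reply.dst == sent.src
```

An external client works either way; only a client on the same subnet as the Pi needs the hairpin masquerade, which is why the rule is scoped to src-address=192.168.88.0/24.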
 
You could link your home MikroTik router to a VPS running OpenVPN via pfSense or a CHR MikroTik, expose port 443 on the VPS and do a port forward back to your Raspberry Pi.

Install docker with a reverse proxy on the Pi.

The VPS will be the jump host.

Client Request (WAN) --> TCP 443 --> VPS <---> Home Mikrotik Router <---> Pi (Docker) reverse proxy 443 linked to multiple webserver containers

You could then run multiple web servers and access them on their own unique subdomain.


Otherwise use the MikroTik's own cloud DNS update feature, link it to a CNAME entry and do a port forward.



Set up your reverse proxy or external router to only accept traffic from a list of ZA addresses or one public/dynamic IP. That should help a tiny bit with the security.
And with some Let's Encrypt certs.



Or do it over a VPN?
 
I have a split DNS entry for internal, pointing to the reverse proxy on the Pi.
 
Here is the full solution:

Code:
/ip firewall nat
add action=masquerade chain=srcnat comment="NTP masq because Home-Connect ISP blocks 123" protocol=udp src-port=123 to-ports=12123-12153
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 protocol=udp src-address=!192.168.88.3 to-addresses=192.168.88.3
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 protocol=tcp src-address=!192.168.88.3 to-addresses=192.168.88.3
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Plex port forwarding" dst-port=32400 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=32400
add action=dst-nat chain=dstnat comment="Raspberry Pi HTTP port forwarding" dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.3
add action=dst-nat chain=dstnat comment="Raspberry Pi HTTPS port forwarding" dst-address=!192.168.88.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.3
add action=dst-nat chain=dstnat comment="PiHole HTTP port forwarding" dst-address=!192.168.88.1 dst-address-type=local dst-port=81 protocol=tcp to-addresses=192.168.88.3
add action=masquerade chain=srcnat comment="Raspberry Pi Hairpin http" dst-address=192.168.88.3 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Raspberry Pi Hairpin https" dst-address=192.168.88.3 dst-port=443 out-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="PiHole Hairpin http" dst-address=192.168.88.3 dst-port=81 out-interface=bridge protocol=tcp src-address=192.168.88.0/24
 

Run all the kak on one Pi with Docker and make your life much easier and simpler.

Also, AdGuard says Pi-hole can kiss my ass.
 
Next question…
My Pi-hole is my DHCP and DNS server.
So the MikroTik is set as DHCP relay.
Now that I have super fast fiber I want to connect my Ubiquiti AP and make the Wi-Fi open to all, BUT I do not want these users to get onto my 192.168.0/24 LAN which is the Pi-hole DHCP.
However, I DO want these users to use 192.168.88.3 as the DNS server. So I want to have 2 DHCP servers, one for my Pi-hole and one for the UniFi AP, using Pi-hole as DNS.

192.168.99.0/24
192.168.88.0/24 <- current active network. DHCP is 192.168.88.3 as well as DNS, gateway is 192.168.88.1
 
Code:
/ip firewall filter
add action=drop chain=forward disabled=no \
dst-address=192.168.99.0/24 src-address=\
192.168.88.0/24
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=\
tcp src-address=192.168.88.4-192.168.88.254 to-addresses=192.168.88.3 \
to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=\
udp src-address=192.168.88.4-192.168.88.254 to-addresses=192.168.88.3 \
to-ports=53
 
Why not do something like this...

Ether1-Internet (PPPoE to VDSL router)
Ether2-PiHole (possibly 192.168.77.xxx range)
Ether3-192.168.88.1 (Mikrotik does DHCP)
Ether4-192.168.99.1 (Mikrotik does DHCP)

Set the Mikrotik as the DNS server, then tell the Mikrotik to use the PiHole as its DNS server.
MASQ all traffic from Ether3 and Ether4 to go out via Ether1 and you are on your way to the races.

Feel free to drop me a PM if you need assistance.
I want the Pi to be the DHCP in this case. I get some added functionality if I do that.
 
What added functionality? I see no benefit to using the DHCP server of whatever OS you run over the MikroTik DHCP. Why even run DHCP?
 
Cannot get this to work.

I created DHCP on ether4

The AP is on ether4 and gets its IP address; the problem is the UniFi controller sits on 192.168.88.3.

How do I get the AP (192.168.1.250) to have a 2-way chat with the UniFi controller on 192.168.88.3, BUT prevent guests (192.168.1.0/24) from accessing 192.168.88.3?

[Attached screenshot: 2020-01-26_21-19-16.png]
 
Use Pi-hole, then you will see.
Good answer, as per usual. I'll go ahead and answer this then, considering you won't. There is no clear advantage, unless you are planning on tying logs to a host name. Not really that much of an advantage when you consider most people use Pi-hole just for ad blocking.
 
I use the Pi-hole API along with my app and, based on the user's interaction on this particular Wi-Fi network, I give them free Takealot vouchers.

It's out of scope entirely. All you need to know is what network topology I wanted.
 
Any advice and assistance with setting up a hAP for home network as a repeater?
 
[Attached screenshot: 2020-02-01_134824.png]


Interfaces would also need to be bridged... for the Apple machine to be able to connect via an Ethernet cable.
 