
In order to access a web server from the internet located on a private LAN, we need to resort to the concept of DNAT. My understanding is that DNAT is a kind of port forwarding. If someone on an external public network (e.g. the Internet) makes a connection to the web port (80) of a router's public address, they are transparently redirected to the IP address of the web server running on the internal network.

In a nutshell:

- router public IP: 159.149.xx.xxx
- web server private IP: 192.168.10.2

If someone tries to connect to 159.149.xx.xxx:80 it gets redirected to 192.168.10.2:80. Is that correct? DNAT simply allows any host on the "outside" to get to a single host on the "inside".

If my reasoning is right, can the same concept be applied to a MikroTik RouterBoard? A technician from MikroTik said that he enabled port ether5, to which it established an association with the internal subnet 192.168.10.0/24. A UPS web server has been placed on the same LAN with static IP 192.168.10.2. Now the guy said: please let me know the ports you want to be enabled so that the UPS can be accessible from outside. Should I tell him: port 80? Or any other port?

Thanks in advance.

minus

1 Answer

To address your former point: yes, that is the way DNAT works; a TCP or UDP port, when accessed externally via a WAN IP, is translated/passed through to an internal device.

You could potentially forward a port in the same manner to access the RouterBoard, provided its access interface is via a specific TCP or UDP port, but it is important to note that:

  1. A specific port can only be mapped once per protocol (UDP/TCP).
  2. You should consider the security implications of essentially opening a port and forwarding it to an internal device (in doing so, you should make absolutely sure that your security measures for protecting the service the port communicates with are in good standing).
BE77Y
  • Thanks for your quick reply. So am I right in saying that 80 (HTTP) is the right one? According to what you stated, one port only can be opened... If I wanted to open ports 443 and 22, that would be impossible... am I correct? – minus Dec 08 '14 at 16:53
  • No, what I stated was that any port may only be mapped once, e.g. 80 (TCP) (for HTTP, which is a TCP protocol) can only be mapped to one device. As for which port you would need to map for remote access to the RouterBoard - I'm afraid I have no idea, having no personal experience of them; you should check their documentation for which port(s) and protocol(s) are used to access their administration interface(s), and as above - do so only if you are confident in the security of the device it's being mapped to. – BE77Y Dec 08 '14 at 16:57
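As an added illustration of the DNAT rule discussed above (this is example configuration written for this page, not the asker's, the answerer's, or MikroTik's own), here is what the port forward for the UPS web server would look like in RouterOS terms. It assumes the WAN interface is called ether1 (a placeholder; the question only names ether5 as the LAN side), that the UPS interface really listens on TCP 80 at 192.168.10.2, and that 203.0.113.0/24 is a constructed stand-in for the network the UPS should be managed from. It forwards the port only from that source list and adds the matching forward-chain accept rule, which is the part of "making sure your security measures are in good standing" that a plain DNAT rule does not cover on its own.

```routeros
# Added example, not configuration from the page or from MikroTik.
# Assumptions: ether1 = WAN (placeholder), ether5 = LAN 192.168.10.0/24 (from the question),
# UPS web interface on 192.168.10.2 TCP 80, management network 203.0.113.0/24 (constructed).

# 1. Restrict who may reach the forwarded service to a named source list.
/ip firewall address-list
add list=ups-admins address=203.0.113.0/24 comment="placeholder: replace with the real management network"

# 2. The DNAT rule: TCP 80 arriving on the WAN interface from the list is rewritten to the UPS.
#    Only one dstnat rule can match a given WAN port/protocol pair, which is the
#    "mapped once per protocol" limit from the answer.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 src-address-list=ups-admins action=dst-nat to-addresses=192.168.10.2 to-ports=80 comment="UPS web interface (DNAT)"

# 3. The filter chain still has to allow the translated connection through to the LAN.
#    This rule must sit above any generic forward-chain drop rule.
/ip firewall filter
add chain=forward in-interface=ether1 connection-nat-state=dstnat protocol=tcp dst-address=192.168.10.2 dst-port=80 src-address-list=ups-admins action=accept comment="allow forwarded UPS traffic"
```

Two points follow from this layout. First, dstnat is evaluated before the router decides whether a packet is for itself, so a rule forwarding TCP 80 on the WAN address also takes that port away from the router's own web management on that address; keep management off the WAN interface (or on a different port) rather than relying on both to coexist. Second, the forwarded host becomes reachable exactly as if it were on the Internet, so the source-list restriction and the state of the UPS's own web interface (firmware updates, non-default credentials) are what actually limit exposure, not the NAT rule.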