Mikrotik
@migmax, 2016-11-25 14:43:40

How to access the external IP address from the local network on MikroTik NOT through the default route?

Dear, please clarify this point.
There is Mikrotik, it has 2 providers, one gives the conditional address A.A.A.A, the second address B.B.B.B.
In the local network, the default route is configured through the provider with the address A.A.A.A, the second provider is the backup one.
A site was forwarded from the local network from the address 192.168.0.31 to the Internet through the backup provider B:
NAT rule:
chain=dstnat action=netmap to-addresses=192.168.0.31 to-ports=80 protocol=tcp dst-address=B.B.B.B in-interface=B dst-port=99
mangle rule:
chain=prerouting action=mark-routing new-routing-mark=B passthrough=no src-address=192.168.0.31
route:
AS 0.0.0.0/0 B.B.B.B Routing Mark - B 1
Everything works from the Internet, thanks to the rules described above, the site opens and works through a backup provider.
The problem is that you need to access the site using the external IP of B.B.B.B from the local network.
There is a NAT rule for this:
chain=srcnat action=masquerade to-addresses=192.168.0.31 src-address=192.168.0.0/16 dst-address=192.168.0.31 out-interface=B
so that the response from the site to the addressee does not go directly to the local address. The problem is that the masquerade works through the default route on the network, with the address A.A.A.A, and the response from the site does not come where it should.
What needs to be added or corrected to the config in order to access from the local network at the external address B.B.B.B?
PS:
In addition to the masquerade rule that is described above (in fact, it is Hairpin NAT - it does not work in my case), there are also 2 rules for accessing the Internet.
chain=srcnat action=masquerade dst-address=!192.168.0.0/16 out-interface=A
chain=srcnat action=masquerade dst-address=!192.168.0.0/16 out-interface=B
If you need anything else from the config, I'll post it.


4 answer(s)
migmax, 2016-11-29

I figured it out myself, the following rules helped:
/ip firewall nat
chain=dstnat action=netmap to-addresses=192.168.0.31 to-ports=80 protocol=tcp dst-address=B.B.B.B dst-port=99
chain=srcnat action=masquerade to-addresses=192.168.0.31 src-address=192.168.0.0/16 dst-address=192.168.0.31 out-interface=bridge-local
/ip firewall mangle
chain=forward action=mark-connection new-connection-mark=t31 passthrough=no src-address=!192.168.0.0/16 dst-address=192.168.0.31
chain=prerouting action=mark-routing new-routing-mark=B passthrough=no src-address=192.168.0.31 connection-mark=t31
/ip route
AS ;;; Routing Mark - B 0.0.0.0/0 B.B.B.B 1
Maybe it will come in handy for someone!
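
Added example (not part of the answer above, and not MikroTik code): a simplified Python model of which interface the site's reply leaves through under the question's single mark-routing rule and under the answer's mark-connection/mark-routing pair. It assumes that routing table B holds only the default route via B, that the LAN is a connected route on bridge-local, and that the reply's destination is the original client after connection tracking reverses the NAT; the client addresses are constructed samples.

```python
from ipaddress import ip_address, ip_network

# Routing tables as the page describes them (interface names A, B and
# bridge-local are the page's; the connected LAN route is an assumption).
TABLES = {
    "main": [("192.168.0.0/16", "bridge-local"), ("0.0.0.0/0", "A")],
    "B": [("0.0.0.0/0", "B")],
}
SITE = "192.168.0.31"

def matches(spec, addr):
    """RouterOS-style address match; a leading '!' negates the prefix."""
    hit = ip_address(addr) in ip_network(spec.lstrip("!"))
    return hit != spec.startswith("!")

def lookup(table, dst):
    """Longest-prefix match inside one routing table; returns the interface."""
    routes = [(ip_network(p), dev) for p, dev in TABLES[table]]
    hits = [(n.prefixlen, dev) for n, dev in routes if ip_address(dst) in n]
    return max(hits)[1]

def reply_egress(client, fixed, server=SITE):
    """Interface through which `server` replies to `client`.

    fixed=False: question's mangle rule (mark-routing on src-address only).
    fixed=True:  answer's pair (mark-connection t31 for non-LAN sources,
                 mark-routing only when connection-mark=t31).
    """
    conn_mark = None
    # Request in the forward chain: src=client, dst=server (dstnat already done,
    # srcnat not yet applied, so a LAN client still shows its LAN address).
    if fixed and matches("!192.168.0.0/16", client) and matches(SITE, server):
        conn_mark = "t31"
    # Reply in prerouting: src=server; the routing mark picks the table.
    marked = matches(SITE, server) and (not fixed or conn_mark == "t31")
    return lookup("B" if marked else "main", client)

if __name__ == "__main__":
    # Constructed sample clients: one on the Internet, one on the LAN.
    for client in ("203.0.113.7", "192.168.0.10"):
        for fixed in (False, True):
            label = "answer" if fixed else "question"
            print(f"{client:13} {label:8} -> {reply_egress(client, fixed)}")
```

In this model the question's rule sends the reply to a LAN client out through B, while the answer's pair keeps that reply on bridge-local and still returns Internet-originated connections through B.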

Gregory, 2016-11-25
@Maxlinus

How many masquerading rules do you have? Show the config so it will be clearer.

Kirill Vasiliev, 2016-11-27
@vasilevkirill

If I understand you correctly, then you need to use this technology wiki.mikrotik.com/wiki/Hairpin_NAT

polevoyserg, 2018-02-12
@polevoyserg

The above option didn't quite work for me. It worked with the following settings:
/ip firewall nat (first rule)
and the second rule, on the nat tab (ibid.)
