Mikrotik
matews, 2016-07-13 07:52:23

How to forward a port for a site within the network on Mikrotik?

Good afternoon, dear ones!
The problem is this: there is a MikroTik rb951g-2hnd. Static ip address, let's say 100.101.102.103. Inside the network there is a server 192.168.0.101, the site is running on it, and on port 8080 (let the resource name be http://www.cp.test.ru). It is necessary to make port forwarding so that it works from the local network (at least by ip, better by name).
From the outside it works properly. I.e., type cp.test.ru in the browser and everything works. On the local network, it now only works with the explicit address 192.168.0.101:8080.
Now pinging from the network by name gives the external ip-address (I know that you can change it through Static DNS, but it doesn’t matter).
I really searched on different forums for this question, I tried various options. But it looks like I'm doing something wrong :(
Help me please! I would be very grateful.
The following are the settings
/ip firewall filter
add action=drop chain=input dst-address=100.101.102.103 dst-port=53 \
    in-interface=eth1-wan protocol=udp
add action=drop chain=forward comment="\CE\F2\EA\EB\FE\F7\E5\ED\FB" disabled=\
    yes out-interface=eth1-wan src-address-list=Block
add chain=input protocol=icmp
add chain=input connection-state=new dst-port=80,8291,22 in-interface=br1-LAN \
    protocol=tcp src-address=192.168.0.0/24
add chain=input connection-mark=allow_in connection-state=new disabled=yes \
    dst-port=80 in-interface=eth1-wan protocol=tcp
add chain=input connection-state=new dst-port=53,123 in-interface=br1-LAN \
    protocol=udp src-address=192.168.0.0/24
add chain=forward comment="RDP, HTTP" dst-port=80,8080,3389 in-interface=\
    eth1-wan protocol=tcp
add chain=input dst-port=80,8080 protocol=tcp
add chain=input connection-state=established,related
add chain=output connection-state=!invalid
add chain=forward connection-state=established,new in-interface=br1-LAN \
    out-interface=eth1-wan src-address=192.168.0.0/24
add chain=forward connection-state=established,related dst-address=\
    192.168.0.0/24 in-interface=eth1-wan out-interface=br1-LAN
add action=reject chain=input
add action=reject chain=output
add action=reject chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-port=\
    9999 in-interface=eth1-wan new-connection-mark=allow_in protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-wan
add action=masquerade chain=srcnat dst-address=100.101.102.103 src-address=\
    192.168.0.0/24
add action=netmap chain=dstnat comment="\D1\E0\E9\F2 \E8\E7\ED\F3\F2\F0\E8" \
    dst-address=100.101.102.103 dst-port=80 in-interface=br1-LAN protocol=tcp \
    src-address=192.168.0.0/24 to-addresses=192.168.0.101 to-ports=8080
add action=src-nat chain=srcnat dst-address=100.101.102.103 dst-port=80 \
    protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.101 \
    to-ports=8080
add action=netmap chain=dstnat comment="\D1\E0\E9\F2 \F1\ED\E0\F0\F3\E6\E8" \
    dst-address=100.101.102.103 dst-port=80 in-interface=eth1-wan protocol=tcp \
    to-addresses=192.168.0.101 to-ports=8080
add action=netmap chain=dstnat comment=RDP dst-address=100.101.102.103 dst-port=\
    31725 in-interface=eth1-wan protocol=tcp to-addresses=192.168.0.101 \
    to-ports=3389
add action=redirect chain=dstnat dst-port=9999 in-interface=eth1-wan \
    protocol=tcp to-ports=80

2 answer(s)
Александр Романов, 2016-07-13
@matews

Hairpin NAT. And use dst-nat, not netmap.

matews, 2016-07-13
@matews Question author

Thank you very much! It looks like the problem really was in Dst-nat!
I had already configured Hairpin NAT, but it didn't work. Now everything works. Thanks again!
P.S. Could you tell me what the difference between dst-nat and netmap actually is?
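
The hairpin NAT arrangement the answer points to, written out with dst-nat as an added example (not part of the thread and not the asker's final configuration). Addresses and interface names come from the question's export; the comment texts and the forward-chain accept rule are assumptions about that ruleset.

```routeros
# Added example, not from the thread. 100.101.102.103, 192.168.0.101,
# 192.168.0.0/24, eth1-wan and br1-LAN are the values shown in the question.
/ip firewall nat
# 1. Publish the site with dst-nat. There is no in-interface match, so the
#    same rule serves WAN clients and LAN clients that resolve the site name
#    to the public address.
add chain=dstnat action=dst-nat dst-address=100.101.102.103 protocol=tcp \
    dst-port=80 to-addresses=192.168.0.101 to-ports=8080 \
    comment="site: public 80 -> server 8080"
# 2. Hairpin rule. After step 1 the packet's destination is already the
#    server, so the match is on the translated address and port. Rewriting
#    the source to the router's LAN address makes the server reply through
#    the router; otherwise it answers the client directly and the client
#    discards the reply because it comes from an address it never contacted.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    dst-address=192.168.0.101 protocol=tcp dst-port=8080 \
    out-interface=br1-LAN comment="hairpin NAT for LAN clients"

/ip firewall filter
# 3. The forward chain in the question ends in a reject and shows no accept
#    for traffic entering and leaving br1-LAN. This rule admits only
#    LAN-to-LAN connections that were dst-nat'ed (both directions of the
#    connection carry that NAT state). It has to be moved above the final
#    "action=reject chain=forward" rule after it is added.
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=br1-LAN out-interface=br1-LAN \
    comment="allow hairpinned site traffic"
```

With the masquerade rule in place, the web server logs the router's LAN address as the client for internal visitors, which matters when access logs are used for auditing.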
